Conclusion and Future Directions

Transcription

1 Chapter 9 Conclusion and Future Directions The success of e-commerce and e-business applications depends upon the trusted users. Masqueraders use their intelligence to challenge the security during transaction over the Internet. Since millions of users are involved in business transactions over the Internet and they need to interoperate, it is difficult to eradicate impersonation. Thus it is necessary to take proper security measures that allow authentication of business partners, consumers and suppliers, prior to the interchange of information, goods and services. Public Key Infrastructure provides the required trust between users during transactions over the Internet. Trust models are used to establish trust relationship between the users. Hierarchical PKI is one of the most popular PKI trust models that the companies deploy as their security infrastructure. One of the important needs of current PKI is interoperability, which makes possible secure interconnection and co-operation between different PKI structures. In electronic commerce, different PKIs need to be interoperated. So there is a need for efficient methods to merge PKIs so as to achieve interoperability between them. In order to merge PKIs, one has to consider different cases such as whether the merging of companies is permanent or temporary. Depending upon the case, appropriate merging method is to be used. Certificate based user authentication is one more challenge in e-commerce and 147

2 e-business transactions. This can be done by verifying user certificates in PKI. For quick and easy verification of certificates in PKIs, efficient certificate verification algorithms are to be built since there is enough requirement for such methods. For verification of certificates, a user builds a chain of certificates from its trusted CA to the other user s certificate known as certification path. The processing of certificate paths may be a very complicated and time demanding operation, depending on the length of the certificate path and the possible inclusion of relations using cross-certification. Certificate path construction in a Hierarchical PKI is a straightforward process that simply requires the relying party to successively retrieve issuer certificates until a certificate is located that was issued by the trusted root. Peer-to-Peer(also called Mesh PKI) architecture is one of the most popular PKI trust models that is widely used in automated business transactions, but certificate path verification is very complex since there are multiple paths between users, and the certification path is bidirectional. 9.1 Major Contributions A general method to unify Hierarchical PKIs has been developed that takes a different approach from cross-certification technique. The method is to unify the multiple CAs without using cross-certification. By using this method, the trust model with an efficient path processing is built in comparison with the traditional merging methods with cross-certification. A certificate verifier should construct and validate the certification path. If there are crosscertifications, the path construction process is very complex. Cross-certification at the root is the most common solution to merge PKIs for their interoperability. But during acquisition of companies, cross-certification is not required because, whenever a company acquires another company, the 148

3 acquired company becomes a part of the acquiring company. In order to reduce the cost of maintaining Root CAs and to reduce the runtime for certificate path processing, a merging method of CAs without cross-certification has been developed. The Root CA of the company to be acquired is not necessary after merging and can be discarded. In the method, there is no cross-certification and the Root CAs of the acquired PKIs are ignored. So certificate path verification time and the employment cost of Root CAs is reduced significantly as compared to the methods already existing. The merging process is of low-cost. It can be easily constructed and is flexible. A strict hierarchical model is constructed by performing this merging process, so certification path processing is more efficient than other methods. Certificate path length is reduced which in turn reduces the verification time. All the Root CAs except the New Root CA can be ignored and so maintenance cost is reduced. The unification of PKIs for interoperability is possible only if their certificate policies are similar. In case of acquisition of companies, the acquired PKI has to adapt to the certificate policy of the acquiring PKI. However, for other cases, merging of PKIs is possible only if the compatibility score of the certificate policies of the PKIs to be merged, satisfies the final acceptance rule. So one of the contributions of the research work is a method developed to compare and assess certificate policies during merger and acquisition of companies. The method is applicable for merging PKIs with or without cross-certification. In Hierarchical PKI, certificate path is unidirectional, so certificate path development and validation is simple and straight forward. To reduce time required for certificate path verification, an efficient method for path processing in Hierarchical PKIs has been developed. The method uses a local cache in the client side with the Forward path verification technique so that 149

4 it gives better performance than that of the normal Forward path verification technique for certificate path verification. Path construction in a mesh environment is significantly more complicated than in a subordinated hierarchy, requiring the ability to iteratively obtain and combine sets of cross-certificates issued by various CAs. In this research work, an efficient method to convert a mesh or Peer-to-Peer PKI to its equivalent DFS spanning tree to simplify the certificate path construction has been developed. This reduces the complexity of certificate path verification in Peer-to-Peer PKIs by avoiding multiple paths between the users. A novel method to simplify the Certification Path Discovery in Peer-to-Peer PKI by establishing a Virtual hierarchy has also been developed. The resultant hierarchy may be a single rooted or a multi-rooted one. This eliminates the complexity of path verification in Mesh PKI because the path verification in Hierarchical PKI is simple and straightforward. The research contributions are summarized in Table 9.1 and Table 9.2. Table 9.1: Summary of research contributions Contribution Purpose Merging Hierarchical PKIs- Solution1 When the merging of companies is temporary and the companies dynamically change their collaborators. Merging Hierarchical PKIs- Solution2 During acquisition of companies, the merging of companies is permanent and the acquired company becomes a part of the acquiring company in the future. 150

5 Contribution Table 9.2: Summary of research contributions continued... Purpose A method to compare and assess Certificate Policies(CPs) during merger and acquisition of companies Certificate path verification method in Hierarchical PKIs In order to merge PKIs, the CPs of both the PKIs should match. Merging is possible only if the compatibility score of the CPs is satisfies the final acceptance rule. The existing certificate verification methods in Hierarchical PKI are not optimized. The proposed method is an optimized one that reduces certificate path verification time significantly. It is observed that, if the cache hit is doubled, the certificate path verification time is reduced by 50%. Certificate path verification method in Mesh or Peer-to- Peer PKIs-Solution1 Certificate path verification method in Mesh or Peer-to- Peer PKIs-Solution2 This method removes the complexity of certificate path verification in Mesh PKIs due to multiple paths between any two users in Mesh PKI. This method constructs a virtual hierarchy in a Mesh PKI, thus obtaining the best features of certificate path verification of Hierarchical PKI. In Hierarchical PKI, the certificate path construction is simple and straightforward since the certificate path is unidirectional. 151

6 9.2 Suggestions for future research Although our research work contributes toward the technical dimension of merging Hierarchical PKIs during merger and acquisition of companies for interoperability purpose, several measures still need to be taken at the legal/regulatory level. This needs to be done in order to provide a commercially viable service, yielding international co-operation and information exchange in e-commerce and e-business applications. The development of Certificate Policies and Certificate Practice Statements can be automated. This can be integrated with broader security policy and mechanisms. Based on the PKI architecture, there can be provision for online cross-certification services. Reverse Certificate Path Verification by constructing a binary tree using codeword algorithm increases certificate path length. So, more sophisticated algorithms need to be developed for reducing the certificate path length. Algorithms can be developed that work in more realistic environments. For example, we can have a varying number of LDAP servers for each domain. Also, the certificates can be issued or revoked dynamically. Further, more trust anchors can be configured for each relying party. Besides certificate path discovery, certificate revocation checking is another critical process in PKI. Certificate status information is needed for validating a certification path. Checking revocation information introduces additional time and space requirements. At the same time, not checking revocation information or relying on out-of-date information causes construction of invalid certification paths. In this case, relying parties have to repeat their efforts to try to discover a valid path. A simulation that models these situations can help users evaluate the trade-offs between performance overhead and successful rate. 152

7 Even though the certificate path development is more complex in a Mesh PKI, it is most widely used in applications such as MANET. There is enough scope to apply the principles of wired PKI to wireless PKI. Research can be carried out on certificate based user authentication in MANETs. The communicating parties have to provide credentials for authentication without knowing each other from prior sessions. In this case authentication must be based on certificates and a common trusted third party. A PKI is needed for certificate management through their lifecycle. Efficient and more sophisticated path verification(certificate based user authentication) algorithms are required in MANETs because mobile devices have limited processor capacity and memory storage. 153