Conclusion and Future Directions



Similar documents
Cross-Certification and PKI Policy Networking

Public Key Infrastructure

Creating Virtual Hierarchy in Peer-to-Peer PKI to Simplify Certificate Path Discovery

Building a virtual hierarchy to simplify certification path discovery in mobile ad-hoc networks

Certification Path Processing in the Tumbleweed Validation Authority Product Line Federal Bridge CA Meeting 10/14/2004

Comparing Cost of Ownership: Symantec Managed PKI Service vs. On- Premise Software

Test Plan for Department of Defense (DoD) Public Key Infrastructure (PKI) Interagency/Partner Interoperability. Version 1.0.3

UNDERSTANDING PKI: CONCEPTS, STANDARDS, AND DEPLOYMENT CONSIDERATIONS, 2ND EDITION

Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 15.1

Part III-a. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

ITL BULLETIN FOR JULY Preparing for and Responding to Certification Authority Compromise and Fraudulent Certificate Issuance

Designing Windows Server 2008 Active Directory Infrastructure and Services Course 6436B; 5 Days, Instructor-led

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

Understanding the differences in PIV, PIV-I, PIV-C August 23, 2010

TeleTrusT European Bridge CA Status and Outlook

RECOMMENDATIONS for the PROCESSING of EXTENDED VALIDATION SSL CERTIFICATES January 2, 2014 Version 2.0

Dr. Cunsheng DING HKUST, Hong Kong. Security Protocols. Security Protocols. Cunsheng Ding, HKUST COMP685C

The IVE also supports using the following additional features with CA certificates:

Certificate Policies and Certification Practice Statements

Certificates. Noah Zani, Tim Strasser, Andrés Baumeler

encryption keys, signing keys are not archived, reducing exposure to unauthorized access to the private key.

Lecture 10 - Authentication

Entrust Managed Services PKI

PKI implementation issues in B2B e-commerce Pita Jarupunphol and Chris J. Mitchell Information Security Group, Royal Holloway, University of London

CSC/ECE 574 Computer and Network Security. What Is PKI. Certification Authorities (CA)

associate professor BME Híradástechnikai Tanszék Lab of Cryptography and System Security (CrySyS)

EMC Celerra Version 5.6 Technical Primer: Public Key Infrastructure Support

TELSTRA RSS CA Subscriber Agreement (SA)

National Certification Authority Framework in Sri Lanka

DoD Root Certificate Chaining Problem

Designing a Windows Server 2008 Active Directory Infrastructure and Services

Federal PKI (FPKI) Community Transition to SHA-256 Frequently Asked Questions (FAQ)

Introduction to Network Security Key Management and Distribution

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

How To Make A Trustless Certificate Authority Secure

Restricting Access with Certificate Attributes in Multiple Root Environments A Recipe for Certificate Masquerading

The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions

Certificate Authority Product Overview Technology White Paper

Digital certificates and SSL

The Security Framework 4.1 Programming and Design

Modeling and Evaluation of Certification Path Discovery in the Emerging Global PKI

NIST ITL July 2012 CA Compromise

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 14 Key Management and Distribution.

Overview. SSL Cryptography Overview CHAPTER 1

White Paper: Managing Security on Mobile Phones

Configuration Guide for RFMS 3.0 Initial Configuration. WiNG 5 How-To Guide. Digital Certificates. July 2011 Revision 1.0

Chapter 5. Regression Testing of Web-Components

A PKI ARCHITECTURE USING OPEN SOURCE SOFTWARE FOR E- GOVERNMENT SERVICES IN ROMANIA

Strategies for the implementation of a Public Key Authentication Framework (PKAF) in Australia

Entrust Managed Services PKI. Configuring secure LDAP with Domain Controller digital certificates

Authentication Application

Introduction to Public Key Technology and the Federal PKI Infrastructure 26 February 2001

Purpose of PKI PUBLIC KEY INFRASTRUCTURE (PKI) Terminology in PKIs. Chain of Certificates

U. S. Department of Justice Information Technology Strategic Plan. Appendix E. Public Key Infrastructure at the Department of Justice.

SBClient SSL. Ehab AbuShmais

Module 2: Deploying and Managing Active Directory Certificate Services

How to Prepare Your Salesforce Service for Certificate Changes

Public Key Infrastructure for a Higher Education Environment

Securing LAN Connected Devices in Industrial Sites with TLS and Multicast DNS

Administration Guide Certificate Server May 2013

VIDEO Intypedia013en LESSON 13: DNS SECURITY. AUTHOR: Javier Osuna García-Malo de Molina. GMV Head of Security and Process Consulting Division

6.1.2 Installing AD DS 7:45

Concept of Electronic Approvals

1 Public Key Cryptography and Information Security

Certificate Management. PAN-OS Administrator s Guide. Version 7.0

Committee on National Security Systems

Authentication Applications

Certificate technology on Pulse Secure Access

Implementing and Administering Security in a Microsoft Windows Server 2003 Network

Certificate technology on Junos Pulse Secure Access

APPENDIX C - PRICING INDEX DIR-SDD-2514 VERIZON BUSINESS NETWORK SERVICES, INC SERVICES

Making Digital Signatures Work across National Borders

PKI Uncovered. Cisco Press. Andre Karamanian Srinivas Tenneti Francois Dessart. 800 East 96th Street. Indianapolis, IN 46240

State of PKI for SSL/TLS

Security Digital Certificate Manager

SSL Certificates and Bomgar

Configuring Digital Certificates

How To Install The Snow Active Directory Discovery Service On Windows (Windows) (Windows 7) (Powerbook) (For Windows) (Amd64) (Apple) (Macintosh) (Netbook) And (Windows

Security Digital Certificate Manager

Topological Properties

Deployment of IEEE 802.1X for Wired Networks Using Microsoft Windows

MS Implementing an Advanced Server Infrastructure

SecureAuth Authentication: How SecureAuth performs what was previously impossible using X.509 certificates

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

Testing Intelligent Device Communications in a Distributed System

The Convergence of IT Security and Physical Access Control

Blending FreeIPA in a Certificate Infrastructure

Configuring and Troubleshooting Identity and Access Solutions with Windows Server 2008 Active Directory

Transcription:

Chapter 9 Conclusion and Future Directions The success of e-commerce and e-business applications depends upon the trusted users. Masqueraders use their intelligence to challenge the security during transaction over the Internet. Since millions of users are involved in business transactions over the Internet and they need to interoperate, it is difficult to eradicate impersonation. Thus it is necessary to take proper security measures that allow authentication of business partners, consumers and suppliers, prior to the interchange of information, goods and services. Public Key Infrastructure provides the required trust between users during transactions over the Internet. Trust models are used to establish trust relationship between the users. Hierarchical PKI is one of the most popular PKI trust models that the companies deploy as their security infrastructure. One of the important needs of current PKI is interoperability, which makes possible secure interconnection and co-operation between different PKI structures. In electronic commerce, different PKIs need to be interoperated. So there is a need for efficient methods to merge PKIs so as to achieve interoperability between them. In order to merge PKIs, one has to consider different cases such as whether the merging of companies is permanent or temporary. Depending upon the case, appropriate merging method is to be used. Certificate based user authentication is one more challenge in e-commerce and 147

e-business transactions. This can be done by verifying user certificates in PKI. For quick and easy verification of certificates in PKIs, efficient certificate verification algorithms are to be built since there is enough requirement for such methods. For verification of certificates, a user builds a chain of certificates from its trusted CA to the other user s certificate known as certification path. The processing of certificate paths may be a very complicated and time demanding operation, depending on the length of the certificate path and the possible inclusion of relations using cross-certification. Certificate path construction in a Hierarchical PKI is a straightforward process that simply requires the relying party to successively retrieve issuer certificates until a certificate is located that was issued by the trusted root. Peer-to-Peer(also called Mesh PKI) architecture is one of the most popular PKI trust models that is widely used in automated business transactions, but certificate path verification is very complex since there are multiple paths between users, and the certification path is bidirectional. 9.1 Major Contributions A general method to unify Hierarchical PKIs has been developed that takes a different approach from cross-certification technique. The method is to unify the multiple CAs without using cross-certification. By using this method, the trust model with an efficient path processing is built in comparison with the traditional merging methods with cross-certification. A certificate verifier should construct and validate the certification path. If there are crosscertifications, the path construction process is very complex. Cross-certification at the root is the most common solution to merge PKIs for their interoperability. But during acquisition of companies, cross-certification is not required because, whenever a company acquires another company, the 148

acquired company becomes a part of the acquiring company. In order to reduce the cost of maintaining Root CAs and to reduce the runtime for certificate path processing, a merging method of CAs without cross-certification has been developed. The Root CA of the company to be acquired is not necessary after merging and can be discarded. In the method, there is no cross-certification and the Root CAs of the acquired PKIs are ignored. So certificate path verification time and the employment cost of Root CAs is reduced significantly as compared to the methods already existing. The merging process is of low-cost. It can be easily constructed and is flexible. A strict hierarchical model is constructed by performing this merging process, so certification path processing is more efficient than other methods. Certificate path length is reduced which in turn reduces the verification time. All the Root CAs except the New Root CA can be ignored and so maintenance cost is reduced. The unification of PKIs for interoperability is possible only if their certificate policies are similar. In case of acquisition of companies, the acquired PKI has to adapt to the certificate policy of the acquiring PKI. However, for other cases, merging of PKIs is possible only if the compatibility score of the certificate policies of the PKIs to be merged, satisfies the final acceptance rule. So one of the contributions of the research work is a method developed to compare and assess certificate policies during merger and acquisition of companies. The method is applicable for merging PKIs with or without cross-certification. In Hierarchical PKI, certificate path is unidirectional, so certificate path development and validation is simple and straight forward. To reduce time required for certificate path verification, an efficient method for path processing in Hierarchical PKIs has been developed. The method uses a local cache in the client side with the Forward path verification technique so that 149

it gives better performance than that of the normal Forward path verification technique for certificate path verification. Path construction in a mesh environment is significantly more complicated than in a subordinated hierarchy, requiring the ability to iteratively obtain and combine sets of cross-certificates issued by various CAs. In this research work, an efficient method to convert a mesh or Peer-to-Peer PKI to its equivalent DFS spanning tree to simplify the certificate path construction has been developed. This reduces the complexity of certificate path verification in Peer-to-Peer PKIs by avoiding multiple paths between the users. A novel method to simplify the Certification Path Discovery in Peer-to-Peer PKI by establishing a Virtual hierarchy has also been developed. The resultant hierarchy may be a single rooted or a multi-rooted one. This eliminates the complexity of path verification in Mesh PKI because the path verification in Hierarchical PKI is simple and straightforward. The research contributions are summarized in Table 9.1 and Table 9.2. Table 9.1: Summary of research contributions Contribution Purpose Merging Hierarchical PKIs- Solution1 When the merging of companies is temporary and the companies dynamically change their collaborators. Merging Hierarchical PKIs- Solution2 During acquisition of companies, the merging of companies is permanent and the acquired company becomes a part of the acquiring company in the future. 150

Contribution Table 9.2: Summary of research contributions continued... Purpose A method to compare and assess Certificate Policies(CPs) during merger and acquisition of companies Certificate path verification method in Hierarchical PKIs In order to merge PKIs, the CPs of both the PKIs should match. Merging is possible only if the compatibility score of the CPs is satisfies the final acceptance rule. The existing certificate verification methods in Hierarchical PKI are not optimized. The proposed method is an optimized one that reduces certificate path verification time significantly. It is observed that, if the cache hit is doubled, the certificate path verification time is reduced by 50%. Certificate path verification method in Mesh or Peer-to- Peer PKIs-Solution1 Certificate path verification method in Mesh or Peer-to- Peer PKIs-Solution2 This method removes the complexity of certificate path verification in Mesh PKIs due to multiple paths between any two users in Mesh PKI. This method constructs a virtual hierarchy in a Mesh PKI, thus obtaining the best features of certificate path verification of Hierarchical PKI. In Hierarchical PKI, the certificate path construction is simple and straightforward since the certificate path is unidirectional. 151

9.2 Suggestions for future research Although our research work contributes toward the technical dimension of merging Hierarchical PKIs during merger and acquisition of companies for interoperability purpose, several measures still need to be taken at the legal/regulatory level. This needs to be done in order to provide a commercially viable service, yielding international co-operation and information exchange in e-commerce and e-business applications. The development of Certificate Policies and Certificate Practice Statements can be automated. This can be integrated with broader security policy and mechanisms. Based on the PKI architecture, there can be provision for online cross-certification services. Reverse Certificate Path Verification by constructing a binary tree using codeword algorithm increases certificate path length. So, more sophisticated algorithms need to be developed for reducing the certificate path length. Algorithms can be developed that work in more realistic environments. For example, we can have a varying number of LDAP servers for each domain. Also, the certificates can be issued or revoked dynamically. Further, more trust anchors can be configured for each relying party. Besides certificate path discovery, certificate revocation checking is another critical process in PKI. Certificate status information is needed for validating a certification path. Checking revocation information introduces additional time and space requirements. At the same time, not checking revocation information or relying on out-of-date information causes construction of invalid certification paths. In this case, relying parties have to repeat their efforts to try to discover a valid path. A simulation that models these situations can help users evaluate the trade-offs between performance overhead and successful rate. 152

Even though the certificate path development is more complex in a Mesh PKI, it is most widely used in applications such as MANET. There is enough scope to apply the principles of wired PKI to wireless PKI. Research can be carried out on certificate based user authentication in MANETs. The communicating parties have to provide credentials for authentication without knowing each other from prior sessions. In this case authentication must be based on certificates and a common trusted third party. A PKI is needed for certificate management through their lifecycle. Efficient and more sophisticated path verification(certificate based user authentication) algorithms are required in MANETs because mobile devices have limited processor capacity and memory storage. 153

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information