Certificate Revocation using Fine Grained Certificate Space Partitioning



Vipul Goyal
Department of Computer Science, University of California, Los Angeles
vipul@cs.ucla.edu

Abstract

A new certificate revocation system is presented. The basic idea is to divide the certificate space into several partitions, the number of partitions being dependent on the PKI environment. Each partition contains the status of a set of certificates. A partition may either expire or be renewed at the end of a time slot. This is done efficiently using hash chains. We evaluate the performance of our scheme following the framework and numbers used in previous papers. We show that for many practical values of the system parameters, our scheme is more efficient than the three well known certificate revocation techniques: CRL, CRS and CRT. Our scheme aims to strike the right balance between CA to directory communication costs and query costs by carefully selecting the number of partitions.

1 Introduction

A certificate is a digitally signed statement binding the key holder's (principal's) name to a public key and various other attributes. The signer (or the issuer) is commonly called a certificate authority (CA). Certificates act as a means to provide trusted information about the CA's declaration w.r.t. the principal. The declaration may be of the form: "We, the Certificate Authority, declare that we know Alice. The public key of Alice is ... We further declare that we trust Alice for ... (optional part)". Certificates are tamper-evident (modifying the data makes the signature invalid) and unforgeable (only the holder of the secret signing key can produce the signature). Certificates are the building blocks of a Public Key Infrastructure (PKI).

When a certificate is issued, the CA declares the period of time for which the certificate is valid. However, there may be situations when the certificate must abnormally be declared invalid prior to its expiration date. This is called certificate revocation. This can be viewed as blacklisting the certificate. This means that the existence of a certificate is a necessary but not sufficient evidence for its validity. A method for revoking certificates and distributing this revocation information to all the involved parties is thus a requirement in PKI. The reasons for revoking a certificate may be: suspected or detected key compromise, change of principal name, change of relationship between a principal and the CA (e.g., Alice may leave or be fired from the company) or end of the CA's trust in the principal due to any possible reason. The revocation mechanism should have an acceptable degree of timeliness, i.e., the interval between when the CA made a record of revocation and when this information became available to the relying parties should be small enough to be acceptable. Further, it is very important for the revocation mechanism to be efficient, as the running expenses of a PKI derive mainly from administering revocation [Stu95].

Existing Techniques for Certificate Revocation. Certificate Revocation List (CRL) is the first and the simplest method of certificate revocation. A CRL is a periodically issued and digitally signed list containing the serial numbers of all the revoked certificates issued by a particular CA. However, it is widely recognized [Mic97, Goy04, Riv98] that CRLs are too costly and cannot provide a good degree of timeliness. Certificate Revocation System (CRS) [Mic96, Mic97, Mic02] was introduced by Micali and could answer the user queries with exceptional efficiency. The main problem with CRS is that it is not suitable in case of a distributed query answering system. The CA to directory communication (footnote 1) is too high, shooting up the overall cost of the system [NN98, ALO98]. Aiello et al. [ALO98] proposed an improvement to CRS aimed at reducing this communication, but their approach had problems, as we discuss in section 2.2. Certificate Revocation Tree (CRT) [Koc98] is the third well known technique for certificate revocation. Though the CA to directory communication is very low, the query cost is too high, again shooting up the overall cost of the system. Another technique for certificate revocation is the Online Certificate Status Protocol (OCSP) [OCSrg] designed by the IETF. In OCSP, the CA simply digitally signs the response to a certificate status query. Thus, OCSP may provide a very high degree of timeliness but is recognized to be non-scalable since the CA is required to compute a signature for answering every query. Further, OCSP has no distributed implementation, i.e., it cannot be used in settings where there should be a number of un-trusted directories answering the user queries. Using techniques from identity based encryption [BF01], Gentry [Gen03] proposed a new cryptosystem having attractive properties in terms of revocation. However, it was not a generic revocation solution and could not be used with existing cryptosystems (such as RSA). Other revocation techniques include [DBW01, BLL00, GGM00, MJ00]. See [Zhe03] for an analysis of these techniques.

Footnote 1: The terms "CA to directory communication cost" and "directory update cost" are used interchangeably in this paper.

Our Contribution. Motivated by the CA to directory communication cost (CDCC) and the query cost (QC) imbalances in both CRS and CRT, we propose a new system aimed at balancing the two. CRS and CRT are the two extremes, CDCC being very high and QC being extremely low in the former, and CDCC being extremely low and QC being too high in the latter. Our technique aims at striking the right balance between CDCC and QC to minimize the system cost. The basic idea is to divide the total certificate space into several partitions. The number of partitions is a key parameter which can be optimized to reduce the overall communication cost. Each partition has a unique serial number, is digitally signed and contains the status of a set of certificates. At the end of a time slot, a partition may either expire or be renewed depending upon whether there was a status change for any of the certificates covered by it or not. Renewing a partition is done by exposing a link of the hash chain whose tip is embedded in that partition. Our system is named CSPR (certificate space partitioning with renewals). As we show in section 4, the overall communication cost of our system is less than that of the three widely used revocation techniques, i.e., CRL, CRS and CRT, for many practical values of the system parameters.

The rest of the paper is organized as follows: section 2 gives a background on hash chains and common certificate revocation techniques, section 3 introduces the proposed system called CSPR, section 4 evaluates the CSPR costs and compares it with other techniques in use, and section 5 concludes the paper.

2 Background

2.1 Hash Chains

A hash chain of length L is constructed by applying a one-way hash function H(.) recursively to an initial seed value s:

$$H^L(s) = \underbrace{H(H(\ldots H(s)))}_{L \text{ times}}$$

The last element $H^L(s)$, also called the tip T of the hash chain, has the property that, given $H^L(s)$, $H^{L-1}(s)$ cannot be computed but its correctness can be verified.

2.2 Certificate Revocation Techniques

Certificate Revocation List (CRL) is the first and the simplest method of certificate revocation. A CRL is simply a periodically issued, time-stamped and digitally signed list containing the serial numbers of all the revoked certificates issued by a particular CA.

Certificate Revocation Status (CRS) was introduced by Micali [Mic96, Mic97, Mic02]. It was also patented and commercialized. The basic idea is as follows. For certificate creation, the CA chooses two random numbers $Y_0$ and $N_0$ and computes $Y = H^{365}(Y_0)$ and $N = H(N_0)$. These two fields are included in the certificate and are signed along with the other usual fields. The number 365 denotes the number of days in the year. On the i-th day:

1. if the certificate is revoked, the CA releases $N_0$, which can be verified by hashing and comparing with N specified in the certificate;
2. if the certificate is still valid, the CA releases $H^{365-i}(Y_0)$, which can be verified by hashing i times and comparing with Y specified in the certificate.

Aiello et al. [ALO98] extended CRS by reducing the overall CA to directory communication while still maintaining the same tiny query communication. This is done by including $\log_2(N)$ hash chain tips in each certificate, N being the number of certificates in the system. Although the reduction in CDCC was high for low revocation rates, the same cannot be said for systems with higher revocation rates. Further, this improvement comes at the price of a significant increase in the certificate transmission costs due to the increase in the certificate size.

Certificate Revocation Tree (CRT) was introduced by Kocher [Koc98, NN98]. A CRT is based on a Merkle hash tree [Mer89] containing certificate serial number ranges as the tree leaves. The root of the hash tree is signed by the CA. Now, the certificate status proof for a certificate with serial number s consists of the path node siblings from the root to the appropriate leaf (having s in its range), in addition to the signature on the root of the tree.

3 The Proposed Technique

We start by explaining a few notations to be used in the rest of the paper.

N: The total number of certificates handled by the CA.
R: The estimated number of certificates (out of N) that will eventually be revoked prior to expiration.
T: The number of time slots for which a certificate is issued. One time slot is the duration between two certificate status information releases by the CA (e.g., for a weekly CRL, the time slot is one week). It represents the maximum amount of time between when a certificate gets revoked by the CA and when the new status is made available to the relying parties.
q: Estimated average number of queries per day handled by the system.
$T_i$: Representation of the i-th absolute time slot, i.e., the i-th time slot after the CA has started operation.
P: The number of partitions in which the total certificate space of N certificates is divided. P is the key parameter in our scheme. We discover later the technique to find out the optimal value of P for a given set of system parameters.
$S_i$: The serial number of the i-th partition.
n: The number of certificates whose status is contained in one partition. We have $n P = N$.
$P_{ij}$: The version of the i-th partition created and released at the beginning of the j-th time slot $T_j$. We talk more about versions of a partition later.
D: Number of directories in the system.
U: Number of updates to the directories per day. Hence, U is equal to the number of time slots in one day.
$S_{CA}(M)$: Signature on the message M with the private key of the CA.
$L_{SR}$: The number of bits needed to hold a serial number (of a certificate or partition).
$L_H$: The length of the hash function output in bits.
$L_S$: The length of a digital signature in bits.
$L_P$: The length of a partition in bits.
$L_T$: The number of bits needed to hold a time slot number.

3.1 Creating Partitions

Unlike CRS, and like CRT and CRL, our solution works for non-custom-built certificates. While CRS requires the certificates to have two additional fields Y and N, our technique can be used with any set of certificates having serial numbers. This may be especially important while migrating an existing PKI from one certificate revocation solution to another.

As discussed before, the basic idea is to divide the certificate space into a number of partitions, each partition containing the revocation status of the certificates with serial numbers in a particular range. Note that a partition may have several versions. When a certificate contained in a partition changes status (i.e., gets revoked), the current version of that partition is said to have expired and a new version, reflecting the new certificate status, is created and released by the CA at the beginning of the next time slot. If none of the certificates in a particular partition gets revoked during a time slot, the same version is renewed by the CA by exposing a hash chain link at the beginning of the next time slot. The details follow.

The CA divides the whole certificate space into P partitions (footnote 2), each partition containing the status information of n certificates having consecutive serial numbers. Each partition is given a unique serial number which is one less than the serial number of the first certificate in that partition. Hence, a partition having serial number $S_i$ contains the revocation status of certificates with serial numbers from $S_i + 1$ to $S_i + n$.

Each partition contains a field called Certificate Status Data (CSD). This field contains the revocation status of all the certificates in that partition. The j-th bit of the CSD of the i-th partition is 0 if the certificate with serial number $S_i + j$ is revoked and is 1 otherwise. Clearly, the size of this field is n bits, one bit each for holding the status of one certificate. We represent the CSD field of the i-th partition as $CSD_i$.

For creating a version $P_{ij}$ of the i-th partition to be released at the beginning of $T_j$, a hash chain of length L with seed $k_{ij}$ is constructed and its tip is specified in the partition. We talk more about the choice of L later. The seed $k_{ij}$ is chosen randomly by the CA. We have:

$$P_{ij} = S_{CA}\left(T_j,\ S_i,\ H^L(k_{ij}),\ CSD_i\right) \qquad (1)$$

where $CSD_i$ is the certificate status data at the beginning of $T_j$.

It is also possible to later add more certificates to the already existing set of certificates by adding new partitions. Since certificates may not always be added in chunks of n, we allow the new partition being added to have some non-existent certificates also. More precisely, a new partition will be created with all of its n CSD bits as 1. It is possible that there may not yet exist certificates with some of the serial numbers lying in the serial number range of that partition. Consequently, as more and more certificates are later added, there will be no need to add more partitions until there are no non-existent certificates in that partition.

Footnote 2: We discuss how to select P optimally later on.

3.2 System Operation

At the beginning of the time slot $T_k$, the CA does the following:

1. For all the partitions for which there was no change in the certificate status data (i.e., none of the certificates in that partition were revoked) during time slot $T_{k-1}$, the CA reveals the next link of the hash chain. For partition $P_{ij}$, the link $H^{L-(k-j)}(k_{ij})$ is revealed. All the directories in the system are updated with this new hash chain link. Hash chain traversal techniques [Jak02, CJ02, Sel03] may be used by the CA to efficiently compute the next link to be revealed. Note that $CSD_i$ need not be changed for a certificate which expired (but was not revoked) during the time slot $T_{k-1}$. Hence, it is perfectly possible that the status of a certificate is 1 even after it has expired.

2. For all the partitions for which the certificate status data changed during time slot $T_{k-1}$, a new version is released by the CA. The new version $P_{ik}$ for $P_{ij}$ is created as follows:

$$P_{ik} = S_{CA}\left(T_k,\ S_i,\ H^L(k_{ik}),\ CSD_i\right)$$

where $CSD_i$ is the new certificate status data for this partition. As an optimization, the CA need not send the whole new partition version to the directories. Instead, only the information which enables the directories to create the new partition version using the older version is sent. We call this information the partition update information (PUI). For a partition, the serial numbers of all the certificates revoked from it along with the new hash chain tip and the new signature suffice as PUI.

Now, during time slot $T_k$, a directory answers a user certificate status query for a serial number s by first locating the appropriate partition and then sending that partition and the latest hash chain link revealed for that partition to the user. More precisely, the directory finds an $S_i$ s.t. $(S_i + 1) \le s \le (S_i + n)$, locates its current (un-expired) version $P_{ij}$, and then sends back $P_{ij}$ along with $H^{L-(k-j)}(k_{ij})$. Note that there is no need to trust the directory for sending the un-expired versions only. A directory will be unable to produce the hash chain link $H^{L-(k-j)}(k_{ij})$ for a version $P_{ij}$ which expired prior to the beginning of time slot $T_k$.

The verifier can verify the status of the certificate from the response by:

1. making sure that $(S_i + 1) \le s \le (S_i + n)$ and the $(s - S_i)$-th bit of the $CSD_i$ contained in the sent $P_{ij}$ is 1,
2. verifying the CA signature on $P_{ij}$,
3. verifying that hashing the sent hash chain link (current time slot number − time slot number $T_j$ specified in $P_{ij}$) times matches the hash chain tip specified in $P_{ij}$.

Now we comment on the choice of L, the length of the hash chain. If a partition does not expire due to changes in its CSD, it will automatically expire when its hash chain links are exhausted. At this point, a new version will have to be created by the CA. Thus, simply, L should be large enough to ensure that the probability of the hash chain links being exhausted before the partition expires is reasonably low. A good choice for L seems to be T, the total number of time slots for which a certificate is valid. Assuming L = T, by the time the hash chain gets exhausted, all the certificates in the partition would have already expired.

3.3 System Costs

Now we determine the average daily cost of the proposed system in terms of bits. We have the following.

CA to Directory Communication Cost per Update (CDCCPU). CA to directory communication per update is comprised of the hash chain links for the unexpired partitions and the PUI for the expired partitions. The aggregate of all PUIs consists of the serial numbers of all the certificates revoked during the previous time slot plus the new hash chain tip and signature for all the expired partitions. Clearly, the average number of certificates revoked per time slot is R/T. Assuming E to be the average number of partitions expiring per time slot, we have the following:

$$CDCCPU = (P - E)\, L_H + \frac{R}{T}\, L_{SR} + E\,(L_H + L_S)$$

or,

$$CDCCPU = P\, L_H + \frac{R}{T}\, L_{SR} + E\, L_S \qquad (2)$$

E is clearly upper bounded by the number of certificates being revoked per time slot, i.e., R/T. However, since multiple revoked certificates may be from the same partition, E may actually be less than this value. E is equal to the number of bins having at least one ball when R/T balls are thrown into P bins. Hence, E may be computed as follows:

Probability of the i-th bin not having the ball when a ball is thrown into P bins $= \left(1 - \frac{1}{P}\right)$

Probability of the i-th bin not having a ball when R/T balls are thrown into P bins $= \left(1 - \frac{1}{P}\right)^{R/T}$

Expected number of bins having at least one ball = Total number of bins − Expected number of bins having no balls, or,

$$E = P - P \left(1 - \frac{1}{P}\right)^{R/T} \qquad (3)$$

Directory Query Cost per Day (QC). A query response consists of the appropriate partition plus a hash chain link indicating the proof of renewals. Hence, the daily query cost QC is

$$QC = q\,(L_P + L_H)$$
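The mechanics of sections 2.1, 3.1 and 3.2 (a hash chain, a partition version per equation (1), renewal by revealing the next link, expiry by issuing a new version, and the verifier's three checks) as an added, runnable example. This is not the paper's code; it assumes SHA-256 for H, HMAC-SHA256 over a canonical JSON encoding as a stand-in for the CA signature $S_{CA}$ (so the verifier holds the same key, unlike a real public-key signature), chain length L = T, and certificate serial numbers that start at 1. The `Directory`, `CA` and `demo` names are mine.

```python
# Added example (not the paper's code): a toy CSPR round trip with hashlib.
# Assumptions not in the paper: HMAC-SHA256 over canonical JSON stands in for
# S_CA, the chain length is L = T, and serial numbers are small ints from 1.
import hashlib
import hmac
import json
import secrets


def H(x: bytes) -> bytes:
    """The one-way hash H(.) of section 2.1, instantiated with SHA-256."""
    return hashlib.sha256(x).digest()


def hash_chain(seed: bytes, count: int) -> bytes:
    """H^count(seed): apply H `count` times; count == 0 returns the seed."""
    for _ in range(count):
        seed = H(seed)
    return seed


def partition_serial(s: int, n: int) -> int:
    """S_i is one less than the first serial of the partition covering s."""
    return (s - 1) // n * n


def sign(key: bytes, fields: dict) -> str:
    """Stand-in for S_CA(.): an HMAC over the canonical JSON of the fields."""
    msg = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class CA:
    def __init__(self, key: bytes, n: int, L: int):
        self.key, self.n, self.L = key, n, L
        self.revoked, self.dirty = set(), set()   # revoked serials; partitions whose CSD changed
        self.seeds, self.versions = {}, {}        # S_i -> k_ij ; S_i -> current version P_ij

    def new_version(self, S_i: int, slot: int) -> dict:
        """Equation (1): P_ij = S_CA(T_j, S_i, H^L(k_ij), CSD_i); bit j covers S_i + j."""
        self.seeds[S_i] = secrets.token_bytes(32)
        csd = [0 if S_i + j in self.revoked else 1 for j in range(1, self.n + 1)]
        fields = {"slot": slot, "serial": S_i,
                  "tip": hash_chain(self.seeds[S_i], self.L).hex(), "csd": csd}
        self.versions[S_i] = {**fields, "sig": sign(self.key, fields)}
        return self.versions[S_i]

    def revoke(self, s: int) -> None:
        self.revoked.add(s)
        self.dirty.add(partition_serial(s, self.n))

    def begin_slot(self, slot: int) -> dict:
        """Section 3.2: at the start of T_k, a chain link for each unchanged partition
        and a fresh version for each expired one (the PUI optimisation is omitted)."""
        update = {}
        for S_i, version in list(self.versions.items()):
            if S_i in self.dirty:
                update[S_i] = ("version", self.new_version(S_i, slot))
            else:  # reveal H^(L-(k-j))(k_ij); an expired version never gets another link
                hops = self.L - (slot - version["slot"])
                update[S_i] = ("link", hash_chain(self.seeds[S_i], hops).hex())
        self.dirty.clear()
        return update


class Directory:
    """An untrusted mirror: keeps each partition's version and its newest link."""
    def __init__(self):
        self.versions, self.links = {}, {}

    def apply(self, update: dict) -> None:
        for S_i, (kind, payload) in update.items():
            if kind == "version":   # at creation the newest link is the tip itself
                self.versions[S_i], self.links[S_i] = payload, payload["tip"]
            else:
                self.links[S_i] = payload

    def query(self, s: int, n: int):
        S_i = partition_serial(s, n)
        return self.versions[S_i], self.links[S_i]


def verify_status(key: bytes, s: int, version: dict, link_hex: str, current_slot: int) -> bool:
    """The relying party's three checks of section 3.2; True means 'not revoked'."""
    S_i, n = version["serial"], len(version["csd"])
    if not (S_i + 1 <= s <= S_i + n) or version["csd"][s - S_i - 1] != 1:  # check 1
        return False
    fields = {k: version[k] for k in ("slot", "serial", "tip", "csd")}
    if not hmac.compare_digest(sign(key, fields), version["sig"]):             # check 2
        return False
    hops = current_slot - version["slot"]                                      # check 3
    return hops >= 0 and hash_chain(bytes.fromhex(link_hex), hops).hex() == version["tip"]


def demo() -> dict:
    """Eight certificates in two partitions (n = 4) across three time slots."""
    key = b"constructed-demo-ca-key"
    ca, directory = CA(key, n=4, L=10), Directory()
    for S_i in (0, 4):
        directory.apply({S_i: ("version", ca.new_version(S_i, slot=1))})
    directory.apply(ca.begin_slot(2))                 # nothing revoked: two links revealed
    ok_slot2 = verify_status(key, 3, *directory.query(3, 4), current_slot=2)
    stale = directory.query(6, 4)                     # copy held by a lagging directory
    ca.revoke(6)                                      # happens during slot 2
    directory.apply(ca.begin_slot(3))                 # partition 4 expires, partition 0 renews
    return {"cert3_slot2": ok_slot2,
            "cert6_slot3": verify_status(key, 6, *directory.query(6, 4), current_slot=3),
            "cert5_slot3": verify_status(key, 5, *directory.query(5, 4), current_slot=3),
            "stale_cert6_slot3": verify_status(key, 6, *stale, current_slot=3)}
```

The last entry of `demo()` is the point the paper makes about untrusted directories: the stale copy of partition 4 still carries a valid signature and a CSD bit of 1 for certificate 6, but its newest link was revealed for slot 2, so hashing it (3 − 1) times overshoots the tip and the proof fails without the verifier needing to know anything about the directory.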

Total System Cost per Day (TC). Total daily cost TC of the system consists of updating each of the D directories U times plus the query costs. Hence, we have:

$$TC = U D \left(P\, L_H + \frac{R}{T}\, L_{SR} + E\, L_S\right) + q\,(L_P + L_H)$$

Further, from (1), we have:

$$L_P = L_T + L_{SR} + L_H + \frac{N}{P} + L_S$$

Thus,

$$TC = U D \left(P\, L_H + \frac{R}{T}\, L_{SR} + E\, L_S\right) + q \left(L_T + L_{SR} + 2 L_H + \frac{N}{P} + L_S\right) \qquad (4)$$

3.4 Optimal Number of Partitions

In this section, we determine the optimal value of P to minimize the total daily system cost. As will be clear in the next section, the total number of partitions P would usually be much higher than the number of certificates expiring per time slot. Hence, to simplify our analysis, we approximate E by R/T. We put this approximation of E in equation (4) and compute the minimum of its R.H.S. using differentiation. Differentiating the R.H.S. of (4) w.r.t. P and setting the result equal to zero, we get:

$$U D L_H - \frac{q N}{P^2} = 0$$

or,

$$P = \sqrt{\frac{N q}{U D L_H}} \qquad (5)$$

The above equation also gives useful insights on the issue of PKI expansion. As more and more certificates are added to the PKI to increase N, the number of queries per day, i.e. q, is also expected to increase by the same factor. This is because the number of daily verifications of a certificate (and hence the queries pertaining to it) is independent of N. q is also expected to increase linearly with N in Rivest's model [Riv98] of "certificate holder supplies all validity evidence to the verifier", in which, instead of the verifier, the holder sends periodic queries to obtain recent validity evidence for its certificate. Thus from (5), along with q, P also increases linearly with N. This means that the optimal size of (or the number of certificates in) a partition, i.e., n (= N/P), remains unaltered as the PKI expands. Hence, no extra efforts are needed to maintain optimality as the size of the PKI changes.

The above argument may not hold in some specialized PKIs. It is still possible to maintain optimality in such systems by periodically re-computing the optimal value of n and setting it as the partition size for new partitions being created. As certificates expire, older partitions will continue to get removed from the system (footnote 3). Hence, the system forever keeps migrating to the (currently) optimal value of the partition size.

Footnote 3: A partition will be removed from the system when all the certificates in it have expired.

4 Evaluation and Comparison

Following the framework of CRS [Mic96] and CRT [NN98], we evaluate the cost of the proposed system, called CSPR from here on. The following values of the parameters are assumed:

$N = 3 \times 10^6$, $R = 3 \times 10^5$, $q = 3 \times 10^6$, $T = 365\,U$, $L_H = 160$, $L_S = 1000$, $L_{SR} = 30$, $L_T = 20$

The above values are mostly taken from [NN98]. The evaluations are done for values of D between 0 and 10,000 and U between 1 and 100. Observe the value of T, the number of time slots. Since we assume that a certificate is issued for one year, T is equal to the number of days in one year (365) multiplied by the number of time slots in one day (U).

The comparison is done with CRL, CRS and CRT. Before going further, we compute the daily communication cost of each of these techniques.

Certificate Revocation Lists Daily Cost.

$$\text{Average CRL Size} = \frac{R}{2}\, L_{SR} + L_S$$

$$\text{Total Daily Cost} = D U \left(\frac{R}{2}\, L_{SR} + L_S\right) + q \left(\frac{R}{2}\, L_{SR} + L_S\right) \qquad (6)$$

Certificate Revocation System Daily Cost.

$$\text{Total Daily Cost} = D U\,(N L_H) + q\, L_H \qquad (7)$$

Certificate Revocation Tree Daily Cost. CA to directory communication per update consists of the serial numbers of the certificates revoked during the previous time slot and the new signature on the root of the Merkle tree. The query response consists of the tree path node siblings from the appropriate leaf to the root along with the root signature. Hence, we have:

$$\text{Total Daily Cost} = D U \left(\frac{R}{T}\, L_{SR} + L_S\right) + q \left(L_H \log_2 R + L_S\right) \qquad (8)$$

Table 1 summarizes the total daily system costs in bits for CRL, CRS and CRT using (6), (7) and (8) respectively, and for CSPR using (4) with the optimal number of partitions found using (5). The values are computed for various choices of D and U. The improvement of CRS due to [ALO98] appears in parentheses. It should be stated here that this improvement comes at the cost of increasing the certificate size by 3.5 KB. Assuming one certificate transmission per revocation status query, the increase in certificate transmission costs comes out to be $1.1 \times 10^{10}$ bits per day (not added in the table). Table 2 lists the optimal values of P and the corresponding n found using (5).

                      CRL          CRS                         CRT          CSPR
D = 0                 1.3 × 10^13  4.8 × 10^8  (4.8 × 10^8)    1.1 × 10^10  4.1 × 10^9
D = 10, U = 1         1.3 × 10^13  5.3 × 10^9  (2.3 × 10^9)    1.1 × 10^10  4.3 × 10^9
D = 100, U = 1        1.3 × 10^13  4.8 × 10^10 (1.8 × 10^10)   1.1 × 10^10  4.9 × 10^9
D = 100, U = 10       1.3 × 10^13  4.8 × 10^11 (1.8 × 10^11)   1.1 × 10^10  6.6 × 10^9
D = 100, U = 100      1.4 × 10^13  4.8 × 10^12 (1.8 × 10^12)   1.1 × 10^10  1.2 × 10^10
D = 1000, U = 100     1.4 × 10^13  4.8 × 10^13 (1.8 × 10^13)   1.1 × 10^10  2.9 × 10^10
D = 10,000, U = 100   1.8 × 10^13  4.8 × 10^14 (1.8 × 10^14)   1.3 × 10^10  8.8 × 10^10

Table 1: Daily System Costs in Bits for Common Revocation Techniques

                      Number of Partitions P   Certificates per partition n
D = 0                 3.0 × 10^6               1 × 10^0
D = 10, U = 1         7.5 × 10^4               4.0 × 10^1
D = 100, U = 1        2.4 × 10^4               1.2 × 10^2
D = 100, U = 10       7.5 × 10^3               4.0 × 10^2
D = 100, U = 100      2.4 × 10^3               1.2 × 10^3
D = 1000, U = 100     7.5 × 10^2               4.0 × 10^3
D = 10000, U = 100    2.4 × 10^2               1.2 × 10^4

Table 2: Optimal Values of P and the corresponding n for various values of D and U

Remark 1. As demonstrated by the above values, CRS and CRT are the two extremes, CRS having unbeatable query costs but having CA to directory communication as the bottleneck and CRT having unbeatable CA to directory communication but having query costs as the bottleneck. The proposed technique is able to balance the two costs by optimally choosing the number of partitions P and thus minimizing the overall cost of the system. Hence, P is the key parameter for CSPR.

Remark 2. The formula for the total cost of the system may be modified by assigning suitable weights to CDCC and QC. For example, in some low budget systems, CDCC may be assigned more weight to prevent the CA from becoming the communication bottleneck, while in others, QC may be assigned more weight to improve the user experience. Accordingly, the formula for P is modified (by taking the weights into account during differentiation) and P is still able to play the role of cost balancer between CDCC and QC.

Remark 3. The computation required to validate a certificate status proof is similar in CRL, CRT and CSPR (dominated by a signature verification). For lower update rates, CRS has an advantage as it does not require a signature verification. However, as the update rate increases, the computation starts becoming comparable to the others. This is because the average number of hash function evaluations required for validating one certificate status proof in CRS is 365U/2.
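The cost model of sections 3.3 and 3.4 and the comparison of section 4 (equations (2) to (8)) as an added example, written here and not taken from the paper, so that the rows of Tables 1 and 2 can be recomputed from the parameter set given above. Two assumptions of mine: the D = 0 case, where equation (5) has no finite solution, is handled by putting one certificate per partition (which is what Table 2 reports), and the cost functions take the CDCC/QC weights that Remark 2 describes in words, defaulting to 1 so they reduce to the paper's equations exactly. The exact E of equation (3) is used rather than the R/T approximation, which is why the CSPR values come out within rounding of Table 1.

```python
# Added example (not the paper's code): the daily-cost model of sections 3.3, 3.4
# and 4 on the parameter set of section 4. The D = 0 handling and the Remark 2
# weights (w_cdcc, w_qc) are my assumptions; with both weights at 1 the functions
# are equations (2) to (8) as printed.
import math

# Section 4 parameter set (all lengths in bits); T = 365 U is derived per row.
PARAMS = {"N": 3e6, "R": 3e5, "q": 3e6, "L_H": 160, "L_S": 1000, "L_SR": 30, "L_T": 20}


def expected_expiring(P: float, R: float, T: float) -> float:
    """Equation (3): bins with at least one ball when R/T balls land in P bins."""
    return P - P * (1 - 1 / P) ** (R / T)


def optimal_partitions(N, q, U, D, L_H, w_cdcc=1.0, w_qc=1.0) -> float:
    """Equation (5) with Remark 2 weights: P = sqrt(w_qc N q / (w_cdcc U D L_H)).
    With D = 0 the CA side costs nothing, so every certificate gets its own partition."""
    if U * D == 0:
        return float(N)
    return min(float(N), math.sqrt(w_qc * N * q / (w_cdcc * U * D * L_H)))


def cspr_cost(D, U, p=PARAMS, P=None, w_cdcc=1.0, w_qc=1.0) -> float:
    """Equation (4) with the exact E of (3); P defaults to the optimum of (5)."""
    T = 365 * U
    P = P or optimal_partitions(p["N"], p["q"], U, D, p["L_H"], w_cdcc, w_qc)
    E = expected_expiring(P, p["R"], T)
    cdccpu = P * p["L_H"] + p["R"] / T * p["L_SR"] + E * p["L_S"]        # equation (2)
    L_P = p["L_T"] + p["L_SR"] + p["L_H"] + p["N"] / P + p["L_S"]         # partition length
    return w_cdcc * U * D * cdccpu + w_qc * p["q"] * (L_P + p["L_H"])


def crl_cost(D, U, p=PARAMS) -> float:
    """Equation (6): every update and every query carries the average CRL."""
    avg_crl = p["R"] / 2 * p["L_SR"] + p["L_S"]
    return D * U * avg_crl + p["q"] * avg_crl


def crs_cost(D, U, p=PARAMS) -> float:
    """Equation (7): one hash value per certificate per update, one per query."""
    return D * U * p["N"] * p["L_H"] + p["q"] * p["L_H"]


def crt_cost(D, U, p=PARAMS) -> float:
    """Equation (8): revoked serials plus a root signature per update; a Merkle path per query."""
    T = 365 * U
    return (D * U * (p["R"] / T * p["L_SR"] + p["L_S"])
            + p["q"] * (p["L_H"] * math.log2(p["R"]) + p["L_S"]))


SETTINGS = ((0, 1), (10, 1), (100, 1), (100, 10), (100, 100), (1000, 100), (10000, 100))


def cost_table(settings=SETTINGS, p=PARAMS) -> list:
    """One row per (D, U) of Tables 1 and 2: optimal P, n = N/P and the four daily costs."""
    rows = []
    for D, U in settings:
        P = optimal_partitions(p["N"], p["q"], U, D, p["L_H"])
        rows.append({"D": D, "U": U, "P": P, "n": p["N"] / P,
                     "CRL": crl_cost(D, U, p), "CRS": crs_cost(D, U, p),
                     "CRT": crt_cost(D, U, p), "CSPR": cspr_cost(D, U, p, P)})
    return rows


def cheapest(row: dict) -> str:
    """Name of the technique with the lowest daily cost in a row of the table."""
    return min(("CRL", "CRS", "CRT", "CSPR"), key=row.get)


if __name__ == "__main__":
    for row in cost_table():
        print(f"D={row['D']:>5} U={row['U']:>3}  P={row['P']:9.0f} n={row['n']:8.1f}  "
              f"CRL={row['CRL']:.1e} CRS={row['CRS']:.1e} CRT={row['CRT']:.1e} "
              f"CSPR={row['CSPR']:.1e}  cheapest={cheapest(row)}")
```

Running it prints the crossover that Remark 1 describes: CRS wins only at D = 0, CSPR is cheapest for the moderate D and U rows, and CRT takes over once U·D is large enough that the P·L_H term of equation (2), multiplied by U·D, dominates. Passing `w_cdcc` greater than 1 to `optimal_partitions` shrinks P, which is the Remark 2 adjustment for a CA that must not become the communication bottleneck.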

Distribution Degree and System Timeliness                              CRS         CRT         CSPR
Centralized system or a system having very low distribution degree     Suitable    QC High     QC High
Moderately low to moderately high timeliness or distribution degree    CDCC High   QC High     Suitable
Very high timeliness or distribution degree                            CDCC High   Suitable    TC High

Table 3: Revocation Technique Selection

Future Work. An interesting observation in the proposed system is that the partitions (without hash chains) may actually be treated as ordinary certificates and our scheme may be recursively applied. The notion of partition expiry may be replaced with the notion of partition revocation. Level 2 partitions may be created which will contain the status of a number of level 1 (ordinary) partitions having consecutive serial numbers. A level 2 partition will have hash chains as the renewal mechanism and will expire as soon as any of the level 1 partitions in it expires (gets revoked). Similarly, level 3 partitions and so on are possible, the extreme being a tree of partitions of different levels. The above approach may be worth exploring in environments where the number of directories or updates per day is high. This is because it may reduce the CA to directory communication costs, which are quite high in such environments, though at the price of increasing the query costs.

5 Conclusions

We conclude by summarizing the suitability of various revocation schemes under different values of D and U in Table 3. D is an indicator of the distribution degree of the system while U is an indicator of system timeliness.

References

[ALO98] William Aiello, Sachin Lodha, and Rafail Ostrovsky. Fast digital identity revocation (extended abstract). In CRYPTO, pages 137–152, 1998.
[BF01] Dan Boneh and Matthew K. Franklin. Identity-based encryption from the Weil pairing. In Joe Kilian, editor, CRYPTO, volume 2139 of Lecture Notes in Computer Science, pages 213–229. Springer, 2001.
[BLL00] Ahto Buldas, Peeter Laud, and Helger Lipmaa. Accountable certificate management using undeniable attestations. In ACM Conference on Computer and Communications Security, pages 9–17, 2000.
[CJ02] Don Coppersmith and Markus Jakobsson. Almost optimal hash sequence traversal. In Financial Cryptography, pages 102–119, 2002.
[DBW01] Dan Boneh, Xuhua Ding, Gene Tsudik, and Chi Ming Wong. A method for fast revocation of public key certificates and security capabilities. In The 10th USENIX Security Symposium, pages 297–308, 2001.
[Gen03] Craig Gentry. Certificate-based encryption and the certificate revocation problem. In Eli Biham, editor, EUROCRYPT, volume 2656 of Lecture Notes in Computer Science, pages 272–293. Springer, 2003.
[GGM00] Irene Gassko, Peter Gemmell, and Philip D. MacKenzie. Efficient and fresh certification. In Public Key Cryptography, pages 342–353, 2000.
[Goy04] Vipul Goyal. Certificate revocation lists or online mechanisms. In Eduardo Fernández-Medina, Julio César Hernández Castro, and L. Javier García-Villalba, editors, WOSIS, pages 261–268. INSTICC Press, 2004.
[Jak02] M. Jakobsson. Fractal hash sequence representation and traversal, 2002. ISIT '02; available at http://eprint.iacr.org/2002/001 and www.markus-jakobsson.com.
[Koc98] Paul C. Kocher. On certificate revocation and validation. In Financial Cryptography, pages 172–177, 1998.
[Mer89] Ralph C. Merkle. A certified digital signature. In CRYPTO, pages 218–238, 1989.
[Mic96] Silvio Micali. Efficient certificate revocation. Technical Report MIT/LCS/TM-542b, 1996.
[Mic97] Silvio Micali. Efficient certificate revocation. In Proceedings 1997 RSA Data Security Conference, 1997.
[Mic02] Silvio Micali. Novomodo: Scalable certificate validation and simplified PKI management. In 1st Annual PKI Research Workshop - Proceedings, 2002.
[MJ00] Patrick Drew McDaniel and Sugih Jamin. Windowed certificate revocation. In INFOCOM, pages 1406–1414, 2000.
[NN98] Moni Naor and Kobbi Nissim. Certificate revocation and certificate update. In Proceedings 7th USENIX Security Symposium (San Antonio, Texas), Jan 1998.
[OCSrg] Online certificate status protocol, version 2. In Working document of the Internet Engineering Task Force (IETF), RFC 2560. Available from http://www.ietf.org.
[Riv98] Ronald L. Rivest. Can we eliminate certificate revocation lists? In Financial Cryptography, pages 178–183, 1998.
[Sel03] Yaron Sella. On the computation-storage trade-offs of hash chain traversal. In Financial Cryptography, pages 270–285, 2003.
[Stu95] Stuart Stubblebine. Recent-secure authentication: Enforcing revocation in distributed systems. In Proceedings 1995 IEEE Symposium on Research in Security and Privacy, pages 224–234, May 1995.
[Zhe03] Peifang Zheng. Tradeoffs in certificate revocation schemes. Computer Communication Review, 33(2):103–112, 2003.