Abstract
Electronic commerce is becoming more and more commonplace, but security is still a major concern. To provide security, a good public-key infrastructure (PKI) is needed. However, PKIs have been slow in developing, with one of the major difficulties being the creation of certification authorities (CAs), and in particular, dealing with the problem of certificate revocation. We propose a new solution to this problem.
Our solution is based on the idea that individually signed certificates provide little information over any significant time period, given that they may be revoked. That is, after a certain amount of time, a certificate is not useful without some more recent knowledge that it has not been revoked. In all previous work, this has either been handled by off-line/on-line schemes, which require costly updates by the CA for every outstanding certificate for every update period, or by certificate revocation lists/trees.
We propose a system called EFECT (Easy Fast Efficient Certification Technique), which combines the best properties of individual certificates and certificate revocation trees. We show that EFECT allows CAs to be more secure, even while providing more frequent freshness updates for certificates, and making certification verification extremely lightweight. We compare EFECT to previously proposed systems, including traditional X.509 certificates and Certificate Revocation Lists (CRLs), SDSI/SPKI, Micali’s Certificate Revocation System (CRS), Kocher’s Certificate Revocation Trees (CRTs), and Naor and Nissim’s 2-3 Certificate Revocation Trees (23CRTs). Finally, we discuss some novel qualities of EFECT that no previous solution possesses.
References
Anderson, R.: Why Cryptosystems Fail, Fairfax (1993)
Internet X.509 Public Key Infrastructure, Certificate and CRL Profile, Internet Draft, PKIX Working Group, http://www.ietf.org/internet-drafts/draft-ietf-pkix-ipki-part1-10.txt
Diffie, W., Hellman, M.E.: New Directions in Cryptography. IEEE Transactions on Information Theory IT-22(6), 644–654 (1976)
Kohnfelder, L.: Towards a Practical Public-key Cryptosystem, Bachelor’s thesis. MIT, Cambridge (1978)
Even, S., Goldreich, O., Micali, S.: On-Line/Off-Line Digital Signatures. Journal of Cryptology, 35–67 (1996)
Frankel, Y., Gemmell, P., MacKenzie, P., Yung, M.: Proactive RSA. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 440–454. Springer, Heidelberg (1997)
Herzberg, A., Jakobsson, M., Jarecki, S., Krawczyk, H., Yung, M.: Proactive public key and signature systems. In: The 4th ACM Symp. on Comp. and Comm. Security (April 1997)
Jutla, C., Yung, M.: PayTree: Amortized-Signature for Flexible MicroPayments. In: Second Usenix Workshop on Electronic Commerce (1996)
Kelsey, J., Schneier, B., Wagner, D.: Protocol Interactions and the Chosen Protocol Attack. In: CRYPTO 1998 (1998)
Kocher, P.: A Quick Introduction to Certificate Revocation Trees (CRTs), http://www.valicert.com/technology/
Merkle, R.: A Certified Digital Signature. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 218–238. Springer, Heidelberg (1990)
Micali, S.: Efficient Certificate Revocation, RSA Data Security Conference, San Francisco, California (January 1997)
Naor, M., Nissim, K.: Certificate Revocation and Certificate Update. In: Proceedings of Usenix 1998 (1998)
Internet X.509 Public Key Infrastructure, PKIX Roadmap, Internet draft, PKIX Working Group, http://www.ietf.org/internet-drafts/draft-ietf-pkix-roadmap-00.txt
Internet X.509 Public Key Infrastructure, ATOMIC CERTIFICATES, Internet draft, Narayan Raghu, IBM Global Services India ltd., http://www.ietf.org/internet-drafts/draft-raghu-atomic-certificates-00.txt
Can We Eliminate Revocation Lists? In: Proceedings of Financial Cryptography (1998). A link to this paper can be found at http://theory.lcs.mit.edu/rivest/publications.html
Links to SDSI and SPKI materials can be found at http://theory.lcs.mit.edu/cis/sdsi.html
Copyright information
© 2000 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Gassko, I., Gemmell, P.S., MacKenzie, P. (2000). Efficient and Fresh Certification. In: Imai, H., Zheng, Y. (eds) Public Key Cryptography. PKC 2000. Lecture Notes in Computer Science, vol 1751. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-46588-1_23
DOI: https://doi.org/10.1007/978-3-540-46588-1_23
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-66967-8
Online ISBN: 978-3-540-46588-1
eBook Packages: Springer Book Archive