Efficient authentication and verification of certificate status within public-key infrastructures

The paper presents a new on-line method for efficient authentication and verification of certificate status within Public-Key Infrastructures (PKIs). The method, based on a purposely conceived extension of the One-Way Accumulator (OWA) cryptographic primitive, permits to provide an explicit, concise, authenticated and not forgeable proof about the revocation status of each certificate. A thorough investigation on the performance attainable under different operating conditions shows that the devised method exhibits the same positive features of the well-known On-line Certificate Status Protocol (OCSP) as regards scalability, security and timeliness. Moreover, its peculiar characteristic of authenticating certificates status via a collective directory-signed proof leads to a significant reduction of the directory computational load, which turns out to be upper limited to a bound independent from the rate PKI\u2019s users perform certificate status verification operations. This feature is particularly remarkable in a high-traffic scenario, where performance bottlenecks could be exploited to induce a denial-of-service over the directory, as it may happen when OCSP is applied

An efficient and secure alternative to OCSP for public-key certificate revocation

This paper presents an on-line method for efficient authentication and verification of certificate status within Public-Key Infrastructures (PKIs). The proposed method has been devised as an alternative to the well-known Online Certificate Status Protocol (OCSP): it exhibits the same positive features of as regards scalability, security, timeliness and expressive power while significantly reducing the directory computational load, a particularly remarkable benefit especially in high-traffic scenarios, where performance bottlenecks could be exploited to induce a denial-of-service over the directory. This key feature has been achieved by means of a purposely conceived extension of the One-Way Accumulator (OWA) cryptographic primitive, which permits to provide an explicit, concise, authenticated and not forgeable proof about the revocation status of each certificate. A thorough investigation on the performance attainable shows that the devised method allows reducing the computational load up to an order of magnitude under normal operating conditions of the PKI in which it is deployed, and, for very intensive query activity, even to fix an upper bound independent from the rate PKI users perform certificate status verification operations