A PKI Based on Self-Signed Digital Certificates
Abstract
Public Key Infrastructures (PKI) have been used in scenarios where trust must be established between two entities. In particular, they are commonly used to establish trust when accessing so-called “secure websites” over SSL/TLS. However, with new initiatives such as ICP-Brasil (the Brazilian PKI) and the growing use of digital certification to sign electronic documents, some limitations of PKI have become clearer. This paper discusses inverting some PKI concepts to simplify the process of digital signature validation. By changing the way the user certificate is issued and modifying the responsibilities of Certification Authorities through the creation of a Validation Authority, which also replaces the main function of the Time Stamping Authority in digital signatures, we can reduce the effort spent on digital signature validation. We also propose a simple protocol for interacting with the Validation Authority.
