Uma ICP baseada em certificados digitais autoassinados
Resumo
Infraestruturas de Chaves Públicas tem sido amplamente utilizadas em alguns contextos onde se deseja estabelecimento de confiança entre duas entidades. Em especial, seu uso é difundido no estabelecimento de confiança para acesso aos chamados “sites seguros”, através do SSL/TLS. Entretanto, com o advento de iniciativas como a ICP-Brasil e o uso crescente da certificação digital para assinatura digital de documentos eletrônicos, algumas limitações e dificuldades de implementação de ICPs tornaram-se mais evidentes. Este artigo discute a inversão de alguns conceitos de Infraestruturas de Chaves Públicas (ICP) para simplificar o processo de validação de uma assinatura digital. Alterando a forma que um certificado digital é emitido e modificando as responsabilidades de uma Autoridade Certificadora através da criação da Autoridade de Validação, que também substitui a principal função da Autoridade de Carimbo de Tempo, podemos reduzir o esforço de validação de uma assinatura digital. Propomos também um protocolo para interação com a Autoridade de Validação.
Referências
Adams, C., Cain, P., Pinkas, D., and Zuccherato, R. (2001). Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP). RFC 3161 (Proposed Standard). Updated by RFC 5816.
Boyen, X. and Martin, L. (2007). Identity-Based Cryptography Standard (IBCS) #1: Supersingular Curve Implementations of the BF and BB1 Cryptosystems. RFC 5091 (Informational).
CG ICP-Brasil (2010). Infraestrutura de Chaves Públicas Brasileira. http://www.icpbrasil.gov.br.
Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and Polk, W. (2008). Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. RFC 5280 (Proposed Standard).
Cooper, D. A. (1999). A Model of Certificate Revocation. In ACSAC ’99: Proceedings of the 15th Annual Computer Security Applications Conference, page 256, Washington, DC, USA. IEEE Computer Society.
Custódio, R., Vigil, M., Romani, J., Pereira, F., and da Silva Fraga, J. (2008). Optimized Certificates – A New Proposal for Efficient Electronic Document Signature Validation, volume 5057 of Lecture Notes in Computer Science. Springer Berlin Heidelberg, Berlin, Heidelberg.
Dierks, T. and Rescorla, E. (2008). The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246 (Proposed Standard). Updated by RFCs 5746, 5878.
Ellison, C., Frantz, B., Lampson, B., Rivest, R., Thomas, B., and Ylonen, T. (1999a). RFC2693: SPKI Certificate Theory. RFC Editor United States.
Ellison, C., Frantz, B., Lampson, B., Rivest, R., Thomas, B., and Ylonen, T. (1999b). SPKI Certificate Theory. RFC 2693 (Experimental).
Freeman, T., Housley, R., Malpani, A., Cooper, D., and Polk, W. (2007). Server-Based Certificate Validation Protocol (SCVP). RFC 5055 (Proposed Standard).
Gutmann, P. (2002). PKI: It’s Not Dead, Just Resting.
Hunter, B. (2002). Simplifying PKI usage through a client-server architecture and dynamic propagation of certificate paths and repository addresses. In Database and Expert Systems Applications, 2002. Proceedings. 13th International Workshop on, pages 505–510.
Kocher, P. C. (1998). On Certificate Revocation and Validation. In FC ’98: Proceedings of the Second International Conference on Financial Cryptography, pages 172–177, London, UK. Springer-Verlag.
Laih, C.-S. and Yen, S.-M. (1995). Improved Digital Signature Suitable for Batch Verification. IEEE Transactions on Computers, 44:957–959.
Levi, A., Caglayan, M. U., and Koc, C. K. (2004). Use of nested certificates for efficient, dynamic, and trust preserving public key infrastructure. ACM Transactions on Information and System Security (TISSEC), 7(1):21.
Lim, T.-L., Lakshminarayanan, A., and Saksen, V. (2008). A practical and efficient treelist structure for public-key certificate validation. In ACNS’08: Proceedings of the 6th international conference on Applied cryptography and network security, pages 392–410, Berlin, Heidelberg. Springer-Verlag.
Linn, J. (2004). An Examination of Asserted PKI Issues and Proposed Alternatives. Proceedings of the 3rd Annual PKI R&D Workshop.
Micali, S. (1995). Enhanced Certificate Revocation System. Massachusetts Institute of Technology, Cambridge, MA, pages 1–10.
Rivest, R. L. (1998). Can We Eliminate Certificate Revocations Lists? In FC ’98: Proceedings of the Second International Conference on Financial Cryptography, pages 178–183, London, UK. Springer-Verlag.
Rivest, R. L. and Lampson, B. (1996). SDSI - A Simple Distributed Security Infrastructure.
Satizábal, C., Martínez-Peláez, R., Forné, J., and Rico-Novella, F. (2007). Reducing the Computational Cost of Certification Path Validation in Mobile Payment. In EuroPKI ’07: Proceedings of the 4th European PKI workshop: Theory and Practice on Public Key Infrastructure, pages 280–296, Berlin, Heidelberg. Springer-Verlag.
Zimmermann, P. R. (1995). The official PGP user’s guide. MIT Press, Cambridge, MA, USA.
Boyen, X. and Martin, L. (2007). Identity-Based Cryptography Standard (IBCS) #1: Supersingular Curve Implementations of the BF and BB1 Cryptosystems. RFC 5091 (Informational).
CG ICP-Brasil (2010). Infraestrutura de Chaves Públicas Brasileira. http://www.icpbrasil.gov.br.
Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and Polk, W. (2008). Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. RFC 5280 (Proposed Standard).
Cooper, D. A. (1999). A Model of Certificate Revocation. In ACSAC ’99: Proceedings of the 15th Annual Computer Security Applications Conference, page 256, Washington, DC, USA. IEEE Computer Society.
Custódio, R., Vigil, M., Romani, J., Pereira, F., and da Silva Fraga, J. (2008). Optimized Certificates – A New Proposal for Efficient Electronic Document Signature Validation, volume 5057 of Lecture Notes in Computer Science. Springer Berlin Heidelberg, Berlin, Heidelberg.
Dierks, T. and Rescorla, E. (2008). The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246 (Proposed Standard). Updated by RFCs 5746, 5878.
Ellison, C., Frantz, B., Lampson, B., Rivest, R., Thomas, B., and Ylonen, T. (1999a). RFC2693: SPKI Certificate Theory. RFC Editor United States.
Ellison, C., Frantz, B., Lampson, B., Rivest, R., Thomas, B., and Ylonen, T. (1999b). SPKI Certificate Theory. RFC 2693 (Experimental).
Freeman, T., Housley, R., Malpani, A., Cooper, D., and Polk, W. (2007). Server-Based Certificate Validation Protocol (SCVP). RFC 5055 (Proposed Standard).
Gutmann, P. (2002). PKI: It’s Not Dead, Just Resting.
Hunter, B. (2002). Simplifying PKI usage through a client-server architecture and dynamic propagation of certificate paths and repository addresses. In Database and Expert Systems Applications, 2002. Proceedings. 13th International Workshop on, pages 505–510.
Kocher, P. C. (1998). On Certificate Revocation and Validation. In FC ’98: Proceedings of the Second International Conference on Financial Cryptography, pages 172–177, London, UK. Springer-Verlag.
Laih, C.-S. and Yen, S.-M. (1995). Improved Digital Signature Suitable for Batch Verification. IEEE Transactions on Computers, 44:957–959.
Levi, A., Caglayan, M. U., and Koc, C. K. (2004). Use of nested certificates for efficient, dynamic, and trust preserving public key infrastructure. ACM Transactions on Information and System Security (TISSEC), 7(1):21.
Lim, T.-L., Lakshminarayanan, A., and Saksen, V. (2008). A practical and efficient treelist structure for public-key certificate validation. In ACNS’08: Proceedings of the 6th international conference on Applied cryptography and network security, pages 392–410, Berlin, Heidelberg. Springer-Verlag.
Linn, J. (2004). An Examination of Asserted PKI Issues and Proposed Alternatives. Proceedings of the 3rd Annual PKI R&D Workshop.
Micali, S. (1995). Enhanced Certificate Revocation System. Massachusetts Institute of Technology, Cambridge, MA, pages 1–10.
Rivest, R. L. (1998). Can We Eliminate Certificate Revocations Lists? In FC ’98: Proceedings of the Second International Conference on Financial Cryptography, pages 178–183, London, UK. Springer-Verlag.
Rivest, R. L. and Lampson, B. (1996). SDSI - A Simple Distributed Security Infrastructure.
Satizábal, C., Martínez-Peláez, R., Forné, J., and Rico-Novella, F. (2007). Reducing the Computational Cost of Certification Path Validation in Mobile Payment. In EuroPKI ’07: Proceedings of the 4th European PKI workshop: Theory and Practice on Public Key Infrastructure, pages 280–296, Berlin, Heidelberg. Springer-Verlag.
Zimmermann, P. R. (1995). The official PGP user’s guide. MIT Press, Cambridge, MA, USA.
Publicado
11/10/2010
Como Citar
MOECKE, Cristian Thiago; CUSTÓDIO, Ricardo Felipe; KOHLER, Jonathan Gehard; CARLOS, Marcelo Carlomagno.
Uma ICP baseada em certificados digitais autoassinados. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 10. , 2010, Fortaleza.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2010
.
p. 91-104.
DOI: https://doi.org/10.5753/sbseg.2010.20580.
