An Alternative to Short Lived Certificates

By

Vipul GoyalDepartment of Computer Science & Engineering

Institute of TechnologyBanaras Hindu University

Certificates• It is not possible for everyone to store everyone’s

public key

• Thus, everyone stores the public key of a single entity called Certificate Authority (CA)

• CA issues certificates to everyone. A certificate is a statement signed by the CA and containing

1) Identity of the person

2) Public key of the person

3) Serial number and validity period

Certificates thus can be used for verifying the digital signature of a person

Certificate Revocation

•There may be situations when a certificates should be declared invalid

•Reasons include – compromise of private key, Alice may leave or be fired from the company, Alice may change her identity by changing her last name etc.

•Especially important in e-commerce and payment systems to avoid fake digital signatures

Question

How should a verifier know that the signer’s certificates has been revoked ???

Answer

Certificate Revocation Techniques

Certificate Revocation Techniques

• Commonly used- CRLs, CRS, CRT, online techniques

• Online methods are the most timely and are the only ones offering real time revocation information. Disadvantages are high computational requirements

Short Lived Certificates

• Proposed by Rivest, recommended to be used in SPKI and SDSI

• issue a certificate for a small time period

• Simply issue and send a new certificate when the older one expires or when then the older one does not satisfy the recency policy of the acceptor

• Advantages: All validity evidence supplied by the sender, acceptor is able to set the recency requirements

• Disadvantages: Large bandwidth and computation required for renewal, requires trusted directories in case of a distributed system

Proposed Certificate Renewal Method

• Sender sends a certificate (optional, if not already cached) as well as a certificate renewal to the verifier

• Verifier makes sure that the time on the renewal satisfies her recency criteria. If not, it rejects the certificate and notifies the sender.

• If rejected, sender obtains a new certificate renewal from the CA as follows-• Sender queries the certificate renewal authority

(CRA) by just sending its certificate serial number• CRA checks the revocation status of this serial

number. If unrevoked, it creates a digitally signed renewal containing the certificate serial number and the current time stamp.

• Digital signature is done using the treesign technique discussed later.

Proposed Certificate Renewal Method Contd..

• Sender sends back the certificate (optional) as well as the new certificate renewal to the verifier

• Verifier again makes sure that the time on the renewal satisfies her recency criteria.

• Verifier checks the certificate signature (if not cached) and the renewal signature and accepts the certificate

General Advantages of the Proposed Technique

• Acceptor able to set recency requirements, not possible in CRLs, CRS etc

• Uniform load distribution, everyone doing his own work

• Uniform request distribution for CRA server• No latency of validation like in CRLs• Bandwidth consumption is low as individual proof of

validity are there

Comparison with Short Lived Certificates

• Network load is lower since-• Certificate renewal is significantly smaller than

the complete certificate• Certificates can be cached by the verifier

• Computational load-• No change for sender, somewhat lower for the

CRA• If certificate not cached, then higher for verifier,

else somewhat lower• Storage requirements for CRA is reduced. No need

of storing certificate attributes. This is an also an advantage if data specified on the certificate is sensitive and should be not be moved outside the organization e.g. client infomation

Comparison with Short Lived Certificates

• Security of CA key is increased since it need not be placed online, i.e. the certificate creation and renewal keys may be different. Failure of one system does not imply the failure of other

• Clean separation between creation and renewal and hence outsourcing is possible

Tree Signatures

• Uses the concept of hash trees also called merkle trees. Can be used to reduce load on the signature servers handling a large number of requests per unit time. But increases the signature sign and introduces a signing delay.

• The CRA collects a set of certificate renewals to be signed

• The H(renewals) to be signed are placed on the leaves of a tree

• Inner nodes of are tree are calculated as the hash of concatenation of its two children

• Finally we reach the root of the tree

Tree Signatures Contd …

• CRA signs the root using regular signature schemes like RSA

• The signature on the renewal is now -• the signature on the root, and• The path regeneration nodes from the renewal

leaf to the root. These nodes are the siblings of the path from the leaf to the root.

• This technique dramatically decreases computation as n number of messages may be signed using a single signature generation and 2n-1 hash function computations

Tree Signatures Contd …

• An idea of computation reduction-• A machine which was earlier able to sign 2

renewals per second can now sign 5000 renewals per second by introducing a response time delay of 1 second

• A machine which was earlier able to sign 20 renewals per second can now sign 50000 renewals per second by introducing a response time delay of 0.1 second

• Security can be proven with the following assumptions-• Hash function is collision resistance• Scheme used to sign root is secure

Thank you you