Abstract

Certificate revocation checking (CRC) is a fundamental requirement in certificate-based public-key cryptographic systems. Most existing CRC schemes are not tailored for edge-cloud computing systems, and directly applying these schemes would cause security and efficiency problems. In this paper, we first propose a two-layer edge-cloud-assisted CRC framework, dubbed ECA-CRC, where edge nodes utilizing a probabilistic checking algorithm serve as a first layer, and the cloud server utilizing a deterministic checking algorithm serves as a second layer. Both the edge nodes and the cloud server collaboratively provide verifiable CRC services for devices. The most prominent manifestations of ECA-CRC are that (1) most CRC requests can be processed with the probabilistic checking layer, which reduces the checking delay significantly while providing an accurate CRC service; (2) devices can detect the irresponsible behavior of the service provider, including using an incorrect revoked certificate set (RCS) to compute checking results or procrastinating on updating the RCS, as soon as possible. We then propose an efficient instantiation of ECA-CRC, dubbed eECA-CRC, by utilizing a Merkle hash tree (MHT) based homomorphic signature, Cuckoo filter, and Othello. We formally prove the security of eECA-CRC against the irresponsible service provider under the random oracle model. We implement an eECA-CRC prototype and conduct a comprehensive performance evaluation based on a public certificate database. Our results show that 95% of CRC requests are completed on the edge nodes, and only 5% of CRC requests need to be handled by the cloud server.
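The two-layer idea can be sketched in a few lines. The following is an added illustration, not code from the paper or its prototype: a small Cuckoo filter stands in for the edge layer and an exact set for the cloud layer. The routing rule (a filter miss is answered at the edge, a hit is escalated), the filter parameters and the serial numbers are assumptions, and the Othello structure and MHT-based signatures that make results verifiable are left out.

```python
import hashlib
def _h(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")

class CuckooFilter:
    """Edge layer: compact fingerprints, no false negatives, rare false positives."""
    def __init__(self, n_buckets=128, bucket_size=4, max_kicks=200):
        # n_buckets must be a power of two so _alt() is its own inverse.
        self.n, self.bsize, self.max_kicks = n_buckets, bucket_size, max_kicks
        self.buckets = [[] for _ in range(n_buckets)]

    def _alt(self, i: int, fp: int) -> int:
        return (i ^ _h(bytes([fp]))) % self.n
    def _slots(self, item: bytes):
        fp = _h(b"fp" + item) % 255 + 1      # 8-bit, non-zero fingerprint
        i1 = _h(item) % self.n
        return fp, i1, self._alt(i1, fp)

    def insert(self, item: bytes) -> None:
        fp, i1, i2 = self._slots(item)
        i = i1 if len(self.buckets[i1]) < self.bsize else i2
        for kick in range(self.max_kicks):
            if len(self.buckets[i]) < self.bsize:
                self.buckets[i].append(fp)
                return
            slot = kick % self.bsize         # evict a resident fingerprint
            fp, self.buckets[i][slot] = self.buckets[i][slot], fp
            i = self._alt(i, fp)
        raise RuntimeError("filter full: rebuild with more buckets")

    def might_contain(self, item: bytes) -> bool:
        fp, i1, i2 = self._slots(item)
        return fp in self.buckets[i1] or fp in self.buckets[i2]

def check(serial: bytes, edge: CuckooFilter, cloud_rcs: set):
    """Return (status, layer). Assumed routing: a filter miss is final."""
    if not edge.might_contain(serial):
        return "good", "edge"
    return ("revoked" if serial in cloud_rcs else "good"), "cloud"

def run_demo():
    # Constructed data: 100 revoked serials, 2000 queries (5% revoked).
    rcs = {b"serial-%d" % i for i in range(100)}
    edge = CuckooFilter()
    for s in sorted(rcs): edge.insert(s)
    results = {s: check(s, edge, rcs) for s in (b"serial-%d" % i for i in range(2000))}
    wrong = [s for s, (st, _) in results.items() if (st == "revoked") != (s in rcs)]
    at_edge = sum(1 for _, layer in results.values() if layer == "edge")
    return len(wrong), at_edge, len(results)
```

`run_demo()` returns the number of wrong answers, the number of requests answered at the edge, and the total. Because the filter has no false negatives, a revoked certificate is never cleared at the edge; only filter hits (revoked certificates plus the occasional false positive) reach the exact check.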
