Certificate Path Research Articles

Identity-based undetachable digital signature for mobile agents in electronic commerce

To enable mobile agents signing securely on potentially malicious hosts in electronic commerce and other applications, we proposed the definition and security notion of identity-based undetachable digital signature schemes. More importantly, we proposed a concrete identity-based undetachable digital signature scheme with provable security. In the scheme, mobile agents need not carry the private key when they generate digital signatures on behalf of the original signer, so the private key will not be compromised. The encrypted function is combined with the original signer’s requirement, so misuse of the signing algorithm can be prevented. Moreover, because the scheme is identity-based, verification of the signatures generated by mobile agents does not require either verification of the entire certificate path or communication with the certification authority. Therefore, compared with existing undetachable signature schemes, the cost of verification is reduced and even the dependence on a stable network connection is weakened.

P2PM-pay: Person to Person Mobile Payment Scheme Controlled by Expiration Date

In this paper, we propose P2PM-pay scheme which provides two key points. The first key point is related with the mobile cash. In P2PM-pay scheme, the mobile cash is controlled by the expiration date. The expiration date is embedded into the mobile cash by partial blind signature during the withdrawal date, and the bank does not hold information about the operation. Moreover, we have considered the effective date and deposit date for administrative purposes. The effective date is when customers use their mobile cash to pay for products, and the deposit date is when merchants receive the funds in their bank account. The other key point is related with the authentication process among participants. Although P2PM-pay uses WTLS protocol, we propose a wireless public key infrastructure with an efficient certificate path validation. Furthermore, the design of the proposed scheme achieves successfully the security requirements described in previous works. Consequently, P2PM-pay is secure against well-known attacks and efficient in terms of processing time.

CPTIAS: a new fast PKI authentication scheme based on certificate path trust index

A key bottleneck in electronic business is the need to fetch and validate the server certificate before a secure connection can be established. Most current studies assume that the certificate has the same level of risk and less consideration different users have different security requirements, and even the same users has different security requirements in different scenarios. So we propose a new and flexible PKI authentication scheme based on certificate path trust index (CPTI). Analysis and experimental results show that users can give a trade off between security and efficiency, and the scheme has a higher efficiency and no bottleneck when authenticating with the higher level CAs.

Creating Virtual Hierarchy in Peer-to-Peer PKI to Simplify Certificate Path Discovery

Peer-to-Peer Public Key Infrastructure (also called Mesh PKI) architecture is one of the most popular PKI trust models that is widely used in Mobile Ad-hoc networks(MANETs), but certificate path verification is very complex since there are multiple paths between users and the certification path is bidirectional. Unlike a Hierarchical PKI, in Mesh PKI, building a certificate path from a user‟s certificate to a trust point is nondeterministic. Certificate Path verification in Hierarchical PKI is simple and straightforward. In this paper, a novel method to establish a virtual hierarchy in Mesh PKI to simplify the certificate path discovery is proposed.

Certificate Path Discovery by Constructing VirtualHierarchy to Administer Trust Relationship using Peer toPeer PKI in MANETs

Due to unreliable wireless media and lack of infrastructure in MANETs, providing certificate path is a big challenge and also faces a big security problem [1]. MANETs are dynamic Peer-to-Peer PKIs and certification path can be built in case any part of the infrastructure that is temporarily not reachable. Hence efficient path discovery is very important. Path discovery is difficult since trust relationship is bidirectional. Certification paths are easy to find in case of hierarchical PKI since there is only one path among two entities. To obtain resilience and efficient path discovery among Peer- to –Peer trusted PKI’ s for issuing entities we use a tool to address these problems by overlying a virtual hierarchical architecture. Since it is executed for short time in a dynamic atmosphere this is suitable in case of MANETs. Proposed technique to establish a virtual hierarchy in a Peerto- Peer PKI, based on the trustworthiness of the participating neighbors. The upward approach is used to build the hierarchical structure i.e. from the leaves to the root. The main importance is given for the multi-rooted approach in case of building a hierarchy, depending upon the possibility. In addition the protocol does not require to issue new certificates among PKI entities, facilitates the certification path discovery process and the maximum path length can be adapted to the characteristics of the users with limited processing and Storage capacity.

Certificate Path Verification in Hierarchical and Peer-to-Peer Public Key Infrastructures

Authentication of users in an automated business transaction is commonly realized by means of a Public Key Infrastructure(PKI). A PKI is a framework on which the security services are built. Each user or end entity is given a digitally signed data structure called digital certificate. In Hierarchical PKI, certificate path is unidirectional, so certificate path development and validation is simple and straight forward. Peer-to-Peer(also called Mesh PKI) architecture is one of the most popular PKI trust models that is widely used in automated business transactions, but certificate path verification is very complex since there are multiple paths between users and the certification path is bidirectional. In this paper, we demonstrate the advantage of certificate path verification in Hierarchical PKI based on forward path construction method over reverse path construction method with respect to the time requirement. We also propose a novel method to convert a peer-to-peer PKI to a Depth First Search(DFS) spanning tree to simplify the certificate path verification by avoiding multiple paths between users, since the DFS spanning tree equivalent of peer-to-peer PKI contains only one path between any two Certification Authorities.

Secure overlay networks for federated service provision and management

This paper presents the components and formal information model enabling the dynamic creation and management of secure overlay networks. Special attention will be paid to the solution provided to two important open issues: the definition of a certificate path building and validation algorithm (to ease the trust establishment and negotiation processes) and the definition and negotiation of SLAs in inter-domain secure overlay scenarios. Given a set of already existing domains with certain trust relationships, each overlay network allows the secure sharing of some (or all) of its services. For this, the administrator of each administrative domain will define using a formal information model which services he wants to share with any other domain, and which ones is he expecting from these other domains. Time and other networking conditions can also be indicated allowing secure overlay networks to be dynamically and automatically established and managed.

Towards Certificate-Based Authentication for Future Mobile Communications

Certificate-based authentication of parties provides a powerful means for verifying claimed identities, since communicating partners do not have to exchange secrets in advance for authentication. This is especially valuable for roaming scenarios in future mobile communications where users authenticate to obtain network access—service access may potentially be based thereon in integrated approaches—and where the number of access network providers and Internet service providers is expected to increase considerably. When dealing with certificates, one must cope with the verification of complete certificate paths for security reasons. In mobile communications, additional constraints exist under which this verification work is performed. These constraints make verification more difficult when compared to non-mobile contexts. Mobile devices may have limited capacity for computation and mobile communication links may have limited bandwidth. In this paper, we propose to apply PKI servers—such as implemented at FhG-SIT—that allow the delegation of certificate path validation in order to speed up verification. Furthermore, we propose a special structure for PKI components and specific cooperation models that force certificate paths to be short, i.e., the lenghts of certificate paths are upper-bounded to certain small values depending on the conditions of specific cases. Additionally, we deal with the problem of users who do not have Internet access during the authentication phase. We explain how we solved this problem and show a gap in existing standards.

Use of nested certificates for efficient, dynamic, and trust preserving public key infrastructure

Certification is a common mechanism for authentic public key distribution. In order to obtain a public key, verifiers need to extract a certificate path from a network of certificates, which is called public key infrastructure (PKI), and verify the certificates on this path recursively. This is classical methodology. Nested certification is a novel methodology for efficient certificate path verification. Basic idea is to issue special certificates (called nested certificates) for other certificates. Nested certificates can be used together with classical certificates in PKIs. Such a PKI, which is called nested certificate-based PKI (NPKI), is proposed in this paper as an alternative to classical PKI. The concept of "certificates for other certificates" results in nested certificate paths in which the first certificate is verified cryptographically while others are verified by just fast hash computations. Thus, we can employ efficiently verifiable nested certificate paths instead of classical certificate paths. NPKI is a dynamic system and involves several authorities in order to add a new user to the system. This uses the authorities' idle time to the benefit of the verifiers. We formulate the trade-off between the nested certification overhead and the time improvement on certificate path verification. This trade-off is numerically analyzed for a 4-level 20-ary balanced tree-shaped PKI and it has been shown that the extra cost of nested certification is in acceptable limits in order to generate quickly verifiable certificate paths for certain applications. Moreover, PKI-to-NPKI transition preserves the existing hierarchy and trust relationships in the PKI, so that it can be used for PKIs with fixed topology. Although there are many certificates in NPKI, certificate revocation is no more of a problem than with classical PKIs. NPKI even has an advantage on the number of certificate revocation controls: at most two certificate revocation controls are sufficient independent of the path length. Nested certificates can be easily adopted into X.509 standard certificate structure. Both verification efficiency and revocation advantage of NPKI and nested certificates make them suitable for hierarchical PKIs of wireless applications where wireless end users have limited processing power.

Analytical performance evaluation of nested certificates

The classical certificate systems are computationally inefficient, since they use signature operations based on public key cryptosystems. The nested certificates (A. Levi, Design and performance evaluation of the nested certification scheme and its applications in public key infrastructures, Ph.D. Thesis, Department of Computer Engineering, Boğaziçi University, Istanbul, Turkey) are proposed to improve the performance of the certificate verification. A nested certificate is a certificate for another, say subject, certificate. The subject certificates can be classical or other nested certificates. A subject certificate can be verified without using the public key cryptosystem operations. In this way, the nested certificates improve the performances of the certificate and certificate path verification. In this paper, analytical formulations and graphical analyses of the computational performance improvement of the nested certificate usage are given for both single subject certificate verification and certificate path verification cases. Moreover, it is also shown that the usage of nested certificates always improves the computational performances of the verification of a single certificate and the verification of a certificate path.