Certificate Revocation Research Articles

Self-Sovereign Identity (SSI) is a recent development in identity and access management that is based on Distributed Ledger Technology (DLT) and offers individuals and organizations control over their data. In contrast, Open Radio Access Networks (O-RAN) provide a platform for sharing radio infrastructure and data between users and mobile network operators (MNOs). Therefore, the integration of SSI with O-RAN provides an opportunity for decentralized, secure identity management that promotes a more transparent, efficient, and user-centric network environment. First, we propose the general architecture and perform a detailed threat model and security analysis, in which we identify the potential vulnerabilities and explain how our multi-layered security strategy mitigates these risks. The authentication process is also strengthened by the integration of Quantum Key Distribution (QKD) to ensure quantum-resistant security. We have carried out simulations to evaluate the efficiency of our system for credential operations, revealing that the average time for most credential operations is within a reasonable range (between 39- 750 ms), even when the request volume increases to 100,000. The proposed system efficiently maintains credential offering, presentation, connection creations, signing, and credential revocation times, which emphasizes its ability to effectively balance security and performance. In addition, our QKD simulations show several key management performance metrics. In the impact discussions, we address the potential integration of QKD into the authentication process to significantly increase security, with the system effectively managing key management and authentication times in a scalable manner. In addition, at the end of the paper, we discuss challenges, rationales, and technical aspects in O-RAN environments.

As a new generation of mobile communication networks, 6G security faces many new security challenges. Vehicle to Everything (V2X) will be an important part of 6G. In V2X, connected and automated vehicles (CAVs) need to frequently share data with other vehicles and infrastructures. Therefore, identity revocation technology in the authentication is an important way to secure CAVs and other 6G scenario applications. This paper proposes an efficient credential revocation scheme with a four-layer architecture. First, a rapid pre-filtration layer is constructed based on the cuckoo filter, responsible for the initial screening of credentials. Secondly, a directed routing layer and the precision judgement layer are designed based on the consistency hash and the dynamic RSA accumulator. By proposing the dynamic expansion of the RSA accumulator and load-balancing algorithm, a smaller and more stable revocation delay can be achieved when many users and terminal devices access 6G. Finally, a trusted storage layer is built based on the blockchain, and the key revocation parameters are uploaded to the blockchain to achieve a tamper-proof revocation mechanism and trusted data traceability. Based on this architecture, this paper also proposes a detailed identity credential revocation and verification process. Compared to existing solutions, this paper’s solution has a combined average improvement of 59.14% in the performance of the latency of the cancellation of the inspection, and the system has excellent load balancing, with a standard deviation of only 11.62, and the maximum deviation is controlled within the range of ±4%.

In today’s fast-evolving threat landscape, ransomware attacks have become more sophisticated, faster, and more destructive leaving traditional Security Operations Center (SOC) response strategies struggling to keep pace. Traditional SOC workflows struggle to match the speed and complexity of modern ransomware attacks. Manual processes like alert triage, incident scoping, and containment often consume critical hours giving adversaries ample opportunity to encrypt data, exfiltrate assets, and demand ransoms. AI-optimized SOC playbooks are redefining this paradigm by automating the entire investigation lifecycle. Leveraging machine learning, LLMs, and real-time telemetry analysis, these systems rapidly identify high-fidelity threats, enrich alerts with contextual intelligence, and scope incidents with minimal analyst input reducing response time from hours to mere minutes. Generative AI further accelerates this shift by auto-generating attack summaries, mapping indicators to known threat tactics, and recommending or initiating containment actions such as isolation or credential revocation. These playbooks evolve continuously by learning from analyst feedback and past events, improving both accuracy and efficiency over time. The result is a measurable reduction in mean-time-to-detect (MTTD) and mean-time-to-respond (MTTR), while empowering SOC analysts to focus on strategic analysis over repetitive triage. As ransomware campaigns grow faster and more autonomous, adopting AI-driven SOC playbooks has become a mission-critical step for organizations seeking proactive, resilient security operations.

The use of Verifiable Credentials under the new eIDAS Regulation introduces privacy concerns, particularly during revocation status checks. This paper proposes a privacy-preserving revocation mechanism tailored to the European Digital Identity Wallet and its Architecture and Reference Framework. Our method publishes a daily randomized revocation list as a cascaded Bloom filter, enhancing unlinkability by randomizing revocation indexes derived from ARF guidelines. The implementation extends open-source components developed by the European Committee. This work demonstrates a practical, privacy-centric approach to revocation in digital identity systems, supporting the advancement of privacy-preserving technologies.

Ensuring secure and efficient authentication in Vehicular Ad Hoc Networks (VANETs) is vital for real-time communication and network resilience. However, traditional authentication mechanisms, such as Elliptic Curve Cryptography (ECC) and Public Key Infrastructure (PKI), face significant challenges, including high computational overhead, complex certificate revocation, and vulnerability to quantum attacks. To overcome these limitations, we propose a lattice-based authentication protocol that integrates post-quantum cryptography (PQC), zero-knowledge proofs (ZKPs), and fog computing for secure Vehicle-to-Roadside (V2R) communication. Our protocol offers quantum resistance, decentralized authentication, and dynamic pseudonym updates, enhancing both security and privacy in VANETs. Performance evaluations demonstrate that our approach achieves lower message delay (0.8), reduced packet loss ratio (0.6), minimal communication overhead (0.7), and the fastest authentication delay (0.5) compared to ECC and Physically Unclonable Function (PUF)-based methods. Additionally, formal security analysis confirms that our scheme effectively mitigates impersonation, replay, tracking, and quantum attacks, ensuring a scalable and future-proof authentication mechanism for next-generation VANETs.

Intelligent Transport Systems (ITS) leverage cutting edge technology to enhance the reliability, protection and effectiveness of transportation. Dedicated Short Range Communication (DSRC) is the mean by which Vehicular Ad Hoc Networks (VANETs) provide connectivity among vehicles in form of vehicles to vehicle (V2V) and vehicle to roadside infrastructure (V2I). Maintaining safe connections in VANETs is a major issue due to malicious behavior of unlawful vehicles. Therefore, in order to protect VANETs, malicious vehicles should be revoked, for this purpose Certificate Revocation List (CRL) is distributed by the authorities among the VANETs users. However, due to the passage of time CRL size increased and becomes large, which produces delays in checking and verification of messages and results in disruption. Therefore, dissemination, updating, and searchable processes of traditional CRL techniques face latency and scalability problems. This paper aims to overcome these challenges by eliminating dependency on CRLs, introducing efficient revocation verification, and enabling a self-sufficient revocation mechanism. A novel ERMV approach is proposed, in which Bad-Hash is applied only to pseudonym certificates of revoked vehicles, which facilitates onboard, independent certificate status verification without the need to distribute, obtain or check CRLs. The proposed technique ensures rapid certificate status verification with minimal computational and communication overheads. The results show that the proposed technique can verify over 900 messages in a 300millisecond time frame, which illustrates that the proposed technique can work efficiently in sparse and dense scenarios with less computational and communication overheads.

ABSTRACTSelf‐sovereign identity management systems operate in open network environments and face security threats from semi‐trusted or malicious adversary models. In such environments, verifiable credentials are susceptible to attacks such as theft and forgery. In response to the privacy risks associated with verifiable credentials during issuance and revocation, this article proposes a privacy protection scheme for user information during the issuance and revocation processes of verifiable credentials in self‐sovereign identity management based on blockchain technology. First, a privacy‐preserving method that does not rely on a single identity provider and resists Sybil attacks has been designed using secure multi‐party computation cryptographic techniques. Second, the consortium blockchain committee nodes act as the issuer of verifiable credentials. By combining attribute commitments and zero‐knowledge proof techniques, the user's identity information is hidden, achieving the privacy protection goal during the issuance of verifiable credentials. Furthermore, in order to protect user privacy during the revocation of verifiable credentials (VCs), we employ a cryptographic accumulator technique to implement the revocation operation. This approach ensures the security of user privacy while effectively managing the revocation of credentials. Finally, this paper conducts a security analysis and performance evaluation of the proposed scheme. The results show that our scheme strikes a balance between security needs and time efficiency.

A group signature scheme allows a user to sign a message anonymously on behalf of a group and provides accountability by using an opening authority who can “open” a signature and reveal the signer’s identity. Group signature schemes have been widely used in privacy-preserving applications, including anonymous attestation and anonymous authentication. Fully dynamic group signature schemes allow new members to join the group and existing members to be revoked if needed. Symmetric-key based group signature schemes are post-quantum group signatures whose security rely on the security of symmetric-key primitives, and cryptographic hash functions. In this paper, we design a symmetric-key based fully dynamic group signature scheme, called DGMT, that redesigns DGM (Buser et al. ESORICS 2019) and removes its two important shortcomings that limit its application in practice: (i) interaction with the group manager for signature verification, and (ii) the need for storing and managing an unacceptably large amount of data by the group manager. We prove security of DGMT (unforgeability, anonymity, and traceability) and give a full implementation of the system. Compared to all known post-quantum group signature schemes with the same security level, DGMT has the shortest signature size. We also analyze DGM signature revocation approach and show that despite its conceptual novelty, it has significant hidden costs that makes it much more costly than using the traditional revocation list approach.

The emergence of intelligent transportation systems and the widespread deployment of connected and autonomous vehicles (CAVs) have introduced unprecedented security demands in vehicular communication networks. Authentication, as a foundational security service, ensures trust among vehicles, infrastructure, and external entities. However, traditional methods such as Public Key Infrastructure (PKI) often fail to meet the stringent requirements of vehicular environments, including real-time responsiveness, scalability, and user privacy. This paper presents a comprehensive review of novel authentication systems designed for vehicular communication. We classify and analyze state- of-the-art approaches including lightweight cryptographic protocols, group-based schemes, blockchain-integrated authentication, AI-driven behavioral methods, pseudonym-based privacy-preserving mechanisms, and post-quantum crypto- graphic frameworks. Each system is evaluated in terms of latency, privacy, scalability, real-time capability, and maturity level. We further identify key challenges such as certificate revocation, interoperability, and ethical implications. Finally, the paper highlights emerging research directions including federated authentication, quantum-safe security, context-aware mechanisms, and hybrid blockchain-AI solutions. Our analysis serves as a roadmap for researchers and practitioners aiming to develop secure, efficient, and scalable authentication systems for next-generation vehicular networks.

As technology advances rapidly, a diverse array of Internet of Things (IoT) devices finds widespread application across numerous fields. The intelligent nature of these devices not only gives people more convenience, but also introduces new challenges especially in security when transmitting data in fog-based cloud environments. In fog computing environments, data need to be transmitted across multiple devices, increasing the risk of data being intercepted or tampered with during transmission. To securely share cloud ciphertexts, an alleged proxy re-encryption approach is a commonly adopted solution. Without decrypting the original ciphertext, such a mechanism permits a ciphertext intended for user A to be easily converted into the one intended for user B. However, to revoke the decryption privilege of data users usually relies on the system authority to maintain a user revocation list which inevitably increases the storage space. In this research, the authors come up with a fog-based proxy re-encryption system with revocable identity. Without maintaining the traditional user revocation list, the proposed scheme introduces a time-updated key mechanism. The time-update key could be viewed as a partial private key and should be renewed with different time periods. A revoked user is unable to obtain the renewed time-update key and hence cannot share or decrypt cloud ciphertexts. We formally demonstrate that the introduced scheme satisfies the security of indistinguishability against adaptively chosen identity and chosen plaintext attacks (IND-PrID-CPA) assuming the hardness of the Decisional Bilinear Diffie-Hellman (DBDH) problem in the random oracle model. Furthermore, compared with similar systems, the proposed one also has lower computational complexity as a whole.

Short-lived certificates (SLC) are a comparatively new approach to improving software systems' security, performance, and effectiveness. A typical certificate validity can range anywhere between 12 months to multiple years. Short-lived certificates dramatically reduce the validity period to months, sometimes days, and, for some situations, even hours. By reducing the validity, they minimize the scope of damages if the private key is ever compromised. This paper examines the benefits of short-lived certificates, which include but are not limited to improved security posture and reduced reliance on certificate revocation infrastructure and mechanisms. We will approach the automation and infrastructure changes that made this new approach practical. We will explore methods of implementing such a system at scale. We will analyze the trade-offs between security, reliability, performance, and operational complexity. We will additionally cover the network and infrastructure changes that might be necessary for a reliable implementation of Short-lived certificates infrastructure.

A revocable and comparable attribute-based signature scheme from lattices for IoMT

Shared group session key-based conditional privacy-preserving authentication protocol for VANETs

This research aims to analyze the responsibility of business actors towards ingredients that do not yet have a halal label according to positive law and to analyze the inhibiting factors in the responsibility of business actors towards self-declared food products. which does not have a halal label in Mataram City. By using empirical normative legal research methods. The results of this research show that to protect consumer rights, the Consumer Protection Law Number 8 of 1999 and other laws and regulations apply administrative and criminal sanctions to business actors, if business actors are proven to have violated the regulations that have been established in carrying out their activities. or offer its products. Materials that do not yet have a halal label according to positive law, as in Article 8 paragraph (1) letter h UUPK, stipulate that business actors are prohibited from producing and/or trading goods. As stated in the "halal" statement on the label. And Article 4 of Law Number 33 of 2014 concerning Halal Product Guarantees states that products entering, circulating and being traded in Indonesian territory must be halal certified. With this article, all products circulating in Indonesia must have a halal certificate, without exception, products from Micro, Small Enterprises (UMK) which should also have a halal certificate because they are already circulating on the market. Legal responsibility for business actors who do not yet have a halal label for their products. Administrative/administrative sanctions are given , namely sanctions imposed due to administrative violations or legal provisions of an administrative nature, up to fines, revocation of certificates and/or permits, temporary suspension of administrative services up to reduction of production quotas. Inhibiting factors in the responsibility of business actors for self-declared food products which do not have a halal label in Mataram City, the inhibiting factors consist of two factors, namely: a. Internal factors consist of business actors' knowledge of halal certification, knowledge of halal certification obligations and certification costs. b. External factors consist of lack of socialization from the Halal Center Institute at UIN Mataram and lack of consumer awareness.

This paper proposes and analyzes a ticket-based OCSP protocol for efficient certificate revocation checking in vehicle communication systems. The IEEE WAVE standard for vehicular networks requires real-time processing of Basic Safety Messages (BSMs) exchanged between vehicles. Traditional OCSP revocation checking can introduce delays. The proposed approach distributes OCSP responses as tickets valid for a road section. Vehicles use shorter keys extracted from the tickets for faster cryptographic processing. Experiments compare processing times for signature generation and verification with different elliptic curves. The results show the proposed technique provides faster revocation checking. This allows time-critical vehicle-to-vehicle message processing at high rates under computational constraints. The ticket-based OCSP mechanism enhances security while meeting real-time requirements in vehicular networks.

Ensuring the quality and safety of medicinal products is of paramount importance to the pharmaceutical industry. Good manufacturing practice (GMP) regulations are part of a pharmaceutical manufacturer’s quality management system and ensure that medicinal products are manufactured, imported and controlled consistently to quality standards appropriate to their intended use. The aim of the present study is to analyze the non-compliant operations identified during GMP inspections carried out by national competent authorities (NCA) in the EU/EEC between 2013 and 2022. A retrospective analysis of non-compliance reports published in the EudraGMDP database between 2013 and 2022 was performed. Overall, 99 reports by 21 national competent authorities were analyzed presenting the results of inspections in 19 countries. A total of 1458 deficiencies were identified, of which 544 (37%) were classified as major and 127 (9%) as critical. The most common non-compliant operations were the manufacturing of active substances (49 deficiencies) and the preparation of non-sterile products (47 deficiencies). In 41 cases, the NCA recommended suspension or voiding of the certificate of suitability (CEP) and in 36 cases revocation of the GMP certificates. The observed deficiencies highlight the importance and need for continuous monitoring and improvement of manufacturers’ production processes and quality management systems.

A vehicular ad hoc network is a capable method of making possible road well-being, traffic supervision, as well as information distribution for driving users and travelers. One definitive objective in the blueprint of this type of network is to refuse to accept a variety of malevolent mistreatment and security assaults. The paper analyzed the existing procedure, which has covered the ways of offering security duties and conserving user solitude in the context of wireless access in vehicular environments (WAVE) applications. To make the standards more realistic, it considers techniques of certificate revocation and conditional privacy preservation. These techniques are found to be the most promising ones in vehicular ad hoc networks (VANET). Therefore, a group of narrative security methods is proposed for the safe implementation of the techniques of certificate revocation and conditional privacy preservation. For enhancement of security, the paper proposes that the message should be encapsulated with a proper certificate and be duly signed. For faster communication, we propose the use of optical wireless communication (OWC) between an onboard unit (OBU) and a roadside unit (RSU).

Abstract Access control is a security technique that can restrict access to protected resources, and data to only authorized users. In this paper, we design a blockchain-based access control scheme for cloud storage that is enabled by revocation. First, initialize blockchain to generate global parameters, generate complete user encryption keys and decryption keys, and perform data encryption. When the blockchain receives a user’s access request, the authorization contract determines if it is on the revocation list. If not, the key is checked. Then, it determines abnormal access and adds its identity to the revocation list, preventing further access to the database. The access control model is created by combining attribute-based encryption. After the security analysis and operational efficiency test, it can be considered that the model meets the security features, such as IND-CPA security. Regarding the time overhead of generating encryption keys, the computational overhead of this paper is the lowest, and the time required to generate encryption keys for 10 attributes is only 0.09 seconds, and for 100 attributes is only 1.62 seconds, which is better than the performance of the two attribute-based access control schemes, FIFC and AACE. The user access time overhead for 10 to 100 attributes at user encryption time is 1.38, 1.56, 1.98, 2.1, 2.53, 2.76, 3.03, 3.27, 3.66, and 3.94 seconds, respectively. The lowest decryption time consumed ensures data security and a good access experience. This study achieves fine-grained access control while protecting data privacy.

Cloud computing offers abundant computing resources and scalable storage, but data leakage in the cloud storage environment is a common and critical concern due to inadequate protection measures. Revocable-attribute-based encryption (RABE) is introduced as an advanced form of identity-based encryption (IBE), which encrypts sensitive data while providing fine-grained access control and an effective user revocation mechanism. However, most existing RABE schemes are not resistant to quantum attacks and are limited in their application scenarios due to the revocation model. In this paper, we propose a RABE scheme constructed from lattices. Our scheme has several advantages, including a near-zero periodic workload for the key generation center (KGC), ensuring scalability as the number of users increases. Additionally, the encryptor is relieved from managing a revocation list. Moreover, our scheme guarantees the confidentiality and privacy of other ciphertexts even if the decryption key for a specific period is compromised. We validated the correctness of our scheme and demonstrated its security under the assumption of learning with errors (LWE), which is widely believed to be resistant to quantum attacks. Finally, we provide an application example of our RABE scheme in the electronic healthcare scenario.

The rise of online courses and certifications has created new opportunities for individuals to enhance their skills. However, this digital transformation has also given rise to coun- terfeit certificates. To address this multifaceted issue, we present a comprehensive certificate management system founded on blockchain technology and strengthened by smart contracts. Our innovative system comprises three pivotal components: certificate generation, authenticity verification, and a user-centric digital locker for certificate storage. Blockchain technology underpins the entire system, ensuring the immutability and integrity of each certificate. The inclusion of a cryptographic hash for each certificate is a fundamental aspect of our design. Any alteration in the certificate’s data will yield a distinct hash, a powerful indicator of potential tampering. Furthermore, our system includes a secure digital locker based on cloud storage that empowers users to efficiently manage and access all their certificates in one place. Moreover, our project is committed to providing features for certificate revocation and updating, thereby enhancing the system’s flexibility and security. Hence, the blockchain and smart contract-based certificate management system offers a robust and one-stop solution to the escalating problem of counterfeit certificates in the digital era