Certificate Revocation Research Articles

A Short Certificate-based Signature Scheme with Provable Security

Certificate-based signature (CBS) is an attractive paradigm since it simultaneously solves the certificate revocation problem in conventional signatures and the key escrow problem in ID-based signatures. In particular, short certificate-based signatures are useful in bandwidth reduction for communication due to their short signature lengths. However, it is still a challenging and open problem to design a secure short certificate-based signature (SCBS) scheme. Recently, to solve this problem, Li et al . proposed an efficient SCBS scheme. However, in this article, we will show that Li et al .’s scheme is insecure against Type I adversary (i.e. uncertified entity) under an accredited security model. Moreover, we propose a new SCBS scheme with provable security. Based on the computational Diffie–Hellman (CDH) assumption, we demonstrate that our SCBS scheme possesses existential unforgeability against adaptive chosen-message attacks under the same accredited security model. When compared with previous SCBS schemes, our scheme is the first provably secure SCBS scheme while retaining efficiency. DOI: http://dx.doi.org/10.5755/j01.itc.45.3.12814

Comprehensive Evaluation of the Localized Certificate Revocation in Mobile Ad Hoc Network

Voting-based certificate revocation is an interesting revocation method which tries to isolate the compromised nodes and attackers by cooperation of the network nodes. In this paper, we present a complete evaluation of the localized certificate revocation scheme proposed by Arboit et al. and indicate its limitations and weaknesses in revoking the malicious certificates. In these simulations we focus on the issues such as cooperative or non-cooperative malicious false accusers, false alarms and simultaneous accusations. Then we indicate that these problems can have negative impact on the voting-based certificate revocation and as a result the cooperation of more non-malicious nodes will be needed to revoke the malicious certificates. Moreover, we exhibit that when an intelligent attacker does not reveal its malicious behaviors to only a subset of the MANET nodes, the Arboit's scheme will not be able to revoke its certificate. The results of these evaluations highlight the future research directions in the localized certificate revocation context.

Towards Secure Localized Certificate Revocation in Mobile Ad-Hoc Networks

ABSTRACTVoting-based certificate revocation is an effective revocation method which is conducted by the collaboration of network nodes. In this paper, we focus on improving the localized certificate revocation scheme proposed by Arboit et al. for mobile ad-hoc networks. This scheme is a voting-based revocation method able to operate in the absence of any certificate authority. But it is vulnerable to false accusation problem which degrades the performance of revocation system and makes the revocation more difficult. Our main objective in this paper is to provide a reliable revocation method which is resilient against the multiple collaborative and non-collaborative false accusers. Simulation results demonstrate that our solution reduces the number of accusations required to reliably revoke a certificate.

A provably secure certificate-based encryption scheme against malicious CA attacks in the standard model

Certificate-based encryption (CBE) is a new public-key cryptographic paradigm that represents an interesting balance between conventional public-key encryption and identity-based encryption. It not only simplifies the certificate revocation problem in conventional public-key encryption, but also solves the key escrow problem inherent in identity-based encryption. In CBE, a certificate authority (CA) is employed to initialize the system and issue certificates for users. Each user needs both a private key and an up-to-date certificate to decrypt ciphertexts. In the previous concrete constructions of CBE, the CA is assumed to be honest-but-curious, that is, the CA always starts launching attacks only after it has initialized the system honestly. However, it seems that such an assumption does not necessarily reflect reality when we consider a malicious CA that is trying every effort to break the system. To show that the malicious CA attack exists in CBE, we present two concrete attacks against a previous CBE scheme. In both attacks, a malicious CA can easily break any user's confidentiality by implanting a trapdoor in the public system parameters. To fight against malicious CA attacks, we propose a new CBE scheme. The proposed CBE scheme is proven to be chosen-ciphertext secure against malicious CA attacks in the standard model. Performance comparison shows that it is efficient and practical.

A Frame Work to Estimate the Performance of Authentication Schemes in Mobile Ad Hoc Networks

increasing growth has been witnessed in the last few year with respect to development of wireless and mobile communication networks. In MANETs, nodes are able to communicate through the use of wireless mediums, constituting dynamic topologies. The certificate-based authentication has a positive edge in wired networks. It's a significantly arduous task to adapt a certificate based authentication protocols for mobile ad hoc networks due to absence of fixed infrastructure or centralized management. A traditional certificate-based authentication system depends on a fixed trusted Certificate Authority (CA). In this case Certificate Authority (CA) takes the responsibility for the establishment, distribution, renewing, and revocation of certificates. The consideration of the fixed centralized network is not practically possible in MANETs, because of issues such as regular link breakdown, node mobility, and inadequate wireless medium. The numbers of approaches have been introduced, which focus on the challenges to adapt certificate-based authentication in a distributed way in mobile ad hoc networks. In this paper, some issues related to performance analysis of exiting authentication schemes have been discussed. So, there is a need to construct a common frame work to evaluate the performance of certificate based authentication protocols for MANETs. This framework is based on two pillars. One is to survey some of the existing authentication mechanisms for MANETs and identify the needs of a secure authentication mechanism for MANETs in the context of distributed authentication. Second is the derivation of metrics to evaluate the performance of certificate based authentication schemes is done.

An Efficient Anonymous Batch Authentication Scheme Based on HMAC for VANETs

In vehicular ad hoc networks (VANETs), when a vehicle receives a message, the certificate revocation list (CRL) checking process will operate before certificate and signature verification. However, large communication sources, storage space, and checking time are needed for CRLs that cause the privacy disclosure issue as well. To address these issues, in this paper, we propose an efficient anonymous batch authentication scheme (ABAH) to replace the CRL checking process by calculating the hash message authentication code (HMAC). In our scheme, we first divide the precinct into several domains, in which road-side units (RSUs) manage vehicles in a localized manner. Then, we adopt pseudonyms to achieve privacy-preserving and realize batch authentication by using an identity-based signature (IBS). Finally, we use HMAC to avoid the time-consuming CRL checking and to ensure the integrity of messages that may get loss in previous batch authentication. The security and performance analysis are carried out to demonstrate that ABAH is more efficient in terms of verification delay than the conventional authentication methods employing CRLs. Meanwhile, our solution can keep conditional privacy in VANETs.

Effective certificate revocation scheme based on weighted voting game approach

Mobile ad hoc networks (MANETs) are wireless networks that have a wide range of applications because of their dynamic topologies and ease of deployment. Owing to the independent and dynamic nature of mobile nodes, the topology of a MANET often changes and is prone to various attacks. Therefore, substantial research in the area of security is required. Certificate revocation is an effective mechanism for providing network security services. However, the existing schemes are not well suited to MANETs because of their considerable overhead or low accuracy with respect to certificate revocation. In this study, the authors investigate a distributed certificate revocation protocol. On the basis of the game-theoretic model, they design a new voting-based security scheme. Their game-based security paradigm can provide the ability to practically respond to the current system conditions and is suitable for real MANET operations. Simulation results demonstrate the effectiveness and the efficiency of their scheme with respect to certificate revocation. Finally, they discuss the results of an evaluation provide an outlook on the future work in this field.

Secure Provenance for Data Forensics with Efficient Revocation of Anonymous Credentials in Cloud Computing

Privacy is a critical security requirement in mobile cloud computing. To address the dilemma of data forensics in privacy-preserving cloud environment, secure provenance that records the ownership ...

Secure vehicle traffic data dissemination and analysis protocol in vehicular cloud computing

Intelligent transportation systems seek to maximize the usage of data generated by the vehicles for road users assistance. Combining vehicular ad hoc network with cloud computing makes it easy for the fixed infrastructures along the roads to collect and analyze safety messages for the benefits of the road users and the transportation authorities. However, security features need to be fully assessed before the adoption of such applications. In this paper, we present a secure vehicle traffic data dissemination and analysis in vehicular cloud computing in which the identity privacy of the vehicles and their generated message is achieved through pseudonym techniques. We use anonymous credential to guarantee the authorization of service demanding vehicles. ID-based signature is applied to assure the authentication of the vehicles for given pseudonyms. The efficient verification of signature on the message and revoked vehicles are achieved through batch verification technique and pseudonymous revocation list, respectively. Traffic estimation methods are applied to mine coarse-grained data collected by road side infrastructures. The merits of the proposed protocol compared to existing ones are shown through extensive simulations.

Generating Correlated Digital Certificates: Framework and Applications

Bolstering public key authentication of networking entities, digital certificates are an entrenched part of Internet security. A digital certificate is an electronic document signed by a certificate authority (CA), vouching that the identified subject owns the declared public key (and the corresponding private key). In general, CAs are also responsible for certificate revocation as well as reissue, and certificates by nature are considered independent of each other. In this paper, we address the problem of certificate management and propose a flexible framework to create correlated certificates. We then apply it to implement the so-called multi-certificate public key infrastructure, which supports user self services, such as certificates’ spontaneous substitution as well as self-reissue after self-revocation. To the best of our knowledge, this is the first scheme for certificate users to achieve self-reissue. Another application of the proposed framework is the so-called anonymous digital certificate, which still binds a user’s identity to her public key, but in an anonymous yet user-controllable manner. That is, a user can reveal her identity-key binding only to her specified communication peers, while remaining anonymous to the general public, achieving privacy as these certificates are generally unlinkable.

Restricted usage of anonymous credentials in vehicular ad hoc networks for misbehavior detection

The automobile industry is entering a new era of digitalization with major impact on human mobility and transportation infrastructures. A result of such a convergence between the automobile and information technologies is vehicular ad hoc network (VANET), a type of mobile ad hoc networks that has recently enjoyed a lot of attention from the industry, the research community, lawmakers and privacy activists. In VANET, vehicles frequently broadcast various types of messages, including location data. This enables innovative applications and improvements in safety and driving experience. As messages broadcasted in the VANET are digitally signed and the receiver must be able to verify the sender's authentication and message integrity, there is a need to ensure broadcast authentication and protect driver's anonymity. However, communication in VANETs takes place with high frequency, and malicious vehicles can hide behind anonymity in order to duplicate packets and get advantage over other vehicles in the network. Indeed, state-of-the-art approaches to privacy-preserving messages broadcast in the VANET typically ensure that each vehicle has a number of pseudonymous certificates that are changed regularly in order to thwart an automated tracing of its activities. However, the possibility of uncontrolled simultaneous use of pseudonyms by misbehaving vehicles remain unaddressed. This paper proposes a set of anonymous credential system based protocols for VANET that enables the detection and limitation of pseudonym/credential overspending. The revocation of the misbehaving vehicle can be also achieved through the proposed solutions. With the prototypical implementation of the proposed protocols, it has been shown that the successful detection of fraud, i.e., pseudonyms overspending and the subsequent revocation of credentials are possible in VANET.

Revocation and update of trust in autonomous delay tolerant networks

A Delay Tolerant Network (DTN) is a dynamic, fragmented, and ephemeral network formed by a large number of highly mobile nodes. DTNs are ephemeral networks with highly mobile autonomous nodes. This requires distributed and self-organised approaches to trust management. Revocation and replacement of security credentials under adversarial influence by preserving the trust on the entity is still an open problem. Existing methods are mostly limited to detection and removal of malicious nodes. This paper makes use of the mobility property to provide a distributed, self-organising, and scalable revocation and replacement scheme. The proposed scheme effectively utilises the Leverage of Common Friends (LCF) trust system concepts to revoke compromised security credentials, replace them with new ones, whilst preserving the trust on them. The level of achieved entity confidence is thereby preserved. Security and performance of the proposed scheme is evaluated using an experimental data set in comparison with other schemes based around the LCF concept. Our extensive experimental results show that the proposed scheme distributes replacement credentials up to 35% faster and spreads spoofed credentials of strong collaborating adversaries up to 50% slower without causing any significant increase on the communication and storage overheads, when compared to other LCF based schemes.

ECPB: Efficient Conditional Privacy-Preserving Authentication Scheme Supporting Batch Verification for VANETs

In this paper, we introduce an efficient Conditional Privacy-Preserving authentication scheme (ECPB) based on group signature for vehicular ad hoc networks (VANETs). Although group signature is widely used in VANETs for security requirements, the existing schemes based on group signatures suffer longer computational delays in the certificate revocation list (CRL) checking and in the signature verification process, leading to lower verification efficiency. In our scheme, membership validity (a validity period) is required when a vehicle applies for a group member and this validity is used to check whether the vehicle is still a group member or not, which can be used as a substitute for the CRL checks. Neglecting the CRL checks will sharply decrease the costs incurred in the signatures verification. In addition, our proposed scheme also supports batch verification. Experimental analysis proves that our proposed scheme exhibit improved efficiency over the existing schemes, in terms of verification delay and average delay.

A Threshold Anonymous Authentication Protocol for VANETs

Vehicular ad hoc networks (VANETs) have recently received significant attention in improving traffic safety and efficiency. However, communication trust and user privacy still present practical concerns to the deployment of VANETs, as many existing authentication protocols for VANETs either suffer from the heavy workload of downloading the latest revocation list from a remote authority or cannot allow drivers on the road to decide the trustworthiness of a message when the authentication on messages is anonymous. In this paper, to cope with these challenging concerns, we propose a new authentication protocol for VANETs in a decentralized group model by using a new group signature scheme. With the assistance of the new group signature scheme, the proposed authentication protocol is featured with threshold authentication, efficient revocation, unforgeability, anonymity, and traceability. In addition, the assisting group signature scheme may also be of independent interest, as it is characterized by efficient traceability and message linkability at the same time. Extensive analyses indicate that our proposed threshold anonymous authentication protocol is secure, and the verification of messages among vehicles can be accelerated by using batch message processing techniques.

2FLIP: A Two-Factor Lightweight Privacy-Preserving Authentication Scheme for VANET

Authentication in a vehicular ad-hoc network (VANET) requires not only secure and efficient authentication with privacy preservation but applicable flexibility to handle complicated transportation circumstances as well. In this paper, we proposed a Two-Factor LIghtweight Privacy-preserving authentication scheme (2FLIP) to enhance the security of VANET communication. 2FLIP employs the decentralized certificate authority (CA) and the biological-password-based two-factor authentication (2FA) to achieve the goals. Based on the decentralized CA, 2FLIP only requires several extremely lightweight hashing processes and a fast message-authentication-code operation for message signing and verification between vehicles. Compared with previous schemes, 2FLIP significantly reduces computation cost by 100–1000 times and decreases communication overhead by 55.24%–77.52%. Furthermore, any certificate revocation list (CRL)-related overhead on vehicles is avoided. 2FLIP makes the scheme resilient to denial-of-service attack in both computation and memory, which is caused by either deliberate invading behaviors or jammed traffic scenes. The proposed scheme provides strong privacy preservation that the adversaries can never succeed in tracing any vehicles, even with all RSUs compromised. Moreover, it achieves strong nonrepudiation that any biological anonym driver could be conditionally traced, even if he is not the only driver of the vehicle. Extensive simulations reveal that 2FLIP is feasible and has an outstanding performance of nearly 0-ms network delay and 0% packet-loss ratio, which are particularly appropriate for real-time emergency reporting applications.

A Lighweight Certificate Revocation Scheme for Hybrid Mobile ad Hoc Networks

Hybrid mobile ad hoc networks have received increasing attentions due to some attractive features. However, these features such as wireless communication and dynamic topology make it face more challenges in providing secure network services. This paper focuses on the certificate revocation issue which is an important component of certificate management. The existing certificate revocation schemes for mobile ad hoc network either consume more time and accusation overhead to revoke a certificate or need to be improved in terms of revocation accuracy. In this paper, we propose a lightweight certificate revocation scheme for hybrid mobile ad hoc network to achieve a performance trade-off between efficiency and reliability. In particular, to improve the efficiency, the scheme revokes certificate when the accusation weight of the accuser is larger than the accused node; to guarantee the reliability, the revoked nodes are evaluated again by wrong revocation recovery mechanism, so the wrongly revoked nodes will be detected and recovered. Simulation results demonstrate the proposed scheme can achieve a performance trade-off between high accuracy obtained by voting-based scheme and other performance metrics like short revocation time and low overhead obtained by non-voting-based scheme.

A Regional Certificate Revocation List Distribution Method based on the Local Vehicle Location Registration for Vehicular Communications

A certificate revocation list(CRL) should be distributed quickly to all the vehicles in the network to protect them from malicious users and malfunctioning equipments as well as to increase the overall security and safety of vehicular networks. However, a major challenge is how to distribute CRLs efficiently. In this paper, we propose a novel Regional CRL distribution method based on the vehicle location registration locally to manage vehicle mobility. The method makes Regional CRLs based on the vehicles` location and distributes them, which can reduce CRL size and distribution time efficiently. According to the simulation results, the proposed method`s signaling performance of vehicle`s registration is enhanced from 22% to 37% compared to the existing Regional CRL distribution method. It`s CRL distribution time is also decreased from 37% to 67% compared to the existing Full CRL distribution method.

A Hierarchical Privacy Preserving Pseudonymous Authentication Protocol for VANET

Vehicular ad hoc network (VANET) is a technology that enables smart vehicles to communicate with each other and form a mobile network. VANET facilitates users with improved traffic efficiency and safety. Authenticated communication becomes one of the prime requirements of VANET. However, authentication may reveal a user's personal information such as identity or location, and therefore, the privacy of an honest user must be protected. This paper proposes an efficient and practical pseudonymous authentication protocol with conditional privacy preservation. Our protocol proposes a hierarchy of pseudonyms based on the time period of their usage. We propose the idea of primary pseudonyms with relatively longer time periods that are used to communicate with semi-trusted authorities and secondary pseudonyms with a smaller life time that are used to communicate with other vehicles. Most of the current pseudonym-based approaches are based on certificate revocation list (CRL) that causes significant communication and storage overhead or group-based approaches that are computationally expensive and suffer from group-management issues. These schemes also suffer from trust issues related to certification authority. Our protocol only expects an honest-but-curious behavior from otherwise fully trusted authorities. Our proposed protocol protects a user's privacy until the user honestly follows the protocol. In case of a malicious activity, the true identity of the user is revealed to the appropriate authorities. Our protocol does not require maintaining a CRL and the inherent mechanism assures the receiver that the message and corresponding pseudonym are safe and authentic. We thoroughly examined our protocol to show its resilience against various attacks and provide computational as well as communicational overhead analysis to show its efficiency and robustness. Furthermore, we simulated our protocol in order to analyze the network performance and the results show the feasibility of our proposed protocol in terms of end-to-end delay and packet delivery ratio.

Trust Based Certificate Revocation for Secure Routing in MANET

Many trust establishment solutions in mobile ad hoc networks (MANETs) rely on public key certificates. Therefore, they should be accompanied by an efficient mechanism for certificate revocation and validation. In order to reduce the hazards from nodes and to enhance the security of network we propose to develop a CA distribution and a Trust based threshold revocation method. Initially the trust value is computed from the direct and indirect trust values. And the certificate authorities distributes the secret key to al the nodes. Followed by this a trust based threshold revocation method is computed. Here the misbehaving nodes are eliminated.

Average-Case Analysis of Certificate Revocation in Combinatorial Certificate Management Schemes

Average-Case Analysis of Certificate Revocation in Combinatorial Certificate Management Schemes