Certificate Path Verification in Hierarchical and Peer-to-Peer Public Key Infrastructures
Keywords:PKI Hierarchical PKI, peer to peer PKI, Certification authority, certification verification, open SSL
“Authentication of users in an automated business transaction is commonly realized by means of a Public Key Infrastructure(PKI). A PKI is a framework on which the security services are built. Each user or end entity is given a digitally signed data structure called digital certificate. In Hierarchical PKI, certificate path is unidirectional, so certificate path development and validation is simple and straight forward. Peer-to-Peer(also called Mesh PKI) architecture is one of the most popular PKI trust models that is widely used in automated business transactions, but certificate path verification is very complex since there are multiple paths between users and the certification path is bidirectional. In this paper, we demonstrate the advantage of certificate path verification in Hierarchical PKI based on forward path construction method over reverse path construction method with respect to the time requirement. We also propose a novel method to convert a peer-to-peer PKI to a Depth First Search(DFS) spanning tree to simplify the certificate path verification by avoiding multiple paths between users, since the DFS spanning tree equivalent of peer-to-peer PKI contains only one path between any two Certification Authorities.
Adams, S. and Farrell, S. (1999) ‘Internet X.509 Public Key Infrastructure Certificate Management Protocols, Network Working Group Request for Comments 2510’ (online). Available from http://www.ietf.org/rfc/rfc2510.txt
Boeyen, S. et.al. (1999) ‘Internet X.509 Public Key Infrastructure Operational Protocols - LDAPv2’, Network working group, RFC 2559
Cooper, M. et. al. (2005) ‘Internet X.509 Public Key Infrastructure: Certification Path Building’, Network Working Group, RFC 4158.
Cronin, E., Malkin, T. et.al (2003) ‘On the Performance, Feasibility and use of Forward-Secure Signatures’, CCS’03, Washington, DC, USA.
Guo, Z., Okuyama, T., et.al. (2005) ‘A New Trust Model for PKI Interoperability’, Proceedings of the Joint International Conference on Autonomic and Autonomous Systems and International Conference on Networking and Services (ICAS/ICNS 2005), IEEE.
Huang, H. (2005) ‘On the Protection of Link State Routing and Discovery of PKI Certificate Chain in MANET’, A Ph.D thesis submitted to the Graduate Faculty of North Carolina State University.
Kaliski, B. (1993) ‘A Survey of Encryption Standards’, RSA Laboratories, IEEE Micro.
Koga, S. and Sakurai, K. (2004), ‘A Merging Method of Certification Authorities Without Using Cross-Certifications’, Proceedings of the International Conference on Advanced Information Networking and Application (AINA’04), IEEE
Lloyd, S. et. al. (2001) ‘CA-CA Interoperability’, PKI Forum (online). Available from http://www.pkiforum.org/pdfs/ca-ca interop.pdf
Mazaher, S. and Roe, P. (2003) A survey of state of the Art in Public Key Infrastructure, Norway,Norsk Regnesentral.
Pez, R. Satizbal, C. et. al. (2006) ‘Building a Virtual Hierarchy for Managing Trust Relationships in a Hybrid Architecture’, Journal of Computers, 1:7, 60-68.
Pinkas, D. (2001) ‘Delegated Path Validation and Delegated Path Discovery Protocols’, Internet Draft.
Saxena, A. (2004) Public Key Infrastructure Concepts, Design and Deployment, New Delhi, Tata McGraw Hill.
Serranoa, J.H., Satizbal, C. et.al (2007) ‘Building a virtual hierarchy to simplify certification path discovery in mobile ad-hoc networks’, Computer Communications, 30: 7, 1498-1512.
Thales (2000), ‘Elliptic Curve Cryptography’, e-security white paper.
Weise, J. (2001) ‘Public Key Infrastructure Overview’, Sun BluePrints™.
Wiener, M.J. (1998) ‘Performance comparison of public-key cryptosystems’, CryptoBytes, 4(1).
Zuccherato, R. (2003) ‘Using a PKI Based Upon Elliptic Curve Cryptography-Examining the Benefits and Difficulties’, Entrust-Securing Digital Identities and Information.