Use of Nested Certificates for Efficient Dynamic, and Trust Preserving Public Key Infrastructure
Levi, A., Caglayan, M.U., & Koc, Cetin K. (2004). Use of Nested Certificates for Efficient Dynamic, and Trust Preserving Public Key Infrastructure. ACM Transactions on Information Security and System Security, 7, 21-59. Retrieved September 13, 2006, from The ACM Digital Library database.
The purpose of this article is to present the Nested Public Key Infrastructure (NPKI) model, an alternative to the existing Public Key Infrastructure (PKI). NPKI improves on PKI by providing a more efficient method for verifying certificates for public key distribution.
A PKI is a certificate network designed to enable verifiers to find the right public key for a user by following a path of certificates. Certificates are digitally signed bindings between a public key and attributes such as a name, e-mail address, URL or authorization of the owner. They are issued by trusted Certification Authorities (CAs). A verifier uses a certificate by verifying the digital signature of the CA over the certificate and then locating the public key for the user. In PKI, since there are several CAs and a verifier does not know the public key for each, a verifier, in order to get a public key, needs to take and verify a certificate path in order to locate the public key it is seeking. In doing so, it must verify each certificate along the way to find the public key of the next CA, and the CA’s public key is then used to verify the next certificate. The verifier must trust all CAs in the chain.
In order to avoid having to verify each certificate along a path just to locate a single public key, the authors proposed a new PKI, nested-certificate-based PKI (NPKI). NPKI utilizes nested certifications which are basically certificates for other certificates and can be used to determine certificate paths. In NPKI, both classical and nested certificates can be used together. Certification Authorities (CA’s) distribute nested certificates instead of the certificates given their children in the PKI allowing PKI to transition into NPKI. In this way, classical certificate paths are made into nested certificate paths without wrecking trust relationships or topology already in place. In practice, NPKI provides nested certificate paths in which the first certificate is verified cryptographically and the others by fast hashing thus increasing verification speed.
In order to improve verification time, many nested certificates must be issued resulting in a trade off between improvement in verifying and the overhead in nested certificate issuing. This trade off was studied by the authors with a generic balanced tree PKI model. It was seen that, although not distributed uniformly, for a 4-level, 20-ary tree shaped PKI, the average verification was sped up to between 2.41 and 2.50 times faster while the number of certificates increased by 3.85 times. The authors also noted that since nested certificates are not for users but for other certificates, the rules for revoking them are different. They propose that two or possibly even one revoking tool is enough for nested certification paths. As such, NPKI is better than PKI in certificate revocation.
Also, nested certificate paths are quick enough to be verifiable by wireless users.
The purpose of this article is to present the Nested Public Key Infrastructure (NPKI) model, an alternative to the existing Public Key Infrastructure (PKI). NPKI improves on PKI by providing a more efficient method for verifying certificates for public key distribution.
A PKI is a certificate network designed to enable verifiers to find the right public key for a user by following a path of certificates. Certificates are digitally signed bindings between a public key and attributes such as a name, e-mail address, URL or authorization of the owner. They are issued by trusted Certification Authorities (CAs). A verifier uses a certificate by verifying the digital signature of the CA over the certificate and then locating the public key for the user. In PKI, since there are several CAs and a verifier does not know the public key for each, a verifier, in order to get a public key, needs to take and verify a certificate path in order to locate the public key it is seeking. In doing so, it must verify each certificate along the way to find the public key of the next CA, and the CA’s public key is then used to verify the next certificate. The verifier must trust all CAs in the chain.
In order to avoid having to verify each certificate along a path just to locate a single public key, the authors proposed a new PKI, nested-certificate-based PKI (NPKI). NPKI utilizes nested certifications which are basically certificates for other certificates and can be used to determine certificate paths. In NPKI, both classical and nested certificates can be used together. Certification Authorities (CA’s) distribute nested certificates instead of the certificates given their children in the PKI allowing PKI to transition into NPKI. In this way, classical certificate paths are made into nested certificate paths without wrecking trust relationships or topology already in place. In practice, NPKI provides nested certificate paths in which the first certificate is verified cryptographically and the others by fast hashing thus increasing verification speed.
In order to improve verification time, many nested certificates must be issued resulting in a trade off between improvement in verifying and the overhead in nested certificate issuing. This trade off was studied by the authors with a generic balanced tree PKI model. It was seen that, although not distributed uniformly, for a 4-level, 20-ary tree shaped PKI, the average verification was sped up to between 2.41 and 2.50 times faster while the number of certificates increased by 3.85 times. The authors also noted that since nested certificates are not for users but for other certificates, the rules for revoking them are different. They propose that two or possibly even one revoking tool is enough for nested certification paths. As such, NPKI is better than PKI in certificate revocation.
Also, nested certificate paths are quick enough to be verifiable by wireless users.
posted by Dr. Adam Norten at 5:04 PM
0 Comments:
Post a Comment
<< Home