Contribución a la validación de certificados en arquitecturas de autenticación y autorización
DOI: 10.5821/dissertation-2117-94357
Cite as: hdl:2117/94357
Chair / Department / Institute: Universitat Politècnica de Catalunya. Departament d'Enginyeria Telemàtica
Document type: Thesis
Date of defense: 2007-03-09
Publisher: Universitat Politècnica de Catalunya
Access conditions: Open access
All rights reserved. This work is protected by the corresponding intellectual and industrial property rights. Without prejudice to existing legal exemptions, its reproduction, distribution, public communication or transformation is prohibited without the authorisation of the rights holder.
Abstract
Authentication and authorisation architectures based on certificates have not been widely accepted due to their cost, inflexibility and difficult management.
The complexity of the Public Key Infrastructure (PKI) is increased by the certification path validation process, which involves discovering the path, retrieving the certificates, verifying their digital signatures and checking that none of the certificates has expired or been revoked. This process demands a certain processing and storage capacity from the verifier that can exceed the capabilities of some devices, such as mobile phones and smart cards.
In this thesis, we evaluate the computational cost and the storage capacity required by a verifier to carry out the path validation process and determine that they are critical factors for constrained devices. In addition, we introduce two proposals that help simplify the path validation process from the verifier's point of view: TRUTHC and PROSEARCH.
TRUTHC uses two hash chains to establish an alternative trust relationship among the different entities of a hierarchical PKI. Thus, the signature verification operations are replaced by hash operations, which helps decrease the computational cost for the verifier. The path verification is carried out by a Verification Authority (VA). TRUTHC is compatible with X.509 certificates, and its security depends to a large extent on the confidentiality of the seeds. TRUTHC can be used in environments where devices have limited processing capacity and it is necessary to delegate the validation process to another entity, such as mobile networks with validation servers.
On the other hand, PROSEARCH establishes a virtual hierarchy in a mesh PKI, based on the trustworthiness level of the participant entities. This protocol facilitates the certification path discovery since in a hierarchical model the trust relationships are unidirectional and there is a single path between each pair of entities.
PROSEARCH does not establish new trust relationships among the entities but it takes the existing relationships to establish the hierarchy. Thus, it is not necessary to issue new certificates or adjust the trust points.
In addition, PROSEARCH is adaptable to entities with limited processing and storage capacities, since the hierarchy is established considering a maximum certification path length.
The fast execution of PROSEARCH makes it usable in different environments, such as critical scenarios and ad-hoc networks.
Although the hierarchy found by our protocol is not always the best solution, in our opinion this is not an important drawback, since simulation results show that in most cases an acceptable hierarchy is found, especially considering that the simplicity of the protocol makes it easy to implement even for constrained devices.
Citation: Satizábal Echevarria, I.C. Contribución a la validación de certificados en arquitecturas de autenticación y autorización. Doctoral thesis, UPC, Departament d'Enginyeria Telemàtica, 2007. ISBN 9788469056141. DOI 10.5821/dissertation-2117-94357. Available at: <http://hdl.handle.net/2117/94357>
Legal deposit: B.26577-2007
ISBN: 9788469056141
Other identifiers: http://www.tdx.cat/TDX-0329107-123022
File | Size |
---|---|
01ICse01de01.pdf | 1,504Mb |