X.509 standard and CA’s operation: Certificate path validation
Dec. 18, 2001. 2001824, C&IS lab. Vo Duc Liem
Contents
• 1. Introduction
• 2. Previous Works
• 3. Proposed method
• 4. Assessment
• 5. Conclusion and further work
Introduction
[Figure labels: Root CA, CA-A, CA-B, A, B, “Cross ?”]
• Certificate path validation
  • A and B have certificates from different CAs
  • Does A trust CA-B?
  • CA-A and CA-B cross-certified: easy!
  • Not cross-certified: validate the path from CA-B to the CA “most trusted” by A
  • A spends time and computing power on verification
Previous work
Method of certificate path validation
• Full path validation
  • Computation O(n)
• Delegation certificate path validation
  • O(1)
• Simple Certificate Validation Protocol
  • O(1)
• Offline Path Validation*
  • O(1) or no cost
*: Method is presented in IWAP01
Proposed method
Assumptions
• The number of CAs is not as huge as the number of users
• A CA is a stable entity and plays its role correctly
• A CA is legally responsible
• Trust between CAs:
  • A CA trusts its child CAs
Validating Process
[Figure labels: Root CA; list of valid CAs (may be signed by the Root CA); ECA1; ECA; CA-A; CA-B; User A; User B; Cert. of CA-B; Cert. of B]
List of Valid CA
• ECA1: produces the list of its child CAs, signs it and sends it to ECA2
• ECA2: verifies ECA1’s signature; signs the list
• …
• Root CA: checks the signature and signs
Exp. List of valid CA
Steps of validation
• A checks the CRL for B’s certificate
• If it is not listed, A verifies B’s certificate with the public key of CA-B (ECA)
• A checks that CA-B exists in the list of valid CAs of ECA1
• If it exists, A verifies CA-B’s certificate with ECA1’s public key
• A verifies the list of valid CAs of ECA1 with the public key of the Root CA
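Added example (not part of the original slides): user A's validation steps above, with the three signature verifications, written out in Python. Toy textbook RSA stands in for real X.509 signatures, and the record layout (`eca_pub`, `children`, `serial`), keys and serial number are constructed for illustration. Carrying ECA1's public key inside the root-signed list is an assumption, since the slides do not say how A obtains that key.

```python
import hashlib

# Toy textbook RSA over Mersenne primes: a stand-in for real X.509
# signatures so the example runs offline. Not secure; illustration only.
def keygen(a, b, e=65537):
    p, q = 2**a - 1, 2**b - 1
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def _h(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(priv, msg):
    return pow(_h(msg, priv[0]), priv[1], priv[0])

def verify(pub, msg, sig):
    return pow(sig, pub[1], pub[0]) == _h(msg, pub[0])

def tbs(signed):  # hypothetical encoding of the signed fields (all but "sig")
    return repr(sorted((k, v) for k, v in signed.items() if k != "sig")).encode()

def issue(priv, **fields):
    return {**fields, "sig": sign(priv, tbs(fields))}

def validate(cert_b, cert_cab, ca_list, root_pub, crl):
    """User A's checks in the order given on the slide; returns (ok, reason)."""
    if cert_b["serial"] in crl:
        return False, "B revoked"
    if cert_b["issuer"] != cert_cab["subject"] or not verify(
            cert_cab["pub"], tbs(cert_b), cert_b["sig"]):        # verification 1
        return False, "bad signature on B"
    if cert_cab["subject"] not in ca_list["children"]:
        return False, "CA-B not in list"
    if not verify(ca_list["eca_pub"], tbs(cert_cab), cert_cab["sig"]):  # verification 2
        return False, "bad signature on CA-B"
    if not verify(root_pub, tbs(ca_list), ca_list["sig"]):      # verification 3
        return False, "list not signed by Root CA"
    return True, "valid"

# Constructed demo PKI: names follow the slides, keys and serial are made up.
ROOT_PUB, ROOT_PRIV = keygen(521, 607)
ECA1_PUB, ECA1_PRIV = keygen(107, 127)
CAB_PUB, CAB_PRIV = keygen(61, 89)
CA_LIST = issue(ROOT_PRIV, eca="ECA1", eca_pub=ECA1_PUB, children=("CA-A", "CA-B"))
CERT_CAB = issue(ECA1_PRIV, subject="CA-B", pub=CAB_PUB, issuer="ECA1")
CERT_B = issue(CAB_PRIV, subject="B", pub=keygen(19, 31)[0], serial=7, issuer="CA-B")

if __name__ == "__main__":
    print(validate(CERT_B, CERT_CAB, CA_LIST, ROOT_PUB, crl=set()))
```

Because the root signature covers both the child list and ECA1's key, swapping in a rogue ECA key or appending a CA to the list fails at the third verification.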
Assessment
• Correctness
  • Only the right public key can verify a signature made by the respective private key
• Security
  • No one can make a fake certificate or change the list without knowing the private key
• The list of valid CAs does not need to change frequently
• Needs 3 signature verifications
• Reduces the computing power required of users
Conclusion and further work
• Understand X.509 and CA operation
• Proposed a method of certificate path validation
• For the future:
  • Find all possible attacks
  • Consider cross-certificates at a high level
References
• William Stallings, Cryptography and Network Security: Principles and Practice, Prentice Hall, 1998
• ITU-T X.509 v3 recommendation, 1997
• IETF, RFC 2459, Internet X.509 Public Key Infrastructure Certificate and CRL Profile, 1999
• IETF, RFC 2560, Internet X.509 Public Key Infrastructure Online Certificate Status Protocol (OCSP), 1999
• IETF, Internet drafts, Simple Certificate Validation Protocol, 2001
• NIST, Public key infrastructure study, Final report, 1997
• C. Kaufman, R. Perlman, M. Speciner, Network Security: PRIVATE Communication in a PUBLIC World, Prentice Hall, 1995
• Byoungcheon Lee, Kwangjo Kim, Moongseog Seo, Weonkeun Huh, Efficient offline path validation, IWAP 2001
• Diana Berbecaru, Antonio Lioy, Marius Marian, On the complexity of Public-key Certificate Validation, ISC 2001, LNCS 2200, pp. 183-203, 2001