The present invention relates generally to secure communications and more particularly to schemes for certificate management.
In a digital signature scheme, each user U chooses a signing key SKu and a matching verification key, PKu. User U uses SKu to easily compute his digital signature of a message m, SIGu(m), while anyone knowing that PKu is U's public key can verify that SIGu(m) is U's signature of m. Computing the signature SIGu(m) without knowing SKu is practically impossible. On the other hand, knowledge of PKu does not give any practical advantage in computing SKu. For this reason, it is in U's interest to keep SKu secret (so that only he can digitally sign for U) and to make PKu as public as possible (so that everyone dealing with U can verify U's digital signatures). Indeed, SKu is often referred to as U's secret key, and PKu as U's public key.
Note that, to verify that SIGu(m) really is the digital signature of user U for the message m, not only should a verifier know PKu, but he should also know that PKu really is U's public key. Thus, to ensure the smooth flow of business and communications in a world with millions of users, users' public keys are digitally certified by proper authorities to belong to their legitimate users.
At the same time, it is also necessary to revoke some previously issued certificates (e.g., because the secret key corresponding to a given certified public key has been compromised). Unfortunately, this may not be easy. Indeed, a digital certificate cannot just be "taken away": such a certificate is, in essence, a number, and arbitrarily many copies of it may be made and illegitimately used. Current public-key infrastructures (PKIs) rely on Certificate Revocation Lists (CRLs) for handling certificate revocation. Unfortunately, CRLs are not very efficient in several scenarios.
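To make the CRL mechanism concrete, the following is an added example in Go (not part of the patent text) built on the standard library's crypto/x509: the certifying authority signs a CRL with an expiry, and a verifier treats a serial as not revoked only after the CA signature and freshness checks both pass. The CA, serial numbers and times are constructed test data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issueCRL creates a throwaway self-signed CA (constructed test data) and has it sign a CRL
// that lists the given serials as revoked; the CRL's NextUpdate is one day after now.
func issueCRL(revoked []int64, now time.Time) (crlDER []byte, ca *x509.Certificate, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(48 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, pub, priv)
	if err != nil { return nil, nil, err }
	if ca, err = x509.ParseCertificate(caDER); err != nil { return nil, nil, err }
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now})
	}
	crlTmpl := &x509.RevocationList{RevokedCertificates: entries, Number: big.NewInt(1),
		ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	crlDER, err = x509.CreateRevocationList(rand.Reader, crlTmpl, ca, priv)
	return crlDER, ca, err
}

// checkSerial accepts a CRL only if the CA's signature verifies and NextUpdate has not passed,
// then reports whether serial is listed. A forged or stale CRL is an error, never "not revoked".
func checkSerial(crlDER []byte, ca *x509.Certificate, serial int64, now time.Time) (bool, error) {
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil { return false, err }
	if err := rl.CheckSignatureFrom(ca); err != nil { return false, fmt.Errorf("CRL signature: %w", err) }
	if now.After(rl.NextUpdate) { return false, fmt.Errorf("CRL stale since %s", rl.NextUpdate) }
	for _, e := range rl.RevokedCertificates {
		if e.SerialNumber.Int64() == serial {
			return true, nil
		}
	}
	return false, nil
}
```

Note that a verifier holding only this CRL can prove a serial is revoked, but can prove non-revocation only by trusting that the list is complete and current, which is the weakness the rest of the text addresses.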
A more efficient public-key infrastructure is provided by new technologies for convenient, secure, and cost-effective certificate revocation. To do this, we present three types of contributions:
1. We identify a structural problem potentially affecting traditional CRL-based PKIs, and suggest a variety of ways for fixing it. Essentially we show that, in prior systems, an untrusted Directory cannot answer certain legitimate queries, leaving the systems vulnerable to denial-of-service attacks. Our fixes to this structural problem are quite simple to implement and do not require significant costs.
2. We suggest various improvements to traditional CRL design that yield certificate revocation systems more efficient than the original ones. These improvements do not dismiss CRL constructs, but optimize them (by simply adopting better encodings, utilizing a suitable subset of information, etc.).
3. We put forward totally new systems for certificate revocation that are much more efficient than traditional ones. These systems do not rely on CRLs at all.