Windowed Key Revocation in Public Key Infrastructures
- Format: pdf
- Size: 131.15 KB
- Pages: 14
English translation: Public key systems

The public key cryptosystem is the most important invention and advance of modern cryptography. Cryptography is generally understood as protecting the confidentiality of transmitted information, but today that is only one aspect of the subject. Verifying the true identity of the sender and receiver of information, preventing after-the-fact repudiation of information that was sent or received, and guaranteeing the integrity of data form the other aspect of modern cryptography. Public key cryptosystems give outstanding solutions to both sets of problems and continue to produce many new ideas and schemes. In a public key system the encryption key differs from the decryption key. The encryption key is made public so that anyone can use it, while the decryption key is known only to the person who decrypts. Among all the public key cryptosystems to date, one kind is used far more widely than any other. The public key cryptosystem was proposed in 1976; its principle is the separation of the encryption key from the decryption key. Thus a particular user can publish the encryption key and algorithm he has designed while keeping the decryption key secret. Anyone can use that encryption key and algorithm to send encrypted information to that user, and the user can recover all of it. The advantage of public key cryptography is that the key need not be delivered over a secure channel, which greatly simplifies key management. Its algorithms are sometimes also called public key algorithms or, for short, public-key algorithms. A concrete implementation of public key cryptography, the RSA scheme, was proposed in 1978. The DSA algorithm, proposed in 1991, is also a public key algorithm, with greater advantages in digital signature applications.

In a security system based on a public key system, keys come in pairs, each pair consisting of a public key and a private key. In practice the private key is kept by its owner, while the public key must be published. For businesses based on public key systems (such as electronic commerce) to be widely applied, a fundamental problem is the distribution and management of public keys. A public key carries no marking; from the public key alone one cannot tell who its owner is. In a very small setting, for example a small group of two people A and B who trust each other, exchanging public keys and communicating over the Internet poses no problem. In a slightly larger group, mutual trust may still not be a problem, but from a legal standpoint this kind of trust does have problems. In a still larger group, the owner's name and the public key are bound together and a fair, authoritative organization that everyone can trust is asked to confirm the binding and add its signature. This becomes a certificate. Because the certificate bears the signature of the authoritative organization, everyone considers the contents of the certificate trustworthy; and because the certificate contains the owner's name and other identity information, others can easily learn who the owner of the public key is. The authoritative organization mentioned above is the electronic certification authority, or CA. The CA also owns a certificate (containing a public key) and of course its own private key, so it is able to sign. Public users of the network trust the CA by verifying its signature; anyone should be able to obtain the CA's certificate (containing its public key) in order to verify the certificates it has signed. If a user wants to check whether another certificate is genuine, he uses the CA's public key to verify the signature on that certificate (as noted earlier, the CA's signature is in fact information encrypted with the CA's private key, and verifying the signature is the process of decrypting it with the CA's public key); once the verification passes, the certificate is considered valid. Besides signing certificates, one of the CA's important functions is the management of certificates and keys. As can be seen, a certificate is a user's personal identity card on the electronic network, with a function similar to the personal ID card used in daily life. The CA is equivalent to an online police department that exclusively issues and verifies identity cards.

The security of most cryptographic algorithms rests on certain mathematical hard problems that experts consider impossible to solve in the short term, since some of these problems (such as the factoring problem) have stood for thousands of years. The security of RSA depends on factoring large numbers, but whether it is equivalent to factoring has never been proved theoretically, because there is no proof that breaking RSA necessarily requires factoring a large number. Suppose an algorithm existed that did not need to factor a large number; it could surely be modified into a factoring algorithm. So an important flaw of RSA is that its secrecy cannot be established theoretically, and most in the cryptographic community lean toward the view that factoring is not an NP-complete problem. Currently, some variant RSA algorithms have been proved equivalent to factoring large numbers. In any case, factoring n is the most obvious attack method. People can now factor large numbers of more than 140 decimal digits. Therefore the modulus n must be chosen somewhat large, according to the concrete application. The security strength of the RSA algorithm grows with the key length; but the longer the key, the longer encryption and decryption take. So a decision must be made by weighing the sensitivity of the information to be protected, the cost an attacker would have to spend to break it, and the system's response-time requirements. This is especially so in the business information domain.

Compared with symmetric key cryptosystems, public key cryptosystems do have irreplaceable advantages, but their computational load is far greater, by several hundred, several thousand or even around ten thousand times, and their complexity is much higher. Transmitting all confidential information over the network with a public key cryptosystem is neither necessary nor realistic. Symmetric key cryptosystems have been used in computer systems for many years; the simpler, more reliable, well-tested methods currently in use include block ciphers represented by DES (Data Encryption Standard) (and its extensions DESX and Triple DES); some new methods have also been announced, such as the RC2, RC4 and RC5 algorithms developed by Rivest of RSA; among them RC2 and RC5 are block ciphers, while RC4 is a stream cipher. If two network users exchanging confidential information use a symmetric key cryptosystem (for example DES) and at the same time use the RSA asymmetric key cryptosystem to deliver the DES key, the advantages of both kinds of cryptosystem can be fully exploited, namely the high speed and simplicity of DES and the convenience and security of RSA key management. The RSA algorithm has been widely applied in many aspects of the Internet, including the Secure Sockets Layer (SSL) standard (which must be used for network browsers to establish secure Internet connections). Encryption systems based on the RSA algorithm provide data encryption, digital signature, message source identification and key exchange functions. Currently RSA encryption systems are mainly applied in smart IC cards and network security products. The reason RSA is chosen as the main algorithm of public key encryption systems is the algorithm's good security. When the modulus N is long enough, every interval contains primes whose size approaches N. With a modulus of 1024 bits, the RSA cryptosystem can be considered to offer a sufficiently large key space to obtain random, secure key pairs. Public key encryption systems are used more in distributed computing environments; key distribution and management are easy to implement, and a partial attack is hard to turn into a threat to the security of the whole system. So far there has been no example of an attack breaking a practically applied system.

The RSA algorithm was patented in the United States but not in other countries. The US patent expired on September 20, 2000. On September 6, US local time, the US public key company RSA Security (also called RSA Data Security Inc.) decided to publicly give up the rights to its strictly secret encryption technique. The RSA company's public key encryption rule is a numerical encryption rule of the form "c = m^e mod n"; the public key encryption rule is considered the standard encryption and password technique that guarantees the security of most online electronic commerce. The US Patent Office states that the patent on that encrypted communication system and technique is serial number No. 4405829; the patent was granted to M.I.T. on September 20, 1983, was later bought outright by the public key security company, and its legal power was due to expire on September 20, 2000. Similar to Red Hat's opening of its Linux system resources and other companies' opening of their technical resources, this action of making the encryption rule public will let its rivals embed the encryption technique in their own products. The RSA company announced that its encryption algorithm is public and any development work can use it. Products and solutions based on that algorithm can be sold completely freely in the United States. This lets all companies freely develop security solutions based on it. The algorithm has already been used in the Netscape browser and Microsoft's IE browser, and is currently the main security technique of online transactions. The RSA company's representative Holahan stated that the company's patent had already helped establish reliable security standards for electronic commerce; opening this patented technique now will bring new variety to the industry's security products.

Because people have been working hard to establish public key cryptosystems on other hard problems, so that once some mathematical hard problem is solved in the future there will still be usable cryptographic algorithms, a great many public key algorithms have appeared, including: the knapsack system, the Pohlig-Hellman algorithm, the Rabin algorithm, the ElGamal algorithm, the Schnorr algorithm, the ESIGN algorithm, the McEliece algorithm, the Okamoto algorithm, and RSA and ElGamal algorithms built on elliptic curves over finite fields. We think the RSA algorithm is the best cryptographic algorithm at present: it can not only be used as an encryption algorithm but also for digital signatures and for key distribution and management, whereas DSA is suited to signing and its security strength and speed are both inferior to RSA. The security strength of elliptic curve public key cryptosystems depends on the choice of curve and of system; we believe it will have higher security strength, and elliptic curve cryptosystems with characteristic above 200 already have very high security strength at present. Almost all practical public key cryptosystems involve large-number arithmetic and the choice of primes; primality testing generally adopts the Rabin-Miller algorithm, and other primality tests, such as the Solovay-Strassen test and the Lehmann test, are also used to choose large primes.

Because the public key need not be kept secret, a hacker may impersonate someone else with his own public key and mount an attack; this is the main risk of this mode. To guard against this kind of attack we adopt public key certificates. A certificate is a set of digitized data that specifies a particular public key together with the name of a single computer or host. The name and key are protected by the digital signature of a trusted third party: the certification authority (CA). Most major vendors in the public key field can become certification authorities; they can install their credentials in web browsers. Other organizations can ask these vendors to sign certificates for them, and when a standard browser is used these certificates will take effect. Moreover, an enterprise can also buy software to sign certificates itself. However, to use them, the credentials of whoever signed these certificates must be installed in any software that needs to verify them (such as a web browser).

Another problem with public keys is the revocation of keys over a long period. Public keys are very easy to create and sign; the cost lies mainly in the process of revoking keys. Because public keys need not be kept secret when signed, users can freely duplicate and sign them so that other users can obtain them when needed. However, if a public key needs to be replaced, someone else can impersonate the owner of the key and deceive anyone who uses that public key. If the owner becomes aware of this problem and tries to replace the private key, he must in some way contact everyone who has ever obtained the old public key to ensure that others no longer use it. Most public key systems now rely on revocation lists to identify public keys that should no longer be used. These lists resemble the thick booklets once used by credit card merchants: the booklet listed the numbers of all lost or stolen credit cards, and merchants would look in it to check whether a given card was stolen. Although other online certificate verification techniques have appeared, there is not yet a fully satisfactory solution applied in practice.

Source of the translation: Public key systems. The public key cryptosystem is the most important invention and advance of modern cryptography.
Public-Key Cryptography Standards (PKCS). Compiled by Hanyil, all rights reserved.

Since the wide acceptance of public-key cryptography has become a fact, developing it into a widely applied technology requires standards that support interoperability. Even if all users agreed on public-key cryptography, making the various implementations compatible with one another would still be unavoidable. Interoperability requires that data be transmitted strictly according to an accepted standard format; the standards described here provide the basis for that interoperability. They are called the Public-Key Cryptography Standards (PKCS). These standards cover RSA cryptography, Diffie-Hellman key exchange, password-based encryption, extended-certificate syntax, cryptographic message syntax, private-key information syntax, certification request syntax, selected attributes, cryptographic tokens and elliptic curve cryptography.

PKCS is a series of standards drawn up by RSA Laboratories together with other security system developers to promote the development of public-key cryptography; it is the earliest public-key cryptography standard and one of the most important standards in the development of public-key cryptography. Since being published in 1991 by early users of public-key cryptography as the result of a meeting, the PKCS documents have been widely cited and implemented. Parts of many formal and informal industry standards, such as ANSI X9, PKIX, SET, S/MIME and SSL, were drawn up with reference to PKCS. RSA Laboratories played a very important role in the standardization process: it published carefully written standard descriptions; retained decision-making authority over the process; collected the modifications and extensions proposed by other developers; released revised versions of the standards when appropriate; and provided reference material and guidance for implementing the standards.

PKCS has so far published 15 standards, each of which has been revised several times; some documents are still being modified and drafted. The 15 standards are as follows:
• PKCS #1: RSA Cryptography Standard
• PKCS #2: merged into #1.
• PKCS #3: Diffie-Hellman Key Agreement Standard
• PKCS #4: merged into #1.
• PKCS #5: Password-Based Cryptography Standard
• PKCS #6: Extended-Certificate Syntax Standard
• PKCS #7: Cryptographic Message Syntax Standard
• PKCS #8: Private-Key Information Syntax Standard
• PKCS #9: Selected Attribute Types
• PKCS #10: Certification Request Syntax Standard
• PKCS #11: Cryptographic Token Interface Standard
• PKCS #12: Personal Information Exchange Syntax Standard
• PKCS #13: Elliptic Curve Cryptography Standard
• PKCS #14: Random Number Generation Standards (pseudo-random number generation)
• PKCS #15: Cryptographic Token Information Format Standard

PKCS compared with other standards (columns of the original table: PKCS #1, 3, 5, 6, 7, 8, 9, 10, 11, 12, 15, and other standards):
• Algorithm-independent syntax: digital signature messages; digital envelope (encrypted) messages; certification requests; digital certificates (X.509, RFC 1422); extended certificates; certificate revocation lists (X.509, RFC 1422); private-key encrypted information; cryptographic tokens; personal information exchange; key exchange messages ([ISO90a], [ISO90b]).
• Algorithm-specific syntax: RSA public key; RSA private key.
• Algorithms: message digest: MD2, MD5 (RFCs 1319, 1321); secret-key encryption: DES (RFC 1423, [NIST92a]); public-key encryption: RSA; signature: MD2, MD4, MD5 with RSA; password-based encryption; D-H key exchange.

PKCS #1: RSA Cryptography Standard. Versions 1.0 to 1.3 were released for the public-key cryptography standards meetings held by RSA Data Security, Inc. in February and March 1991.
X.509 and PKI

A Public Key Infrastructure (PKI) is an infrastructure built on public-key theory and technology that provides security services such as encryption and digital signatures. It is based on public-key cryptographic algorithms, combined with symmetric algorithms, digest algorithms and so on, and uses digital signatures, digital certificates and related techniques to guarantee the confidentiality, integrity, non-repudiation and identity authentication of data transmitted over the network.

1. Basic protocols of PKI. PKI rests on many underlying protocols, such as ITU-T X.680 Abstract Syntax Notation One (ASN.1), ITU-T X.690 ASN.1 Encoding Rules (the data encoding standard) and the ITU-T X.500 series of standards. The ITU X.509 protocol is the most widely used and most fundamental protocol in the PKI technical system. Its main purpose is to define a standard digital certificate format so as to provide a means of authentication for directory services based on the X.500 protocol. A standard X.509 digital certificate consists of the user's public key and the user's identifier, and also includes the version number, certificate serial number, CA identifier, signature algorithm identifier, issuer name, certificate validity period and so on.

The first version of the digital certificate, X.509v1, was released in 1988; in 1993 the ITU published X.509v2, which enhanced support for directory access control and authentication. X.509v3 (released in 1997) supports the concept of extensions, providing more flexibility and the information transfer needed in special environments. The public-key certificate defined by X.509v3 adds several reserved extension fields compared to the X.509v2 certificate, such as: identity of the issuer or certificate user, key identifiers, user or public-key attributes and so on. X.509v3 also extended the CRL structure. The latest version, X.509v4, was released in May 2000. While extending X.509v3, X.509v4 introduced the Privilege Management Infrastructure (PMI) and an authorization model. PMI is built on the trusted identity authentication service provided by PKI and uses attribute certificates (AC) to manage the authorization of user access.
"Information Security Theory and Technology" exercises and answers. Textbook: Introduction to Information Security, Duan Yunsuo, Wei Shimin, Tang Liyong, Chen Zhong, Higher Education Press.

Chapter 1 Overview (Exercise 1, p. 11)

1. What are the goals of information security?
Answer: The goals of information security are to protect the confidentiality, integrity, non-repudiation and availability of information; some hold that they are confidentiality, integrity and availability, i.e. CIA (Confidentiality, Integrity, Availability). Confidentiality means ensuring that information is not accessed without authorization; even if an unauthorized user obtains the information, they cannot learn its content and therefore cannot use it. Integrity means maintaining the consistency of information, i.e. information should not be subject to unauthorized tampering, whether human or non-human, during generation, transmission, storage and use. Non-repudiation means ensuring that a user cannot later deny having generated, signed, received, etc. the information; it is a security requirement concerning the authenticity and identity of each communicating party's information. Availability means ensuring that information resources can provide service at any time, i.e. authorized users can access the information they need whenever necessary.

2. Briefly describe the discipline structure of information security.
Answer: Information security is an interdisciplinary subject involving theory and applied knowledge from many fields. Besides natural sciences such as mathematics, communications and computer science, it also involves social sciences such as law and psychology. Information security research can be roughly divided into basic theoretical research, applied technology research and security management research. Basic theoretical research includes cryptography and security theory; applied technology research includes security implementation technology and security platform technology; security management research includes security standards, security policy, security evaluation and so on.

3. What is the relationship between information security theory, technology and application? How is it reflected?
Answer: Information security theory provides the theoretical basis for information security technology and applications. Information security technology is the embodiment of information security theory and provides the technical basis for information security applications. Information security applications are the concrete practice of information security theory and technology. The relationship among them is reflected through security platforms and security management. Research results in security theory provide the theoretical basis for building security platforms. Research results in security technology directly provide the technical basis for platform protection and detection. Platform security involves not only physical security, network security, system security, data security and perimeter security but also the security of user behaviour; security management includes security standards, security policy, security evaluation and so on.
RSA and network security

RSA (Rivest-Shamir-Adleman) is an asymmetric encryption algorithm widely used in the field of network security. It uses two keys: one to encrypt data, called the public key, and another to decrypt data, called the private key. The RSA algorithm guarantees the confidentiality and integrity of data and also provides digital signature and authentication functions that can be used to establish secure communication.

First, the RSA algorithm achieves data encryption and decryption by generating a key pair. The public key is public and used to encrypt data, while the private key is secret and used to decrypt data. Only the holder of the private key can decrypt data encrypted with the public key, so even if the data is intercepted, the original data cannot be recovered.

The RSA algorithm relies on the intractability of a mathematical problem to guarantee data security. It uses the factoring problem involving large primes to construct the encryption algorithm. Typically, when generating a key pair, two large primes are chosen and a series of complex calculations based on them yields the public and private keys. Because of the difficulty of the factoring problem, only the correct private key can effectively decrypt the data.

Another important feature of RSA is the digital signature. A digital signature can verify the sender of data and ensure its integrity and authenticity. The sender signs the data with the private key, and the receiver verifies the validity of the signature with the public key. If the data is tampered with in transit, the digital signature becomes invalid and the receiver can detect this immediately.

In addition, RSA can be used to establish secure communication connections. Both parties can exchange public keys and encrypt data with the other party's public key. This ensures that only the receiver holding the private key can decrypt the data, protecting its confidentiality.

However, RSA also has some limitations. Because generating a key pair is computationally expensive, it may cause performance problems in large-scale applications. Therefore shorter key lengths are often used to improve performance, but this may reduce security. In addition, RSA can only guarantee the confidentiality and integrity of data; its protection of availability is weak. In some cases it may be necessary to combine other encryption algorithms and security mechanisms to meet overall security requirements.

In summary, RSA is an asymmetric encryption algorithm widely used in network security. By encrypting data with the public key and decrypting it with the private key, it guarantees the confidentiality and integrity of data. RSA also provides digital signature and authentication functions, ensuring the authenticity of data and the legitimacy of the sender.
SSL handshake failed: SSL error: a key usage violation was detected in the certificate.

Problem: an SVN server created on Windows cannot be connected to from a Linux client.

Cause: the certificate created on Windows cannot be recognized correctly by Linux, so the certificate has to be changed so that both sides can recognize it.

The fix is as follows (a solution found online, kept here as a reminder):

Note
The GnuTLS library is an alternative to OpenSSL. Most Subversion clients for Windows are built against OpenSSL and are not affected by this issue, while some Subversion packages (available mostly on Linux-based operating systems such as Ubuntu and Debian) are built against GnuTLS and are affected.

Technical background
During the initial setup VisualSVN Server 2.5 generates a self-signed certificate and adds it to the Trusted Root Certification Authorities store on the local machine. To avoid possible security issues, VisualSVN Server makes this self-signed certificate valid for server authentication only (by specifying the 'Key Usage' extension). Subversion clients built against GnuTLS don't recognize such a certificate and the error occurs.

Workaround
It's not recommended to use a self-signed certificate in a production environment. We advise using a certificate issued by your domain or a third-party certificate authority instead of a self-signed one. If you have to use a self-signed certificate, follow these instructions to generate a certificate without the 'Key Usage' extension:
1. Add the following registry value to the Windows registry:
for 32-bit systems:
[HKEY_LOCAL_MACHINE\SOFTWARE\VisualSVN\VisualSVN Server]
"CreateGnuTLSCompatibleCertificate"=dword:00000001
for 64-bit systems:
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\VisualSVN\VisualSVN Server]
"CreateGnuTLSCompatibleCertificate"=dword:00000001
2. Start VisualSVN Server Manager.
3. Go to Action | Properties | Certificate.
4. Click Change certificate... and follow the wizard instructions to generate a new self-signed certificate.
The certificate will be generated without the 'Key Usage' extension and will be compatible with both GnuTLS and OpenSSL.
Windowed Key Revocation in Public Key InfrastructuresPatrick McDaniel Sugih JaminElectrical Engineering and Computer Science DepartmentUniversity of MichiganAnn Arbor,MI48109-2122pdmcdan,jamin@October12,1998AbstractA fundamental problem inhibiting the wide acceptance of a Public Key Infrastructure(PKI)in the Internet is the lack of a mechanism that provides scalable certificate revoca-tion.In this paper,we propose a novel mechanism called Windowed Revocation.In windowed revocation,certifi-cate revocation is announced for short periods in periodic Certificate Revocation Lists(CRLs).Due to the assur-ances provided by the protocol over which certificates are retrieved,we bound the amount of time that any certificate is cached by users.Thus,we can limit the announcement of revocation only to the time in which the certificate may be cached;not until its expiration.Because the time in which certificate are announced is short,CRLs are sim-ilarly small.By limiting the size of CRLs,we are able to integrate other mechanisms that increase the scalability of the PKI.One such mechanism is the use of“pushed”CRLs using multicast.We include a proof of the correct-ness of our approach.1IntroductionOver the past several years,the use of distributed ap-plications has grown immensely.These applications al-low geographically distant users to communicate,leading to social,educational,and commercial interactions that were previously impossible.Unfortunately,because of the openness of the Internet,the form and content of these interactions is vulnerable to attack.Limiting these vulner-abilities is essential to the future success of these applica-tions.A popular approach to securing communication over large networks is to use public keys.Researchers and standards bodies have argued at great length over possi-ble architectures for providing an authentication service under which public key certificates can be securely dis-tributed.A central point of contention in these discussions is the 
mechanisms over which public keys are revoked.A certificate is a data structure that defines an associ-ation between an entity(the principal)and a public key.A trusted authority,called a Certificate Authority(CA), states its belief in the validity of the association by digi-tally signing the certificate.Certificate revocation is the mechanism under which a CA can revoke the association before its documented expiration.The CA may wish to revoke a certificate because of the loss or compromise of the associated private key,in response to a change in the owner’s access rights,or strictly as a precaution against cryptanalysis.As stated by the CA,the revocation state of a certificate indicates the validity or cancellation of its association.A verifier determines the revocation state through the verification of the certificate.In this paper we investigate windowed revocation,a novel approach to certificate revocation within a global certificate distribution service,called a Public Key Infras-tructure(PKI).The central design objectives of windowed revocation are:1.Correctness-All entities within the PKI must beable to correctly determine the revocation state of a certificate within well-known(time)bounds.2.Scalability-The costs associated with the manage-ment,retrieval,and verification of certificates should increase at a slower rate than the size of the serviced community.3.Flexibility-Windowed revocation must be able tosupport mechanisms consistent with existing secu-rity policies and requirements.As with many security solutions,certification revoca-tion mechanisms are subject to the fundamental tradeoff between security and scalability.Solutions with strict security objectives require more resources than systems with more relaxed security objectives.Thus,security re-quirements have a direct influence on scalability.Our pro-posed architecture provides aflexible framework for man-aging this tradeoff by incorporating the following design principles into the key revocation 
mechanism:1.Revocation window:By bounding the time overwhich the revocation of a certificate is announced, we limit the size of such announcements.2.Push delivery:With limited revocation announce-ment size,we can contemplate the active delivery of this information to verifiers.This reduces the load on the CAs by curtailing the number of verifier initiated retrievals.3.Certificate caching:A cached certificate may beused until it expires,is revoked,or the issuer speci-fied TTL is reached.The expiration of a time-to-live indicates that the associated entity’s policy requires the certificate to be re-validated.4.Scheduled Announcement:By stipulating that CAsgenerate revocation announcements at a documented schedule,we allow verifiers to detect lost announce-ments.5.Multicast delivery:Given verifiers’ability to detectmissing revocation announcements,we can use unre-liable transport protocol without sacrificing the secu-rity of certificate revocation.This allows us to use IP multicasting,where available,to further reduce the bandwidth requirements of the revocation mech-anism.zy verification:Verification of a cached certifi-cate’s revocation state may be postponed until the certificate is to be used.7.Revocation aggregation:Revocation announce-ments from multiple sources are aggregated by higher level authorities.In the next section,we discuss the design tradeoffs of revocation mechanisms in general and outline the advan-tages of our windowed revocation mechanism over other approaches proposed in the literature.In Section3we de-scribe the working of windowed revocation and provide a formal proof of the correctness of the mechanism.Sec-tion4discusses protocol issues and presents windowed revocation as a X.509v3[HFPS98]extension.Section5 gives a brief overview of related work.We conclude this paper in Section6.2Design TradeoffsWe recognize two fundamental approaches used to dis-tribute revocation state:explicit and implicit.Systems us-ing explicit revocation require all 
parties to verify the state each time a certificate is used.In X.500based systems, such as Privacy Enhanced Mail(PEM)[Ken93],each CA periodically generates a list of certificates that have been revoked,but have not yet expired.The presence of the certificate in the list,1called a Certificate Revocation List (CRL),explicitly states revocation.Verifiers retrieve and cache the latest CRL during the certificate verification process.Thus,the frequency with which the CA generates CRLs bounds the time in which a revoked certificate can be used.A revoked certificate is included in a CRL from the time it is revoked until it ex-pires.Because the length of time a certificate may be valid is commonly measured in years,CRLs can become large. In an effort to reduce the costs of CRL processing,some systems present revocation information in authenticated dictionaries[NN98,Koc98,Mic96].Using authenticated dictionaries,verifiers interactively construct a proof of the presence or absence of the certificate in the CRL.They need not retrieve the entire CRL,but request only enough information to validate the certificate.However,these ap-proaches are not without cost;they often involve heavy-weight cryptographic operations,long interactive proto-cols,and/or significant CA resources.In PKI architectures that employ implicit revocation, the revocation state is implicitly stated in a verifier’s abil-ity to retrieve the certificate.Any certificate retrieved from the issuing CA is guaranteed to be valid at the time of retrieval.Associated with each certificate is the TTL which represents the maximum time the certificate may be cached.This bounds the time that a revoked certifi-cate may be used without detection.The Secure DNS (DNSSec)[Gal96,EK99]architecture uses implicit key revocation.A central parameter to PKIs employing implicit revo-cation is the length of the certificate TTL.PKI adminis-trators must trade-off security(as stated by the bound on revoked certificate use)with the frequency 
of retrieval.A long TTL may expose the verifier to a revoked certificate.A short TTL requires the verifier to retrieve the certifi-cate frequently,thus limiting the scalability of the PKI.In extant systems,each retrieval requires heavyweight oper-ations by the verifier,the CA,or both.Windowed revocation uses a hybrid of both explicit and implicit revocation.Similar to explicit approaches, windowed revocation uses CRLs to announce revocation. CRLs are generated at a documented rate,and revocation is indicated by the presence of the certificate’s associated serial number.Similar to implicit approaches,windowed revocation requires the successful retrieval of a certificate to implicitly state the validity and freshness of the cer-tificate.Also similar to implicit approaches,windowed revocation allows verifiers to re-acquire certificates at fre-quencies commensurate with their security requirements.Explicit Revocation (Traditional CRL)Windowed Revocation8 )Revocation Implicit RevocationPeriodic CRL Figure 1:Implicit,explicit,and windowed revocation in PKI architectures.Different from implicit approaches,windowed revo-cation does not require re-acquisition of certificates at fixed intervals.Instead,windowed revocation allows for the freshness of a certificate to be re-asserted with each statement of its validity via CRL.Different from explicit approaches,windowed revocation limits the period over which a certificate’s revocation is announced.In win-dowed revocation,the size of a certificate’s revocation window is assigned by the issuing authority and is doc-umented within the certificate.By bounding the time that each revoked certificate must be included in the periodic CRLs,we reduce the size of each individual CRL.Be-cause of the small CRL size,we can actively deliver CRLs to verifiers.We illustrate implicit,explicit,and windowed revoca-tion in Figure 1.In the figure we show the lifetime of a certificate ,which has a documented validity period from notBefore ()to 
notAfter ( ). At time , is revoked. Assume is verified at times and in each example.

In implicit revocation, the user securely retrieves and caches at time . No further verification is performed between and . After the freshness TTL expires at time , the certificate is dropped. The certificate need not be re-acquired until it is needed again at time . Because verification is performed only during retrieval, the revocation of will not be discovered until it is dropped at time and re-acquired afterward. We call the bound on the longest time a revoked certificate may be used the window of vulnerability . For implicit revocation, the window of vulnerability is exactly the freshness TTL ( ).

In explicit revocation, the certificate and the last generated CRL are retrieved at time . Each subsequent use ( ) of the certificate requires that the most recent CRL be checked for a revocation announcement. Because a cached certificate is only authenticated as required by use, there is no bound on the time in which a CRL will be retrieved by the user. Therefore, the CA must announce the revocation from the CRL immediately following the revocation until the certificate expires ( to ). Because CRLs are the only medium from which revocation state can be obtained, the window of vulnerability in explicit revocation is equal to the periodicity of CRL publication (see Section 3.4 for a correctness proof).

Windowed revocation bounds the time for which a certificate may be cached through the revocation window . When the certificate is retrieved ( ) it is guaranteed to be fresh and unrevoked. After revocation ( ), the CA need only include the certificate in the CRL for the revocation window ( to ). The CA knows that one of the following cases occurred for every host caching the certificate: 1) a CRL was received within the revocation window, and was dropped, or 2) the revocation window has expired, and was dropped. In either case, windowed revocation stipulates that the certificate will no longer be cached by any host at the end of the
revocation window, hence the CA can discontinue announcing the revocation. After the revocation window has been reached, the CA may remove the revoked certificate from its internal lists. No master list of revoked certificates is required. Similar to explicit revocation, the window of vulnerability in windowed revocation is equal to the periodicity of CRL publication.

For reasons of policy or inter-operability, a CA may wish to provide exclusively implicit or explicit revocation. These requirements can be met by the proper manipulation of the revocation window. By setting the revocation window equal to or greater than the validity period of a certificate, explicit revocation can be achieved. A converse manipulation of the window yields strictly implicit revocation. We detail the operation and implications of revocation window configuration in Section 3.5.2.

3 Architecture

In this section we describe the design and operation of our key revocation mechanism. For investigative and illustrative purposes, we define a simple Public Key Infrastructure architecture called Key Distribution Hierarchy (KDH). While we study the operation of windowed revocation within KDH, windowed revocation is not dependent on KDH.

3.1 Key Distribution Hierarchy

The hierarchy of KDH is similar to the ICE-TEL [CY97] PKI, but avoids many of the complexities of its construction. We provide a more thorough comparison of KDH and ICE-TEL, as well as a thorough description of the architecture, the certificate retrieval protocol, and related policy issues in [MJ98].

[Figure 2: Internet Level Architecture]

KDH introduces a two level hierarchy consisting of the keyserver level and the enterprise level. The keyserver level contains a set of servers from which enterprise and keyserver certificates can be retrieved. The enterprise level contains independent hierarchies of end users. In ICE-TEL parlance, each keyserver corresponds to a PCA, and each enterprise corresponds to a security domain. Figure 2 describes an Internet-centric view of one
possible configuration of the architecture. In the figure, a link between two entities represents an exchange of digital signatures, where each end-point signs and permanently caches the other's certificate. The exchange of certificates and signatures is called registration.

KDH stipulates that keyservers form a fully-connected graph of peers, where all keyservers have exchanged certificates with all others. By mandating a fully-connected graph, we limit the length of the certification path used in the retrieval and verification of a certificate. An authenticated certificate of any keyserver can be retrieved from any other keyserver.

[Footnote 2] each enterprise contains only one enterprise root. In larger enterprises, it may be necessary to replicate this service.

As determined by need, users and hosts may belong to multiple enterprises. For example, users may belong to different enterprises in which they perform professional and personal related activities. All certificates for entities within an enterprise are permanently stored at the enterprise root. When a local host registers its public key with the enterprise, they mutually authenticate and sign each other's certificates. When an external entity requests a certificate for one of these hosts, the enterprise root will respond with the stored certificate. If the root is properly placed (e.g. at a network border), very little traffic should be generated by external requests on the enterprise network.

Hosts internal to the enterprise directly contact the local service (enterprise root) to make requests for internal or external certificates. Retrieved certificates are cached at the enterprise root and each end user host. Detection of the revocation of cached certificates is described in Section 3.3.

While in the preceding architectural overview we have described each CA as a single entity, in practice it consists of two components: a CA and a directory service [BAN90]. The CA performs the mission critical duties of certificate signing and CRL generation, communicating only with
the directory service. The directory service acts as the distribution point for certificates and CRLs. When retrieving certificates, verifiers assume complete trust in the CA, and a limited form of trust in the directory service. The directory is trusted to correctly advertise certificates and CRLs, and the CA is trusted to comply with procedures outlined in its policy statement. We see policy compliance failures [Dav96] as orthogonal to our investigation. For ease of exposition and without loss of correctness, we continue to treat the CA and directory as a single logical entity in the remainder of this paper.

3.2 Certificate Retrieval Protocol

As is the case with most PKIs, certificate retrieval in KDH is accomplished by the collection and authentication of signed certificates. The verifier logically traverses a graph representing signature exchanges between the enterprises and keyservers, collecting certificates at each hop. Each certificate's signature is verified and the appropriate CRLs are consulted. If all certificates are authentic and unrevoked, the user is free to use them. We now present a step by step description of this process.

[Footnote 4] We note the possibility of reducing the number of round-trips during the retrieval/verification process by consolidating requests. For clarity, the operational descriptions below will treat each request independently.

tain and authenticate the certificate of a host in enterprise . begins by requesting from the certificate of (step 1 in Figure 3). forwards the request to , returning the results to (steps 2-4). then determines that the certificate of is needed, and repeats the request process, specifying that the certificate be retrieved from the keyserver (steps 5-8). Based on the keyserver information returned in the request, notes that both enterprises share the keyserver . As stated in the local host policy, determines that this is an acceptable relationship because they share a common keyserver, which it trusts. Finally, requests and receives the certificate for
keyserver (steps 9 and 10 in Figure 3). Having assembled all the certificates, recursively authenticates the digital signatures. Based on the results of the authentication, may initiate some secure action using the certificate.

In [MJ98], we discuss the cases when the enterprise of a verifier host and the enterprise of the requested certificate do not share a common keyserver (in terms of registration) and when more than one certificate for a single target is received with valid signatures. For brevity, we do not include the discussion of these cases here.

3.3 Certificate Revocation Protocol

In windowed revocation, we use explicit notification as the primary revocation mechanism. CRLs are generated per the schedule documented in the associated certificate. These CRLs are then delivered on keyservers' announcement groups. We require each entity holding a cached certificate to listen for revocation announcements from the corresponding keyserver. We explore two other CRL distribution mechanisms and evaluate their potential scalability problems in Section 3.5.1.

The generation and delivery of CRLs from source enterprise to verifier host is demonstrated through the following example. The key distribution hierarchy used in the previous example is depicted in Figure 4 along with the keyserver's announcement group. The hierarchy consists of a keyserver , two enterprises ( ), and two hosts ( of enterprise and of ). Continuing with the example in the previous section, at some point after host acquired certificate , is revoked. Subsequent to the revocation of , requests for 's certificate will return either a newly generated (with a unique serial number), or an error if no new certificate for has been created. Whether a new certificate for is generated or not, the next scheduled CRL from will include the revocation of the old .
Each CRL generated by is reliably unicast to all keyservers with which it has registered, which in this example is only (step 1). The keyserver stores the CRL from enterprise in preparation for the publication of the next keyserver CRL (see Section 3.3.1).

[Figure 4: Certificate revocation delivery. After its revocation, certificate is included in subsequent CRLs generated for the local enterprise ( ). Each CRL is reliably unicast by the enterprise root ( ) to all keyservers with which the enterprise has registered ( ). The enterprise CRL is summarized (with CRLs from other enterprises) and included in the keyserver CRL. The resulting keyserver CRL is multicast to all interested parties.]

When the next keyserver CRL is generated, the CRL from enterprise containing the revocation of is included. The keyserver then multicasts the CRL over the keyserver announcement address (step 2). The scalability of traditional PKIs is limited by the requirement that verifiers actively retrieve CRLs. We use push delivery in windowed revocation to enable passive verification. If a pushed CRL is lost in transit and it is required by a verifier, the verifier may retrieve it from the CA (or refresh the certificate by re-acquiring it). Hence CRL delivery may use an unreliable transport protocol, such as IP multicasting.
Note that the use of an unreliable transport protocol does not affect the security of CRL delivery (see Sections 3.5.1 and 4.1).

Revoked certificates are included in the scheduled CRLs for a period equal to their revocation window. The revocation window of each certificate is documented in the certificate. The revocation window limits the length of time a certificate may be cached without the holder of the cached certificate receiving an associated CRL. Because revocation is explicitly stated in the CRL only for this period, the verifier will have no means of determining the correct revocation state afterwards. Therefore, if a verifier does not receive an associated CRL during the revocation window, it must drop the certificate from its cache.

When the CRL associated with a certificate cannot be obtained, the certificate must be re-acquired. As CAs are prohibited from advertising revoked certificates, and the retrieval process is freshness protected (see Section 4.1), all retrieved certificates are guaranteed to be both fresh and unrevoked. Therefore, if a recent CRL cannot be obtained, the revocation state can be determined by the direct acquisition of the certificate.

By providing low cost delivery of CRLs in the average case (multicast keyserver CRL delivery), we avoid the vast amount of active CRL retrievals normally associated with traditional PKI architectures. In the aberrant case, where the most recent CRL has not been received, we provide a means of recovery through direct retrieval.
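The CA-side bookkeeping that the revocation window makes possible, as an added example that is not the paper's or KDH's own code: a revoked serial is carried in the next `window` scheduled CRLs and then discarded, so the issuer never accumulates a master list of revoked certificates. The class name `WindowedCA`, the abstract integer ticks, and the constructed serials and revocation times are assumptions of this illustration; the publication period and the window counted in publications follow the certificate fields the text describes. A window of zero, the strictly implicit configuration mentioned in Section 2, announces nothing.

```python
"""CA-side windowed CRL generation (added illustration, not the paper's code).

A revoked serial is listed in the next `window` CRLs and then forgotten, so
no master revocation list is needed. Times are abstract ticks; the CRL
publication period and the revocation window (in publications) mirror the
certificate fields described in the text.
"""


class WindowedCA:
    def __init__(self, period, window):
        self.period = period        # ticks between CRL publications
        self.window = window        # publications a revocation stays listed
        self.pending = {}           # serial -> publications still owed
        self.published = []         # (publication time, frozenset of serials)

    def revoke(self, serial):
        if self.window <= 0:
            return                  # strictly implicit: never announced
        # a serial revoked twice is still listed for only one window
        self.pending.setdefault(serial, self.window)

    def publish(self, now):
        crl = frozenset(self.pending)      # everything still inside its window
        for serial in list(self.pending):
            self.pending[serial] -= 1
            if self.pending[serial] == 0:
                del self.pending[serial]   # window closed: CA forgets it
        self.published.append((now, crl))
        return crl

    def run(self, events, until):
        """Publish every `period` ticks from 0 to `until`, applying the
        revocations (serial, time) that occurred before each publication."""
        events = sorted(events, key=lambda e: e[1])
        for now in range(0, until + 1, self.period):
            while events and events[0][1] < now:
                self.revoke(events.pop(0)[0])
            self.publish(now)
        return [(t, sorted(crl)) for t, crl in self.published]


def example_schedule():
    # Constructed scenario in the style of the paper's Figure 5: period 1,
    # window 2; C1 revoked between t=2 and t=3, C2 between t=3 and t=4.
    ca = WindowedCA(period=1, window=2)
    return ca.run([("C1", 2.5), ("C2", 3.5)], until=6)


def listed_in(schedule, serial):
    """Publication times at which `serial` appears in a CRL."""
    return [t for t, crl in schedule if serial in crl]


if __name__ == "__main__":
    for t, crl in example_schedule():
        print(f"t={t}: CRL {crl or '<none>'}")
```

With window 2, C1 is announced only in the CRLs published at t=3 and t=4 and C2 only at t=4 and t=5; by t=6 the CA's pending set is empty again, which is exactly the property that lets it discard revoked certificates from its internal lists.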
The CRL publication period and revocation window are documented as additional fields in all certificates within the PKI. The CRL publication period is the length of time, in minutes, between each new CRL publication. The revocation window is the number of CRL publications in which a revocation is included. Additionally, keyserver certificates contain a CRL announcement address. The CRL announcement address is the identity of the group over which CRLs are delivered (see Section 4.2).

In the following sections, we outline the Windowed Revocation protocol and supporting features. The next two sub-sections describe CRL generation and distribution within KDH. We conclude this sub-section by outlining the cache management policy.

3.3.1 Keyserver CRL Generation

Traditional CRL revocation requires hosts wishing to validate certificates from potentially many CAs to retrieve and validate as many CRLs as the number of CAs involved. In attempting to address this and other limitations, the IETF Public Key Infrastructure Working Group (PKIX) provides the Indirect CRL extension [HFPS98].
Using Indirect CRLs, a CA may delegate CRL generation to other entities. We extend this approach by stipulating a priori indirect CRLs. Keyservers aggregate CRLs by collecting all the CRLs of enterprises that have registered with them. After the authenticity of each enterprise CRL has been verified, the enterprise revocation information is incorporated into the keyserver CRL. By allowing the keyserver to authenticate enterprise revocation information, verifiers need not collect or verify each enterprise CRL.

Each keyserver generates CRLs at the documented CRL publication period. The keyserver CRL contains revocation state of certificates belonging to enterprise roots that have been registered with the keyserver, summary in-

[Figure 5: Example CRL generation. In this example, we show the revocation of certificates and and their inclusion in subsequent CRLs. Timeline from t to t+6; CRL publication period for C1 and C2; marked events "Certificate C1 revoked" and "Certificate C2 revoked"; the CRL contents published in each period.]

1. If the last published CRL has been received from the CA and the certificate has not been revoked, it can continue to be used.

2. If the last published CRL has not been received:

   (a) If the difference between the current time and the last received CRL is less than the revocation window, the last published CRL is retrieved. Once retrieved, the CRL is used to determine the revocation state of the certificate.

   (b) If the difference between the current time and the last received CRL is greater than the revocation window, the certificate is dropped and must be re-acquired. The expiration of a certificate window indicates that revocation announcements for the associated certificate may have been lost.

   (c) If the last published CRL cannot be retrieved, the certificate is dropped from the cache, and must be re-acquired from the CA.

At the time of retrieval, two timers are associated with each cached certificate. For host and enterprise certificates, the clean timer is set to the CRL publication period of
the enterprise ( ) plus the publication period of the keyserver ( ). This ensures that all hosts listening to the keyserver announcement address receive keyserver CRLs before the clean timers expire. The revocation window timer is set to the revocation window ( ) multiplied by the enterprise CRL publication period. The time of the enterprise CRL publication is denoted . As CRLs arrive, the clean timer associated with each unrevoked certificate is reset to . After receiving a CRL, the revocation window timer is reset to . Revoked certificates are removed from the cache.

As clean timers expire, the associated entries are marked "dirty". In the normal case, keyserver CRLs are received regularly, and cached certificates will never be marked dirty. Certificates not marked dirty were not revoked at the time the last CRL was generated, and may continue to be used.

When a dirty certificate is requested by a verifier and the certificate's revocation window timer has not expired, the host attempts to validate the certificate by retrieving the most recent CRL. If the CRL is successfully retrieved, all relevant cache entries are updated, and the certificate is returned to the end-user. If the CRL cannot be retrieved, the entry is dropped from the cache, and must be re-acquired using the certificate retrieval protocol described in Section 3.2.

If the revocation window timer of a certificate has expired, hosts cannot determine the revocation state of this certificate using the latest CRL. In this case, the certificate is dropped from the cache, and must be re-acquired.

We now illustrate the certificate cache management process with an example. In Figure 5, we describe a series of events involving a certificate caching host. In this example, the CRL publication period for the CA associated with certificates and is equal to 1 (where a CRL is generated at ). The revocation window documented in each of certificates and is 2 (periods). Between and , certificate is revoked. Between and , certificate is revoked. The CRLs published by
the CA at time and will contain the revocation of certificate , while the revocation state of certificate will be in-
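The verifier-side cache rules above (cases 1, 2a, 2b and 2c, the clean timer and the revocation window timer) as an added example, not code from the paper or from KDH. The class names `CachedCert` and `CertCache`, the integer ticks, and the `fetch_crl`/`fetch_cert` callbacks standing in for the retrieval protocol are assumptions of this illustration, as is resetting both timers on CRL arrival with the same formulas used at retrieval time (the text gives the reset values as symbols that did not survive extraction). The scenarios at the bottom are constructed: a lost keyserver push after a revocation, a whole window with no CRL, and an unobtainable CRL.

```python
"""Verifier-side cache management for windowed revocation (added example)."""
from dataclasses import dataclass


@dataclass
class CachedCert:
    serial: str
    ent_period: int = 1      # enterprise CRL publication period (ticks)
    ks_period: int = 1       # keyserver CRL publication period (ticks)
    window: int = 2          # revocation window, in enterprise publications
    clean_deadline: int = 0
    window_deadline: int = 0
    dirty: bool = False

    def reset_timers(self, now):
        # clean timer: one enterprise plus one keyserver period, so a regularly
        # pushed keyserver CRL always arrives before it fires
        self.clean_deadline = now + self.ent_period + self.ks_period
        # revocation-window timer: window * enterprise publication period
        self.window_deadline = now + self.window * self.ent_period
        self.dirty = False


class CertCache:
    def __init__(self, fetch_crl, fetch_cert):
        # hypothetical stand-ins for the retrieval protocol:
        #   fetch_crl(now) -> set of revoked serials, or None if unobtainable
        #   fetch_cert(serial, now) -> fresh unrevoked CachedCert, or None
        self.fetch_crl, self.fetch_cert = fetch_crl, fetch_cert
        self.entries = {}

    def insert(self, cert, now):
        cert.reset_timers(now)
        self.entries[cert.serial] = cert

    def on_crl(self, revoked, now):
        """A CRL arrived (pushed or fetched): drop revoked, refresh the rest."""
        for serial in list(self.entries):
            if serial in revoked:
                del self.entries[serial]
            else:
                self.entries[serial].reset_timers(now)

    def _reacquire(self, serial, now, path):
        self.entries.pop(serial, None)
        fresh = self.fetch_cert(serial, now)
        if fresh is not None:
            self.insert(fresh, now)
        return fresh, path

    def lookup(self, serial, now):
        """Return (certificate or None, cache rule applied)."""
        cert = self.entries.get(serial)
        if cert is None:
            return self._reacquire(serial, now, "miss")
        if now >= cert.clean_deadline:
            cert.dirty = True                  # an expected CRL never came
        if not cert.dirty:
            return cert, "case1"               # covered by the last CRL
        if now >= cert.window_deadline:
            return self._reacquire(serial, now, "case2b")   # window expired
        revoked = self.fetch_crl(now)
        if revoked is None:
            return self._reacquire(serial, now, "case2c")   # CRL unobtainable
        self.on_crl(revoked, now)                           # case 2a
        if serial in self.entries:
            return self.entries[serial], "case2a"
        return self._reacquire(serial, now, "case2a")       # it was revoked


def run_scenario(window, revoked_at, crl_pushes, lookups, crl_outage=()):
    """One cache holding certificate "C" from t=0; returns, per lookup,
    (time, rule applied, whether a certificate was handed back)."""
    def fetch_crl(now):
        if now in crl_outage:
            return None
        return {s for s, t in revoked_at.items() if t <= now}

    def fetch_cert(serial, now):
        if revoked_at.get(serial, float("inf")) <= now:
            return None                        # nothing fresh to hand out
        return CachedCert(serial, window=window)

    cache = CertCache(fetch_crl, fetch_cert)
    cache.insert(CachedCert("C", window=window), 0)
    out = []
    for now in range(1, max(lookups) + 1):
        if now in crl_pushes and now not in crl_outage:
            cache.on_crl(fetch_crl(now), now)  # pushed keyserver CRL
        if now in lookups:
            cert, path = cache.lookup("C", now)
            out.append((now, path, cert is not None))
    return out


def demo():
    # Constructed scenarios; enterprise and keyserver periods are both 1.
    return {
        "steady": run_scenario(3, {}, {1, 2, 3}, {1, 3}),        # pushes keep it clean
        "lost_push": run_scenario(3, {"C": 2.5}, {1}, {2, 3}),   # fetched CRL reveals revocation
        "recovered": run_scenario(3, {}, set(), {2}),            # fetched CRL re-validates
        "window_expired": run_scenario(2, {}, set(), {2}),       # dropped, re-acquired
        "crl_outage": run_scenario(3, {}, set(), {2}, crl_outage={2}),
    }
```

In the `lost_push` scenario the push at t=3 never arrives, the entry goes dirty at its clean deadline, and the fetched CRL exposes the revocation; the re-acquisition then fails because the issuer hands out nothing for a revoked serial. In `window_expired` no CRL is consulted at all: once the window timer has fired, the only correct move is to drop and re-acquire.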