Computer Communications, vol. 26, no. 16, Elsevier, pp. 1826-1838, 2003. (I.F.: 0.508)
The certificate paradigm is applied recursively to obtain the public keys of a number of Certification Authorities and, accordingly, to obtain the public keys of a number of final entities. Thus, validation of the authorized public key of a party in a network transaction is commonly based on processing the certificate chain descended from a trusted root issuer, involving non-negligible time and cost. Those chains become long in communications between large organizations, which is the typical case of e-commerce and e-government applications. The process of validation of extensive chains introduces performance problems in two aspects: signature verification and revocation checking. That is, the repeated processing of long chains of certificates creates severe efficiency problems. This fact causes that most of the advantages provided by Public Key Infrastructures (PKIs) are not conveniently exploited. In this paper we analyze the scenarios in which large volumes of digitally signed transactions between commercial entities exist. These cases require of interoperation among PKIs. We show that solutions available in those scenarios still involve processing of too long chains of certificates, either at the receiving computer or by an outsourced entity. For this reason, we propose new concepts of virtual certificate and synthetic certificate for faster and less costly processing of certificate chains. In this way, communications in a certificate-based intercommunity can be highly improved. We also show how these types of certificates can be applied in practice.
First International Workshop on Security in Information Systems (SIS’02), pp. 61-71, April, 2002.
Authentication between protocol agents is widely studied in the cryptographic protocol analysis area. It is essential in a virtual environment to rely on protocol parties’ identity. In the academic literature there are many protocols that provide the authentication property. We present in this paper a new mechanism to verify authentication using SDL, general purpose specification language. We have defined a generic schema in SDL that allow us to specify a security system and check system behavior when a malicious agent ( the intruder ) is present. We have used the EKE authentication protocol to illustrate how the mechanism works.