Abstract
Certificate status validation is a hard problem in general, but it is particularly complex in Mobile Ad-hoc Networks (MANETs) because solutions must cope both with the lack of fixed infrastructure inside the MANET and with the possible absence of connectivity to trusted authorities at the moment certificate validation has to be performed. Certificate acquisition is usually assumed to be an initialization phase. Certificate validation, however, is a critical operation, since a node needs to check the validity of a certificate in real time, that is, when that particular certificate is about to be used. In such MANET environments, the node may be located in a part of the network that is disconnected from the source of status data at the moment the status check is required. Proposals in the literature suggest caching mechanisms, so that the node itself or a neighbouring node holds some status-checking material (typically on-line status responses or lists of revoked certificates). However, to the best of our knowledge, the only criterion used to evaluate cached (and therefore possibly obsolete) material is its age. In this paper, we analyse how to deploy a certificate status checking PKI service for hybrid MANETs, and we propose a new criterion based on risk to evaluate cached status data. This criterion is much more appropriate and absolute than time alone because it takes the revocation process into account.
This work is funded by the Spanish Ministry of Science and Education under the projects CONSOLIDER-ARES (CSD2007-00004), SECCONET (TSI2005-07293-C02-01), ITACA (TSI2007-65393-C02-02), P2PSEC (TEC2008-06663-C03-01) and by the Government of Catalonia under grant 2005 SGR 01015 to consolidated research groups.
© 2009 IFIP International Federation for Information Processing
Muñoz, J.L., Esparza, O., Gañán, C., Parra-Arnau, J. (2009). PKIX Certificate Status in Hybrid MANETs. In: Markowitch, O., Bilas, A., Hoepman, JH., Mitchell, C.J., Quisquater, JJ. (eds) Information Security Theory and Practice. Smart Devices, Pervasive Systems, and Ubiquitous Networks. WISTP 2009. Lecture Notes in Computer Science, vol 5746. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-03944-7_12
DOI: https://doi.org/10.1007/978-3-642-03944-7_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-03943-0
Online ISBN: 978-3-642-03944-7