Signature-efficient real time credentials for OCSP and distributed OCSP

Abstract

Providing information about digital certificate validity includes ascertaining digital certificate validity status for each of a plurality of digital certificates in a set of digital certificates, generating a plurality of artificially pre-computed messages about the validity status of at least a subset of the set of digital certificate of the plurality of digital certificates, where at least one of the messages indicates validity status of more than one digital certificate and digitally signing the artificially pre-computed messages to provide OCSP format responses that respond to OCSP queries about specific digital certificates in the set of digital certificates, where at least one digital signature is used in connection with an OCSP format response for more than one digital certificate. Generating and digitally signing may occur prior to any OCSP queries that are answered by any of the OCSP format responses. Ascertaining digital certificate validity status may include obtaining authenticated information about digital certificates.

Description

CROSS-REFERENCE TO RELATED APPLICATIONS [0001] This application claims priority to U.S. provisional application 60 / 535,666 filed on Jan. 9, 2003, and on U.S. provisional application 60 / 536,817 filed on Jan. 15, 2003, both of which are incorporated by reference herein.BACKGROUND OF THE INVENTION [0002] 1. Technical Field [0003] This application relates to the field of digital certificates, and more particularly to the field of verifying and validating digital certificates and other information. [0004] 2. Description of Related Art [0005] Digital signatures provide an effective form of Internet authentication. Unlike traditional passwords and PINs, digital signatures authenticate transactions in a way that is universally verifiable. Thus, it is very difficult, if not impossible, to repudiate a transaction that has been digitally signed. Digital signatures are produced via a signing key, SK, and verified via a matching verification key, PK. A user U keeps his own SK secret so that only...

AI Technical Summary

Benefits of technology

[0038] The system described herein is a cost-effective, secure, scalable, and overall efficient credential / privilege validation system, that significantly enhances conventional OCSP-like method. The system described herein, even when exercising the option of maintaining compatibility with the OCSP standards, provide significant advantages over conventional OCSP, so as to offer qualitatively superior security and scalability.

[0046] The system described herein provides all validation trust into a single authority (or small number of authorities) while distributing the query load across an arbitrary number of unprotected responders. The system described herein does not decrease security even in distributed implementations relying on a relatively large number of responders even though the responders are unprotected. The system described herein improves the response time to a query. The system described herein does not delegate trust to foreign responders in heterogeneous environments.

Problems solved by technology

Thus, it is very difficult, if not impossible, to repudiate a transaction that has been digitally signed.

Fortunately, key PK does not “betray” the matching key SK; that is, knowledge of PK does not provide any practical advantage in computing SK.

According to such a revocation rate, a system having ten million certificates would generate a CRL containing one million serial numbers, which could make the CRL unwieldy.

Though this problem can be lessened by more recently introduced CRL-partition techniques, the basic strategy of bundling together the revocation information of many certificates is still likely to generate inconvenience and cost.

This may be unacceptable in certain situations such as, for example, a wireless transaction, where having to transmit this many bits (as protection against future disputes and potential legal claims) may be impractical.

Of course, a malicious / compromised OCSP responder may provide arbitrary signed answers about the certificates of a given CA, with or without consulting any CRL's.

There are significant drawbacks to OCSP.

In the first place, digital signatures are computationally intensive operations.

The digital signature created by a conventional OCSP responder on each OCSP response is generated at the time of the request, and may be the most computationally intensive part of the validation operation.

Even if a conventional OCSP responder caches a digital signature about a digital certificate C after being asked the first time about C and then sent the cached signature when asked about C afterwards, still the answer to the first user asking about C may be significantly-delayed due to generation of the initial digital signature.

In addition, if there is a single OCSP responder, then all certificate-validity queries would, eventually, be routed to the single OCSP responder, which then may become a major network bottleneck and cause considerable congestion and delays.

If huge numbers of honest users suddenly queried this OCSP responder, then a disrupting denial of service situation could ensue.

However, for OCSP, load distribution may introduce additional problems because, in order to provide signed responses to the certificate-validity queries, each of the one hundred distributed conventional OCSP responders would have its own secret signing key.

Thus, compromising any of the one hundred servers could effectively compromise the entire organization.

Unfortunately, this is a costly option.

A truly secure vault, meeting all the requirements of—say—a financial CA, may cost over one million dollars to build and one million dollars a year to operate.

In addition, even if an organization were willing to pick up such expenses, vaults can not be built overnight.

Thus if a CA needed a few more vaults to lessen the load of its current conventional OCSP responders, there may be a delay of months before new properly-vaulted OCSP responders could be constructed.

Moreover, incurring the costs of multiple vaults may not solve the OCSP security problems.

Furthermore, there are difficulties associated with OCSP with respect to servicing certificate validity requests originating from different security domains.

For instance, conventional OCSP responders run by organization A may easily provide responses about the status of certificates of the CA of organization A, but OCSP responders run by another organization may not have enough information to provide responses about “foreign” certificates.

First, the relying parties from organization B could obtain from the responders from organization A the status of certificates from the CA of organization A. This limits performance however, since the OCSP responders from organization A may be geographically distant from relying parties of organization B, so network times may greatly slow overall validation processing.

This second alternative may provide better scalability and performance, but it muddies the security and trust flow between the two organizations.

If the OCSP responder 44 makes an incorrect response for any reason (misconfiguration, hostile attack, or straightforward dishonesty), the OCSP responder 44 may thus negatively impact the organization of the CA 64.

This type of delegation-of-trust between organizations may be acceptable in some cases, but it is not a generally useful alternative for any large-scale heterogeneous deployment of traditional OCSP.

Images