Authentication and authorisation architectures based on certificates have not been widely accepted due to their cost, inflexibility and difficult management.The complexity of the Public Key Infrastructure (PKI) is increased by the certification path validation process that involves: discovering the path, retrieving the certificates, verifying their digital signature and checking that none of the certificates have expired or have been revoked. This process demands certain processing and storage capacity from the verifier that can exceed the features of some devices, such as mobile phones and smart cards. In this thesis, we evaluate the computational cost and the storage capacity required by a verifier to carry out the path validation process and determine that they are critical factors for constrained devices. In addition, we introduce two proposals that contribute to simplify the path validation process from the verifier's point of view: TRUTHC and PROSEARCH.TRUTHC uses two hash chains to establish an alternative trust relationship among the different entities of a hierarchical PKI. Thus, the signature verification operations are replaced by hash operations, what contributes to decrease the computational cost of the verifier. The path verification is carried out by a Verification Authority (VA). TRUTHC is compatible with the X.509 certificates and its security depends on a large extent of the seeds' confidentiality. TRUTHC can be used in environments where devices have limited processing capacity and it is necessary to delegate the validation process in other entity, such as mobile networks with validation servers.On the other hand, PROSEARCH establishes a virtual hierarchy in a mesh PKI, based on the trustworthiness level of the participant entities. This protocol facilitates the certification path discovery since in a hierarchical model the trust relationships are unidirectional and there is a single path between each pair of entities. PROSEARCH does not establish new trust relationships among the entities but it takes the existing relationships to establish the hierarchy. Thus, it is not necessary to issue new certificates or adjust the trust points. In addition, PROSEARCH is adaptable to entities with limited processing and storage capacities, since hierarchy is established considering a maximum certification path length. The fast execution of PROSEARCH makes possible its use in different environments such as critical scenarios and ad-hoc networks. Although the hierarchy found by our protocol is not always the best solution, in our opinion this is not an important drawback since simulation results show that in most cases an acceptable hierarchy is found, especially considering that the simplicity of the protocol makes it easy-to-implement even for constrained devices.
Identifer | oai:union.ndltd.org:TDX_UPC/oai:www.tdx.cat:10803/7039 |
Date | 09 March 2007 |
Creators | Satizábal Echevarria, Isabel Cristina |
Contributors | Forné Muñoz, Jordi, Universitat Politècnica de Catalunya. Departament d'Enginyeria Telemàtica |
Publisher | Universitat Politècnica de Catalunya |
Source Sets | Universitat Politècnica de Catalunya |
Language | Spanish |
Detected Language | English |
Type | info:eu-repo/semantics/doctoralThesis, info:eu-repo/semantics/publishedVersion |
Format | application/pdf |
Source | TDX (Tesis Doctorals en Xarxa) |
Rights | ADVERTIMENT. L'accés als continguts d'aquesta tesi doctoral i la seva utilització ha de respectar els drets de la persona autora. Pot ser utilitzada per a consulta o estudi personal, així com en activitats o materials d'investigació i docència en els termes establerts a l'art. 32 del Text Refós de la Llei de Propietat Intel·lectual (RDL 1/1996). Per altres utilitzacions es requereix l'autorització prèvia i expressa de la persona autora. En qualsevol cas, en la utilització dels seus continguts caldrà indicar de forma clara el nom i cognoms de la persona autora i el títol de la tesi doctoral. No s'autoritza la seva reproducció o altres formes d'explotació efectuades amb finalitats de lucre ni la seva comunicació pública des d'un lloc aliè al servei TDX. Tampoc s'autoritza la presentació del seu contingut en una finestra o marc aliè a TDX (framing). Aquesta reserva de drets afecta tant als continguts de la tesi com als seus resums i índexs., info:eu-repo/semantics/openAccess |
Page generated in 0.002 seconds