{"title":"证书撤销保护(CRG):一种有效的证书撤销检查机制","authors":"Qinwen Hu, M. R. Asghar, N. Brownlee","doi":"10.1109/LCN.2016.84","DOIUrl":null,"url":null,"abstract":"In the Public Key infrastructure (PKI) model, digital certificates play a vital role in securing online communication. Communicating parties exchange and validate these certificates, the validation fails if a certificate has been revoked. In this paper we propose the Certificate Revocation Guard (CRG) to efficiently check certificate revocation while minimising bandwidth, latency and storage overheads. CRG is based on OCSP, which caches the status of certificates locally. CRG could be installed on the user's machine, at the organisational proxy or even at the ISP level. Compared to a naive approach (where a client checks the revocation status of all certificates in the chain on every request), CRG decreases the bandwidth overheads and network latencies by 95%. Using CRG incurs 69% lower storage overheads compared to the CRL method. Our results demonstrate the effectiveness of our approach to improve certificate revocation.","PeriodicalId":6864,"journal":{"name":"2016 IEEE 41st Conference on Local Computer Networks (LCN)","volume":"139 1","pages":"527-530"},"PeriodicalIF":0.0000,"publicationDate":"2016-11-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"10","resultStr":"{\"title\":\"Certificate Revocation Guard (CRG): An Efficient Mechanism for Checking Certificate Revocation\",\"authors\":\"Qinwen Hu, M. R. Asghar, N. Brownlee\",\"doi\":\"10.1109/LCN.2016.84\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"In the Public Key infrastructure (PKI) model, digital certificates play a vital role in securing online communication. Communicating parties exchange and validate these certificates, the validation fails if a certificate has been revoked. In this paper we propose the Certificate Revocation Guard (CRG) to efficiently check certificate revocation while minimising bandwidth, latency and storage overheads. CRG is based on OCSP, which caches the status of certificates locally. CRG could be installed on the user's machine, at the organisational proxy or even at the ISP level. Compared to a naive approach (where a client checks the revocation status of all certificates in the chain on every request), CRG decreases the bandwidth overheads and network latencies by 95%. Using CRG incurs 69% lower storage overheads compared to the CRL method. Our results demonstrate the effectiveness of our approach to improve certificate revocation.\",\"PeriodicalId\":6864,\"journal\":{\"name\":\"2016 IEEE 41st Conference on Local Computer Networks (LCN)\",\"volume\":\"139 1\",\"pages\":\"527-530\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2016-11-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"10\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2016 IEEE 41st Conference on Local Computer Networks (LCN)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/LCN.2016.84\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2016 IEEE 41st Conference on Local Computer Networks (LCN)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/LCN.2016.84","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Certificate Revocation Guard (CRG): An Efficient Mechanism for Checking Certificate Revocation
In the Public Key infrastructure (PKI) model, digital certificates play a vital role in securing online communication. Communicating parties exchange and validate these certificates, the validation fails if a certificate has been revoked. In this paper we propose the Certificate Revocation Guard (CRG) to efficiently check certificate revocation while minimising bandwidth, latency and storage overheads. CRG is based on OCSP, which caches the status of certificates locally. CRG could be installed on the user's machine, at the organisational proxy or even at the ISP level. Compared to a naive approach (where a client checks the revocation status of all certificates in the chain on every request), CRG decreases the bandwidth overheads and network latencies by 95%. Using CRG incurs 69% lower storage overheads compared to the CRL method. Our results demonstrate the effectiveness of our approach to improve certificate revocation.