PPREM: Privacy Preserving REvocation Mechanism for Vehicular Ad Hoc Networks

One of the critical security issues of Vehicular Ad Hoc Networks (VANETs) is the revocation of misbehaving vehicles. While essential, revocation checking can leak potentially sensitive information. Road Side Units (RSUs) receiving the certificate status queries could infer the identity of the vehicles posing the query. An important loss of privacy results from the RSUs ability to tie the checking vehicle with the query's target. We propose a Privacy Preserving Revocation mechanism (PPREM) based on a universal one-way accumulator. PPREM provides explicit, concise, authenticated and unforgeable information about the revocation status of each certificate while preserving the users' privacy.     

EPA: An efficient and privacy-aware revocation mechanism for vehicular ad hoc networks

Security is vital for the reliable operation of vehicular ad hoc networks (VANETs). One of the critical security issues is the revocation of misbehaving vehicles. While essential, revocation checking can leak private information. In particular, repositories receiving the certificate status queries could infer the identity of the vehicles posing the query and the target of the query. An important loss of privacy results from this ability to tie the checking vehicle with the query’s target, due to their likely willingness to communicate. In this paper, we propose an Efficient and Privacy-Aware revocation Mechanism (EPA) based on the use of Merkle Hash Trees (MHT) and a Crowds-based anonymous protocol, which replaces the time-consuming certificate revocation lists checking process. EPA provides explicit, concise, authenticated and unforgeable information about the revocation status of each certificate while preserving the users’ privacy. Moreover, EPA reduces the security overhead for certificate status checking, and enhances the availability and usability of the revocation data. By conducting a detailed performance evaluation, EPA is demonstrated to be reliable, efficient, and scalable.     

Certificate revocation system implementation based on the Merkle hash tree

Public-key cryptography is widely used to provide Internet security services. The public-key infrastructure (PKI) is the infrastructure that supports the public-key cryptography, and the revocation of certificates implies one of its major costs. The goal of this article is to explain in detail a certificate revocation system based on the Merkle hash tree (MHT) called AD–MHT. AD–MHT uses the data structures proposed by Naor and Nissim in their authenticated dictionary (AD) [20]. This work describes the tools used and the details of the AD–MHT implementation. The authors also address important issues not addressed in the original AD proposal, such as responding to a request, revoking a certificate, deleting an expired certificate, the status checking protocol for communicating the AD–MHT repository with the users, verifying a response, system security, and, finally, performance evaluation.     

Ad Hoc网络中的新型分布式证书撤销方案

分析Ad Hoc网络中一些证书撤销方案的优缺点,提出一种新的分布式证书撤销方案,节点证书的有效性由节点的权值控制,使用单向哈希链认证控诉消息,利用自恢复区域方法广播控诉消息。不依赖于任何集中式或外部节点即可有效地撤销恶意节点的证书、防止合法节点证书的误撤销。定量分析了方案的可靠性。     

证书吊销的线索二叉排序Hash树解决方案

提出了公钥基础设施(publickeyinfrastructure,简称PKI)中证书吊销问题的一个新的解决方案--线索二叉排序Hash树(certificaterevocationthreadedbinarysortedhashtree,简称CRTBSHT)解决方案.目前关于证书吊销问题的主要解决方案有X.509证书系统的证书吊销列表(certificaterevocationlist,简称CRL)、Micali的证书吊销系统(certificaterevocationsystem,简称CRS)、Kocher的证书吊销树(certificaterevocationtree,简称CRT)及Naor-Nissm的2-3证书吊销树(2-3CRT),这些方案均不完善.在CRT系统思想的基础上,利用线索化二叉排序树及Hash树给出的新方案,既继承了CRT证明一个证书的状态(是否被吊销)不需要整个线索二叉树,而只与其中部分相关路径有关的优点,又克服了CRT在更新时几乎需要对整个树重新构造的缺点,新方案在更新时仅需计算相关部分路径的数值.新方案对工程实现具有一定的参考价值.     

车载Ad Hoc网络中证书快速撤销机制研究

证书撤销是保障车载Ad Hoc网络安全的难点问题之一,但传统的CRL发布方式由于网络规模大,车辆机动性强等原因并不适用。结合车载Ad Hoc网络中节点移动规律和速度等特性,在提出降解CRL规模的方法的基础上,进一步提出一种基于车辆速度证书快速撤销方案。分析表明在证书有效期较短的情况下,该方案要优于传统方案。     

一个新的证书吊销列表设计方案

通过对证书员销列表中吊销证书条目字段重新编码在，结合分段的思想，提出一个新的证书吊销信息分发方案Compact CRL，新方案大大简化了CRL的大小，节省了证书吊销信息分发所需要的带宽。     

基于单向哈希链和多重证书的网格安全方案

本文分析了网格安全基础设施（Grid Security Infrastructure、GSI）中传统的证书撤销机制存在的问题,并提出了一种新的联合证书撤销方案。该方案使用单向哈希链和多重证书来改进证书撤销机制,CA的部分功能被分散到其它网格节点,避免了网格环境下的拥塞和单点失败。不同CA颁发的证书能够进行交叉认证,用户可以验证证书的有效性而无需从该证书的颁发CA重新获得撤销信息。因此该方案可以保证证书撤销的实时性。为了研究方案性能,和其他三种传统的证书撤销方案进行了对比实验。结果表明,相对传统的证书撤销机制本文所提出的联合证书撤销方案能使峰值请求率降低、峰值带宽变窄、安全风险降低．     

基于单向散列链的公钥证书撤销机制

证书撤销是公钥基础设施（PKI，Public Key Infrastructure）研究和应用的难点问题．本文首先讨论了当前应用最广泛的两类证书撤销机制一证书撤销列表（CRL，Certificate Revocation List）和在线证书状态罅议（OCSP，Online Certificate Status Protocol），剖析了这两种机制各自存在自的不足．在此基础上，提出了一种基于单向散列链的证书撤销机制．     

基于P2P技术的安全凭证回收方法

安全凭证回收的实现是公钥基础设施(PKI)所面临的一个主要的问题。许多种回收策略已经被提出,CRL是其中最简单,最容易实现的方法。但是如何有效地分布已经回收的安全凭证信息是这种方法所面临的一个挑战。论文提出利用P2P技术组织终端实体,并利用bloomfilter压缩向量代表安全凭证回收链CRL。通过实体间的协作和bloomfilter的压缩功能减少REPOSITORY和网络的负担。此外,为了有效地向终端实体发布CRL的bloomfilter压缩向量,提出一种高效的广播算法,在最小的TTL内尽量将向量广播到每一个节点。论文最后进行了模拟试验,实验证明提出的解决方案是有效的。     

一种适用于Ad Hoc网络的高效证书撤销机制

由于Ad hoe网络的特殊性,基于数字证书的安全机制在其中的应用面临很多困难,其中最大的挑战是：在网络节点无法在线访问CA的情况下,如何实现证书的撤销。在对Adhoe网络环境下现存的证书撤销机制进行分析后,提出了一种基于单向哈希函数的证书撤销机制,这种机制具有执行效率高、节约网络带宽、计算开销低：等优点,非常适用于Adhoe网络环境。     

基于Over-Issued增量CRL发布机制的研究

目前关于公钥基础设施（public key infrastructure）中证书撤销问题的主要解决方案是使用X．509证书撤销列表（CRL）来定期发布证书状态信息;现有的发布机制主要针对提高处理时间,而对存储库性能的优化仍然存在一些问题——CRL存储库峰值负荷过大;通过对增量CRL和Over—Issued CRL模型的分析,给出了一种基于Over—Issued增量CRL机制的证书状态信息发布方法;它结合了上述两种模型的优点,通过改变Over- IssuedCRL发布的时间间隔和增量CRL发布窗口大小,有效降低了存储库峰值负荷。     

一种新型的证书撤销列表

对证书撤销机制进行了研究。指出基于有序顺序表的证书撤销列表方案的不足，提出一种基于二叉排序树的CRL方案。通过分析表明，该方案与传统CRL相比，能够减少证书用户查找撤销证书的平均查询次数，克服了顺序CRL在更新时移动记录的缺点，优化了系统性能，且方案易于实现。     

身份签名技术在无线Mesh网络的接入应用

针对无线Mesh网络的特点和安全缺陷,提出将基于身份密码学机制应用到无线Mesh网络的思想,设计了IBS-EAP接入认证协议和IBS-RP漫游认证协议,实现快速接入,避免了多次认证;对新协议进行安全性分析和效率分析,证明了新协议的优越性。设计了IBS-EAP接入认证协议,实现了快速接入的目的,基于IBS签名技术完成双向认证,一个节点的公钥可以通过身份标识和IBS系统的公开参数直接获得,无需采用复杂的技术维护公钥证书和证书撤销列表CRL。     

公钥证书与属性证书的结合--融合证书

介绍了一种新的证书撤销方案——NewPKI证书撤销方案,运用这种新的撤销机制解决公钥证书与属性证书不能简单合并的问题。定义了一类新的属性——NewPKI属性,并且将NewPKI属性与X.509公钥证书相结合,从而提出一类新的证书——融合证书。融合证书保留与X.509 v3证书相同的证书格式,且能够将属性加到X.509身份证书中,它能够作为一个理想的机制来携带属性信息而不需要属性证书,在很多情况下十分有用。     

Relying Party Credentials Framework

We present architecture for a relying-party to manage credentials, and in particular to map different credentials into common format and semantics. This will allow use of simple, widely available credentials as well as more advanced credentials such as public key certificates, attribute certificates and 'negative' credentials (which result in reduced trust) such as certificate revocation lists (CRL). The core of the architecture is a Credential Manager who collects credentials, and maps them to common format and semantics.     

一种基于P2P共享下载模式的证书撤销机制

基于增量CRL证书撤销机制,提出了基于P2P共享下载模式的证书撤销机制。在Delta-CRL的发布周期内,CA发布Base-CRL和Delta-CRL,用户除初始化外,其他时刻只需下载Delta-CRL即可。当用户提出请求,通过洪泛机制查询相应节点和资源的信誉度记录,找到最优记录节点,建立P2P连接。然后,将下载的CRL模块在客户端重构以获得完整的CRL。与其他CRL相比,该方法能够有效减少CRL的下载尺寸,真正降低通信载荷以及系统的峰值请求率,提供更为及时的证书撤销信息。     

基于短消息的数字证书状态发布系统的研究

在任何一个基于公钥基础设施的安全应用系统中,数字证书的验证对保证系统的安全具有至关重要的作用。简要描述了因特网中通过OCSP进行在线证书状态查询的方法,说明了目前加密手机无法像因特网一样进行在线数字证书状态查询的原因,提出了一种基于短消息的数字证书撤销状态发布方案,有效地解决了无线环境中的数字证书状态验证问题,提高了加密手机的安全水平。     

Detection of malicious vehicles (DMV) through monitoring in Vehicular Ad-Hoc Networks

Vehicular Ad Hoc Networks (VANETs) are appropriate networks that can be applied to intelligent transportation systems. In VANET, messages exchanged among vehicles may be damaged by attacker nodes. Therefore, security in message forwarding is an important factor. We propose the Detection of Malicious Vehicles (DMV) algorithm through monitoring to detect malicious nodes that drop or duplicate received packets and to isolate them from honest vehicles, where each vehicle is monitored by some of it trustier neighbors called verifier nodes. If a verifier vehicle observes an abnormal behavior from vehicle V, it increases distrust value of vehicle V. The ID of vehicle V is then reported to its relevant Certificate Authority (CA) as a malicious node when its distrust value is higher than a threshold value. Performance evaluation shows that DMV can detect most existence abnormal and malicious vehicles even at high speeds.     

Design and implementation of a public key-based group collaboration system

We present PubKey-Wiki, a public key-based wiki group collaboration system. PubKey-Wiki allows users to authenticate themselves using public-key cryptography and gain authorizations using digital certificates. By using public key-based user authentication, users’ passwords are not sent across the network and are not stored on the web server’s host machine. Using digital certificates to authorize users to access protected files facilitates delegation of authority and simpler access control list (ACL) management, and allows the ability of a user to pass authorizations onto other users without needing to connect to the wiki’s server. The paper introduces a new approach to revocation in which revocation of certificates and revocation of public keys are handled separately and take effect immediately.The paper also introduces an algorithm, CertClosure, that computes the transitive closure of a set of certificates that contain authorization information. When a user adds or removes a certificate from his certificate directory in PubKey-Wiki, PubKey-Wiki uses the CertClosure algorithm to derive authorization rules. PubKey-Wiki stores these authorization rules in a lookup table where they can be easily referenced. When a user tries to access a protected file, PubKey-Wiki looks up and uses the relevant authorization rules to efficiently make an access control decision.