This article gives a brief introduction to the Belgian EID card project commonly referred to as “Belpic.” This introduction includes an overview of the history of the project, details on the visual and cryptographic aspects of the EID cards, a discussion of the different sub-CAs involved, together with the card issuing process.
This paper discusses the technical and management experience gained in the day-by-day operation of the EuroPKI infrastructure. First the context where EuroPKI was born is explained, along with its certification philosophy. Then common certification practices are discussed, along with description of the services and applications offered by the EuroPKI partners. User-reported problems are also listed...
Certificate validation is one of the toughest scalability problems of the PKI. The goal of this paper is to introduce a Java platform for certificate revocation called CERVANTES. CERVANTES pretends to be an easy to extend tool that allows researchers to develop and test their own “real” revocation systems. As CERVANTES is an open source project it can also be included as part of any open PKI project...
A standard tool for secure remote access, the SSH protocol uses public-key cryptography to establish an encrypted and integrity-protected channel with a remote server. However, widely-deployed implementations of the protocol are vulnerable to man-in-the-middle attacks, where an adversary substitutes her public key for the server’s. This danger particularly threatens a traveling user Bob borrowing...
This paper is a survey of the advantages that the use of identity based cryptosystems can provide to PKIs. Since its introduction by Shamir in 1984, a couple of breakthroughs have been achieved in this area: namely, several identity based encryption (IBE) and identity based signature (IBS) schemes were proposed as well as hierarchical extensions of these while various special purpose identity based...
To guarantee the authenticity of public keys, traditional PKC (Public Key Cryptography) requires certificates signed by a CA (Certification Authority). However, the management of infrastructure supporting certificates is the main complaint against traditional PKC. While identity-based PKC can eliminate this cumbersome infrastructure, the key escrow of a user’s private key is inherent in identity-based...
The Online Certificate Status Protocol provides the up-to-date response to certificate status queries. To reduce the risk of denial of service attacks, the responder can pre-produce responses. However this approach has the disadvantage that computational costs of the responder are inefficient since the responder should pre-produce one response message for each certificate. This paper proposes efficient...
The last years have seen a major interest in designing and deploying trust management and public key infrastructures. Yet, it is still far from clear how one can pass from the organization and system requirements to the actual credentials and attribution of permissions in the PKI infrastructure. Our goal in this paper is filling this gap. We propose a formal framework for modeling and analyzing...
Besides the pure technical features, the usability of a PKI-enabled application plays a crucial role since the best security application will fail in practice if its usability is insufficient. We present a generic framework to evaluate the usability and utility of PKI-enabled applications with respect to their security features. Our approach is modeled on the Common Criteria methodology and...
We present a framework for extending the functionality of LDAP servers from their typical use as a public directory in public key infrastructures. In this framework the LDAP servers are used for administrating infrastructure processes. One application of this framework is a method for providing proof-of-possession, especially in the case of encryption keys. Another one is the secure delivery of software...
Path discovery and path building in large scale certificate based infrastructures can be difficult and a hindrance to secure electronic communications. The recursive certificate structure can eliminate or greatly alleviate these problems. This paper presents in ASN.1-like syntax a description of how the recursive certificate structure could be employed in an X.509 centric system.
The use of PKI in large scale environments suffers some inherent problems concerning the options to adopt for the optimal cost-centered operation of the system. In this paper a Markov based probability model has been applied and a performability indicator has been introduced for assisting the evaluation of the operational cost of the system in a decision support process. Considering the unavailability...
This work introduces a particular implementation of the X.509 Attribute Certificate framework (Xac), presented in the ITU-T Recommendation. The implementation is based on the use of the OpenSSL library, which we have chosen for its advantages in comparison with other libraries. The paper also describes how the implementation is middleware-oriented, focusing on the delegation model specified by ITU-T...
The idea of setting up an on-line repository hosting the academic trust anchors arose within the TERENA Task Force for Authentication and Authorisation Coordination for Europe (TF-AACE) and immediately gained a great consensus within the academic community. Over the last months of 2003 the TF-AACE group (promoted by TERENA) has formalized the policy, established a pilot site and exercised the...
A substantial number of micropayment schemes in the literature are based on distributing the cost of a digital signature over several successive micropayments (e.g. Payword). Thus, a stable relationship between user and merchant is assumed: the micropayments validated by the same signature must take place between the same user and merchant. This stability is ill-suited for surfing on the web, a situation...
In recent years we have observed a huge evolution of services deployed over the Internet, in particular by the World Wide Web; the development of Web Services has enabled Business-to-Business (B2B) relationships, i.e., the exchange of services over the Internet between different, possibly mutually distrustful, organisations. Unfortunately, Web Services themselves do not provide all the features...
At present, network users have to manage a set of authentication credentials (usually a username/password pair) for every service with which they are registered. Single Sign-On (SSO) has been proposed as a solution to the usability, security and management implications of this situation. Under SSO, users authenticate themselves only once to an entity termed the ‘Authentication Service Provider’ (ASP)...
The SEM approach to PKI (by Boneh et al. [4]) offers many advantages, such as instant revocation and compatibility with standard RSA tools. However, it has some disadvantages with regard to trust and scalability: each user depends on a mediator that may go down or become compromised. In this paper, we present a design that addresses this problem. We use secure coprocessors linked with peer-to-peer...
The implementation of a standard PKI in a mobile ad hoc network (MANET) is not practical for several reasons: (1) lack of a fixed infrastructure; (2) a centralized certification authority (CA) represents a single point of failure in the network; (3) the relative locations and logical assignments of nodes vary in time; (4) nodes often have limited transmission and computational power, storage, and...