Skip to main content
Log in

Certificate revocation system implementation based on the Merkle hash tree

International Journal of Information Security Aims and scope Submit manuscript

Abstract

Public-key cryptography is widely used to provide Internet security services. The public-key infrastructure (PKI) is the infrastructure that supports the public-key cryptography, and the revocation of certificates implies one of its major costs. The goal of this article is to explain in detail a certificate revocation system based on the Merkle hash tree (MHT) called AD–MHT. AD–MHT uses the data structures proposed by Naor and Nissim in their authenticated dictionary (AD) [20]. This work describes the tools used and the details of the AD–MHT implementation. The authors also address important issues not addressed in the original AD proposal, such as responding to a request, revoking a certificate, deleting an expired certificate, the status checking protocol for communicating the AD–MHT repository with the users, verifying a response, system security, and, finally, performance evaluation.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

References

  1. CERtificate VAlidatioN TESt-bed (CERVANTES). http://isg.upc.es/cervantes

  2. Adams C, Farrell S (1999) Internet X.509 Public Key Infrastructure Certificate Management Protocols. RFC 2510

  3. Aho AV, Hopcroft JE, Ullman JD (1988) Data structures and algorithms. Addison-Wesley, Reading, MA

  4. Aiello W, Lodha S, Ostrovsky R (1998) Fast digital identity revocation. In: Advances in Cryptology (CRYPTO98), Santa Barbara, 23–27 August 1998. Lecture notes in computer science, vol 1462. Springer, Berlin Heidelberg New York, pp 137–152

  5. Arnes A, Just M, Knapskog SJ, Lloyd S, Meijer H (1995) Selecting revocation solutions for PKI. In: Proceedings of NORDSEC ’95

  6. CCITT Recommendation X.500 (1988) The directory overview of concepts, models and services

  7. Cooper DA (1999) A model of certificate revocation. In: Proceedings of the 15th annual computer security applications conference,Phoenix, AZ , 6–10 December 1999, pp 256–264

  8. Fox B, LaMacchia B (1999) Online certificate status checking in financial transactions: the case for re-issuance. In: Proceedings of the international conference on financial cryptography (FC99), Anguilla, BWI, February 1999. Lecture notes in computer science, vol 1648. Springer, Berlin Heidelberg New York, pp 104–117

  9. Housley R, Ford W, Polk W, Solo D (1999) Internet X.509 public key infrastructure certificate and CRL profile. RFC 2459

  10. ITU-T Recommendation X.680 (1995a) Abstract syntax notation one (ASN.1): specification of basic notation

  11. ITU-T Recommendation X.690 (1995b) ASN.1 Encoding rules: specification of basic encoding rules (BER), canonical encoding rules (CER) and distinguished encoding rules (DER)

    Google Scholar 

  12. ITU/ISO Recommendation X.509 (1997) Information technology open systems interconnection – the directory: public key and attribute certificate frameworks

  13. ITU/ISO Recommendation (2000) Internet X.509 information technology open systems interconnection – the directory: authentication frameworks, Technical Corrigendum

  14. Kocher PC (1998) On certificate revocation and validation. In: Proceedings of the international conference on financial cryptography (FC98), February 1998. Lecture notes in computer science, vol 1465. Springer, Berlin Heidelberg New York, pp 172–177

  15. Merkle RC (1989) A certified digital signature. In: Advances in Cryptology (CRYPTO89), Santa Barbara, 20–24 August 1989. Lecture notes in computer science, vol 435. Springer, Berlin Heidelberg New York, pp 234–246

  16. Micali S (1996) Efficient certificate revocation. Technical Report TM-542b, MIT Laboratory for Computer Science, Cambridge, MA

  17. Micali S (2002) NOVOMODO. Scalable certificate validation and simplified PKI management. In: Proceedings of the 1st annual PKI research workshop, Dartmouth, VT, 24–25 April 2002, pp 15–25

  18. Muñoz JL, Forné J (2002) Evaluation of certificate revocation policies: OCSP vs. Overissued CRL. In: Proceedings of DEXA workshops 2002: workshop on trust and privacy in digital business (TrustBus02), Aix-en-Provence, France, 2–6 September 2002. IEEE Press, New York, pp 511–515

  19. Myers M, Ankney R, Malpani A, Galperin S, Adams C (1999) X.509 Internet Public Key Infrastructure Online Certificate Status Protocol – OCSP. RFC 2560

  20. Naor M, Nissim K (2000) Certificate revocation and certificate update. IEEE J Select Areas Commun 18(4):561–560

    Article  Google Scholar 

  21. Nikander P (1999) An architecture for authorization and delegation in distributed object-oriented agent systems. PhD thesis, Helsinki University of Technology, Helsinki

  22. Wohlmacher P (2000) Digital certificates: a survey of revocation methods. In: Proceedings of 2000 ACM workshops on multimedia, 30 October–3 November 2000, Los Angeles, pp 111–114

Download references

Author information

Authors and Affiliations

Authors

Corresponding authors

Correspondence to Jose L. Muñoz, Jordi Forne, Oscar Esparza or Miguel Soriano.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Muñoz, J., Forne, J., Esparza, O. et al. Certificate revocation system implementation based on the Merkle hash tree. IJIS 2, 110–124 (2004). https://doi.org/10.1007/s10207-003-0026-4

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10207-003-0026-4

Keywords

Navigation