FcgiOCSP: a scalable OCSP‐based certificate validation system exploiting the FastCGI interface

Abstract: SUMMARYCertificate validation, one of the most important and complex tasks in Public Key Infrastructures, is still a challenging topic nowadays because of the scalability and complexity issues related to this process. Validation of an X.509 certificate requires checking its revocation status, either by consulting the so‐called Certificate Revocation Lists or by contacting a specific server via the Online Certificate Status Protocol (OCSP). Because more and more entities extensively need to validate the certifi… Show more

“…Therefore, according to the works of [9,10,[12][13][14][15], we improve the certificate verification scheme based on OCSP. In this paper, our contributions are as follows:…”

“…(1) Based on the related works [10,[13][14][15], we improve the interaction process between the communication entity and the network in the whole certificate verification: (a) we optimize the number of connections between the wireless communication entity and the wired network, and during the certificate verification process, the content server sends the OCSP query request directly so as to reduce the time and the consumption of wireless network bandwidth, compared with that the mobile terminal sends the query request; (b) we reduce the time and the consumption of network bandwidth when wireless communication entity needs to download the certificate; compared with the works [10,[13][14][15], the wireless communication entity does not need to download the CA certificate and the ARL in our the proposed scheme; thus the verification process of the CA certificate is committed to the OCSP server; although the directory server needs to send the mobile terminal certificate to the content server, the procedure is finished in the wired network, and thus the cost is beneficial; (c) if the OCSP server requires the signed OCSP query request, then in the original scheme the mobile terminal needs to send its own certificate to the OCSP server to be verified through the wireless network, and thus the occupied time and consumption of network bandwidth, however increase; in our proposed scheme, the content server sends its own certificate to the OCSP server through the wired network, such communication efficiency is much higher, and because the number of content servers is much smaller than the number of mobile terminals, the amount of data sent by the entire authentication process is reduced.…”

“…(3) Based on the works [9,[12][13][14][15], the structure of the certificate verification mechanism is improved and designed, which is compatible with the existing OCSP schemes. In this paper, we evaluate and analyze the efficiency of our proposed scheme by simulation and implementation.…”

“…Due to the unique characteristics of wireless network, WPKI needs to be improved or redesigned in many ways [9][10][11][12][13][14][15][17][18][19][20]. The evaluation framework of certificate verification scheme was given in [17].…”

“…In the other related works [10][11][12][13][14][15][18][19][20], the original OCSP scheme has been improved. The work [10] proposed a certificate verification scheme for reducing the number of interactive connections between the mobile terminal and the wireless network, in which CA certificate and ARL are forwarded by content server to reduce the interaction number between entities and network.…”

WPKI Certificate Verification Scheme Based on Certificate Digest Signature-Online Certificate Status Protocol

“…Therefore, according to the works of [9,10,[12][13][14][15], we improve the certificate verification scheme based on OCSP. In this paper, our contributions are as follows:…”

“…(1) Based on the related works [10,[13][14][15], we improve the interaction process between the communication entity and the network in the whole certificate verification: (a) we optimize the number of connections between the wireless communication entity and the wired network, and during the certificate verification process, the content server sends the OCSP query request directly so as to reduce the time and the consumption of wireless network bandwidth, compared with that the mobile terminal sends the query request; (b) we reduce the time and the consumption of network bandwidth when wireless communication entity needs to download the certificate; compared with the works [10,[13][14][15], the wireless communication entity does not need to download the CA certificate and the ARL in our the proposed scheme; thus the verification process of the CA certificate is committed to the OCSP server; although the directory server needs to send the mobile terminal certificate to the content server, the procedure is finished in the wired network, and thus the cost is beneficial; (c) if the OCSP server requires the signed OCSP query request, then in the original scheme the mobile terminal needs to send its own certificate to the OCSP server to be verified through the wireless network, and thus the occupied time and consumption of network bandwidth, however increase; in our proposed scheme, the content server sends its own certificate to the OCSP server through the wired network, such communication efficiency is much higher, and because the number of content servers is much smaller than the number of mobile terminals, the amount of data sent by the entire authentication process is reduced.…”

“…(3) Based on the works [9,[12][13][14][15], the structure of the certificate verification mechanism is improved and designed, which is compatible with the existing OCSP schemes. In this paper, we evaluate and analyze the efficiency of our proposed scheme by simulation and implementation.…”

“…Due to the unique characteristics of wireless network, WPKI needs to be improved or redesigned in many ways [9][10][11][12][13][14][15][17][18][19][20]. The evaluation framework of certificate verification scheme was given in [17].…”

“…In the other related works [10][11][12][13][14][15][18][19][20], the original OCSP scheme has been improved. The work [10] proposed a certificate verification scheme for reducing the number of interactive connections between the mobile terminal and the wireless network, in which CA certificate and ARL are forwarded by content server to reduce the interaction number between entities and network.…”

WPKI Certificate Verification Scheme Based on Certificate Digest Signature-Online Certificate Status Protocol

Attack Strategies and Countermeasures in Transport-Based Time Synchronization Solutions

Fighting TLS Attacks: An Autoencoder-Based Model for Heartbleed Attack Detection