A unified and flexible solution for integrating CRL and OCSP into PKI applications / Berbecaru, DIANA GRATIELA; Desai, AMARKUMAR GUNVANTRAI; Lioy, Antonio. - In: SOFTWARE-PRACTICE & EXPERIENCE. - ISSN 0038-0644. - STAMPA. - 39:19(2009), pp. 891-921. [10.1002/spe.918]

A unified and flexible solution for integrating CRL and OCSP into PKI applications

BERBECARU, DIANA GRATIELA;DESAI, AMARKUMAR GUNVANTRAI;LIOY, ANTONIO
2009

Abstract

Public key certificates (PKCs) are nowadays used in several security protocols and applications, to secure data exchange via transport layer security channels or to protect data at the application level by means of digital signatures. However, many security applications fail to manage PKCs properly, in particular when checking their validity status. These failures are partly due to the lack of experience (or training) of the users who configure these applications or protocols, and partly due to the limited support that some common cryptographic libraries offer to application developers. This paper describes the design and implementation of a light middleware that deals with certificate validation in a unified way. On one side, our middleware exploits the libraries that have already been defined or implemented for certificate validation; on the other, it builds a thin layer that provides flexibility and security features to the upper-layer applications. In our current approach, this layer offers integrated support for various certificate revocation mechanisms, protects the applications from some common security attacks, and offers several configuration and performance options to both programmers and end users. We describe the architecture of this approach as well as its practical implementation in the form of a library based on the well-known OpenSSL security library, which can be easily integrated with other certificate-aware security applications.
Files in this item:

CRL_OCSP_PKI_paper.pdf (not available)
Type: 2. Post-print / Author's Accepted Manuscript
Licence: Not public - private/restricted access
Size: 417.87 kB
Format: Adobe PDF

CRL_OCSP_PKI_abstract.pdf (open access)
Type: Abstract
Licence: PUBLIC - All rights reserved
Size: 29.67 kB
Format: Adobe PDF
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: http://hdl.handle.net/11583/1876387
Warning: the data displayed have not been validated by the university.