On the Self-similarity Nature of the Revocation Data

  • Conference paper
Information Security (ISC 2012)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 7483)


Abstract

One of the hardest tasks of a Public Key Infrastructure (PKI) is to manage revocation. Different revocation mechanisms have been proposed to invalidate the credentials of compromised or misbehaving users. All these mechanisms aim to optimize the transmission of revocation data to avoid unnecessary network overhead. To that end, they establish release policies based on the assumption that the revocation data follows a uniform or Poisson distribution. The temporal distribution of the revocation data has a significant influence on the performance and scalability of the revocation service. In this paper, we demonstrate that the temporal distribution of the daily number of revoked certificates is statistically self-similar, and that the currently assumed Poisson distribution does not capture the statistical properties of the distribution. None of the commonly used revocation models takes this fractal behavior into account, though such behavior has serious implications for the design, control, and analysis of revocation protocols such as CRL or delta-CRL.
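To make the abstract's distinction concrete, the following added example (not from the paper; it reproduces neither the authors' data nor their estimator) applies the aggregated-variance estimate of the Hurst parameter H to two constructed series of daily revocation counts: independent Poisson counts, and a bursty series built from overlapping incidents with heavy-tailed durations. The function names, the rates and the Pareto shape 1.4 are assumptions chosen for illustration; H near 0.5 means no long-range dependence, H well above 0.5 means self-similar burstiness.

```python
import math
import random

def poisson(rng, lam):
    """Draw one Poisson(lam) variate (Knuth's method, fine for small lam)."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k

def poisson_days(n, lam, seed):
    """Constructed baseline: independent Poisson daily revocation counts."""
    rng = random.Random(seed)
    return [poisson(rng, lam) for _ in range(n)]

def bursty_days(n, rate, alpha, seed, warmup=2000):
    """Constructed bursty series (an assumption, not the paper's model): incidents
    start at Poisson(rate) per day and each revokes one certificate per day
    for a Pareto(alpha) number of days; the warm-up days are discarded."""
    rng = random.Random(seed)
    total = n + warmup
    diff = [0] * (total + 1)          # difference array of incident start/end
    for day in range(total):
        for _ in range(poisson(rng, rate)):
            end = min(total, day + math.ceil(rng.paretovariate(alpha)))
            diff[day] += 1
            diff[end] -= 1
    counts, active = [], 0
    for d in diff[:total]:
        active += d                   # incidents active on this day
        counts.append(active)
    return counts[warmup:]

def hurst_aggvar(series, max_exp=7):
    """Fit log Var(m-day block means) against log m; the slope equals 2H - 2."""
    xs, ys = [], []
    for e in range(max_exp + 1):
        m = 2 ** e
        means = [sum(series[i:i + m]) / m for i in range(0, len(series) - m + 1, m)]
        mu = sum(means) / len(means)
        var = sum((v - mu) ** 2 for v in means) / (len(means) - 1)
        xs.append(math.log(m))
        ys.append(math.log(var))
    xbar, ybar = sum(xs) / len(xs), sum(ys) / len(ys)
    slope = sum((x - xbar) * (y - ybar) for x, y in zip(xs, ys)) / sum((x - xbar) ** 2 for x in xs)
    return 1 + slope / 2

if __name__ == "__main__":
    print("Poisson H:", round(hurst_aggvar(poisson_days(8192, 20, seed=1)), 2))
    print("Bursty  H:", round(hurst_aggvar(bursty_days(8192, 5, 1.4, seed=2)), 2))
```

With H well above 0.5, the variance of m-day averages shrinks far more slowly than the 1/m rate a Poisson model predicts, so averaging over longer release intervals does not smooth the revocation load the way a Poisson-based CRL or delta-CRL policy assumes.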




Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Gañán, C., Mata-Díaz, J., Muñoz, J.L., Esparza, O., Alins, J. (2012). On the Self-similarity Nature of the Revocation Data. In: Gollmann, D., Freiling, F.C. (eds) Information Security. ISC 2012. Lecture Notes in Computer Science, vol 7483. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33383-5_24


  • DOI: https://doi.org/10.1007/978-3-642-33383-5_24

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-33382-8

  • Online ISBN: 978-3-642-33383-5

  • eBook Packages: Computer Science (R0)
