• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.29 no.12C
• /
• pp.1722-1728
• /
• 2004

To discover a certificate path is a very important topic in the PKI with a lot of candidate paths. The certificate path discovery processing is executed via many verifications and as the number of verification times increases, the validity of the discovered path becomes high. The selection of the path with high validity provides high-speed certificate validation by reducing the number of repetition times of path discovery and validation processing. Otherwise, there is a problem that the speed and computation overheads are increased. In this paper, we propose an efficient certificate path discovery algorithm can make high the certificate validity with low overhead.

• The KIPS Transactions:PartC
• /
• v.11C no.1
• /
• pp.21-30
• /
• 2004

Most applications using the PKI allows a user to execute the certificate validation processing. The efficiency of user system can be declined by the user-side processing resulting the overhead and low speed of the validation processing. Therefore, in this paper, we propose a new certificate validation processing method can decrease the overhead on user by allowing CAs of the hierarchical PKI to participate in the validation processing. Therefore, our proposed scheme can not only reduce the considerable overhead caused by the user-side whole processing without a new implementation of the delegated server but also improve the time spent for the processing by the reduction of the validation processing job on user.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.28 no.9C
• /
• pp.908-922
• /
• 2003

The Public Key Infrastructure (PKI) trends to delegate the certificate path processing to the Delegated Path Discovery (DPD) Server and Delegated Path Validation (DPV) server recently. The most critical factor for the selection of the delegated server is to allow the server to be equipped with a high reliability through a low cost, and simple implementation. In this paper, we propose a new certificate path processing scheme employed the trusted CA as the DPD/DPV server by adding the capability of the Validation Authority (VA) to the trusted CA. Since our proposed scheme uses the existing trusted CA as validation server, we can achieve a high trust through a simple implementation for the processing. Besides, we propose an additional scheme for reducing an overhead on the trusted CA. it is obtained by delegating digital signature verification to CAs on the path and by skipping the repeated path processing. As the result, our proposed validation scheme can be performed efficiently with high speed and low computational overhead.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.13 no.6
• /
• pp.55-65
• /
• 2003

To perform the certificate validation processing on the user-side application induces the very considerable overhead because of the complex and time-consuming characteristic of the validation processing. Especially, the verification for digital signature over a certificate can be the major reason of the overhead, since the verification accompanies with the cryptographic calculation over each certificate on the certificate path. In this paper, we propose a new certificate validation scheme can reduce the overhead caused by user-side certificate validation processing and improve the utilization of CAs. As the result, our proposed scheme can not only reduces the overhead for the validation processing by decreasing the cryptographic calculation but also improves the utilization of CAs by employing them to the validation processing.

• Journal of Internet Computing and Services
• /
• v.4 no.4
• /
• pp.53-64
• /
• 2003

To perform the certificate validation on the user-side application induces the very considerable overhead on the user-side system because of the complex and time-consuming characteristic of the validation processing. Most of the time spend for performing the validation processing is required for the digital signature verification, since the verification accompanies with the cryptographic calculation over each certificate on the certificate path. In this paper, we propose a new certificate validation scheme using DSVP(Delegated Signature Validation Protocol) which can reduce the overhead for the user-side certificate validation processing. It is achieved by delegating the digital signature verification to CAs of the PKI domain. As the proposed DSVP is the protocol performed between a user and CAs, it is applied to the hierarchical PKI efficiently and used for delegating the digital signature verification reliably and safely, our proposed scheme can not only reduces the overhead for the validation processing by decreasing the cryptographic calculation but also improves the utilization of CAs by employing them to the validation processing.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2003.11c
• /
• pp.1917-1920
• /
• 2003

오늘날 대부분의 인증 시스템들은 PKI 환경으로 변화하는 추세이며, 인증서의 역할은 날로 중요해지고 있다. 만일 이런 인증서가 위조 된다면 심각한 정보 사고가 발생할 것이다. 따라서 인증서는 위조되면 안될 것이다. 그러나 인증서 위조 가능성은 존재한다. 왜냐하면 디지털 서명 방식을 사용하고 있기 때문이다. 인증서 위조 방법은 두 가지가 있다. 첫 번째가 인증기관의 비밀키를 알아내는 방법이고, 두 번째는 디지털 서명에 사용되는 해쉬 알고리즘의 충돌(Collision) 문제를 이용하여 위조하는 방법이다. 어느 것으로든 인증서가 위조되면 어느 누구도 기술적으로 위조라는 사실을 증명할 수 없다. 위조 인증서는 디지털 검증 방식에 의해 모두 유효하게 판정되기 때문이다. 첫 번째 방법은 디지털 서명에 있어서 원천적인 문제이다. 따라서 본 논문은 두 번째 방법인 해쉬 알고리즘의 충돌 문제를 이용한 위조를 해결하는 방법에 대해 연구한다. 또한 인증 경로를 최적화하는 방법에 대해서도 연구한다.

• The KIPS Transactions:PartC
• /
• v.9C no.3
• /
• pp.313-322
• /
• 2002

In this paper, proposes Kerberos certification mechanism that improve certification service of PKINIT base that announce in IETF CAT Working Ggroup. Did to certificate other realm because search position of outside realm through DNS and apply X.509 directory certification system, acquire public key from DNS server by chain (CertPath) between realms by certification and Key exchange way that provide service between realms applying X.509, DS/BNS of PKINIT base. In order to provide regional services, Certification and key exchange between realms use Kerberos' symmetric method and Session connection used Directory service to connection X.509 is designed using an asymmetric method. Excluded random number ($K_{rand}$) generation and duplex encryption progress to confirm Client. A Design of Kerberos system that have effect and simplification of certification formality that reduce Overload on communication.