Thursday, May 20, 2010

Self- Organized Public Key Management

Overview

A self-organized approach for public key certificates, which is similar to PGP , but unlike PGP it does not depend on the certificate directories for the distribution of certificates. In this key management service the need for the existence of a centralized certification authority is omitted and every node in the network is responsible for generating their keys, issuing, storing and distributing public key certificates. The key management scheme is said to be self-organized, as it does not require any external configuration or management.

The relationship between users of the system is denoted by a directed trust graph G (V, E), where the vertices represent the nodes and an edge E denotes a public key certificate.

The main working principle is, each user maintains a local repository, which contains a limited number of certificates selected by the users based on an algorithm. When a user u wants to verify the public key certificates of another user v, then they merge the local certificate repositories and user u tries to find a certificate chain to user v in the merged repository.

Following sub-sections discusses and analyses the various operations of the self organized key management scheme:

Generating Keys, Each user of the system generates its own public key and corresponding private key locally.

Issuing Certificates, Each user in the system has the capability to issue a public key certificate. Suppose user u gets a public key of another user v through a secure channel or from another user whom user u trusts. If a user u believes that a public key Kpub belongs to a user v, then it can issue a public key certificate for v, which is signed by u. The system assumes that users are honest and do not issue false certificates. So, if user u issues a public key certificate for user v, then there must exist a directed edge form vertex u to vertex v in the trust graph G (V, E)

Storing Certificates, As mentioned earlier, each user of the system maintains a local repository where it stores the public key certificates. The local repository consists of two parts; first, each user stores the certificates that it issues and the certificates issued to it. This is necessary, as in this process all the certificates that have been issued is stored at least once. Along with these each user stores a set of other certificates issued by other users. The later set of certificates is selected using a common algorithm. In terms of the system model, each user u selects a sub graph of the trust graph G (V, E) which consists of the outgoing edges and corresponding vertices from user u and an additional set of selected edges and corresponding vertices.

Analysis

This key management scheme that does not require any existing infrastructure and nodes in the networks are responsible for issuing, distributing and storing certificates in a distributed manner. The key management service works like PGP, but instead of using separate directories, it uses the local repositories maintained by each user. Uses of public key cryptography ensure confidentiality and a decentralized approach means that there is no single point of failure. The proposal does not discuss about the scalability issue.

Some of the key points need to be mentioned regarding the efficiency of the proposed scheme:
• The proposed key management service lacks the certificate revocation mechanism, which is an important issue that should be considered.

• The authenticity of a received public key is achieved based on the probability of finding a certificate chain in the merged directory. Though, it was shown that the probability is always high if each user uses the same algorithm. Even though, all nodes may not be honest and issue false certificates. So, there is a risk using this type of model in applications where security and accountability is a prime issue.

• As discusses earlier that the proposed scheme is similar to PGP. Like PGP It has a problem in the initial stages of its execution before the number of certificates issued reaches to a certain number consider the scenario shown in fig, where a dashed line represent only friendship and a directed line represents a certificate. Now, if node 9 wants to communicate securely with node 1, it has to find a chain of certificate in the graph. But, as it is the initial stage and only nodes 2,8 and 9 have issued a certificate. So, node 9 has to wait for some other nodes to issue certificates to find a certificate chain between node 1 and 9

2 comments:

  1. hi...
    i m doing my ME project in NS2..
    is there any code in NS2 for certificate exchange...
    if there is any sample code for the above discussed concept means please let me know...
    please help me.
    reply me at amurupriyu@gmail.com

    ReplyDelete
  2. I went through your blog... I'm at present doing my mtech at PEC.. My mtech project is on RSA algorithm which is implemented in NS2.. I'm nearing the deadline of my project.. Kindly help.. Reply me at nithya.gazelle@yahoo.com..

    ReplyDelete

Thanks for using my blog any queries or help please email to clickprasan@gmail.com . Please be careful from spammers .do not reply to any other email address other than mentioned above