Explore chapters and articles related to this topic
Identity Claims in High Assurance
Published in Kevin E. Foltz, William R. Simpson, Enterprise Level Security 2, 2020
Kevin E. Foltz, William R. Simpson
OCSP itself must be provided with security guarantees. The CA designates a responder in the certificates it issues. Requesters sign OCSP requests to the responder and send them over mutually authenticated TLS, as defined in the U.S. Air Force Consolidated Enterprise IT Baseline Technical Profile (CEITB TP) Provide Cryptographic Services. Nonces are used to prevent replay attacks. CA keys are stored in hardware. OCSP requesters are configured to treat any response from the OCSP responder other than “valid,” including timeouts, as “invalid.” If OCSP responders are not available, entities may be configured to allow failover to CRLs, but the default is to require OCSP, because CRL updates can introduce additional delays in the availability of revocation status.
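As an added illustration of the fail-closed requester policy described above (example code written for this page, not from the book or the Air Force profile): a Python model of the decision a requester makes once the responder's signature, the echoed nonce and the response timestamps are in hand. The `OcspOutcome` fields and the `crl_says_revoked` failover input are assumptions of this model, and the scenarios are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class OcspOutcome:
    """What the requester knows after a nonced OCSP request (constructed model)."""
    timed_out: bool = False
    signature_valid: bool = False          # signed by the CA-designated responder
    nonce_echoed: Optional[bytes] = None   # nonce extension copied into the response
    cert_status: Optional[str] = None      # "good", "revoked" or "unknown"
    this_update: Optional[datetime] = None
    next_update: Optional[datetime] = None

def ocsp_verdict(o, sent_nonce, now, allow_crl_failover=False, crl_says_revoked=None):
    """Fail-closed: only a fresh, correctly signed, nonce-matching 'good' answer is
    'valid'. A timeout is 'invalid' unless CRL failover is enabled and a CRL is at hand."""
    if o.timed_out:
        if allow_crl_failover and crl_says_revoked is not None:
            return "invalid" if crl_says_revoked else "valid"
        return "invalid"
    if not o.signature_valid:
        return "invalid"
    if sent_nonce is None or o.nonce_echoed != sent_nonce:   # replayed or stripped nonce
        return "invalid"
    if o.this_update is None or o.this_update > now:         # malformed or not yet valid
        return "invalid"
    if o.next_update is not None and o.next_update < now:    # stale, possibly replayed
        return "invalid"
    return "valid" if o.cert_status == "good" else "invalid"

# Constructed scenarios so the policy can be exercised offline.
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_NONCE = bytes(range(16))

def scenarios():
    fresh = dict(signature_valid=True, nonce_echoed=SAMPLE_NONCE,
                 this_update=SAMPLE_NOW - timedelta(minutes=5),
                 next_update=SAMPLE_NOW + timedelta(hours=1))
    cases = {
        "fresh_good": OcspOutcome(cert_status="good", **fresh),
        "revoked": OcspOutcome(**{**fresh, "cert_status": "revoked"}),
        "unknown": OcspOutcome(**{**fresh, "cert_status": "unknown"}),
        "wrong_nonce": OcspOutcome(**{**fresh, "cert_status": "good", "nonce_echoed": b"\x00" * 16}),
        "stale": OcspOutcome(**{**fresh, "cert_status": "good", "next_update": SAMPLE_NOW - timedelta(days=1)}),
        "timeout": OcspOutcome(timed_out=True),
    }
    out = {name: ocsp_verdict(o, SAMPLE_NONCE, SAMPLE_NOW) for name, o in cases.items()}
    out["timeout_crl_failover"] = ocsp_verdict(cases["timeout"], SAMPLE_NONCE, SAMPLE_NOW,
                                               allow_crl_failover=True, crl_says_revoked=False)
    return out
```

Only the `fresh_good` case and the explicitly enabled CRL failover yield "valid"; a revoked or unknown status, a mismatched nonce, a stale response and a plain timeout all fail closed.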
Hypertext Transfer Protocol
Published in Giovanni Bartolomeo, Tatiana Kováčiková, Identification and Management of Distributed Data: NGN, Content-Centric Networks and the Web, 2016
Giovanni Bartolomeo, Tatiana Kováčiková
HTTPS was originally introduced in 1994 for Netscape Navigator and used the SSL protocol. The current version of HTTPS, which uses TLS, is specified by RFC 2818 (Rescorla 2000). Except for the fact that HTTPS URLs begin with “https://” and use port 443 by default, HTTPS has identical syntax to the standard HTTP scheme. Using TLS and X.509 certificates, HTTPS provides authentication of a web site, protecting the client from man-in-the-middle attacks. Web browsers are released with preloaded certificates that enable seamless use of secure web sites that have bought a public key signed by one of many commercial certification authorities. Revocation is managed using a simple protocol called Online Certificate Status Protocol (OCSP). With OCSP, before establishing an HTTPS connection, the browser sends the HTTPS site certificate’s serial number to the certificate authority (or to a delegate) to inquire whether the certificate is still valid or has been revoked.
A pre-signed response method based on online certificate status protocol request prediction
Published in Enterprise Information Systems, 2021
Chi-Hua Chen, Genggeng Liu, Yu-Chih Wei, Zuoyong Li, Bon-Yeh Lin
Verifying, validating, issuing and revoking many certificates are undertaken by certificate authorities (CAs). CAs are trusted third parties who check and certify communications at their endpoints. If the private key of an endpoint is stolen, the issued certificate needs to be revoked by a CA, and all endpoints need to be made aware of this as soon as possible to limit further potential crimes. The traditional and simplest way of achieving this is to require each endpoint to download a certificate revocation list (CRL) for verification. However, as the size of CRLs is constantly changing, downloading real-time CRLs for verification is a big challenge (Pachilakis et al. 2020). The online certificate status protocol (OCSP) is a solution for real-time verification, as OCSP guarantees a verification time within 1 s. However, a considerable amount of time is often required before a signed response can be issued after receipt of a request, which often delays the reply to a client request. As the volume of OCSP requests increases, so does the burden on an OCSP server and its response signature system to issue signed responses. These OCSP servers may be shut down when overloaded (Tsai and Lo 2016; Park and Park 2018; Alrawais et al. 2017; Yao et al. 2019; Wang et al. 2018; Hurley-Smith, Wetherall, and Adekunle 2017). Current methods of network volume prediction are mainly based on statistical methods and machine learning methods (Wang et al. 2016, 2019; Li et al. 2017; Feng et al. 2018; Apiletti et al. 2016; Fadlullah et al. 2019; Bui and Widmer 2018), which require a large amount of statistical data for analysis. These methods are more prone to serious errors in request volume prediction because users’ requests often change from time to time.