In automated business transactions, the method of building a trusted path between the trusted anchor and the target entity constructs a path as each certificate is retrieved from a repository via LDAP, a protocol employed for repository access operations.
The simplicity of such method resides in the fact that only one certification path is possible in the case of Hierarchical PKI. Also the path is unidirectional and simple.
But, building a path in Peer-to-Peer PKI is nothing but traversing a complex graph.
However, from the simplest viewpoint, writing a path-building module can be nothing more than traversal of a spanning tree, even in a very complex cross-certified envi- ronment. In the proposed method, we traverse the graph representing Peer-to-Peer PKI in Depth First Search (DFS) [8] order and construct a DFS spanning tree. In a DFS spanning tree, we have a single path between any two users. We construct DFS spanning tree as follows:
Let graph G represent the Peer-to-Peer PKI in question. Each vertex in the graph represents a CA. We shall start from a given vertex v in the graph, G. We will mark this vertex v as visited. The next step is to pick a new unvisited vertex (any one of the adjacent vertices can be selected). Call this vertex w. We then explore this new vertex depending upon its adjacent vertices recursively. The search procedure terminates after all the vertices are explored (i.e. visited). As each vertex is visited, it is added to the DFS spanning tree.
Algorithm Construct_DFSSpanningTree(v) {
//G is a Graph representing Peer-to-Peer PKI. Each edge is bidirectional
//Visited[1:n] is an array to remember the visited information // v is the starting vertex
Visited[v]=1; //mark the starting vertex visited Add v to the DFS spanning tree
for(each vertex w adjacent to v)
Certificate Path Verification in Peer-to-Peer PKI by Constructing DFS Spanning Tree 165
if(visited[w]=0)
Construct_DFSSpanningTree(w); //continue to explore }
For example, Figure 4(a) is a graph that represents a Peer-to-Peer PKI in which the path is bidirectional. The DFS order of the tree is: CA1, CA2, CA3, CA6, CA4, CA5, and CA7.
Fig. 4(a). A Peer-to-Peer PKI Fig. 4(b). DFS spanning tree
Fig 4(b) represents the DFS spanning tree of the graph shown in Fig 4(a). From Fig 4(b), we can observe that there exists single path between any two CAs. Since there exists single path between any two CAs in the spanning tree, the certificate path con- struction is simple and straight forward. The complexity due to multiple paths be- tween CAs and ambiguity in choosing one of them is removed.
5 Simulation Results
The algorithm is implemented in Java platform using NetBeans IDE on a Windows Vista/XP machine with 2 GB RAM. Peer-to-Peer PKI performance evaluation is per- formed based on the time elapsed on path validation between different users under different nodes.
Fig. 5. A Peer-to-Peer PKI
166 Balachandra, A. Rao, and K.V. Prema
One of the special features of Mesh PKI is that every node may be connected to every other node i.e. if there are n number of nodes, then the links needed are n*(n-1).
Here the time required for path validation does not depend upon the number of nodes.
We considered the Mesh PKI shown in Fig5 as the input for the implementation.
The graph shown in Fig6 illustrates the certificate verification time required by a user certified by CA1 to verify the certificates of the users certified by different CAs and the time required for the same in the equivalent DFS spanning tree.
Fig. 6. Comparative Analysis of Path verification time of Mesh PKI and its Equivalent DFS Spanning Tree
6 Conclusion
In mesh or Peer-to-Peer PKI, certificate path verification is a complex task since there exists multiple paths between CAs. In this paper, we proposed an efficient method to convert a mesh or Peer-to-Peer PKI to its equivalent DFS spanning tree to simplify the certificate path construction. Using this algorithm, the complexity of certificate path verification in Peer-to-Peer PKIs due to multiple paths between users can be re- moved. The main benefit of this approach is that the needed certificate for a complete certificate path can be computed in advance, thus accelerating certificate collection activity.
References
1. Lloyd, S.: Understanding certificate path construction. PKI Forum (September 2002) 2. Richard Kuhn, D., Hu, V.C.: Introduction to Public Key Technology and the Federal PKI
Infrastructure, National Institute of Standard and Technology, U.S. Government publication (February 26, 2007)
3. Hesse, P.M., Lemire, D.P.: Managing interoperability in non-hierarchical public key infra- structures. Gemini Security Solutions
Certificate Path Verification in Peer-to-Peer PKI by Constructing DFS Spanning Tree 167 4. Guo, Z., Okuyama, T., Finley Jr, M.R.: A New trust Model for PKI Interoperability, Infor-
mation Network Laboratory, Graduate School of Business Administration Asahi University, Japan
5. Linn, J.: Trust models and managements in Public Key Infrastructures, RSA Laboratories, 20 Crosby Drive Bedford, MA 01730 USA, jlinn@rsasecurity.com, (November 6, 2000) 6. Turnbull, J.: Cross-certification and PKI policy Networking, Version 1.0, Entrust Securing
Digital Identities And Information (August 2000)
7. Satizabal, C., Hernandez-Serrano, J., Forne, J., Pegueroles, J.: Building a virtual hierarchy to simplify certification path discovery in mobile ad hoc network, Department of Telematics Engineering, Technical University of Catalonia, Jordi Girona 1-3 C3, 08034 Barcelona, Spain (January 9, 2007), http://www.elsevier.com/locate/comcom
8. Sahni, S.: Data Structures, Algorithms and Applications in C++”, Magraw Hill International edition (2000)