Showing papers on "Revocation published in 2001"

Revocation and Tracing Schemes for Stateless Receivers

Abstract: We deal with the problem of a center sending a message to a group of users such that some subset of the users is considered revoked and should not be able to obtain the content of the message. We concentrate on the stateless receiver case, where the users do not (necessarily) update their state from session to session. We present a framework called the Subset-Cover framework, which abstracts a variety of revocation schemes including some previously known ones. We provide sufficient conditions that guarantees the security of a revocation algorithm in this class. We describe two explicit Subset-Cover revocation algorithms; these algorithms are very flexible and work for any number of revoked users. The schemes require storage at the receiver of log N and 1/2 log2 N keys respectively (N is the total number of users), and in order to revoke r users the required message lengths are of r log N and 2r keys respectively. We also provide a general traitor tracing mechanism that can be integrated with any Subset-Cover revocation scheme that satisfies a "bifurcation property". This mechanism does not need an a priori bound on the number of traitors and does not expand the message length by much compared to the revocation of the same set of traitors. The main improvements of these methods over previously suggested methods, when adopted to the stateless scenario, are: (1) reducing the message length to O(r) regardless of the coalition size while maintaining a single decryption at the user's end (2) provide a seamless integration between the revocation and tracing so that the tracing mechanisms does not require any change to the revocation algorithm.

A method for fast revocation of public key certificates and security capabilities

Abstract: We present a new approach to fast certificate revocation centered around the concept of an on-line semi-trusted mediator (SEM). The use of a SEM in conjunction with a simple threshold variant of the RSA cryptosystem (mediated RSA) offers a number of practical advantages over current revocation techniques. Our approach simplifies validation of digital signatures and enables certificate revocation within legacy systems. It also provides immediate revocation of all security capabilities. This paper discusses both the architecture and implementation of our approach as well as performance and compatibility with the existing infrastructure. Our results show that threshold cryptography is practical for certificate revocation.

A Public-Key Traitor Tracing Scheme with Revocation Using Dynamic Shares

Abstract: We proposed a new public-key traitor tracing scheme with revocation capability using the dynamic share and entity revocation techniques. The enabling block of our scheme is independent of the number of subscribers, but dependent on the collusion and revocation thresholds. Each receiver holds one decryption key only. Our traitor tracing algorithm works in a black-box way and is conceptually simple. The distinct feature of our scheme is that when the traitors are found, we can revoke their private keys (up to some threshold z) without updating any private key of the remaining subscribers. Furthermore, we can restore the decryption privilege of a revoked private key later. We can actually increase the revocation capability beyond z with dynamic assignment of shares into the enabling block. This property makes our scheme highly practical. Previously proposed public-key traitor tracing schemes have to update all existing private keys even when revoking one private key only. Our scheme is as efficient as Boneh and Franklin's scheme in many aspects. Our traitor tracing scheme is fully k-resilient such that our traitor tracing algorithm can find all traitors if the number of them is k or less. The encryption algorithm of our scheme is semantically secure assuming that the decisional Diffie-Hellman problem is hard. We also proposed a variant traitor tracing scheme whose encryption algorithm is semantically secure against the adaptive chosen ciphertext attack assuming hardness of the decisional Diffie-Hellman problem.

Efficient Revocation in Group Signatures

Abstract: We consider the problem of revocation of identity in group signatures. Group signatures are a very useful primitive in cryptography, allowing a member of a group to sign messages anonymously on behalf of the group. Such signatures must be anonymous and unlinkable, but a group authority must be able to open them in case of dispute. Many constructions have been proposed, some of them are quite efficient. However, a recurrent problem remains concerning revocation of group members. When misusing anonymity, a cheating member must be revoked by the authority, making him unable to sign in the future, but without sacrifying the security of past group signatures. No satisfactory solution has been given to completely solve this problem. In this paper, we provide the first solution to achieve such action for the Camenish-Stadler [6] scheme. Our solution is efficient provided the number of revoked members remains small.

Revocation and tracing schemes for stateless receivers

Abstract: We deal with the problem of a center sending a message to a group of users such that some subset of the users is considered revoked and should not be able to obtain the content of the message. We concentrate on the stateless receiver case, where the users do not (necessarily) update their state from session to session. We present a framework called the Subset-Cover framework, which abstracts a variety of revocation schemes including some previously known ones. We provide sufficient conditions that guarantees the security of a revocation algorithm in this class. We describe two explicit Subset-Cover revocation algorithms; these algorithms are very flexible and work for any number of revoked users. The schemes require storage at the receiver of log N and 1/2 log 2 N keys respectively (N is the total number of users), and in order to revoke r users the required message lengths are of r log N and 2r keys respectively. We also provide a general traitor tracing mechanism that can be integrated with any Subset-Cover revocation scheme that satisfies a bifurcation property. This mechanism does not need an a priori bound on the number of traitors and does not expand the message length by much compared to the revocation of the same set of traitors. The main improvements of these methods over previously suggested methods, when adopted to the stateless scenario, are: (1) reducing the message length to O(r) regardless of the coalition size while maintaining a single decryption at the user's end (2) provide a seamless integration between the revocation and tracing so that the tracing mechanisms does not require any change to the revocation algorithm.

Revocations - A classification

Abstract: In an ownership-based framework for access control, with the possibility of granting access and administrative rights, chains of granted accesses will form. This is a comprehensive study of the problem of revoking such rights, and on the impact different revocation schemes may have on the chains. Three main revocation characteristics are identified: the extent of the revocation to other grantees (propagation), the effect on other grants to the same grantee (dominance), and the permanence of the negation of rights (resilience). A classification is devised using these three dimensions. The different schemes thus obtained are described, and compared to other models from the literature.

Legitimate Expectations in Administrative Law

Abstract: Introduction 1. Expectations, Fairness, and Lawful Administration in the Public Interest 2. Prodedural Protection of Legitimate Eexpectations 3. Substantive Protection of Legitimate Expectations (I): Revocation of Decisions 4. Substantive Protection of Legitimate Expectations (II): Informal Administration Representations 5. Compensatory Protection of Legitimate Expectations (I): Revocation of Decisions 6. Compensatory Protection of Legitimate Expectations (II): Informal Representations Conclusion Index

Method and apparatus for on demand certificate revocation updates

Abstract: A method of distributing revocation state information includes receiving first update scheduling information from a first party, and sending digital certificate revocation state information to the first party according to a schedule that is based on the first update scheduling information.

Using Authority Certificates to Create Management Structures

Abstract: We address the issue of updating privileges in a dynamic environment by introducing authority certificates in a Privilege Management Infrastructure. These certificates can be used to create access-level permissions but also to delegate authority to other agents, thereby providing a mechanism for creating management structures and for changing these structures over time. We present a semantic framework for privileges and certificates and an associated calculus, encoded as a logic program, for reasoning about them. The framework distinguishes between the time a certificate is issued or revoked and the time for which the associated privilege is created. This enables certificates to have prospective and retrospective effects, and allows us to reason about privileges and their consequences in the past, present, and future. The calculus provides a verification procedure for determining, given a set of declaration and revocation certificates, whether a certain privilege holds.

Formal treatment of certificate revocation under communal access control

Abstract: The conventional approach to distributed access control (AC) tends to be server-centric. Under this approach, each server establishes its own policy regarding the use of its resources and services by its clients. The choice of this policy, and its implementation, are generally considered the prerogative of each individual server. This approach to access control may be appropriate for many current client-server applications, where the server is an autonomous agent, in complete charge of its resources. It is not suitable for the growing class of applications where a group of servers, and sometimes their clients, belong to a single enterprise, and are subject to the enterprise-wide policy governing them all. One may not be able to entrust such an enterprise-wide policy to the individual servers, for two reasons: first, it is hard to ensure that an heterogeneous set of servers implement exactly the same policy. Second, as demonstrate, an AC policy can have aspects that cannot, in principle, be implemented by servers alone. As argued in a previous paper (Minsky, 2000), what is needed in this situation is a concept of communal policy that governs the interaction between the members of a distributed community of agents involved in some common activity along with a mechanism that provides for the explicit formulation of such policies, and for their scalable enforcement. We focus on the communal treatment of expiration and revocation of the digital certificates used for the authentication of the identity and roles of members of the community.

Provably Secure Fair Blind Signatures with Tight Revocation

Abstract: A fair blind signature scheme allows the trustee to revoke blindness so that it provides authenticity and anonymity to honest users while preventing malicious users from abusing the anonymity to conduct blackmail etc. Although plausible constructions that offer efficient tricks for anonymity revocation have been published, security, especially one-more unforgeability and revocability against adaptive and parallel attacks, has not been studied well. We point out a concrete vulnerability of some of the previous schemes and present an efficient fair blind signature scheme with a security proof against most general attacks. Our scheme offers tight revocation where each signature and issuing session can be linked by the trustee.

Revocation method and apparatus for secure content

Abstract: A system and method is provided for revoking a device. A method includes receiving a certificate from the device, the certificate including one or more of fields, at least one of the fields holding a signature, attempting to verify the signature, receiving a revocation list from a source, the revocation list identifying one or more data on the certificate as valid or invalid, the data including at least one of the fields of the certificate; and if one of one or more signatures identified unsuccessfully verified and one or more data is identified as invalid, preventing the transmission of a session key to the device, the session key being required to establish a secure communication channel.

An authorization model for a public key management service

Abstract: Public key management has received considerable attention from both the research and commercial communities as a useful primitive for secure electronic commerce and secure communication. While the mechanics of certifying and revoking public keys and escrowing and recovering private keys have been widely explored, less attention has been paid to access control frameworks for regulating access to stored keys by different parties. In this article we propose such a framework for a key management service that supports public key registration, lookup, and revocation, and private key escrow, protected use (e.g., to decrypt selected messages), and recovery. We propose an access control model using a policy based on principal, ownership, and authority relationships on keys. The model allows owners to grant to others (and revoke) privileges to execute various actions on their keys. The simple authorization language is very expressive, enabling the specification of authorizations for composite subjects that can be fully specified (ground) or partially specified, thus making the authorizations applicable to all subjects satisfying some conditions. We illustrate how the access control policy and the authorizations can easily be expressed through a simple and restricted, hence efficiently computable, form of logic language.

Review and revocation of access privileges distributed with PKI certificates. Discussion

Abstract: Public-key infrastructures (PKIs) that support both identity certificates and access control (e.g., attribute, delegation) certificates are increasingly common. We argue that these PKIs must a lso support revocation and review policies that are typical of more traditional access control systems; e.g., selective and transitive certificate revocation, and per-object access review. Further, we show that PKIs that eliminate identity certificates, such as the SPKI, resolve only selective revo cation problems and, at the same time, make access review more complex.

Efficient Revocation of Anonymous Group Membership Certificates and Anonymous Credentials

Abstract: An accumulator scheme, introduced be Benaloh and de Mare [BdM94] and further studied by Baric and Pfitzmann [BP97], is an algorithm that allows to hash a large set of inputs into one short value, called the accumulator, such that there is a short witness that a given input was incorporated into the accumulator. We put forward the notion of dynamic accumulators, i.e., a method that allows to dynamically add and delete inputs from the accumulator, such that the cost of an add or delete is independent on the number of accumulated values. We achieve this under the strong RSA assumption. For this construction, we also show an efficient zero-knowledge protocol for proving that a committed value is in the accumulator. In turn, our construction of dynamic accumulator enables efficient membership revocation in the anonymous setting. This method applies to membership revocation in group signature schemes, such as the one due to Ateniese et al. [ACJT00], and efficient revocation of credentials in anonymous credential systems, such as the one due to Camenisch and Lysyanskaya [CL01]. Using our method, allowing revocation does not alter the complexity of any operations of the underlying schemes. In particular, the cost of a group signature verification or credential showing increases by only a small constant factor, less than 2. All previously known methods (such as the ones due to Bresson and Stern [BS01] and Ateniese and Tsudik [AT01]) incurred an increase in these costs that was linear in the number of members.

Trust grant and revocation from a master key to secondary keys

Abstract: A method and apparatus is provided that allows code signed by a master key to grant trust to an arbitrary second key, and also allows code, referred to as an antidote and also signed by the master key to revoke permanently the trust given to the second key.

Revocation of Police Officer Certification: A Viable Remedy for Police Misconduct?

Abstract: We take it as a given that any profession or occupation, which involves interaction with the public, will be regulated by a state agency Accountants, architects, attorneys, barbers, cosmeticians, dentists, etc are all required to undergo training, meet selection standards and, if they seriously misbehave, they will have their licenses or certificates revoked by the board or commission which regulates that profession Until fairly recently, there was no license or professional certificate issued by a state agency for law enforcement officers That meant that an officer, who had successfully completed his police academy training and received a diploma, could be terminated by one department for cause and be hired by any other department in the state willing to hire him This article describes the statutes and regulations now in existence in the 44 states that do license and revoke licenses of law enforcement officers for misconduct There is great variation among the states on what conduct can lead to revocation, eg, some states require conviction of a crime whereas others permit revocation administratively, after a hearing before an ALJ There are also differences on what types of officers are subject to having their licenses removed, eg, in some states, only peace officers, in others, correctional officers are also covered With the fate of the exclusionary rule uncertain given recent US Supreme Court decisions, strengthening license revocation to ensure that citizens are not subject to continuing abuse by law enforcement officers is more important than ever before

Asynchronous Large-Scale Certification Based on Certificate Verification Trees

Abstract: Good public-key infrastructures (PKIs) are essential to make electronic commerce secure. Quite recently, certificate verification trees (CVTs) have been introduced as a tool for implementation of large-scale certification authorities (CAs). In most aspects, the CVT approach outperforms previous approaches like X.509 and certificate revocation lists, SDSI/SPKI, certificate revocation trees, etc. However, there is a tradeoff between manageability for the CA and response time for the user: CVT-based certification as initially proposed is synchronous, i.e. certificates are only issued and revoked at the end of a CVT update period (typically once a day). Assuming that the user is represented by a smart card, we present here solutions that preserve all advantages of CVTs while relaxing the aforementioned synchronization requirement. If short-validity certificates are used, implicit revocation provided by the proposed solutions completely eliminates the need for the signature verifier to check any revocation information (CRLs, CRTs, etc.).

Method of revoking_authorizations for software components

Abstract: Selective revocation of software components using a key hierarchy in a content protection system. A content distributor creates a content voucher root key, a content voucher signing key, one or more component root keys, and a content voucher. A component vendor creates a vendor root key, a component class key, a component version key, and an object voucher. The content voucher, object voucher and associated software component for processing content may be communicated to a content user system. The keys are used to sign each other in a novel hierarchical arrangement to provide for determination of integrity and authenticity of software components distributed by the component vendor for use on the content user system. The components may be implicitly authorized by the content distributor for use with selected content as a result of the relationships between the keys in the key hierarchy. Revocation of components may be implemented by inserting a revocation list into the content voucher. The revocation list may be checked prior to allowing access to content. Selective revocation of component versions, classes of components, and component vendors may be supported.

Key Revocation with Interval Cover Families

Abstract: We present data structures for complement covering with intervals and their application for digital identity revocation. We give lower bounds showing the structures to be nearly optimal. Our method improves upon the schemes proposed by S. Micali [5,6] and Aiello, Lodha, Ostrovsky [1] by reducing the communication between a Certificate Authority and public directories while keeping the number of tokens per user in the public key certificate small.

Liability of Certification Authorities: A Juridical Point of View

Abstract: Liability is an essential but a non-resolved question of commercial and legal development of certification entities. The issuing, distribution and use of a certificate, together with an eventual revocation or suspension of same up to its expiration date, generate relationships between implicated parties (basically, the provider of certification services, the subscriber and the user of the certificate) which set up the need to limit and clarify respective rights, obligations and eventual liabilities of each party. We analyze liability of certification authorities from a juridical point of view; the study is centered mainly in the content of the European Directive and the Spanish Law on electronic signatures, but we also refer to other laws (such as Utah Digital Signature Law, and Italian law on electronic signatures). We conclude criticizing legal rules on liability because they are incomplete and excessive, without taking into proper account the necessary balance of all involved parties.

Revocation and Tracing Schemes for Stateless Receivers.

Abstract: We deal with the problem of a center sending a message to a group of users such that some subset of the users is considered revoked and should not be able to obtain the content of the message. We concentrate on the stateless receiver case, where the users do not (necessarily) update their state from session to session. We present a framework called the Subset-Coverframework, which abstracts a variety of revocation schemes including some previously known ones. We provide sufficient conditions that guarantee the security of a revocation algorithm in this class. We describe two explicit Subset-Cover revocation algorithms; these algorithms are very flexible and work for any number of revoked users. The schemes require storage at the receiver of and keys respectively ( is the total number of users), and in order to revoke users the required message lengths are of and keys respectively. We also provide a general traitor tracing mechanism that can be integrated with any Subset-Cover revocation scheme that satisfies a “bifurcation property”. This mechanism does not need an a priori bound on the number of traitors and does not expand the message length by much compared to the revocation of the same set of traitors. The main improvements of these methods over previously suggested methods, when adapted to the stateless scenario, are: (1) reducing the message length to regardless of the coalition size while maintaining a single decryption at the user’s end (2) provide aseamless integration between the revocation and tracing so that the tracing mechanisms does not require any change to the revocation algorithm.

Quasi-Efficient Revocation of Group Signatures.

Abstract: A group signature scheme allows any group member to sign on behalf of the group in an anonymous and unlinkable fashion. In the event of a dispute, a designated trusted entity can reveal the identity of the signer. Group signatures are claimed to have many useful applications such as voting and electronic cash. A number of group signature schemes have been proposed to-date. However, in order for the whole group signature concept to become practical and credible, the problem of secure and efficient group member revocation must be addressed. In this paper, we construct a new revocation method for group signatures based on the signature scheme by Ateniese et al. [ACJT]. This new method represents an advance in the state-of-the-art since the only revocation schemes proposed thus far are either: 1) based on implicit revocation and the use of fixed time periods, or 2) require the signature size to be linear in the number of revoked members. Our method, in contrast, does not rely on time periods, offers constant-length signatures and constant work for the signer.

Canceling information update method, device and recording medium

Abstract: A storage medium (PM) 13 includes a controller 130 and two types of storage regions, the concealed region 134 and the open region 131. The open region 131 includes an open RW 133 storing a digital content, an open ROM-W region 132a storing, as revocation information, identification information of an electronic appliance that is prohibited from accessing the digital content, and an open ROM region 132 storing, as master revocation information, identification information of an electronic appliance that is prohibited from updating the revocation information. When the storage medium is loaded into an electronic appliance that has identification information which is registered in the open ROM region 132, the controller 130 prohibits the electronic appliance from updating the revocation information.

Storage media and method for protecting contents using this

Abstract: PURPOSE: To protect contents by making illegal electronic equipment ineffective when a storage medium is mounted on the electronic equipment represented by revocation information and used by previously registering the revocation information in a specific storage area of the storage medium. CONSTITUTION: In a read-only open ROM area 132 secured on a PM (storage medium) 13, a revocation list RL by which a PD (recording and reproducing device) to be made ineffective for contents protection can be decided is previously registered and when the PM 13 is mounted on an LCM (contents use management system) or the PD and used, a controller 130 provided on the PM 13 receives information. representing the LCM or PD from the equipment, refers to the revocation list RL with the information, and determines whether or not the equipment is made ineffective according to the reference result.

Method and system for copy protection in a multi-level content distribution system

Abstract: A hierarchical arrangement of revocation lists, corresponding to a hierarchy of content processing and rendering devices is used to optimize the processing and storage of revocation lists. At each level of the hierarchy, an access device provides its certification to an access device at a higher level in the device hierarchy. The higher level device compares the lower level device's certification to a revocation list corresponding to devices at the lower level. If the certificate has not been revoked, the higher level device provides a lower level revocation list to the lower level access device. The lower level access device uses this lower level revocation list to verify the status of devices to which it communicates content material. Because each list is limited to devices at each level of a conventional hierarchy of consumer devices, the lists provide an optimization at each device, by providing revocations only for devices that are expected to be used at the particular hierarchy level.