A Method for Detecting the Exposure of a Secret Key in Key-Insulated Scheme

Transcription

1 IJCSNS Internatonal Journal of Computer Scence and Network Securty, VOL.8 No.9, September 28 3 A Method for Detectng the Exposure of a Secret ey n ey-insulated Scheme Younggyo Lee and Dongho Won Department of Internet Informaton, Seol College, orea Informaton Securty roup, Department of Computer Engneerng, Sungkyunkwan Unversty, orea Summary Dods et al proposed a key-nsulated sgnature scheme n 23. In the scheme, total lfetme of a certfcate s dvded to tme perods and dfferent secret keys are used for each tme perod. The master secret key s stored n the physcally secure devce and s not used for sgnng drectly. The dfferent secret keys are used for sgnature n each tme perod and they are refreshed by a computaton wth the master key. Therefore, the scheme can mnmze the damage caused by a secret key s exposure. However, t can not protect the from the secret key s exposure perfectly. We propose a method whch can detect even a sngle llegtmate sgnature due to the exposure of a secret key n the key-nsulated scheme. The method uses the one-tme hash chan based on NOVOMODO and the counter. And t requres small modfcaton of tradtonal PI. The method can prevent the s from compromsng a secret key effectvely n the keynsulated sgnature scheme. ey words: key-nsulated sgnature, one-tme hash chan, NOVOMODO, PSD. Introducton PI (Publc ey Infrastructure) s a wdespread and strong technology for provdng the securty (ntegrty, authentcaton, and non-repudaton) usng publc key technques. The man dea of PI s based on the dgtal certfcate that s a dgtally sgned statement bndng an entty ( or authorty) s dentty nformaton and hs publc key by CA (Certfcate Authorty) s secret key. If the entty s secret key s compromsed or the entty s dentty nformaton s changed, the entty makes a request to the CA for revokng ts own certfcate. The nformaton whether the certfcate s revoked or not s called CSI (Certfcate Status Informaton) and CRL (Certfcate Revocaton Lsts) s one of the most well-known methods for CSI [2, 7, 3].. CRL sze and communcaton cost The CRL system has an advantage of ts smplcty, however, t has a dsadvantage of hgh communcaton cost between the and the CA s Repostory (or Drectory) storng the CRL. Therefore, n order to reduce the sze of certfcate revocaton lst (communcaton costs), computaton cost and storage amounts, varous methods have been suggested up to date. These are Delta- CRL, CRL DP (Dstrbuted Ponts), Over-ssued CRL, Indrect CRL, Dynamc CRL DP, Freshest CRL, CRT (Certfcate Revocaton Trees), NOVOMODO, Authentcated Drectory et al [, 2, 5, 6, 7, 9,, 2, 3, 4, 6]. 2 OCSP and computaton cost If the clent or needs very tmely CSI, an onlne certfcate status servce such as the OCSP (Onlne Certfcate Status Protocol) s more convenent than the off-lne method such as CRL et al [9]. In OCSP, snce the clent does not need to download a CRL from the CA s Repostory, the hgh communcaton cost between the clent and the CA s Repostory and the storage spaces for storng the CRL are not requred. However, f the CSI requests are centralzed to an OCSP Responder, the OCSP Responder can have a rsk of DoS (Denal of Servce) attacks [5]. In order to reduce the rsk of DoS attacks, the OCSP Responder can pre-produce a sgned value for responses n a short tme. However ths may allow a possblty of the replay attacks [5, 6]. 3 T-OCSP and D-OCSP To reduce the overload of sngle OCSP Responder n T- OCSP (Tradtonal-OCSP), D-OCSP (Dstrbuted- OCSP) s ntroduced [4, 5]. In D-OCSP, f dstrbuted OCSP Responders have the same secret key, the possblty of OCSP Responder s secret key exposure s very hgh [6]. Therefore, n the general D-OCSP model, each OCSP Responder has a dfferent secret key and clents must have all of the OCSP Responder s certfcates for verfyng CSI response of OCSP Responders. Ths gves an ncrease of storage amounts consumpton or communcaton costs for acqurng the OCSP Responder s certfcates. For solvng ths problem, the method of sngle publc key was proposed n D-OCSP-IS (Dstrbuted Manuscrpt receved September 5, 28. Manuscrpt revsed September 2, 28.

2 4 IJCSNS Internatonal Journal of Computer Scence and Network Securty, VOL.8 No.9, September 28 OCSP based on ey-insulated Sgnature) by oga and Sakura [5]. Also for solvng the problem that the length of the sngle publc key s n proporton to the number of OCSP Responder n D-OCSP-IS, Daehyun Yum and Pljoong Lee proposed the D-OCSP-IBS(Dstrbuted OCSP based on Identty-Based Sgnature) that the length of the sngle publc key s constant and short [4]. In addton, a method for detectng the exposure of an OCSP Responder s sesson secret key n D-OCSP-IS was proposed by Younggyo Lee et al [2, 2]. master secret key s dvded nto tme perods and the dfferent secret keys refreshed by the master key are used for each tme perod as shown n Fg.. The secret key (S ) stored n the nsecure devce s refreshed at dscrete tme perods va nteracton wth the physcally secure devce whch stores the master secret key. Therefore the scheme can mnmze the damage caused by the secret key exposure untl the secret key s changed. The keynsulated sgnature scheme needs a 5-tuple of poly-tme algorthms (en, Upd*, Upd, Sgn, Vrfy) such that: 4 Our Contrbutons However, the study for preventng the exposure of a s secret key s hardly accomplshed up to date. Dods et al proposed a key-nsulated sgnature scheme at 23 n [7, 8] In the scheme, the master secret key s stored n the physcally secure devce and not used for sgnng drectly. Total lfetme of the master secret key s dvded nto tme perods and the dfferent secret keys refreshed by the master key are used for each tme perod. Therefore the scheme can mnmze the damage caused by the secret key s exposure but can not protect the from the secret key s exposure n a tme perod perfectly. Just a sngle llegtmate sgnature by the exposure of a secret key can gve extensve damage to the n E-busness or E- commerce. In ths paper, we propose a method that can detect even a sngle llegtmate sgnature caused by the exposure of a secret key n the key-nsulated scheme. The method uses the one-tme hash chan based on NOVOMODO and the counter. The method can prevent s from compromsng the secret key effectvely n the key-nsulated sgnature scheme. The rest of ths paper s organzed as follows. In secton 2, we present the keynsulated sgnature scheme and NOVOMODO. In secton 3, we propose a method for detectng the exposure of a secret key n the key-nsulated scheme. In secton 4, we analyze the proposal n detal. In secton 5, we show the characterstcs of proposal and compare the proposed method to other methods. Fnally, n secton 6, we conclude our paper. 2. ey-nsulated sgnature scheme and NOVOMODO In ths secton, we present the key-nsulated sgnature scheme proposed by Dods et al frst and show Mcal s NOVOMODO that our proposal based on. 2. ey-nsulated sgnature scheme In the key-nsulated sgnature scheme, the master secret key (S*) s stored n the physcally secure devce (PSD) and not used for sgnng drectly. Total lfetme of the Fg. The concept of key-nsulated sgnature scheme en : the key generaton algorthm U pd * : the physcally secure devce key-update algorthm U pd : the key-update algorthm Sgn : the sgnng algorthm Vrfy : the sgnng verfcaton algorthm At frst, a generates (P, S*, S ) usng en( k, N) and publshes P n the central locaton. The stores S* n the physcally secure devce and stores S n the general devce. S s used for sgnng durng the tme perod. When a tme perod (f the secret key s S ) s fnshed, the gets S,j from the secure devce usng U pd * (,j,s*). The computes the next tme perod s secret key S j = U pd (, j, S, S,j ) usng S and S,j. Sgn algorthm s used for sgnng a message M(Sgn sk (,M),s) and Vrfy algorthm s used for verfyng the sgnature s of M(Vrfy P (M,<,s>) b) [7, 8]. After computng S j, the erases S and S,j. S j s used for sgnng a message durng the tme perod j wthout further access to the physcally secure devce. Therefore the scheme can mnmze the damage caused by the secret key s exposure. However the scheme cannot protect the from the exposure of s secret key n a tme perod perfectly. If the secret key (S n Fg. ) of a tme perod s exposed ncdentally, t can be used for sgnng by an attacker acqurng t untl t s changed (S j n Fg. ). Therefore the key-nsulated sgnature scheme can mnmze the damage caused by the secret key s exposure but can not protect the from the secret key s exposure perfectly.

3 IJCSNS Internatonal Journal of Computer Scence and Network Securty, VOL.8 No.9, September NOVOMODO In NOVOMODO, a s certfcate Cert ncludes two 2-byte (6-bt) hash values n addton as shown n Fg. 2. The one (X 365 ) s used as valdty target and the other (Y ) s used as revocaton target. Cert Fg. 2 The structure of certfcate n MOVOMODO These values are produced by applyng one-way hash functon to two dfferent 2-byte values randomly selected n CA. When the tme nterval s one day, The value X 365 s computed by 365 hashng operatons from X : X =h(x ), X 2 =h(x ),.., X 365 =h(x 364 ); and Y by hashng operaton from Y : Y =h(y ). The CA keeps secretly the ntal values X, Y and all the ntermedate values X. The CA releases the correspondng ntermedate hash value to each as a certfcate s valdty proof (X ) or revocaton proof (Y ) at ntal tme of each nterval. In E-busness or E-commerce based on PI, the verfer gettng the s certfcate and correspondng hash value compares two values usng the hash functon. If the result of comparson s the same, the verfer gets the message authentcaton and ntegrty concernng the released hash value (X or Y ) perodcally and confrms the s certfcate status by the hash value [6] Table The comparson of storage amounts for hash chan stored n each tme nterval n CA tme nterval X = Sg certfcat e mllon certfcat es certfcat level e s mllon (A ~ certfcat J ) es Unt : bytes. day hour mnute 5 seconds second.3 M 4 M 65 M M 4 M 65 M 52 Valdty target ( P SCA, SN, I, S, V, X 365, Y ) Revocaton The well-known CRL holds the lst of revoked certfcate n the lst. If a certfcate does not appear n the CRL, then the certfcate s deduced to be vald. Thus CRL s a double negatve scheme but NOVOMODO s a postve/negatve scheme that t releases the valdty or revocaton status. A bg advantage of NOVOMODO s that t uses the hash functon of small computaton cost and storage amount (always produces 2-byte outputs) as gven n Table. CA may provde the hash value to a clent as OCSP response or release t perodcally or post t on the WWW (World Wde Web). The hash value s small. However, snce the nversng of the hash functon s practcally mpossble, anybody (e.g., attacker) cannot forge t and t offers the message authentcaton and ntegrty If the certfcate ncludes valdty targets and revocaton target and CA releases a dfferent valdty proof, a can use the certfcate as certfcates wth dfferent levels [6]. 3. A method detectng the exposure of a secret key n the key-nsulated sgnature scheme As we mentoned earler, the key-nsulated sgnature scheme can mnmze the damage caused by the exposure of a secret key but can not protect the from the exposure of a secret key perfectly. Therefore, n ths secton, we propose a method that detects even a sngle llegtmate sgnature by the exposure of a secret key of. Ths proposal uses the one-tme hash chan based on NOVOMODO and the counter. And ts framework (ncludes the certfcate format) s smlar to general PI. 3. Requrements Our proposal has some requrements as follow. ) Both the s sgnature and the verfer s certfcate status valdaton (usng OCSP) are establshed by : n real tme. 2) The s certfcate ncludes a hash value (of 2 bytes) of detecton mark for detectng the own secret key s exposure. 32 Proposal [Intal procedure : the s certfcate ssuance by CA] ) In ths proposal, the s secret key s restrcted by the number of sgnatures. Let be the total number of sgnature usages for a. For an example, s, f each s certfcate s expred after, sgnng operatons. Thus, the certfcate of the s expred after, certfcate status valdatons. The computes by, hashng operatons from random nput value usng h as follows.

4 6 IJCSNS Internatonal Journal of Computer Scence and Network Securty, VOL.8 No.9, September 28 h L h h h L OCS Pr equest, Cert, C before Step 3: C now? C before + CA CA Step 2 P,, Inform Step 3 Cert = Sg S ( P CA, L, ) Step 2 OCSP request,cert Step 4 OCSP response verfer Step M, Sg ( M), Cert, S verfer Step h h h h L L Fg. 3 The procedure of certfcate ssuance by CA 2) The sends the own publc key, the own dentfcaton nformaton, and the fnal hash value, safely to CA for the request of own certfcate ssuance. 3) The CA ssues the s certfcate Cert by usng own secret key. In Cert, the hash value s also ncluded as follows. SN s the seral number of certfcate and V represents the valdty perod. I and S denote ssuer and subject of certfcate, respectvely. And the CA sets the counter C before for to. The counter C before s stored and managed n CA. Cert = Sg S CA ( P, SN, I, S, V, ) C before 4) The stores hs own master secret key, the nput value and all ntermedate values of step n PSD securely. [Servce procedure : sgnature and certfcate status valdaton] ) When the sgns, he sends hs own certfcate and the hash value wth the sgned message M to the verfer. The s taken out from PSD and delvered n the order of, 2, 3,..., M, Sg ( M), Cert, S 2) After recevng the sgned message from, the verfer requests the s certfcate status nformaton to CA. Then he also delvers the s certfcate and the hash value wth the OCSP request. Fg. 4 The procedure of sgnature and certfcate status valdaton 3) When the CA receves the OCSP request from the verfer, t repeatedly computes the hashng operaton untl the hashng operaton result of s equal to the hash values contaned n the certfcate. h( )? If ths holds, the CA can confrm the message authentcaton and ntegrty about the hash value. And the counter C now (=; the number of hashng operaton n the present request) s compared wth the stored counter C before (the number of hashng operaton n the prevous request) by the followng condton. C? C now before + If the condton s satsfed, then the CA confrms that the s secret key was not used n an llegtmate sgnature. Otherwse, CA concludes that the s secret key was exposed and used llegtmately by an attacker. 4) In step 3, f the condton about the counter s satsfed, the CA ncreases the counter C before by and sets the counter C now to. And the CA delvers the correspondng OCSP response ncludng the s certfcate status nformaton ( good ) to the verfer. Otherwse, he returns the response ( revoked ) to the verfer. And he revokes the s certfcate and nforms that s secret key s exposed and used by an attacker llegtmately. The CA goes to step to process the next OCSP request.

5 IJCSNS Internatonal Journal of Computer Scence and Network Securty, VOL.8 No.9, September Analyss OCS Pr esponse C C before now C before + In ths secton, we analyze the proposed method n detal for each step. ) The hash value ncluded n the certfcate The hash value ncluded n the s certfcate s used as detecton mark for detectng the exposure of the s secret key. The hash value s a fnal value of hash chan computed by the. When s receved wth the request of the certfcate status nformaton from the verfer, the CA can have the message authentcaton and ntegrty about by comparng wth through the hashng computaton. 2) The hash values of,...,,..., stored n PSD Snce the hash values of,...,,..., are computed usng the one-way hash functon, the nverse computaton s mpossble. These values are computed n a s PC and stored n PSD securely. When sgns a message, these values are taken out from PSD and delvered n order of,...,,..., to the verfer wth sgned message step by step. Therefore an attacker cannot compute the hash values. In other words, these values are unquely delvered values and the attacker cannot forge and reuse the hash values. 3) The hash value delvered to the CA va the verfer The hash value wth sgned message s delvered to the verfer and t wth the OCSP request s sent to the CA. The value cannot be forged by an attacker and she cannot re-compute the prevous hash value +. And the CA can have the ntegrty about receved by hashng operaton and comparng wth ncluded n certfcate. Therefore does not need the sgnature when t s delvered to the CA va the verfer. 4) The counter C before and C now n the CA The counter C before and C now are used for judgng the llegtmate sgnature by the s secret key. The C before s ncreased one by one n normal case and ts value represents the number of the prevous hashng operatons. The C now s the number of present hashng operatons when comparng the and n CA. Therefore f the s sgnature s not used llegtmately, the dfference of these counters s (C now = C before +). Otherwse, we acknowledge that a secret key of s compromsed and the llegtmate sgnature use s performed by the attacker. In case that the dfference of these counters s ( C now = C before ), the llegtmate sgnature use s performed usng the hash value of latest sgnature. In case that the C now s less then the C before (C now < C before ), the llegtmate sgnature s performed usng the old hash value. In cay case, even f the attacker forges llegtmate sgnature only once, the proposed method can detect t mmedately. 5. Characterstcs and comparsons In ths secton, we explan the characterstcs of the proposed method and compare t to tradtonal PI and key-nsulated sgnature scheme. The detaled characterstcs are as follows: [Immedate exposure detecton of a secret key of ] The s secret key s kept securely and s used at the sgnature n PI. However n the key-nsulated scheme, the possblty of each s secret keys exposure s hgher than that of server s because the s PC has the weak ponts concernng the system securty n general (e.g., frewall) and each secret key s stored n unphyscally secure devce. In the proposal, the certfcate status request for each s sgnature s checked one by one usng the one-tme hash chan. Even f the attacker that acqures a secret key of the uses only one-tme llegtmate sgnature, the CA can detect t mmedately at the procedure of the certfcate status valdaton. [The computaton costs and storage amounts n the ] Table 2: The computaton costs and storage amounts n the by the number of sgnature The number of, 5,, sgnatures The number of hashng, 5,, operatons The number of stored hash values (Max.), 5,, Storage amount for the hash values (Max.).95 bytes 9.53 bytes bytes 95.3 bytes In the proposal, the uses the hash chan to CA for delverng the unque value that an attacker cannot forge t. Each computes the number of, hashng

6 8 IJCSNS Internatonal Journal of Computer Scence and Network Securty, VOL.8 No.9, September 28 operatons and stores the nput and all the ntermedate values safely. Table 2 shows the computaton costs and Table 3: The comparson of the proposal wth other methods proposal tradtonal PI key-nsulated sgnature scheme structure modfed (+ 2bytes) - - certfcate, tmes valdty (+- s possble) 365 days 365 days OCSP request form adds certfcate, hash value - - OCSP response form addtonal computaton costs for average 5, hashng operatons / CA OCSP request (durng servce) - addtonal 2 bytes / storage amount (. 97 M bytes n total) - addtonal communcaton costs certfcate, hash value / OCSP request (acceptor CA) - -, hashng addtonal ntally - en( k,n) for P,S*,S operatons / computaton each tme costs for - - Upd*, Upd nterval addtonal storage amount for maxmum secret key bytes at each perod receve hash value, addtonal loads send certfcate, for acceptor hash value - - possblty of wrong response O O securty of s secret key hgh no medum detecton of s secret key exposure possble number of llegtmate sgnature O from hundreds from several only to thousands of tmes to hundreds of tmes detector of llegal sgnature CA detecton tme of llegtmate sgnature at once (later) (later) sgner : verfer : n : n n : n mplementaton Internet bankng, E-commerce, E- busness All knd All knd Notes. O : Supported, : Not supported for the number of certfcates s,, and the number of usage tmes () s, storage amounts of the by the number of sgnature. In case the number of, sgnatures,, hashng operatons are requred and ths s equaled to only the number of sgnature operaton because the hash operaton s at least, tmes faster n computaton than a sgnature operaton [5, 6] bytes are needed for storng the hash chan and the hash chan s reduced accordng to delvery of hash value at the sgnature. Therefore the computaton cost and the storage amounts are not the overload to. [The number of use tmes of s secret key] In the proposed method, the secret key (the certfcate) of a s used for the lmted number of tmes because onetme hash value s used n the valdty proof of s secret key. As above, t s supposed that the number of tmes s,. In ths case, the CA computes hash operaton at the frst OCSP request and the, hash operatons at,-th OCSP request for detectng the exposure of the s secret key. Thus, the CA computes average 5, hashng operatons. Of course, can be set

7 IJCSNS Internatonal Journal of Computer Scence and Network Securty, VOL.8 No.9, September 28 9 bgger (e.g., 2, 5, ) or smaller (e.g., 8, 5, 2). However settng bgger than, s neffcent because the requred computaton tme s larger than dgtal sgnature tme. If dfferent 3 hash values are added to the s certfcate, the number of usage tmes of s secret key s ncreased and the number of hash operaton s decreased n the CA. Suppose that these 3 hash values are computed by 5, hashng operatons from dfferent ntal values. The total number of usage tmes s 5,, but the CA only computes average 2,5 hashng operatons for OCSP request. When the spends all of the number of usage tmes, t computes a new hash-chan and transfers the only fnal hash value to the CA unless ts secret key s compromsed or publc key and other nformaton s changed [2-22]. [The computaton costs and storage amounts n CA] In ths proposal, the CA should manage the counter C before for each. The nteger varable of 2 bytes s needed for storng the maxmum value, n t. Suppose that the CA s a bg CA wth,, ssued certfcates. The storage amounts of.97 M bytes are needed for,, certfcates. The storng and managng of the quantty does not gve an overload to CA. As we mentoned earler, the CA computes averagely 5, hashng operatons when s,. The computaton costs also do not gve an overload to the CA. [The addtonal communcaton costs] In ths proposal, the hash value of 2 bytes s delvered from the to the verfer addtonally and the communcaton cost s small. And the s certfcate and the hash value are sent to the CA wth OCSP request. The CA can acqure the s certfcate n Drectory drectly. In any case, the CA should acqure certfcate and 2-byte hash value addtonally n ths proposal. [The PI structure and procedure havng small modfcatons] There are slght dfferences between our proposal and the tradtonal PI n the structure (ncludng the certfcate format) and procedure. The dfferences n our PI structure and procedure can be summarzed as follows: () each has a hash chan and sends the hash value wth the sgned document, (2) verfer sends the hash value wth the OCSP request, and (3) CA mantans the counter C before, computes the hash operatons and comparsons. The dfference n our certfcate format s that each s certfcate has a hash value of 2 bytes for the detecton mark n addton. [The frequency of the communcatng wth the PSD] In ths proposal, the needs to communcate wth the PSD to get the hash values of,...,,..., whenever he sgns a message. Thus the frequency of the communcatng wth the PSD s ncreased, and the frequency of the PSD s connecton to nsecure envronments s also ncreased. After all, t puts the PSD n a hgher rsk of exposure. As the master secret key s stored n PSD, the key-nsulated sgnature system wll be broken by the only one exposure of PSD. Therefore, for reducng the rsk of the master secret key, two PSDs are requred as lke PIPE(Parallel ey-insulated Publc Encrypton) [6]. The master secret key s stored n PSD and the hash values are stored n PSD 2 In PSD 2, the -defned password can be used to protect the hash values aganst abuse [6] We compare the proposed method to tradtonal PI and key-nsulated sgnature scheme such as n Table 3. In Table 3, we see that the proposal has some dsadvantages. These dsadvantages nclude the facts that the s secret key has a lmted usage tmes, the small computaton costs and storage amounts s ncreased n CA and and the small communcaton costs s ncreased between verfer and CA. However the proposal has some advantages. One bg advantage of ths proposal s the detecton the exposure of s secret keys. And t has an advantage of delverng correct response to verfer. In addton, t has an advantage of accountng the s certfcate rate by the number of tmes. 6. Conclusons In the key-nsulated sgnature scheme, the damage of the secret key s exposure can be mnmzed. But, even just one-tme llegtmate sgnature by the exposure of a secret key can gve extensve damage to the n E-busness or E-commerce. Therefore we propose a method that can detect mmedately even just one-tme llegtmate sgnature by the exposure of a secret key of. The method uses the one-tme hash chan based on NOVOMODO and ts structure and procedure are smlar to the tradtonal PI. We analyze the proposed method n detal and compare t to the tradtonal PI and the key-nsulated sgnature scheme. Our proposal uses the one-tme hash chan requrng small resource and can prevent the s from compromsng the secret key effectvely and perfectly n the key-nsulated sgnature scheme. The method can ncrease the securty of the s secret key n PI. References [] A. Malpan, R. Housley, T. Freeman, Smple Certfcate Valdaton Protocol(SCVP), IETF Internet Draft, June, 22.

8 2 IJCSNS Internatonal Journal of Computer Scence and Network Securty, VOL.8 No.9, September 28 [2] C. Adams, P. Sylvestor, M. olotarev, R. uccherato, Internet X.59 Publc ey Infrastructure Data Valdaton and Certfcaton Server Protocols, IETF RFC 329, February, 2. [3] Dae Hyun Yum, Jae Eun ang, and Pl Joong Lee, Advanced Certfcate Status Protocol, n MMM-ACNS 23, LNCS 2776, pp , 23. [4] Dae Hyun Yum, Pl Joong Lee, A Dstrbuted Onlne Certfcate Status Protocol Based on Q Sgnature Scheme, n ICCSA 24, LNCS 343, pp.47-48, 24. [5] Janyng hou, Feng Bao, and Robert Deng, An Effcent Publc-ey Framework, n ICICS 23, LNCS 2836, pp.88-99, 23. [6] Jong-Phl Yang, Chul Sur, Hwa-Sk Jang, and yung- Hyune Rhee, Practal Modfcaton of An Effcent Publc- ey Framework, 24 IEEE Internatonal Conference on e-technology, e-commerce and e-servce, March 24. [7] Jose L. Munoz, Jord Forne, Oscar Esparza, and Mguel Sorano, A Certfcate Status Checkng Protocol for the Authentcated Dctonary, n MMM-ACNS 23, LNCS 2776, pp , 23. [8] Leo Reyzn, eneral Tme/Storage Tradeoffs for Hash- Chan Re-comoutaton, unpublshed manuscrpt. [9] M. Myers, R. Ankney, A. Mappan, S. alpern, C. Adams, X.59 Internet Publc ey Infrastructure Onlne Certfcate Status Protocol - OCSP, IETF RFC 256, June, 999. [] NIST FIPS (Federal Informaton Processng Standards Publcaton) 86-, Dgtal Sgnature Standard, December, 998. [] P.C.ocher, On Certfcate Revocaton and Valdaton, n Fnancal Cryptography (FC 98), LNCS 465, pp.72-77, Sprnger-Verlag, 998. [2] Paul. ocher, A Quck Introducton to Certfcate Revocaton Tree(CRTs), Techncal Report, Valcert, 999. [3] R. Housley, W. Ford, W. Polk, D. Solo, Internet X.59 Publc ey Infrastructure Certfcate and CRL Profle, IETF RFC 2458, January, 999. [4] R. Housley, W. Ford, W. Polk and D. Solo, Internet X.59 Publc ey Infrastructure Certfcate and CRL Profle, IETF RFC 328, Aprl, 22. [5] Satosh oga, ouch Sakura, A Dstrbuted Onlne Certfcate Status Protocol wth a Sngle Publc ey, n Publc ey Cryptography 24, LNCS 2947, pp.389-4, 24. [6] Slvo Mcal, NOVOMODO; Scable Certfcate Valdaton And Smplfed PI Management, n st Annual PI Research Workshop Preproceedngs, pp.5-25, 22. [7] Yevgeny Dods, Jonathan atz, Shouhua Xu, and Mot Yung, ey-insulated Publc ey Crytosystems, n EUROCRYPT 22, LNCS 2332, pp , 22. [8] Yevgeny Dods, Jonathan atz, Shouhua Xu, and Mot Yung, Strong ey-insulated Sgnature Schemes, n PC 23, LNCS 2567, pp , 23. [9] ochro, Yumko Hanaoka, and Hdek Ima, Pararell ey-insulated Publc ey Encrypton, n PC 26, LNCS 3958, pp. 5-22, 26. [2] Younggyo Lee, Injung m, Seungjoo m, and Dongho Won, A Method for Detectng the Exposure of an OCSP Responder s Sesson Prvate ey n D-OCSP-IS, n Euro PI 25, LNCS 3545, pp , 25. [2] Younggyo Lee, Jeonghee Ahn, Seungjoo m, and Dongho Won, A Method for Detectng the Exposure of an OCSP Responder s Prvate ey usng One-Tme Hash Value, n IJCSNS Internatonal Journal of Computer Scence and Network Securty, VOL. 5 No.8, pp , August 25. [22] Younggyo Lee, Jeonghee Ahn, Seungjoo m, and Dongho Won, A PI System for Detectng the Exposure of a User s Secret ey, n EuroPI 26, LNCS 443, pp , 26. [23] secure PI protocols. Younggyo Lee receved the B.E. and M.E. degrees n Electronc Engneerng from Hanyang Unversty n 986 and 99. He receved the Ph.D. degree n Computer Engneerng n Sungkyunkwan Unversty. He s currently a professor of Department of Internet Informaton of Seol College n orea. Hs current research nterest s n the area of cryptography, partcularly regardng the desgn of Dongho Won receved hs B.E., M.E., and Ph.D. degrees from Sungkyunkwan Unversty n 976, 978, and 988, respectvely. After workng at ETRI (Electroncs & Telecommuncatons Research Insttute) from 978 to 98, he joned Sungkyunkwan Unversty n 982, where he s currently professor of School of Informaton and Communcaton Engneerng. Hs nterests are on cryptology and nformaton securty. Especally, n the year 22, he was occuped the presdent of IISC (orea Insttute of Informaton Securty & Cryptology).