• DocumentCode
    3240513
  • Title

    MBS-OCSP: an OCSP based certificate revocation system for wireless environments

  • Author

    Berbecaru, Diana

  • Author_Institution
    Dipt. di Autom. e Inf., Politecnico di Torino, Italy
  • fYear
    2004
  • fDate
    18-21 Dec. 2004
  • Firstpage
    267
  • Lastpage
    272
  • Abstract
    Insofar public-key cryptography has been mostly used to provide security for applications that don't have constraints on bandwidth, memory or power. This type of applications (e.g. digital signature applications) or security protocols (e.g. Secure Socket Layer - SSL) typically use X.509 public-key certificates issued in the frame of public key infrastructures (PKIs). For wireless devices, the design of X.509 certificate-based secure applications is still an open issue, mostly due to the storage, network and computation limitations. One important and difficult issue that must be handled is the distribution of the current revocation status of the X.509 certificate toward the mobile client. We propose an improvement of a system (named CPC-OCSP) that is an adaptation of the OCSP protocol, one certificate revocation mechanism largely used nowadays. Our proposal, named MBS-OCSP, makes use of Merkle hash trees and is particularly appropriate for use in wireless environments where the clients are able to cache some of the received information for further re-use. Unlike other proposals, our system is flexible since clients and servers must not agree "in advance" on any parameter used for cache management. Finally, we compare our proposal with the standard revocation mechanisms (CRL and OCSP) and with CPC-OCSP in terms of the computational effort and the message size.
  • Keywords
    certification; client-server systems; mobile communication; open systems; protocols; public key cryptography; telecommunication security; telecommunication standards; tree data structures; MBS-OCSP certificate revocation system; Merkle hash trees; OCSP protocol; X.509 certificate; digital signature applications; mobile client; public-key cryptography; security protocols; wireless communication environments; Bandwidth; Communication system security; Cryptographic protocols; Digital signatures; Memory management; Power system security; Proposals; Public key; Public key cryptography; Sockets;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Signal Processing and Information Technology, 2004. Proceedings of the Fourth IEEE International Symposium on
  • Print_ISBN
    0-7803-8689-2
  • Type

    conf

  • DOI
    10.1109/ISSPIT.2004.1433737
  • Filename
    1433737