Back to Search Technologies
Method and Apparatus for Efficient TLS Revocation Mechanism - | Virginia Tech Intellectual Properties (VTIP)

Method and Apparatus for Efficient TLS Revocation Mechanism

THE CHALLENGE:

The widespread adoption of Transport Layer Security (TLS) is crucial for ensuring secure communication over the internet. TLS secures the connection between users and online services, protecting sensitive information during transmission. A vital aspect of TLS security is certificate revocation, which invalidates compromised or untrusted digital certificates. This mechanism ensures that only valid certificates are used to establish trust and secure communication.

Current approaches to certificate revocation, primarily using Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP), suffer from limitations. CRLs can become bulky and slow to process due to their size. Addressing the timelines of revocation updates is also challenging. While OCSP, despite offering real-time updates, introduces privacy concerns, reliability of OCSP responders and relies heavily on centralized infrastructure like Content Delivery Networks (CDNs), potentially creating bottlenecks and security vulnerabilities. These limitations highlight the need for more efficient, secure, and scalable solutions for TLS certificate revocation.

OUR SOLUTION:

OCSP-over-DNS is a novel method for enhancing the security and efficiency of Transport Layer Security (TLS) certificate validation. This approach leverages the geographically distributed nature of DNS resolvers to serve Online Certificate Status Protocol (OCSP) responses, eliminating the reliance on traditional HTTP-based infrastructure and CDNs. By querying a domain name that incorporates the certificate's serial number, clients can retrieve its OCSP status from nearby resolvers, reducing latency and improving validation speed.

The key differentiator of OCSP-over-DNS lies in its use of DNSSEC for security and its unique response mechanism. By implementing DNSSEC, the integrity of OCSP responses is ensured without requiring additional signatures. Revoked certificates result in a clear OCSP response, while valid certificates yield an NXDOMAIN response. This, coupled with the use of NSEC records, allows resolvers to efficiently determine the revocation status of certificates within a given range, further optimizing the process and enhancing security by minimizing potential attack vectors.

ADVANTAGES:

  • Improved efficiency over current methods.
  • Reduced latency for end-users that are geographically closer.
  • Improved security due to DNSSEC and reduced dependency on CDNs.

POTENTIAL APPLICATIONS:

  • Web Browser Security
  • CDN Infrastructure Enhancement
  • Certificate Authority Service
  • DNS Providers
  • IoT Device Authentication

 

Patent Information:
Direct Link:
http://vtip.technologypublisher.com/technology/55599
Tech ID:
24-025
Category(s):
Technology Classifications > Software
Bookmark this page
For Information, Contact:
Emily Lanier
Licensing Manager
Virginia Tech Intellectual Properties, Inc.
emilylt@vt.edu
Inventors:
Tijay Chung
Keywords: