Sie sind auf Seite 1von 4

A comprehensive study of prototyping a

framework for commissioning and distribution

of authenticated certificates for e-transactions
using cloud technology
Chengappa M.R, Research Scholar, Visvesvaraya Technological University
Dr. M.S. Shashidhara, Department of Computer Application (MCA),
The Oxford College of Engineering,
where the request is coming. As the cloud computing is
Abstract— The advancements in the wireless communication gaining popularity and due to the ability of the cloud to
technologies and the rapid development in the mobility world has leverage the computing resources and also due to the fact that
leveraged e-commerce industries and e-transactions which are the cloud services could be accessed from anywhere
making promising advancements. In such scenarios it becomes
irrespective of the geographical locations these are no burden
crucial for the users using such e-transactions to make sure they
use the authenticated PKI's and certificates and to make sure to have large-scale computing servers and maintaining them at
they have secured transactions. In this paper we discuss about different locations. In this paper we discuss to make use this
the mechanism to provide the authenticated certificates for e- property of the cloud and hence propose a mechanism
transactions by making use of the cloud services. All the e- authenticate the source of origin of the certificate and hence
transactions can make the request to use the authenticated facilitate the e-transactions with a robust security in place. The
certificates to the cloud regardless of the locations; we propose to
mechanism is in sync with the standard protocols of
use the dedicated cloud services to provide the authenticated
certificates. certification validation, all the devices which facilitating the e-
transactions can process a request to the cloud irrespective of
Keywords: e-transactions, PKI, Cloud. the geographical locations and get a quick response. Also the
cloud would facilitate the process for tracing the route for
back-tracking. The paper is organized in the following way:
I. INTRODUCTION We would touch upon some of the works done pertaining to

I n the recent years, with the development of wireless the authenticating the route of the source of the origin of the
communication technologies and easy access to mobile certificates in Section 2, In Section 3 we would put together
Internet, e-commerce industry is gaining prominence. In any the requirements for authenticating the certificates in the cloud
form of the e-transactions or in the e-commerce business with for e-transactions, In section 4 we would describe the
no frontal transactions security becomes a prime concern workflow in detail.
among the users. Usually in the cases of online money and
macro transactions require robust security in place [5], and to II. BACKGROUNDS AND RELATED WORK
tackle these security issues wireless communicating devices The proposed method supports and facilitates security
are adapting to use the certificates, TSL, SSL and Public Key services like AAA- authentication, authorization and
Infrastructure to have a robust security in place for such accounting, data confidentiality and integrity which are
transactions [6]. Hence to make sure the robustness of the basically based in the right combination of the public/private
security feature authenticating the source of origin of these key pairs. The public key of the key pair is allocated in the
certificates become prime concern to have a secure e- form of a public key certificate but making use of appropriate
transactions. However the devices such as mobile phones algorithms and could be use to authenticate the digital
which are very commonly used these days to make e- signatures and encrypt data. It is obvious that before one could
transactions have very limited processors, memory and battery make use of a certificate, one should verify the certificate and
backup, so there arise a need for using a dedicated servers to the source of the certificate has to be verified and validated. In
facilitate the task of validating and authenticating the source of order to check the correctness of the origin of the certificate,
the origin of certificates also the telecom service providers chaining a series of certificate and then establishing the path to
should also be comfortable to afford those process and the origin of the certificate must be established, and then every
authenticate those requests irrespective of the location from other certificated within that source must be verified [1]. In
this paper, we discuss the mechanism of establishing the route
to the origin of the certificate and then verifying the
certificates in that source. The Fig.1, Shows the architecture the fast advancements in the e-commerce industries and many
denoting the sequence of activities involved in the establishing people opting for e-transactions the requirement for such
the path to the source where the certificate is originated. The service would become important and it would be impossible to
flow further denotes implement to have in place such a single service server which
can facilitate more that one trust domains and interact with the
diverse PKI structures and repository interfaces.


In a real world e-transaction scenario, the request to
authenticate the route to the origin of the certificate has the
• Often the end users devices on which they tend to
do the e-transactions cannot afford heavy load and
stress of computing, communication and storage.
• In may so happen that all the authentication
requests may come from different geographical
regions all over the world.
• Say for a specific end device, it may or may not
Figure 1. Route Authentication Workflow accept the request from all over the world.
• Certificate authority involved in the authentication
that the route discovery of the source ends with finding the of the route may point to different regions.
certificate as the trust anchor, and when one encounters the • Depending upon the applications of the e-
root CA certificate, which is not the trust anchor in the route commerce, e-transactions the clients, end devices
established, it indicates that there might be other certificates may require applying different authentication
involved in the discovered route. All these process are time policies.
consuming and need large computing and communication According to above feature, the authentication service for e-
resources to establish the correct certificate. Due to the transaction scenario should satisfy the following requirements:
limitation of the devices in the e-transactions, efforts have • Trust / Transparency: Mitigating the cost of end-
gone into designing the lightweight process to adapt to the e- devices is a premier task. End-users are
transaction devices [2]. However in these approaches there unnecessary to know the complex PKI structures,
have been compromises between the complexity and the such as cross-certification.
functionality making the devices difficult in communicating • Distributed service: Because two important entities
with the desired interfaces. Another approach to this issues is involved in the authentication service are end-user
the Delegated Path Validation, the route to the source of the devices which are mobile and certificate authority
origin of the certificate is a task which cannot be often carried repositories which located at very different
out by the end devices and entities that have finite resources regions.
[2] and hence there raised a need where these tasks could be • Flexibility: End-users have the right to determine
handed over to trusted entities which perform DPD and DPV, whether or not to trust the authentication
RFC 3357 [3] in support of the requesting end devices. Some mechanism.
of the certificate authorities provide these services under the • Allowing efficiency: e-commerce is a new style of
umbrella of their trust domains. Here in this method, the commerce. The principle, time is money, is still
process of the route discovery to the origin of the certificate is adoptable.
very simple as the delegated server to which the request is • Compatibility: Adopting current standard protocols
placed can easily fetch the public key infrastructure structure to realize the authentication service can provide a
and may not communicate with the several other repositories, full service to e-transaction.
for the end devices involved in the e-transactions in order to • Traceability: Authentication service should
authenticate the all types of the certificate they need to interact provide users chances to trace the evidences when
with all kind of servers along with they bring cost overhead to dispute occurs.
the process. To the very best of our knowledge, we like to say
that there is not a dedicated authentication service which IV. PROPOSED MODEL
would serve the global route authentication. From the end user
To facilitate the requirement of the route authentication of
perspective using the devices for the e-transactions, the real
the certificates for the e-transactions, we would implement the
time use case would be that the request could be placed from
delegated services in the cloud. As shown in the Fig. 2, each
every nuke and corner of the world and they also expect the
end devices involved in the e-transactions can place a request
response to be quick, hence there raised the need to implement
to the cloud and can get a quick response irrespective of how
a feasible solution to process such real time scenarios. With
complex is the route to the origin of the certificate. We would
propose the implementation of the cloud providing the
delegated services in two parts, one by describing what
happens over the cloud when the response is received and the
other is the order of the trust between the end devices and the
cloud. Lastly we would introduce the working framework for
the implementation.

Fig.3 From the cloud’s perspective

As shown in the Fig.3, all the servers communicate and

collaborate with each other would return a quick response to
the requesting node. Each communicating end devices can
register in the designated cloud and then have there policies
configured separately. Another interesting feature here would
be that there can also be a scenario where there might be
groups of the end devices who wish to execute the same
policy, when the policies are defined and stored in the
designated cloud, the authentication process becomes more
faster as the communication within the cloud has been already
optimized by the CSP. The SaaS i.e the storage as a service
aspect of the cloud also offers the functionality to retain all the
authenticated proofs for the users for a specified time, which
Fig.2: Structure of Certificate Authentication Route in
would if need could be used to satisfy the requirement of
traceability and back-tracking.
Each firm, organization or a certificate authority for that
will have to put rule for defining an internal certification
According to RFC 3359, the users of the cloud services can
model i.e. it might be a single model, hierarchical, peer-to-
select to trust the designated server or not. Hence we would
peer cross certification models, and the functionality to
offer the three levels trust for the designated cloud service
implement the external security relationships. As we have
provides which would be flexible services to users. In our
denoted in the Fig.2, the server which used for this purpose
implementation, we would offer the three levels trust among
cannot predict the structure of the public key infrastructure
the designated cloud server and the registering users. The
and the desired route initially. However, the CSP (cloud
three levels of the trust would be as follows:
service providers) have the right to discover the routes to the
different server locations from where the request is placed.
No trust: Here in this level of trust the registered users
Consider the following example where a cloud server receives
would make use of the designated cloud server only for
a request to authenticate the certificate which is issues by
finding the route to the certificate without authenticating the
certificate authority say CA1 that is located in India, upon the
same. In this case, the end users need to perform the process
request received to the cloud, the cloud would communicate
of authenticating the certificate by offering the authentication
and talk to the servers located at different regions to reach the
policies by doing this they would not needed to trust the
related repositories, quick responses are received from the
designated cloud server. As shown in Fig.4a, the cloud server
servers that are near by the certificate authority repositories or
would only provide the required tools for the authentication of
its corresponding LDAP servers. The designated cloud server
the certificate, including the rule chain which would have the
can also record this process, and if needed it can optimize the
route to the origin of the certificate, the Certificate Location,
discovery of the next process.
and the certificate authority involved in the route of the
certificate. All these items are signed by the related certificate
authority, the tasks of authenticating the signature fall within
the responsibility of the end-users. The ideology behind this
level of trust is that the clients and the end users need not trust
the designated cloud server and only consider the cloud server
as the search option for obtaining the necessary items for
authenticating a certificate.

Trust: Here in this level of trust the designated cloud server

discovers the route to the origin of the certificate and would [3] M. Armbrust, A. Fox, R. Griffith, A.D. Joseph, R. Katz, A. Konwinski,
G. Lee, D. Patterson, A. Rabkin, I. Stoica and M. Zaharia, "Above the
then authenticate it with the underlying policies that are clouds: A Berkeley View of Cloud
defined by the clients. In this case, the clients can have to trust [4] Computing", Tech. Rep. UCB/EECS- 2009-28, EECS Department,
the cloud server and accept the response from the designated University of California, Berkeley, February 2009.
[5] N. Mallat, M. Rossi and V.K. Tuunainen, "Mobile Banking
cloud server according to the policies defined by the clients.
Services", Communications of the ACM, Vol. 47, No. 5, pp. 42-
As shown in the Fig.4b, the designated cloud server would 46, May 2004.
process the response and would return the same to the end [6] J. Claessens, V. Dem, D. De Cock, B. Preneel and J. Vandewalle, "On
device. the security of today’s online electronic banking systems", Computers
and Security Vol. 21, No. 3, pp. 257–269, 2002.
[7] C. Adams and S. Lloyd, Understanding PKI, 2nd ed., Addison-
Full trust: Here in this case, the end devices, clients make Wesley, 2004.
use of the designated cloud server to authenticate the route the [8] RSA Security, The Power Behind RSA SecurID Two-Factor User
Authentication: RSA ACE/Server, solution white paper, 2003;
and then also to authenticate the certificate that is obtained in
[9] C.E. Irvine, “Teaching Constructive Security,” IEEE Security &
Privacy, vol. 1, no. 6, 2003, pp. 59–61.
[10] Amazon AWS,

Fig4. Levels of trust

that route as per the underlying policies that are already

defined by the clients. As shown in the Fig.4c, the end users
need not have to send the policies to the cloud server. A client
can make an contract with the designated cloud server to
deploy the authentication policy and also they need have to
explicitly provide the trust anchors which would further
reduce the communication over head.

In this paper, we propose a new deployment scheme of
delegated certification path validation, which can well serve
mobile business transactions. Comparing to traditional
centralized delegated certification path validation, we deploy
the validation service in a distributed and manageable
environment, named “delegation cloud”. Utilizing cloud
technologies including cloud storage and computing,
distributed end-devices can access the service with lowest
communication and computing cost. In Future, we will focus
on detailing the world-level delegation service, including how
to utilize the cloud storage resource to cache the history path
and further accelerate the delegated respond speed.

[1] PKI Forum, Inc, "Understanding Certification Path Construction", White
Paper, September 2002.
[2] K. Papapanagiotou, G. F. Marias, and P. Georgiadis, "Revising
centralized certificate validation standards for mobile and wireless
communications", Computer Standards & Interfaces 32 , pp. 281-287,