{"title":"A delayed commitment scheme to enhance public key certificate based protocols","authors":"Wu Wen","doi":"10.1109/ENABL.2000.883725","DOIUrl":null,"url":null,"abstract":"Public key certificate based protocols depend on the freshness of the certificates for their security. It has been pointed out by various authors that current Public Key Infrastructure (PKI) does not provide effective freshness proof for certificates. An \"ex-employee\" who has access to the private key of a compromised server certificate can mount an attack on the SSL/TLS hand-shake protocol and eavesdrop the subsequent secret communication even if the server uses a fresh certificate. In this paper we propose an improved handshake protocol which requires minimum change to the current SSL/TLS handshake protocol, yet practically prevent the above \"ex-employee\" attack.","PeriodicalId":435283,"journal":{"name":"Proceedings IEEE 9th International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (WET ICE 2000)","volume":"195 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2000-06-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings IEEE 9th International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (WET ICE 2000)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ENABL.2000.883725","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 0
Abstract
Public key certificate based protocols depend on the freshness of the certificates for their security. It has been pointed out by various authors that current Public Key Infrastructure (PKI) does not provide effective freshness proof for certificates. An "ex-employee" who has access to the private key of a compromised server certificate can mount an attack on the SSL/TLS handshake protocol and eavesdrop on the subsequent secret communication even if the server uses a fresh certificate. In this paper we propose an improved handshake protocol which requires minimal change to the current SSL/TLS handshake protocol, yet practically prevents the above "ex-employee" attack.