Browse Prior Art Database

Smart ASN.1 System Stash

IP.com Disclosure Number: IPCOM000031125D
Original Publication Date: 2004-Sep-13
Included in the Prior Art Database: 2004-Sep-13
Document File: 5 page(s) / 105K

Publishing Venue

IBM

Abstract

Disclosed is a software technique and index object which eliminate the need to do repeated ASN.1 parsing of a certificate to determine its validity over the certificate's lifetime. The solution discussed below is a software solution that any platform could implement. The solution takes advantage of the fact that digital certificates are reused over and over again until they have exceeded their validity period or until they have been revoked.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 33% of the total text.

Page 1 of 5

Smart ASN.1 System Stash

The problem solved by this invention is the problem of performance when an X.509 digital certificate (which is represented in Abstract Syntax Notation One (ASN.1) and Distinguished Encoding Rules (DER)) is parsed repeatedly over the life of the certificate to determine its validity, its issuer, its subject, its public key, etc.. ASN.1 is a recursive syntax (see the representation of an X.509 version 3 digital certificate below) which further exacerbates the problem of poor performance when large abstract objects are parsed.

X.509 version 3 Certificate in ASN.1 Syntax:

cert ::= Certificate

Certificate ::= SEQUENCE {

tbsCertificate TBSCertificate,

signatureAlgorithm AlgorithmIdentifier,

signatureValue BIT STRING }

TBSCertificate ::= SEQUENCE { version [0] EXPLICIT Version DEFAULT v1,

serialNumber CertificateSerialNumber,

signature AlgorithmIdentifier,

issuer Name,

validity Validity,

subject Name,

subjectPublicKeyInfo SubjectPublicKeyInfo,

issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,

-- If present, version MUST be v2 or v3

subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,

-- If present, version MUST be v2 or v3

extensions [3] EXPLICIT Extensions OPTIONAL

-- If present, version MUST be v3

}

Version ::= INTEGER { v1(0), v2(1), v3(2) } CertificateSerialNumber ::= INTEGER
Validity ::= SEQUENCE { notBefore Time,

notAfter Time }

Time ::= CHOICE { utcTime UTCTime,

generalTime GeneralizedTime }

UniqueIdentifier ::= BIT STRING
SubjectPublicKeyInfo ::= SEQUENCE { algorithm AlgorithmIdentifier,

subjectPublicKey BIT STRING }

Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension

1

Page 2 of 5

Extension ::= SEQUENCE {

extnID OBJECT IDENTIFIER,

critical BOOLEAN DEFAULT FALSE,

extnValue OCTET STRING }

Digital certificates are used in secure applications to authenticate the application server and, increasingly, to authenticate the client. The authentication process involves parsing the certificate to determine its validity. The subject certificate's issuer which is represented by a certificate must also be located, parsed and validated. Certificates are also used to distribute public keys which can be used to encrypt data before sending it out on a network. The encrypted data may then be decrypted by the owner of the certificate who also owns the private key component of the public-private key pair. This invention pertains more to the verification of a certificate's authenticity than to its use as a distributor of a public key.

     Research has revealed the unlikelihood of a pre-existing solution to this performance problem which is inherent in an all-inclusive ASN.1 parser. Such parsers are subject to the recursive nature of ASN.1 syntax and, recursion and performance are diametrically opposing concepts.

     In order to solve the problem of poor performance caused by the recursive nature of ASN.1, a system-wide cache will be built at "first touch" of a digital certificate. The "first touch" occurs, in most cases, when a c...