A comprehensive study of prototyping a
framework for commissioning and distribution
of authenticated certificates for e-transactions
using cloud technology
Chengappa M.R, Research Scholar, Visvesvaraya Technological University
Dr. M.S. Shashidhara, Department of Computer Application (MCA),
The Oxford College of Engineering,
Bangalore
Abstract— The advancements in the wireless communication
technologies and the rapid development in the mobility world has
leveraged e-commerce industries and e-transactions which are
making promising advancements. In such scenarios it becomes
crucial for the users using such e-transactions to make sure they
use the authenticated PKI's and certificates and to make sure
they have secured transactions. In this paper we discuss about
the mechanism to provide the authenticated certificates for e-
transactions by making use of the cloud services. All the e-
transactions can make the request to use the authenticated
certificates to the cloud regardless of the locations; we propose to
use the dedicated cloud services to provide the authenticated
certificates.
Keywords: e-transactions, PKI, Cloud.
I. INTRODUCTION
I n the recent years, with the development of wireless
communication technologies and easy access to mobile
Internet, e-commerce industry is gaining prominence. In any
form of the e-transactions or in the e-commerce business with
no frontal transactions security becomes a prime concern
among the users. Usually in the cases of online money and
macro transactions require robust security in place [5], and to
tackle these security issues wireless communicating devices
are adapting to use the certificates, TSL, SSL and Public Key
Infrastructure to have a robust security in place for such
transactions [6]. Hence to make sure the robustness of the
security feature authenticating the source of origin of these
certificates become prime concern to have a secure e-
transactions. However the devices such as mobile phones
which are very commonly used these days to make e-
transactions have very limited processors, memory and battery
backup, so there arise a need for using a dedicated servers to
facilitate the task of validating and authenticating the source of
the origin of certificates also the telecom service providers
should also be comfortable to afford those process and
authenticate those requests irrespective of the location from
where the request is coming. As the cloud computing is
gaining popularity and due to the ability of the cloud to
leverage the computing resources and also due to the fact that
the cloud services could be accessed from anywhere
irrespective of the geographical locations these are no burden
to have large-scale computing servers and maintaining them at
different locations. In this paper we discuss to make use this
property of the cloud and hence propose a mechanism
authenticate the source of origin of the certificate and hence
facilitate the e-transactions with a robust security in place. The
mechanism is in sync with the standard protocols of
certification validation, all the devices which facilitating the e-
transactions can process a request to the cloud irrespective of
the geographical locations and get a quick response. Also the
cloud would facilitate the process for tracing the route for
back-tracking. The paper is organized in the following way:
We would touch upon some of the works done pertaining to
the authenticating the route of the source of the origin of the
certificates in Section 2, In Section 3 we would put together
the requirements for authenticating the certificates in the cloud
for e-transactions, In section 4 we would describe the
workflow in detail.
II. BACKGROUNDS AND RELATED WORK
The proposed method supports and facilitates security
services like AAA- authentication, authorization and
accounting, data confidentiality and integrity which are
basically based in the right combination of the public/private
key pairs. The public key of the key pair is allocated in the
form of a public key certificate but making use of appropriate
algorithms and could be use to authenticate the digital
signatures and encrypt data. It is obvious that before one could
make use of a certificate, one should verify the certificate and
the source of the certificate has to be verified and validated. In
order to check the correctness of the origin of the certificate,
chaining a series of certificate and then establishing the path to
the origin of the certificate must be established, and then every
other certificated within that source must be verified [1]. In
this paper, we discuss the mechanism of establishing the route
to the origin of the certificate and then verifying the
certificates in that source. The Fig.1, Shows the architecture
denoting the sequence of activities involved in the establishing
the path to the source where the certificate is originated. The
flow further denotes
Figure 1. Route Authentication Workflow
that the route discovery of the source ends with finding the
certificate as the trust anchor, and when one encounters the
root CA certificate, which is not the trust anchor in the route
established, it indicates that there might be other certificates
involved in the discovered route. All these process are time
consuming and need large computing and communication
resources to establish the correct certificate. Due to the
limitation of the devices in the e-transactions, efforts have
gone into designing the lightweight process to adapt to the e-
transaction devices [2]. However in these approaches there
have been compromises between the complexity and the
functionality making the devices difficult in communicating
with the desired interfaces. Another approach to this issues is
the Delegated Path Validation, the route to the source of the
origin of the certificate is a task which cannot be often carried
out by the end devices and entities that have finite resources
[2] and hence there raised a need where these tasks could be
handed over to trusted entities which perform DPD and DPV,
RFC 3357 [3] in support of the requesting end devices. Some
of the certificate authorities provide these services under the
umbrella of their trust domains. Here in this method, the
process of the route discovery to the origin of the certificate is
very simple as the delegated server to which the request is
placed can easily fetch the public key infrastructure structure
and may not communicate with the several other repositories,
for the end devices involved in the e-transactions in order to
authenticate the all types of the certificate they need to interact
with all kind of servers along with they bring cost overhead to
the process. To the very best of our knowledge, we like to say
that there is not a dedicated authentication service which
would serve the global route authentication. From the end user
perspective using the devices for the e-transactions, the real
time use case would be that the request could be placed from
every nuke and corner of the world and they also expect the
response to be quick, hence there raised the need to implement
a feasible solution to process such real time scenarios. With
the fast advancements in the e-commerce industries and many
people opting for e-transactions the requirement for such
service would become important and it would be impossible to
implement to have in place such a single service server which
can facilitate more that one trust domains and interact with the
diverse PKI structures and repository interfaces.
III. FEATURES AND REQUIREMENTS
In a real world e-transaction scenario, the request to
authenticate the route to the origin of the certificate has the
following:
• Often the end users devices on which they tend to
do the e-transactions cannot afford heavy load and
stress of computing, communication and storage.
• In may so happen that all the authentication
requests may come from different geographical
regions all over the world.
• Say for a specific end device, it may or may not
accept the request from all over the world.
• Certificate authority involved in the authentication
of the route may point to different regions.
• Depending upon the applications of the e-
commerce, e-transactions the clients, end devices
may require applying different authentication
policies.
According to above feature, the authentication service for e-
transaction scenario should satisfy the following requirements:
• Trust / Transparency: Mitigating the cost of end-
devices is a premier task. End-users are
unnecessary to know the complex PKI structures,
such as cross-certification.
• Distributed service: Because two important entities
involved in the authentication service are end-user
devices which are mobile and certificate authority
repositories which located at very different
regions.
• Flexibility: End-users have the right to determine
whether or not to trust the authentication
mechanism.
• Allowing efficiency: e-commerce is a new style of
commerce. The principle, time is money, is still
adoptable.
• Compatibility: Adopting current standard protocols
to realize the authentication service can provide a
full service to e-transaction.
• Traceability: Authentication service should
provide users chances to trace the evidences when
dispute occurs.
IV. PROPOSED MODEL
To facilitate the requirement of the route authentication of
the certificates for the e-transactions, we would implement the
delegated services in the cloud. As shown in the Fig. 2, each
end devices involved in the e-transactions can place a request
to the cloud and can get a quick response irrespective of how
complex is the route to the origin of the certificate. We would
propose the implementation of the cloud providing the
delegated services in two parts, one by describing what
happens over the cloud when the response is received and the
other is the order of the trust between the end devices and the
cloud. Lastly we would introduce the working framework for
the implementation.

Fig.3 From the cloud’s perspective

As shown in the Fig.3, all the servers communicate and

collaborate with each other would return a quick response to
the requesting node. Each communicating end devices can
register in the designated cloud and then have there policies
configured separately. Another interesting feature here would
be that there can also be a scenario where there might be
groups of the end devices who wish to execute the same
policy, when the policies are defined and stored in the
designated cloud, the authentication process becomes more
faster as the communication within the cloud has been already
optimized by the CSP. The SaaS i.e the storage as a service
aspect of the cloud also offers the functionality to retain all the
authenticated proofs for the users for a specified time, which
Fig.2: Structure of Certificate Authentication Route in
would if need could be used to satisfy the requirement of
Cloud
traceability and back-tracking.
Each firm, organization or a certificate authority for that
will have to put rule for defining an internal certification
According to RFC 3359, the users of the cloud services can
model i.e. it might be a single model, hierarchical, peer-to-
select to trust the designated server or not. Hence we would
peer cross certification models, and the functionality to
offer the three levels trust for the designated cloud service
implement the external security relationships. As we have
provides which would be flexible services to users. In our
denoted in the Fig.2, the server which used for this purpose
implementation, we would offer the three levels trust among
cannot predict the structure of the public key infrastructure
the designated cloud server and the registering users. The
and the desired route initially. However, the CSP (cloud
three levels of the trust would be as follows:
service providers) have the right to discover the routes to the
different server locations from where the request is placed.
No trust: Here in this level of trust the registered users
Consider the following example where a cloud server receives
would make use of the designated cloud server only for
a request to authenticate the certificate which is issues by
finding the route to the certificate without authenticating the
certificate authority say CA1 that is located in India, upon the
same. In this case, the end users need to perform the process
request received to the cloud, the cloud would communicate
of authenticating the certificate by offering the authentication
and talk to the servers located at different regions to reach the
policies by doing this they would not needed to trust the
related repositories, quick responses are received from the
designated cloud server. As shown in Fig.4a, the cloud server
servers that are near by the certificate authority repositories or
would only provide the required tools for the authentication of
its corresponding LDAP servers. The designated cloud server
the certificate, including the rule chain which would have the
can also record this process, and if needed it can optimize the
route to the origin of the certificate, the Certificate Location,
discovery of the next process.
and the certificate authority involved in the route of the
certificate. All these items are signed by the related certificate
authority, the tasks of authenticating the signature fall within
the responsibility of the end-users. The ideology behind this
level of trust is that the clients and the end users need not trust
the designated cloud server and only consider the cloud server
as the search option for obtaining the necessary items for
authenticating a certificate.

Trust: Here in this level of trust the designated cloud server

discovers the route to the origin of the certificate and would
then authenticate it with the underlying policies that are
defined by the clients. In this case, the clients can have to trust
the cloud server and accept the response from the designated
cloud server according to the policies defined by the clients.
As shown in the Fig.4b, the designated cloud server would
process the response and would return the same to the end
device.
Full trust: Here in this case, the end devices, clients make
use of the designated cloud server to authenticate the route the
and then also to authenticate the certificate that is obtained in
[3] M. Armbrust, A. Fox, R. Griffith, A.D. Joseph, R. Katz, A. Konwinski,
G. Lee, D. Patterson, A. Rabkin, I. Stoica and M. Zaharia, "Above the
clouds: A Berkeley View of Cloud
[4] Computing", Tech. Rep. UCB/EECS- 2009-28, EECS Department,
University of California, Berkeley, February 2009.
[5] N. Mallat, M. Rossi and V.K. Tuunainen, "Mobile Banking
Services", Communications of the ACM, Vol. 47, No. 5, pp. 42-
46, May 2004.
[6] J. Claessens, V. Dem, D. De Cock, B. Preneel and J. Vandewalle, "On
the security of today’s online electronic banking systems", Computers
and Security Vol. 21, No. 3, pp. 257–269, 2002.
[7] C. Adams and S. Lloyd, Understanding PKI, 2nd ed., Addison-
Wesley, 2004.
[8] RSA Security, The Power Behind RSA SecurID Two-Factor User
Authentication: RSA ACE/Server, solution white paper, 2003;
www.internet-security.ag/gen/rsa04/f/power.pdf.
[9] C.E. Irvine, “Teaching Constructive Security,” IEEE Security &
Privacy, vol. 1, no. 6, 2003, pp. 59–61.
[10] Amazon AWS, http://aws.amazon.com/.

Fig4. Levels of trust

that route as per the underlying policies that are already

defined by the clients. As shown in the Fig.4c, the end users
need not have to send the policies to the cloud server. A client
can make an contract with the designated cloud server to
deploy the authentication policy and also they need have to
explicitly provide the trust anchors which would further
reduce the communication over head.

V. CONCLUSION
In this paper, we propose a new deployment scheme of
delegated certification path validation, which can well serve
mobile business transactions. Comparing to traditional
centralized delegated certification path validation, we deploy
the validation service in a distributed and manageable
environment, named “delegation cloud”. Utilizing cloud
technologies including cloud storage and computing,
distributed end-devices can access the service with lowest
communication and computing cost. In Future, we will focus
on detailing the world-level delegation service, including how
to utilize the cloud storage resource to cache the history path
and further accelerate the delegated respond speed.

REFERENCES
[1] PKI Forum, Inc, "Understanding Certification Path Construction", White
Paper, September 2002.
[2] K. Papapanagiotou, G. F. Marias, and P. Georgiadis, "Revising
centralized certificate validation standards for mobile and wireless
communications", Computer Standards & Interfaces 32 , pp. 281-287,
2010.