DOI: 10.1145/2751323.2751324
research-article

Deployment challenges in log-based PKI enhancements

Published: 21 April 2015

ABSTRACT

Log-based PKI enhancements propose to improve the current TLS PKI by creating public logs to monitor CA operations, thus providing transparency and accountability. In this paper we take the first steps in studying the deployment process of log-based PKI enhancements in two ways. First, we model the influences that parties in the PKI have to incentivize one another to deploy a PKI enhancement, and determine that potential PKI enhancements should focus their initial efforts on convincing browser vendors to deploy. Second, as a promising vendor-based solution we propose deployment status filters, which use a Bloom filter to monitor deployment status and efficiently defend against downgrade attacks from the enhanced protocol to the current TLS PKI. Our results provide promising deployment strategies for log-based PKI enhancements and raise additional questions for further fruitful research.


Published in

EuroSec '15: Proceedings of the Eighth European Workshop on System Security
April 2015
51 pages
ISBN: 9781450334792
DOI: 10.1145/2751323

Copyright © 2015 ACM

Publisher: Association for Computing Machinery, New York, NY, United States


Overall Acceptance Rate: 47 of 113 submissions, 42%
