research-article

Deployment challenges in log-based PKI enhancements

Authors:

Stephanos Matsumoto,

Pawel Szalachowski,

Adrian PerrigAuthors Info & Claims

EuroSec '15: Proceedings of the Eighth European Workshop on System Security

Article No.: 1, Pages 1 - 7

https://doi.org/10.1145/2751323.2751324

Published: 21 April 2015 Publication History

Abstract

Log-based PKI enhancements propose to improve the current TLS PKI by creating public logs to monitor CA operations, thus providing transparency and accountability. In this paper we take the first steps in studying the deployment process of log-based PKI enhancements in two ways. First, we model the influences that parties in the PKI have to incentivize one another to deploy a PKI enhancement, and determine that potential PKI enhancements should focus their initial efforts on convincing browser vendors to deploy. Second, as a promising vendor-based solution we propose deployment status filters, which use a Bloom filter to monitor deployment status and efficiently defend against downgrade attacks from the enhanced protocol to the current TLS PKI. Our results provide promising deployment strategies for log-based PKI enhancements and raise additional questions for further fruitful research.

References

[1]

Comodo fraud incident 2011-03-23. https://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html, March 2011.

[2]

Devdatta Akhawe and Adrienne Porter Felt. Alice in Warningland: A large-scale field study of browser security warning effectiveness. In Usenix Security, pages 257--272, 2013.

Digital Library

[3]

Hadi Asghari, Michel J. G. van Eeten, Axel M. Arnbak, and Nico A. N. M. van Eijk. Security economics in the HTTPS value chain. In Twelfth Workshop on the Economics of Information Security (WEIS 2013), November 2013.

[4]

David Basin, Cas Cremers, Tiffany Hyun-Jin Kim, Adrian Perrig, Ralf Sasse, and Pawel Szalachowski. ARPKI: Attack Resilient Public-key Infrastructure. In Proceedings of the ACM Conference on Computer and Communications Security (CCS), November 2014.

Digital Library

[5]

Scott A. Crosby and Dan S. Wallach. Efficient data structures for tamper-evident logging. In USENIX Security Symposium, pages 317--334, August 2009.

Digital Library

[6]

Antoine Delignat-Lavaud, Martín Abadi, Andrew Birrell, Ilya Mironov, Ted Wobber, and Yinglian Xie. Web PKI: Closing the gap between guidelines and practices. In Proceedings of the 21st Annual Network and Distributed System Security Symposium, 2014.

[7]

Adrienne Porter Felt, Robert W Reeder, Hazim Almuhimedi, and Sunny Consolvo. Experimenting at scale with Google Chrome's SSL warning. In Proceedings of the 32nd annual ACM conference on Human factors in computing systems, pages 2667--2670. ACM, April 2014.

Digital Library

[8]

CA/Browser Forum. Guidelines for the issuance and management of extended validation certificates (v. 1.0). https://cabforum.org/wp-content/uploads/EV_Certificate_Guidelines.pdf, June 2007.

[9]

CA/Browser Forum. Guidelines for the issuance and management of extended validation certificates (v. 1.5.2). https://cabforum.org/wp-content/uploads/EV-V1_5_2Libre.pdf, October 2014.

[10]

Hans Hoogstraaten, Ronald Prins, Daniël Niggebrugge, Danny Heppener, Frank Groenewegen, Janna Wettink, Kevin Strooy, Pascal Arends, Paul Pols, Robbert Kouprie, Steffen Moorrees, Xander van Pelt, and Yun Zheng Hu. Black Tulip: Report of the investigation into the DigiNotar certificate authority breach. www.rijksoverheid.nl/bestanden/documenten-en-publicaties/rapporten/2012/08/13/black-tulip-update/black-tulip-update.pdf, August 2012.

[11]

Tiffany Hyun-Jin Kim, Lin-Shung Huang, Adrian Perrig, Collin Jackson, and Virgil Gligor. Accountable Key Infrastructure (AKI): A Proposal for a Public-Key Validation Infrastructure. In Proceedings of the International World Wide Web Conference (WWW), May 2013.

Digital Library

[12]

Adam Langley. Revocation checking and Chrome's CRL. https://www.imperialviolet.org/2012/02/05/crlsets.html, February 2012.

[13]

Adam Langley. Enhancing digital certificate security. http://googleonlinesecurity.blogspot.ch/2013/01/enhancing-digital-certificate-security.html, January 2013.

[14]

Ben Laurie. Improving the security of EV certificates, December 2014.

[15]

Ben Laurie, Adam Langley, and Emilia Kasper. Certificate transparency. https://tools.ietf.org/html/rfc6962, June 2013.

[16]

Stephanos Matsumoto and Raphael M. Reischuk. Certificates-as-an-Insurance: Incentivizing accountability in SSL/TLS. Proceedings of the NDSS Workshop on Security of Emerging Network Technologies (SENT '15), February 2015.

[17]

Ralph C. Merkle. A digital signature based on a conventional encryption function. In Carl Pomerance, editor, Advances in Cryptology -- CRYPTO '87, volume 293 of Lecture Notes in Computer Science, pages 369--378. Springer Berlin Heidelberg, 1988.

Digital Library

[18]

Microsoft. Erroneous verisign-issued digital certificates pose spoofing hazard. https://technet.microsoft.com/library/security/ms01-017, March 2001.

[19]

Elinor Mills and Declan McCullagh. Google, Yahoo, Skype targeted in attack linked to Iran. http://www.cnet.com/news/google-yahoo-skype-targeted-in-attack-linked-to-iran/, March 2011.

[20]

Jonathan Nightingale. DigiNotar removal follow up. https://blog.mozilla.org/security/2011/09/02/diginotar-removal-follow-up/, September 2011.

[21]

Forrester Research. eCommerce web site performance today, August 2009.

[22]

Mark D Ryan. Enhanced certificate transparency and end-to-end encrypted mail. Network and Distributed System Security Symposium (NDSS), February 2014.

[23]

Emily Stark, Lin-Shung Huang, Dinesh Israni, Collin Jackson, and Dan Boneh. The case for prefetching and prevalidating TLS server certificates. In NDSS, 2012.

[24]

Pawel Szalachowski, Stephanos Matsumoto, and Adrian Perrig. Policert: Secure and flexible TLS certificate management. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pages 406--417. ACM, 2014.

Digital Library

[25]

Dan Wendlandt, David G. Andersen, and Adrian Perrig. Perspectives: Improving SSH-style host authentication with multi-path probing. In USENIX Annual Technical Conference, June 2008.

Digital Library

[26]

Michael Zusman and Alexander Sotirov. Sub-prime PKI: Attacking extended validation SSL. Black Hat Security Briefings, Las Vegas, USA, 2009.

Cited By

Halder RDas Roy DShin D(2024)A Blockchain-Based Decentralized Public Key Infrastructure Using the Web of TrustJournal of Cybersecurity and Privacy10.3390/jcp40200104:2(196-222)Online publication date: 31-Mar-2024
https://doi.org/10.3390/jcp4020010
Koa CHeng SChin J(2024)New Ethereum-Based Distributed PKI with a Reward-and-Punishment MechanismBlockchain: Research and Applications10.1016/j.bcra.2024.100239(100239)Online publication date: Nov-2024
https://doi.org/10.1016/j.bcra.2024.100239
Xing QWang XXu XLin JWang FLi CWang B(2023)BRT: An Efficient and Scalable Blockchain-Based Revocation Transparency System for TLS ConnectionsSensors10.3390/s2321881623:21(8816)Online publication date: 30-Oct-2023
https://doi.org/10.3390/s23218816
Show More Cited By

Index Terms

Deployment challenges in log-based PKI enhancements
1. Security and privacy
  1. Network security
  2. Security services
    1. Authentication
2. Social and professional topics
  1. Professional topics
    1. Management of computing and information systems
      1. Information system economics

Recommendations

CAPS: Smoothly Transitioning to a More Resilient Web PKI
ACSAC '20: Proceedings of the 36th Annual Computer Security Applications Conference

Many recent proposals to increase the resilience of the Web PKI against misbehaving CAs face significant obstacles to deployment. These hurdles include (1) the requirement of drastic changes to the existing PKI players and their interactions, (2) the ...
Decentralized Cross-organizational Application Deployment Automation: An Approach for Generating Deployment Choreographies Based on Declarative Deployment Models
Advanced Information Systems Engineering
Abstract
Various technologies have been developed to automate the deployment of applications. Although most of them are not limited to a specific infrastructure and able to manage multi-cloud applications, they all require a central orchestrator that ...
SiDD: The Situation-Aware Distributed Deployment System
Service-Oriented Computing – ICSOC 2020 Workshops
Abstract
Most of today’s deployment automation technologies enable the deployment of distributed applications in distributed environments, whereby the deployment execution is centrally coordinated either by a central orchestrator or a master in a ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

EuroSec '15: Proceedings of the Eighth European Workshop on System Security

April 2015

51 pages

ISBN:9781450334792

DOI:10.1145/2751323

Program Chairs:
Juan Caballero
IMDEA Software Institute
,
Michalis Polychronakis
Stony Brook University

Copyright © 2015 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

SIGOPS: ACM Special Interest Group on Operating Systems

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 21 April 2015

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

National Science Foundation

Conference

EuroSys '15

Sponsor:

SIGOPS

EuroSys '15: Tenth EuroSys Conference 2015

April 21, 2015

Bordeaux, France

Acceptance Rates

Overall Acceptance Rate 47 of 113 submissions, 42%

Upcoming Conference

EuroSys '25

Sponsor:
sigops

Twentieth European Conference on Computer Systems

March 30 - April 3, 2025

Rotterdam , Netherlands

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

17
Total Citations
View Citations
264
Total Downloads

Downloads (Last 12 months)4
Downloads (Last 6 weeks)0

Reflects downloads up to 25 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Halder RDas Roy DShin D(2024)A Blockchain-Based Decentralized Public Key Infrastructure Using the Web of TrustJournal of Cybersecurity and Privacy10.3390/jcp40200104:2(196-222)Online publication date: 31-Mar-2024
https://doi.org/10.3390/jcp4020010
Koa CHeng SChin J(2024)New Ethereum-Based Distributed PKI with a Reward-and-Punishment MechanismBlockchain: Research and Applications10.1016/j.bcra.2024.100239(100239)Online publication date: Nov-2024
https://doi.org/10.1016/j.bcra.2024.100239
Xing QWang XXu XLin JWang FLi CWang B(2023)BRT: An Efficient and Scalable Blockchain-Based Revocation Transparency System for TLS ConnectionsSensors10.3390/s2321881623:21(8816)Online publication date: 30-Oct-2023
https://doi.org/10.3390/s23218816
Li BLin JLi FWang QWang WLi QCheng GJing JWang C(2022)The Invisible Side of Certificate Transparency: Exploring the Reliability of Monitors in the WildIEEE/ACM Transactions on Networking10.1109/TNET.2021.312350730:2(749-765)Online publication date: Apr-2022
https://doi.org/10.1109/TNET.2021.3123507
Faisal AZulkernine M(2022)DKS-PKI: A Distributed Key Server Architecture for Public Key InfrastructureInformation Systems Security10.1007/978-3-031-23690-7_2(23-43)Online publication date: 11-Dec-2022
https://doi.org/10.1007/978-3-031-23690-7_2
Wen SLi BMa ZWu QYu N(2022)X-FTPC: A Fine-Grained Trust Propagation Control Scheme for Cross-Certification Utilizing Certificate TransparencyApplied Cryptography in Computer and Communications10.1007/978-3-031-17081-2_8(123-138)Online publication date: 6-Oct-2022
https://doi.org/10.1007/978-3-031-17081-2_8
Subramanian NShobana G(2021)Log-Based Authentication for Cloud EnvironmentsSmart Computing Techniques and Applications10.1007/978-981-16-0878-0_72(739-746)Online publication date: 8-Jul-2021
https://doi.org/10.1007/978-981-16-0878-0_72
Yakubov AShbair WKhan NState RMedinger CHilger J(2020)BlockPGP: A Blockchain-based Framework for PGP Key ServersInternational Journal of Networking and Computing10.15803/ijnc.10.1_110:1(1-24)Online publication date: 2020
https://doi.org/10.15803/ijnc.10.1_1
Li BLi FMa ZWu Q(2020)Exploring the Security of Certificate Transparency in the WildApplied Cryptography and Network Security Workshops10.1007/978-3-030-61638-0_25(453-470)Online publication date: 14-Oct-2020
https://doi.org/10.1007/978-3-030-61638-0_25
Li BLin JLi FWang QLi QJing JWang CCavallaro LKinder JWang XKatz J(2019)Certificate Transparency in the WildProceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security10.1145/3319535.3345653(2505-2520)Online publication date: 6-Nov-2019
https://dl.acm.org/doi/10.1145/3319535.3345653
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten