
Authentication Challenges in a Global Environment

Published: 09 January 2017

Abstract

In this article, we address the problem of scaling authentication for naming, routing, and end-entity (EE) certification to a global environment in which authentication policies and users’ sets of trust roots vary widely. The current mechanisms for authenticating names (DNSSEC), routes (BGPSEC), and EE certificates (TLS) do not support a coexistence of authentication policies, affect the entire Internet when compromised, cannot update trust root information efficiently, and do not provide users with the ability to make flexible trust decisions. We propose the Scalable Authentication Infrastructure for Next-generation Trust (SAINT), which partitions the Internet into groups with common, local trust roots and isolates the effects of a compromised trust root. SAINT requires groups with direct routing connections to cross-sign each other for authentication purposes, allowing diverse authentication policies while keeping all entities’ authentication information globally discoverable. SAINT makes trust root management a central part of the network architecture, enabling trust root updates within seconds and allowing users to make flexible trust decisions. SAINT operates without a significant performance penalty and can be deployed alongside existing infrastructures.


Published In

ACM Transactions on Privacy and Security  Volume 20, Issue 1
February 2017
99 pages
ISSN:2471-2566
EISSN:2471-2574
DOI:10.1145/3038258
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 09 January 2017
Accepted: 01 October 2016
Revised: 01 October 2016
Received: 01 November 2015
Published in TOPS Volume 20, Issue 1

Author Tags

  1. Public-key infrastructures
  2. authentication
  3. future internet architectures

Qualifiers

  • Research-article
  • Research
  • Refereed

Funding Sources

  • Google
  • NSF
  • European Research Council under the European Union's Seventh Framework Programme (FP7/2007--2013)/ERC
  • ETH Zurich
