DOI: 10.1145/3368308.3415401
research-article

DomainPKI: Domain Aware Certificate Management

Published: 07 October 2020

Abstract

The Certificate Authority (CA) is a single point of failure in the trust model of the X.509 Public Key Infrastructure (PKI), since the CA is the only entity that signs and distributes public key certificates and no one else is involved in certificate verification. In response, recent fixes based on public logs have been successful in making certificate management more transparent and publicly verifiable. However, more recent research has shown that none of the existing solutions is fully satisfactory, owing to various security flaws and operational challenges. In this study, we propose a domain-aware alternative that mitigates those issues by involving the domain owner in digital signing and certificate verification.
Our proposal is based on the current PKI design and business model, with critical extensions for domain awareness. To engage the domain owner in the verification of its certificates, we propose that each domain maintain its own certificate logs. A certificate is co-signed by a CA and by its domain, using a domain master key. To prove the authenticity of a certificate, a client first verifies the CA's digital signature, then the domain signature, and finally sends a query about the certificate status to its domain owner for further confirmation. By engaging the domain owner in co-signing and verifying its certificates, we distribute the trust for certificate authenticity between the CA that signed the certificate and its domain owner. With these extensions, it will be extremely hard, if not impossible, for an adversary to mount a successful attack on a client, and the damage of a successful attack is limited to that single client. In this paper, we present a framework for our proposal, analyze its security gains, and compare it with existing solutions.
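
A minimal sketch of the three-step client check the abstract describes (CA signature, domain signature, status query to the domain), added here as an illustration and not taken from the paper. The certificate layout, the use of Ed25519, what the domain master key signs, the in-memory `DomainLog`, and the assumption that the client already holds the domain master public key are all hypothetical; the keys and `example.test` are constructed.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// CoSignedCert is a hypothetical layout; the abstract defines no wire format.
type CoSignedCert struct {
	Domain, Serial string
	SubjectPK      ed25519.PublicKey
	CASig          []byte // CA signature over tbs()
	DomainSig      []byte // domain master key signature over tbs() || CASig
}

func (c *CoSignedCert) tbs() []byte {
	return []byte(c.Domain + "|" + c.Serial + "|" + string(c.SubjectPK))
}

// DomainLog stands in for the domain-maintained certificate log (serial -> status).
type DomainLog map[string]string

// Issue co-signs a certificate: first the CA, then the domain master key.
func Issue(domain, serial string, subj ed25519.PublicKey, caSK, domSK ed25519.PrivateKey) *CoSignedCert {
	c := &CoSignedCert{Domain: domain, Serial: serial, SubjectPK: subj}
	c.CASig = ed25519.Sign(caSK, c.tbs())
	c.DomainSig = ed25519.Sign(domSK, append(c.tbs(), c.CASig...))
	return c
}

// Verify runs the three client checks in the order the abstract gives.
func Verify(c *CoSignedCert, caPK, domPK ed25519.PublicKey, log DomainLog) error {
	if !ed25519.Verify(caPK, c.tbs(), c.CASig) {
		return errors.New("CA signature invalid")
	}
	if !ed25519.Verify(domPK, append(c.tbs(), c.CASig...), c.DomainSig) {
		return errors.New("domain signature invalid")
	}
	if log[c.Serial] != "valid" { // status query to the domain owner
		return errors.New("domain log does not confirm certificate")
	}
	return nil
}

// Demo checks a legitimate cert, one signed without the domain master key, and a revoked one.
func Demo() (legit, caOnly, revoked error) {
	caPK, caSK, _ := ed25519.GenerateKey(nil) // constructed keys
	domPK, domSK, _ := ed25519.GenerateKey(nil)
	srvPK, _, _ := ed25519.GenerateKey(nil)
	otherPK, otherSK, _ := ed25519.GenerateKey(nil) // not the domain master key
	log := DomainLog{"01": "valid", "03": "revoked"}
	legit = Verify(Issue("example.test", "01", srvPK, caSK, domSK), caPK, domPK, log)
	caOnly = Verify(Issue("example.test", "02", otherPK, caSK, otherSK), caPK, domPK, log)
	revoked = Verify(Issue("example.test", "03", srvPK, caSK, domSK), caPK, domPK, log)
	return
}

func main() { fmt.Println(Demo()) }
```

In this sketch a certificate carrying a valid CA signature is still rejected when the domain co-signature or the domain's status answer is missing, which is the trust split the abstract argues for.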

Cited By

  • (2023) MPKIX: Towards More Accountable and Secure Internet Application Services via Mobile Networked Systems. IEEE Transactions on Mobile Computing 22:6 (3489-3507). DOI: 10.1109/TMC.2022.3141694. Online publication date: 1-Jun-2023
  • (2023) A Survey on X.509 Public-Key Infrastructure, Certificate Revocation, and Their Modern Implementation on Blockchain and Ledger Technologies. IEEE Communications Surveys & Tutorials 25:4 (2529-2568). DOI: 10.1109/COMST.2023.3323640. Online publication date: Dec-2024

Published In

SIGITE '20: Proceedings of the 21st Annual Conference on Information Technology Education
October 2020
446 pages
ISBN: 9781450370455
DOI: 10.1145/3368308
Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. certificate authority
2. certificate transparency
3. domainpki
4. pki

Qualifiers

• Research-article

Conference

SIGITE '20

Acceptance Rates

Overall Acceptance Rate 176 of 429 submissions, 41%
