Design, Analysis, and Implementation of ARPKI: An Attack-Resilient Public-Key Infrastructure

Basin, David; Cremers, Cas; Kim, Tiffany Hyun-Jin; Perrig, Adrian; Sasse, Ralf; Szałachowski, Paweł

doi:10.1109/tdsc.2016.2601610

Cited by 45 publications

(30 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, it is sufficient to corrupt two signing entities to conduct MitM attacks. ARPKI 34 identified attacks on AKI and mitigated those attacks. It provides a stout defense against attacks caused by single‐point‐of‐failure and strong adversary controlling n‐1 entities.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

SCM: Secure and accountable TLS certificate management

Khan

Zhang

Zhu

et al. 2020

Int J Communication

View full text Add to dashboard Cite

Summary In classical public‐key infrastructure (PKI), the certificate authorities (CAs) are fully trusted, and the security of the PKI relies on the trustworthiness of the CAs. However, recent failures and compromises of CAs showed that if a CA is corrupted, fake certificates may be issued, and the security of clients will be at risk. As emerging solutions, blockchain‐ and log‐based PKI proposals potentially solved the shortcomings of the PKI, in particular, eliminating the weakest link security and providing a rapid remedy to CAs' problems. Nevertheless, log‐based PKIs are still exposed to split‐world attacks if the attacker is capable of presenting two distinct signed versions of the log to the targeted victim(s), while the blockchain‐based PKIs have scaling and high‐cost issues to be overcome. To address these problems, this paper presents a secure and accountable transport layer security (TLS) certificate management (SCM), which is a next‐generation PKI framework. It combines the two emerging architectures, introducing novel mechanisms, and makes CAs and log servers accountable to domain owners. In SCM, CA‐signed domain certificates are stored in log servers, while the management of CAs and log servers is handed over to a group of domain owners, which is conducted on the blockchain platform. Different from existing blockchain‐based PKI proposals, SCM decreases the storage cost of blockchain from several hundreds of GB to only hundreds of megabytes. Finally, we analyze the security and performance of SCM and compare SCM with previous blockchain‐ and log‐based PKI schemes.

show abstract

Section: Related Workmentioning

confidence: 99%

“…We presume that the cryptographic building that we use for such as commitment, hash function, and signature is secure. Table 2 compares security of our scheme with the following seven log‐ and blockchain‐based proposals: CT, 19 AKI, 4 ARPKI, 34 DTKI, 55 BlockPKI, 22 CertChain, 59 and CertLedger 18 …”

Section: Security Analysismentioning

confidence: 99%

SCM: Secure and accountable TLS certificate management

Khan

Zhang

Zhu

et al. 2020

Int J Communication

View full text Add to dashboard Cite

show abstract

“…The Design, Analysis, and Implementation of ARPKI: an Attack Resilient Public-Key Infrastructure [48] is public log-based Public-Key Infrastructure providing certificate related services and is an improvement over Accountable Key Infrastructure. In ARPKI, registering certificate requires the domain to contact only one CA, but a domain designates n service providers.…”

Section: Related Workmentioning

confidence: 99%

“…The Tamarin Prover is a symbolic tool for verification of security protocol that supports both unbounded verification and falsification in the nominal model. In the implementation of our model, we have abstracted several ideas just as in [47,48,69]. The log server is abstracted in the form of a list, and we also have only verified the security-related parameters of MCP instead of all other irrelevant information.…”

Section: Security Analysismentioning

confidence: 99%

See 1 more Smart Citation

Accountable and Transparent TLS Certificate Management: An Alternate Public-Key Infrastructure with Verifiable Trusted Parties

Khan

Zhang

Zhu

et al. 2018

Security and Communication Networks

View full text Add to dashboard Cite

Current Transport Layer Security (TLS) Public-Key Infrastructure (PKI) is a vast and complex system; it consists of processes, policies, and entities that are responsible for a secure certificate management process. Among them, Certificate Authority (CA) is the central and most trusted entity. However, recent compromises of CA result in the desire for some other secure and transparent alternative approaches. To distribute the trust and mitigate the threats and security issues of current PKI, publicly verifiable log-based approaches have been proposed. However, still, these schemes have vulnerabilities and inefficiency problems due to lack of specifying proper monitoring, data structure, and extra latency. We propose Accountable and Transparent TLS Certificate Management: an alternate Public-Key Infrastructure (PKI) with verifiable trusted parties (ATCM) that makes certificate management phases; certificate issuance, registration, revocation, and validation publicly verifiable. It also guarantees strong security by preventing man-in-middle-attack (MitM) when at least one entity is trusted out of all entities taking part in the protocol signing and verification. Accountable and Transparent TLS Certificate Management: an alternate Public-Key Infrastructure (PKI) with verifiable trusted parties (ATCM) can handle CA hierarchy and introduces an improved revocation system and revocation policy. We have compared our performance results with state-of-the-art log-based protocols. The performance results and evaluations show that it is feasible for practical use. Moreover, we have performed formal verification of our proposed protocol to verify its core security properties using Tamarin Prover.

show abstract

Application of Public Ledgers to Revocation in Distributed Access Control

Bui

Aura

2018

Information and Communications Security

View full text Add to dashboard Cite

There has recently been a flood of interest in potential new applications of blockchains, as well as proposals for more generic designs called public ledgers. Most of the novel proposals have been in the financial sector. However, the public ledger is an abstraction that solves several of the fundamental problems in the design of secure distributed systems: global time in the form of a strict linear order of past events, globally consistent and immutable view of the history, and enforcement of some application-specific safety properties. This paper investigates the applications of public ledgers to access control and, more specifically, to group management in distributed systems where entities are represented by their public keys and authorization is encoded into signed certificates. It is particularly difficult to handle negative information, such as revocation of certificates or group membership, in the distributed setting. The linear order of events and global consistency simplify these problems, but the enforcement of internal constraints in the ledger implementation often presents problems. We show that different types of revocation require slightly different properties from the ledger. We compare the requirements with Bitcoin, the best known blockchain, and describe an efficient ledger design for membership revocation that combines ideas from blockchains and from web-PKI monitoring. While we use certificate-based groupmembership management as the case study, the same ideas can be applied more widely to rights revocation in distributed systems.

show abstract

Design, Analysis, and Implementation of ARPKI: An Attack-Resilient Public-Key Infrastructure

Cited by 45 publications

References 15 publications

SCM: Secure and accountable TLS certificate management

SCM: Secure and accountable TLS certificate management

Accountable and Transparent TLS Certificate Management: An Alternate Public-Key Infrastructure with Verifiable Trusted Parties

Application of Public Ledgers to Revocation in Distributed Access Control

Contact Info

Product

Resources

About