Attack-Resilient TLS Certificate Transparency

Salabat Khan; Liehuang Zhu; Zijian Zhang; Mussadiq Abdul Rahim; Khalid Khan; Meng Li

doi:10.1109/ACCESS.2020.2996997

Attack-Resilient TLS Certificate Transparency

Salabat Khan
, Liehuang Zhu^*
, Zijian Zhang
, Mussadiq Abdul Rahim
, Khalid Khan
, Meng Li

^*Corresponding author for this work

Research output: Contribution to journal › Article › peer-review

10 Scopus citations

Abstract

The security of Public-Key Infrastructure (PKI) for Internet-based communications has lately attracted researchers' attention because of Certification Authorities (CAs) crashes and consequent attacks. Google Certificate Transparency and subsequent log-based PKI proposals (e.g., AKI and ARPKI) have succeeded in making certificate-management processes more transparent, accountable, and verifiable. However, those proposals failed to solve the root CA generous delegation of trust to intermediate CAs, non-conformant certificate-issuance by them, and lack of rigorous authentication of domain ownership during certificate-issuance problems. This study presents Attack-Resilient TLS Certificate Transparency (ARCT) based on log servers to address these problems. ARCT enables root CA to enforce intermediate CAs to follow community standards through leveraging a log server at each root level. It also introduces a collaborative domain ownership verification method that deters false certificate-issuance and ensures that a set of CAs validates every certificate before any client will accept it. A certificate collectively approved by a set of CAs assures users that the certificate has been seen, and not instantly detected malicious, by a group of CAs. Finally, formal security and performance evaluations prove the reliability and effectiveness of ARCT.

Original language	English
Article number	9099233
Pages (from-to)	98958-98973
Number of pages	16
Journal	IEEE Access
Volume	8
DOIs	https://doi.org/10.1109/ACCESS.2020.2996997
State	Published - 2020
Externally published	Yes

Bibliographical note

Publisher Copyright:
© 2013 IEEE.

Keywords

PKI
TLS
collaborative identity verification
delegation of trust
log server

ASJC Scopus subject areas

General Computer Science
General Materials Science
General Engineering

Access to Document

10.1109/ACCESS.2020.2996997

Cite this

@article{ee3855bc7da94849be075a8c7327e80c,

title = "Attack-Resilient TLS Certificate Transparency",

abstract = "The security of Public-Key Infrastructure (PKI) for Internet-based communications has lately attracted researchers' attention because of Certification Authorities (CAs) crashes and consequent attacks. Google Certificate Transparency and subsequent log-based PKI proposals (e.g., AKI and ARPKI) have succeeded in making certificate-management processes more transparent, accountable, and verifiable. However, those proposals failed to solve the root CA generous delegation of trust to intermediate CAs, non-conformant certificate-issuance by them, and lack of rigorous authentication of domain ownership during certificate-issuance problems. This study presents Attack-Resilient TLS Certificate Transparency (ARCT) based on log servers to address these problems. ARCT enables root CA to enforce intermediate CAs to follow community standards through leveraging a log server at each root level. It also introduces a collaborative domain ownership verification method that deters false certificate-issuance and ensures that a set of CAs validates every certificate before any client will accept it. A certificate collectively approved by a set of CAs assures users that the certificate has been seen, and not instantly detected malicious, by a group of CAs. Finally, formal security and performance evaluations prove the reliability and effectiveness of ARCT.",

keywords = "PKI, TLS, collaborative identity verification, delegation of trust, log server",

author = "Salabat Khan and Liehuang Zhu and Zijian Zhang and Rahim, \{Mussadiq Abdul\} and Khalid Khan and Meng Li",

note = "Publisher Copyright: {\textcopyright} 2013 IEEE.",

year = "2020",

doi = "10.1109/ACCESS.2020.2996997",

language = "English",

volume = "8",

pages = "98958--98973",

journal = "IEEE Access",

issn = "2169-3536",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

}

TY - JOUR

T1 - Attack-Resilient TLS Certificate Transparency

AU - Khan, Salabat

AU - Zhu, Liehuang

AU - Zhang, Zijian

AU - Rahim, Mussadiq Abdul

AU - Khan, Khalid

AU - Li, Meng

PY - 2020

Y1 - 2020

N2 - The security of Public-Key Infrastructure (PKI) for Internet-based communications has lately attracted researchers' attention because of Certification Authorities (CAs) crashes and consequent attacks. Google Certificate Transparency and subsequent log-based PKI proposals (e.g., AKI and ARPKI) have succeeded in making certificate-management processes more transparent, accountable, and verifiable. However, those proposals failed to solve the root CA generous delegation of trust to intermediate CAs, non-conformant certificate-issuance by them, and lack of rigorous authentication of domain ownership during certificate-issuance problems. This study presents Attack-Resilient TLS Certificate Transparency (ARCT) based on log servers to address these problems. ARCT enables root CA to enforce intermediate CAs to follow community standards through leveraging a log server at each root level. It also introduces a collaborative domain ownership verification method that deters false certificate-issuance and ensures that a set of CAs validates every certificate before any client will accept it. A certificate collectively approved by a set of CAs assures users that the certificate has been seen, and not instantly detected malicious, by a group of CAs. Finally, formal security and performance evaluations prove the reliability and effectiveness of ARCT.

AB - The security of Public-Key Infrastructure (PKI) for Internet-based communications has lately attracted researchers' attention because of Certification Authorities (CAs) crashes and consequent attacks. Google Certificate Transparency and subsequent log-based PKI proposals (e.g., AKI and ARPKI) have succeeded in making certificate-management processes more transparent, accountable, and verifiable. However, those proposals failed to solve the root CA generous delegation of trust to intermediate CAs, non-conformant certificate-issuance by them, and lack of rigorous authentication of domain ownership during certificate-issuance problems. This study presents Attack-Resilient TLS Certificate Transparency (ARCT) based on log servers to address these problems. ARCT enables root CA to enforce intermediate CAs to follow community standards through leveraging a log server at each root level. It also introduces a collaborative domain ownership verification method that deters false certificate-issuance and ensures that a set of CAs validates every certificate before any client will accept it. A certificate collectively approved by a set of CAs assures users that the certificate has been seen, and not instantly detected malicious, by a group of CAs. Finally, formal security and performance evaluations prove the reliability and effectiveness of ARCT.

KW - PKI

KW - TLS

KW - collaborative identity verification

KW - delegation of trust

KW - log server

UR - https://www.scopus.com/pages/publications/85086308822

U2 - 10.1109/ACCESS.2020.2996997

DO - 10.1109/ACCESS.2020.2996997

M3 - Article

AN - SCOPUS:85086308822

SN - 2169-3536

VL - 8

SP - 98958

EP - 98973

JO - IEEE Access

JF - IEEE Access

M1 - 9099233

ER -

Attack-Resilient TLS Certificate Transparency

Abstract

Bibliographical note

Keywords

ASJC Scopus subject areas

Access to Document

Fingerprint

Cite this