25 research outputs found
X.509 certificate error testing
X.509 Certificates are used by a wide range of technologies to verify identities, while the SSL protocol is used to provide a secure encrypted tunnel through which data can be sent over a public network. Combined both of these technologies provides the basis of the public key infrastructure (PKI). While the concept of PKI is a good idea, the different implementation of the technologies in different operating system and clients often lead to weaknesses. This paper proposes a methodology to automate the testing of SSL clients by generating both bogus and malformed certificates in order to evaluate the client’s response and identify potential threats to network infrastructures
Key exchange with the help of a public ledger
Blockchains and other public ledger structures promise a new way to create
globally consistent event logs and other records. We make use of this
consistency property to detect and prevent man-in-the-middle attacks in a key
exchange such as Diffie-Hellman or ECDH. Essentially, the MitM attack creates
an inconsistency in the world views of the two honest parties, and they can
detect it with the help of the ledger. Thus, there is no need for prior
knowledge or trusted third parties apart from the distributed ledger. To
prevent impersonation attacks, we require user interaction. It appears that, in
some applications, the required user interaction is reduced in comparison to
other user-assisted key-exchange protocols
Mind the Gap: Where Provable Security and Real-World Messaging Don\u27t Quite Meet
Secure messaging apps have enjoyed huge uptake, and with the headline figure of one billion active WhatsApp users there has been a corresponding burst of academic research on the topic. One might therefore wonder: how far is the academic community from providing concrete, applicable guarantees about the apps that are currently in widespread use?
We argue that there are still significant gaps between the security properties that users might expect from a communication app, and the security properties that have been formally proven. These gaps arise from dubious technical assumptions, tradeoffs in the name of reliability, or simply features out of scope of the analyses. We survey these gaps, and discuss where the academic community can contribute. In particular, we encourage more transparency about analyses\u27 restrictions: the easier they are to understand, the easier they are to solve
BlockPKI: An Automated, Resilient, and Transparent Public-Key Infrastructure
This paper describes BlockPKI, a blockchain-based public-key infrastructure
that enables an automated, resilient, and transparent issuance of digital
certificates. Our goal is to address several shortcomings of the current TLS
infrastructure and its proposed extensions. In particular, we aim at reducing
the power of individual certification authorities and make their actions
publicly visible and accountable, without introducing yet another trusted third
party. To demonstrate the benefits and practicality of our system, we present
evaluation results and describe our prototype implementation.Comment: Workshop on Blockchain and Sharing Economy Application
Certificate Transparency with Enhancements and Short Proofs
Browsers can detect malicious websites that are provisioned with forged or
fake TLS/SSL certificates. However, they are not so good at detecting malicious
websites if they are provisioned with mistakenly issued certificates or
certificates that have been issued by a compromised certificate authority.
Google proposed certificate transparency which is an open framework to monitor
and audit certificates in real time. Thereafter, a few other certificate
transparency schemes have been proposed which can even handle revocation. All
currently known constructions use Merkle hash trees and have proof size
logarithmic in the number of certificates/domain owners.
We present a new certificate transparency scheme with short (constant size)
proofs. Our construction makes use of dynamic bilinear-map accumulators. The
scheme has many desirable properties like efficient revocation, low
verification cost and update costs comparable to the existing schemes. We
provide proofs of security and evaluate the performance of our scheme.Comment: A preliminary version of the paper was published in ACISP 201
Certificate Transparency with Enhancements and Short Proofs
Browsers can detect malicious websites that are provisioned with forged or
fake TLS/SSL certificates. However, they are not so good at detecting malicious
websites if they are provisioned with mistakenly issued certificates or
certificates that have been issued by a compromised certificate authority.
Google proposed certificate transparency which is an open framework to monitor
and audit certificates in real time. Thereafter, a few other certificate
transparency schemes have been proposed which can even handle revocation. All
currently known constructions use Merkle hash trees and have proof size
logarithmic in the number of certificates/domain owners.
We present a new certificate transparency scheme with short (constant size)
proofs. Our construction makes use of dynamic bilinear-map accumulators. The
scheme has many desirable properties like efficient revocation, low
verification cost and update costs comparable to the existing schemes. We
provide proofs of security and evaluate the performance of our scheme.Comment: A preliminary version of the paper was published in ACISP 201