Greenpass Client Tools for Delegated Authorization in Wireless Networks

Dartmouth\u27s Greenpass project seeks to provide strong access control to a wireless network while simultaneously providing flexible guest access; to do so, it augments the Wi-Fi Alliance\u27s existing WPA standard, which offers sufficiently strong user authentication and access control, with authorization based on SPKI certificates. SPKI allows certain local users to delegate network access to guests by issuing certificates that state, in essence, he should get access because I said it\u27s okay. The Greenpass RADIUS server described in Kim\u27s thesis [55] performs an authorization check based on such statements so that guests can obtain network access without requiring a busy network administrator to set up new accounts in a centralized database. To our knowledge, Greenpass is the first working delegation-based solution to Wi-Fi access control. My thesis describes the Greenpass client tools, which allow a guest to introduce himself to a delegator and allow the delegator to issue a new SPKI certificate to the guest. The guest does not need custom client software to introduce himself or to connect to the Wi-Fi network. The guest and delegator communicate using a set of Web applications. The guest obtains a temporary key pair and X.509 certificate if needed, then sends his public key value to a Web server we provide. The delegator looks up her guest\u27s public key and runs a Java applet that lets her verify her guests\u27 identity using visual hashing and issue a new SPKI certificate to him. The guest\u27s new certificate chain is stored as an HTTP cookie to enable him to push it to an authorization server at a later time. I also describe how Greenpass can be extended to control access to a virtual private network (VPN) and suggest several interesting future research and development directions that could build on this work.My thesis describes the Greenpass client tools, which allow a guest to introduce himself to a delegator and allow the delegator to issue a new SPKI certificate to the guest. The guest does not need custom client software to introduce himself or to connect to the Wi-Fi network. The guest and delegator communicate using a set of Web applications. The guest obtains a temporary key pair and X.509 certificate if needed, then sends his public key value to a Web server we provide. The delegator looks up her guest\u27s public key and runs a Java applet that lets her verify her guests\u27 identity using visual hashing and issue a new SPKI certificate to him. The guest\u27s new certificate chain is stored as an HTTP cookie to enable him to push it to an authorization server at a later time. I also describe how Greenpass can be extended to control access to a virtual private network (VPN) and suggest several interesting future research and development directions that could build on this work

LocalPKI: An Interoperable and IoT Friendly PKI

International audienceA public-key infrastructure (PKI) binds public keys to identities of entities. Usually, this binding is established through a process of registration and issuance of certificates by a certificate authority (CA) where the validation of the registration is performed by a registration authority. In this paper, we propose an alternative scheme, called LOCALPKI, where the binding is performed by a local authority and the issuance is left to the end user or to the local authority. The role of a third entity is then to register this binding and to provide up-to-date status information on this registration. The idea is that many more local actors could then take the role of a local authority, thus allowing for an easier spread of public-key certificates in the population. Moreover, LOCALPKI represents also an appropriate solution to be deployed in the Internet of Things context. Our scheme's security is formally proven with the help of Tamarin, an automatic verification tool for cryptographic protocols

Establishment of Public Key Infrastructure for Digital Signatures

Open Security Socket Layer (SSL) is a cryptographic library that uses appropriate security systems such as encryption, digital signatures, digital certificates, public/private key pairs, non-repudiation and time-stamping to participate in the cryptography. A Public Key Infrastructure (PKI) comprises a system of certificates, certificate authorities, subjects, relying partners, registration authorities and key repositories that provide for safe and reliable communications. In this paper, open SSL has been implemented to provide an alternative to the Transmission Control Protocol (TCP). Open SSL is a real time protocol in which the parties negotiate interactively to authenticate each other and establish a session key, in contrast to a protocol such as email in which one party prepares a message encrypt and send, that can later be decrypted and authenticated by the intended recipient. Keywords: Open SSL, Public Key Infrastructure, Digital signature

Why have public key infrastructures failed so far

Abstract Purpose -To overview and discuss the technical, economical, legal, and social reasons why public key infrastructures (PKIs) have failed so far, summarizing the lessons learned, and giving expectations about the future development of the field. Design/methodology/approach -A detailed analysis of the developments in the PKI field, pointing out the achievements so far and the issues that still remain unsolved. Findings -The possible reasons for the failure of PKI technology. Originality/value -Identifies and analyses the problems of PKIs considering the different perspectives, i.e. not only the technical issues but also other issues like the economical, legal, and social issues that have also influenced the failure of PKIs

Blockchain-Enabled DPKI Framework

Public Key Infrastructures (PKIs), which rely on digital signature technology and establishment of trust and security association parameters between entities, allow entities to interoperate with authentication proofs, using standardized digital certificates (with X.509v3 as the current reference). Despite PKI technology being used by many applications for their security foundations (e.g. WEB/HTTPS/TLS, Cloud-Enabled Services, LANs/WLANs Security, VPNs, IP-Security), there are several concerns regarding their inherent design assumptions based on a centralized trust model. To avoid some problems and drawbacks that emerged from the centralization assumptions, a Decentralized Public Key Infrastructure (DPKI), is an alternative approach. The main idea for DPKIs is the ability to establish trust relations between all parties, in a web-of-trust model, avoiding centralized authorities and related root-of-trust certificates. As a possible solution for DPKI frameworks, the Blockchain technology, as an enabler solution, can help overcome some of the identified PKI problems and security drawbacks. Blockchain-enabled DPKIs can be designed to address a fully decentralized ledger for managed certificates, providing data-replication with strong consistency guarantees, and fairly distributed trust management properties founded on a P2P trust model. In this approach, typical PKI functions are supported cooperatively, with validity agreement based on consistency criteria, for issuing, verification and revocation of X509v3 certificates. It is also possible to address mechanisms to provide rapid reaction of principals in the verification of traceable, shared and immutable history logs of state-changes related to the life-cycle of certificates, with certificate validation rules established consistently by programmable Smart Contracts executed by peers. In this dissertation we designed, implemented and evaluated a Blockchain-Enabled Decentralized Public Key Infrastructure (DPKI) framework, providing an implementation prototype solution that can be used and to support experimental research. The proposal is based on a framework instantiating a permissioned collaborative consortium model, using the service planes supported in an extended Blockchain platform leveraged by the Hyperledger Fabric (HLF) solution. In our proposed DPKI framework model, X509v3 certificates are issued and managed following security invariants, processing rules, managing trust assumptions and establishing consistency metrics, defined and executed in a decentralized way by the Blockchain nodes, using Smart Contracts. Certificates are issued cooperatively and can be issued with group-oriented threshold-based Byzantine fault-tolerant (BFT) signatures, as group-oriented authentication proofs. The Smart Contracts dictate how Blockchain peers participate consistently in issuing, signing, attestation, validation and revocation processes. Any peer can validate certificates obtaining their consistent states consolidated in closed blocks in a Meckle tree structure maintained in the Blockchain. State-transition operations are managed with serializability guarantees, provided by Byzantine Fault Tolerant (BFT) consensus primitives

Last Mile Transfer: enabling local data transfers on the global WLCG infrastructure

The computing challenge at CERN is of a global nature. To make real world-wide distributed computing possible, more than 150 computer centers must be seamlessly integrated. This means integrating CPU, storage and network. The File Transfer Service (FTS) is a tool that emerges to solve the data movement problem. It is used to schedule data transfers between different storage resources. Its optimizer takes care of increasing the parallelism to improve throughput, without exhausting the storage resources. It also has a web interface (WebFTS) which makes it quite easy for users to invoke reliable, managed data transfers on distributed infrastructure. However, FTS only solves part of the problem, as an increasing number of grid users run simulations on their personal laptops, generating files that can amount to several gigabytes. Normally, users would want to move these files from their personal computers to a remote Grid storage for long-term archiving, sharing, or running further processing on them. The issue here is that these users might be sitting behind a firewall, which means that their computer will not be able to listen to inbound connections. Last Mile Transfer is a solution that was developed to enable local file uploads on the Worldwide LHC Computing Grid (WLCG) infrastructure

The Viability of Post-quantum X.509 Certificates

If quantum computers were built, they would pose concerns for public key cryptography as we know it. Among other cryptographic techniques, they would jeopardize the use of PKI X.509 certificates (RSA, ECDSA) used today for authentication. To overcome the concern, new quantum secure signature schemes have been proposed in the literature. Most of these schemes have significantly larger public key and signature sizes than the ones used today. Even though post-quantum signatures could work well for some usecases like software signing, there are concerns about the effect their size and processing cost would have on technologies using X.509 certificates. In this work, we investigate the viability of post-quantum signatures in X.509 certificates and protocols that use them (e.g. TLS, IKEv2). We prove that, in spite of common concerns, they could work in today\u27s protocols and could be a viable solution to the emergence of quantum computing. We also quantify the overhead they introduce in protocol connection establishment and show that even though it is significant, it is not detrimental. Finally, we formalize the areas of further testing necessary to conclusively establish that the signature schemes standardized in NIST\u27s PQ Project can work with X.509 certs in a post-quantum Internet

Extended Validation using DNSSEC

Abstract Remote trust on the web is mostly handled by so called Certificate Authorities. companies, government bodies or other types of organisations that users go to to obtain their own certificates. There is a significant leap of faith involved: why should you blindly trust the hundreds of Certificate Authorities preloaded in your browser to not abuse their root certificates, when many Certificate Authorities are organisations you don't know anything about -which means you might not want to trust them for all purposes, certainly not if you can avoid it. What if the websites and services you care about can publish the certificates they use safely and authoritatively through the DNS? Historically, the answer was that DNS itself was not safe enough. With DNSSEC you get a chain of trust from the signed root of the internet to the service you want to connect to. We have researched different ways of doing this and made available an add-on to the new Firefox 4.0 browser software which enables end-users and server administrators to leverage the DNSSEC chain of trust as anchor for their certificates. February 7, 2011 Acknowledgements We would like to thank the following people and organisations for their guidance and support during our project: • Michiel Leenaars (NLnet Foundation) for his supervision and incredible support; • Rick van Rein (OpenFortress) for his insight, ideas and feedback; • The System and Network Engineering (University of Amsterdam) group for the means and opportunity to conduct the research project.