assertion carrying certificates
play

Assertion-Carrying Certificates Waqar Aqeel, Zachary Hanif, James - PowerPoint PPT Presentation

Nov 21, 2023 •17 likes •157 views

Assertion-Carrying Certificates Waqar Aqeel, Zachary Hanif, James Larisch, Olamide Omolola, Taejoong Chung, Dave Levin, Bruce Maggs, Alan Mislove, Bryan Parno, Christo Wilson The Public Key Infrastructure is how users know with whom they

  1. Assertion-Carrying Certificates Waqar Aqeel, Zachary Hanif, James Larisch, Olamide Omolola, 
 Taejoong Chung, Dave Levin, Bruce Maggs, Alan Mislove, Bryan Parno, Christo Wilson

  2. The Public Key Infrastructure is 
 how users know with whom they are communicating online

  3. Certificates encapsulate identity (who hosts are) 
 and capability (what they can do)

  4. Certificates encapsulate identity (who hosts are) 
 and capability (what they can do) Traditional PKI roles Subject Name Who the cert is about Issuer Name Who vetted the subject’s identity Expiration Dates When is the certificate no longer valid Public key and signature Attestation of cryptographic identity

  5. The PKI has had to evolve to meet new 
 threats, deployments, and opportunities Traditional PKI roles New additions to the PKI Subject Name Key Usage Who the cert is about Certificate signing, authentication Issuer Name Subject Alternate Names Who vetted the subject’s identity Support deployments in CDNs Expiration Dates When is the certificate no longer valid Public key and signature Attestation of cryptographic identity

  6. The PKI has had to evolve to meet new 
 threats, deployments, and opportunities Traditional PKI roles New additions to the PKI Subject Name Key Usage Who the cert is about Certificate signing, authentication Issuer Name Subject Alternate Names Who vetted the subject’s identity Support deployments in CDNs Expiration Dates Revocation Information When is the certificate no longer valid New ways to deliver revocations Public key and signature Certificate Transparency Attestation of cryptographic identity Allows greater insight into CA (mis)behavior

  7. The PKI must continue to evolve 
 but adding new features is slow and laborious Traditional PKI roles New additions to the PKI Future additions Subject Name Key Usage Naming constraints Who the cert is about Certificate signing, authentication Let non-CAs issue their own certs, 
 limited to domains they control Issuer Name Subject Alternate Names Signed exchanges Who vetted the subject’s identity Support deployments in CDNs Sign-over the hosting of some 
 resources to a third party Expiration Dates Revocation Information Multi-rooted certificates When is the certificate no longer valid New ways to deliver revocations Minimize the reliance on a small 
 set of trusted certificate authorities Public key and signature Certificate Transparency Attestation of cryptographic identity Allows greater insight into CA (mis)behavior And many more!

  8. • More evolvable Is there one extension we could add 
 • More customizable to new deployments that would make the PKI: • Easier to formally verify Insight: A certificate is a set of constraints Name Validity period Allowed usages Why not encode constraints in small programs in the certificate?

  9. Assertion-Carrying Certificates (ACCs) Rules

  10. Assertion-Carrying Certificates (ACCs) 
 Add small programs that must be run as part of the certificate’s validation Rules Assertions

  11. Assertion-Carrying Certificates (ACCs) 
 Add small programs that must be run as part of the certificate’s validation Rules Define new capabilities What it means to be name-constrained Assertions Enforce them as constraints All certificates following this one must be name-constrained

  12. Assertion-Carrying Certificates (ACCs) 
 Language goals All constraints across all certs in the chain must hold Certs can never relax constraints further up the chain Rules Browsers can add their own constraints, as well The language should be concise and expressive Does not need to be Turing-complete Assertions Should be formally verifiable Must not broaden the attack surface A logic-based programming language is a natural fit

  13. Assertion-Carrying Certificates (ACCs) 
 What is the appropriate constraint language? Prolog Datalog ✅ Non-Turing-complete X ✅ X Declarative X Termination guaranteed ✅ ½ ✅ Amenable to static analysis ✅ Fully expressive ½ We might not need these ✅ Negation ½ Unbounded lists, numbers, strings ✅ X

  14. Assertion-Carrying Certificates (ACCs) 
 Allow for a far more agile PKI Ongoing and Future E ff orts Today’s PKI is slow to evolve Implementing long-desired features ACCs add small programs that must be run as part of the certificate’s validation Naming constraints, signed exchanges, and more Re-implementing various browsers’ validation logic in Prolog/Datalog Chrome, Firefox, mbedTLS — in far fewer lines of code Exploring ways to verify correctness: - Static analysis - Certificate fuzzing - Using the languages’ imputation Is there any certificate that is valid 
 but where constraint X does not hold?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Smart Cards Carrying certificates around How do you use your [digital] identity? Install your

Smart Cards Carrying certificates around How do you use your [digital] identity? Install your

4/25/08 Smart Cards Carrying certificates around How do you use your [digital] identity? Install your certificate in browser On-computer keychain file Need there be more? 1 4/25/08 Smart cards Smart card Portable device

316 views • 4 slides
8. Assertion Based Design and 8.1 Assertion-based design Assertion Languages Assertions

8. Assertion Based Design and 8.1 Assertion-based design Assertion Languages Assertions

Fachgebiet Rechnersysteme Technische Universitt Verification Technology Darmstadt 8. Assertion-Based Design and Assertion Languages 1 8. Assertion-Based Design and Assertion Languages 3 Fachgebiet Rechnersysteme 8. Assertion Based Design

815 views • 13 slides
8. Assertion Based Design and Assertion Languages Verification Technology Content 8.1

8. Assertion Based Design and Assertion Languages Verification Technology Content 8.1

8. Assertion-Based Design and Assertion Languages 1 Fachgebiet Rechnersysteme 8. Assertion Based Design and Assertion Languages Verification Technology Content 8.1 Assertion-Based Design 8.2 Introduction to ITL 8.3 Introduction to SVA

856 views • 51 slides
10-16-2018 CARRYING CAPACITY Carrying capacity is defined as the number of individuals who

10-16-2018 CARRYING CAPACITY Carrying capacity is defined as the number of individuals who

Jekyll Island Carrying Capacity & Infrastructure Assessment 10-16-2018 CARRYING CAPACITY Carrying capacity is defined as the number of individuals who can be supported within a given area without degrading the natural, social,

698 views • 23 slides
Assertion how to communicate well and improve relationships Sarah Patterson Therapist,

Assertion how to communicate well and improve relationships Sarah Patterson Therapist,

Assertion how to communicate well and improve relationships Sarah Patterson Therapist, Health & Wellbeing Service From Newcastle. For the world. What is assertion? Assertiveness enables us to act in our own best interests, to stand up

368 views • 16 slides
RES212 Lab #1 Certificates, TLS and VPN The goal of this lab is to let you become acquainted with

RES212 Lab #1 Certificates, TLS and VPN The goal of this lab is to let you become acquainted with

https://res212.telecom-paristech.fr TP01v2 2018/05/22 RES212 Lab #1 Certificates, TLS and VPN The goal of this lab is to let you become acquainted with creating and managing cryptographic certificates for use in your application, for the Web

851 views • 16 slides
PKI and Certificate Security Outline Motivation Certificates Public Key Infrastructure

PKI and Certificate Security Outline Motivation Certificates Public Key Infrastructure

IN3210 Network Security PKI and Certificate Security Outline Motivation Certificates Public Key Infrastructure Threats to certificates / PKI Protecting certificates / PKI 2 Certificates Motivation 3 Motivation: TLS

1.68k views • 108 slides
Carrying capacity assessment and impact Carrying capacity assessment and impact of aquaculture in

Carrying capacity assessment and impact Carrying capacity assessment and impact of aquaculture in

Carrying capacity assessment and impact Carrying capacity assessment and impact of aquaculture in Chinese bays of aquaculture in Chinese bays *1,*2 *1,*2 http://www.ecowin.org/china/ J.G. Ferreira Universidade Nova de Lisboa Faculdade de

595 views • 33 slides
Carrying Capacity What Is It And Why Is It Important? Photo from NOAA Science Center 1

Carrying Capacity What Is It And Why Is It Important? Photo from NOAA Science Center 1

Carrying Capacity What Is It And Why Is It Important? Photo from NOAA Science Center 1 Definition Carrying Capacity = Number of individuals or biomass the resources of a given area can support usually through the most unfavorable period of the

185 views • 16 slides
Simplification & Integration www.apprenticeships.org.uk/certificates Apprenticeship

Simplification & Integration www.apprenticeships.org.uk/certificates Apprenticeship

Workshop: Simplification & Integration www.apprenticeships.org.uk/certificates Apprenticeship Certificates England (ACE) Gregg Moreton UK Systems Integration Manager Gregg.moreton@fisss.org www.apprenticeships.org.uk/certificates MY

812 views • 17 slides
Beyond assertion: setup and teardown UN IT TES TIN G F OR DATA S CIEN CE IN P YTH ON Dibya

Beyond assertion: setup and teardown UN IT TES TIN G F OR DATA S CIEN CE IN P YTH ON Dibya

Beyond assertion: setup and teardown UN IT TES TIN G F OR DATA S CIEN CE IN P YTH ON Dibya Chakravorty Test Automation Engineer The preprocessing function def preprocess(raw_data_file_path, 1,801 201,411 clean_data_file_path

1.21k views • 104 slides
Welcome to todays webinar on RET exemption certificates The webinar will commence at 2:00 PM

Welcome to todays webinar on RET exemption certificates The webinar will commence at 2:00 PM

Welcome to todays webinar on RET exemption certificates The webinar will commence at 2:00 PM (AEDT) Friday 14 December 2018 To hear the webinar, phone 1800 896 323 and enter code 33532697# Am I eligible for RET exemption certificates? For

357 views • 15 slides
Commitment and implicit assertion Dave Ripley University of Connecticut http://davewripley.rocks

Commitment and implicit assertion Dave Ripley University of Connecticut http://davewripley.rocks

1/ 36 Commitment and implicit assertion Dave Ripley University of Connecticut http://davewripley.rocks De La Salle University April 2015 davewripley@gmail.com Commitment and implicit assertion 2/ 36 From bounds to meaning Commitment

390 views • 36 slides
STAKEHOLDERS STUDY ON THE TOURISM CARRYING CAPACITY FOR THE WORKSHOP ISLAND OF MAHE

STAKEHOLDERS STUDY ON THE TOURISM CARRYING CAPACITY FOR THE WORKSHOP ISLAND OF MAHE

STAKEHOLDERS STUDY ON THE TOURISM CARRYING CAPACITY FOR THE WORKSHOP ISLAND OF MAHE BONZOUR! WHAT WELL ACCOMPLISH Purpose of Snapshot of Carrying Current Capacity Study Conditions Understanding Defining a of Key Issues Path

964 views • 59 slides
Chronic Treatment with Medication Assertion: May be unnecessary or even harmful for some

Chronic Treatment with Medication Assertion: May be unnecessary or even harmful for some

Chronic Treatment with Medication Assertion: May be unnecessary or even harmful for some Refutation: Medication Reduces risk of relapse for many but not all Spontaneous remission occurs No current reliable method to

201 views • 5 slides
An Assertion Language for Debugging SDN Applications Ryan Beckett with X. Kelvin Zou,

An Assertion Language for Debugging SDN Applications Ryan Beckett with X. Kelvin Zou,

An Assertion Language for Debugging SDN Applications Ryan Beckett with X. Kelvin Zou, Shuyuan Zhang, Sharad Malik, Jennifer Rexford, David Walker Princeton University 1 Data Plane Verification Controller Find

579 views • 37 slides
Intro to HTML 5, Canvas, WebGL CSCI 470: Web Science Keith Vertanen Overview History of

Intro to HTML 5, Canvas, WebGL CSCI 470: Web Science Keith Vertanen Overview History of

Intro to HTML 5, Canvas, WebGL CSCI 470: Web Science Keith Vertanen Overview History of HTML HTML5 Feature overview Browser support Creating an HTML5 page Canvas 2D 2D drawing on the client Does many things that

492 views • 22 slides
COMP9313: Big Data Management Introduction to Big Data Management What is big data? Tweeted by

COMP9313: Big Data Management Introduction to Big Data Management What is big data? Tweeted by

COMP9313: Big Data Management Introduction to Big Data Management What is big data? Tweeted by Prof. Dan Ariely, Duke University 2 What is big data? No standard definition! Wikipedia: Big data is a field that treats ways to

1.47k views • 53 slides
Large Scale Graph Analysis Erik Saule HPC Lab Biomedical Informatics The Ohio State University

Large Scale Graph Analysis Erik Saule HPC Lab Biomedical Informatics The Ohio State University

Large Scale Graph Analysis Erik Saule HPC Lab Biomedical Informatics The Ohio State University March 11, 2013 UMass Boston Ohio State University, Biomedical Informatics Large Scale Graph Analysis Erik Saule :: 1 / 43 HPC Lab

1.32k views • 74 slides
HTTP/2, HTTP/3 and QUIC Kristian A. Hiorth University of Oslo, Norway September 7, 2020 IN5150:

HTTP/2, HTTP/3 and QUIC Kristian A. Hiorth University of Oslo, Norway September 7, 2020 IN5150:

HTTP/2, HTTP/3 and QUIC Kristian A. Hiorth University of Oslo, Norway September 7, 2020 IN5150: HTTP/2, HTTP/3 and QUIC Kristian A. Hiorth Dept. of Informatics University of Oslo [Photo: Jason Coates] Overview: first, a look back at legacy

742 views • 57 slides
When HTTPS Meets CDN A Case of Authentication in Delegated Service Liang, J., Jiang, J., Duan,

When HTTPS Meets CDN A Case of Authentication in Delegated Service Liang, J., Jiang, J., Duan,

When HTTPS Meets CDN A Case of Authentication in Delegated Service Liang, J., Jiang, J., Duan, H., Li, K., Wan, T., & Wu, J 2014 IEEE Symposium on Security and Privacy Web Traffic Needs Security! Goals = CIA triad Confidentiality

192 views • 18 slides
An Evaluation and Certification An Evaluation and Certification Scheme for MILS Scheme for MILS

An Evaluation and Certification An Evaluation and Certification Scheme for MILS Scheme for MILS

An Evaluation and Certification An Evaluation and Certification Scheme for MILS Scheme for MILS Rance DeLong* Rance DeLong* The Open Group The Open Group Layered Assurance Workshop Layered Assurance Workshop December 2010 December 2010 1

355 views • 11 slides
Crypto Meets Web Security [Finish Asymmetric Crypto; Web Certificates] Fall 2017 Franziska

Crypto Meets Web Security [Finish Asymmetric Crypto; Web Certificates] Fall 2017 Franziska

CSE 484 / CSE M 584: Computer Security and Privacy Crypto Meets Web Security [Finish Asymmetric Crypto; Web Certificates] Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi

849 views • 25 slides
Crypto meets Web Security: Certificates and SSL/TLS Spring 2016 Franziska (Franzi) Roesner

Crypto meets Web Security: Certificates and SSL/TLS Spring 2016 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Crypto meets Web Security: Certificates and SSL/TLS Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John

848 views • 29 slides

More recommend