revocaton protocols of webpki and revocaton transparency
play

Revocaton protocols of WebPKI and Revocaton Transparency Nikita - PowerPoint PPT Presentation

Aug 11, 2023 •265 likes •377 views

Revocaton protocols of WebPKI and Revocaton Transparency Nikita Korzhitskii Niklas Carlsson Lifecycle of a typical WebPKI certfcate www.liu.se Certificate Certificate Authority Server 1. Issuance www.liu.se Hello 2. Use Certificate

  1. Revocaton protocols of WebPKI and Revocaton Transparency Nikita Korzhitskii Niklas Carlsson

  2. Lifecycle of a typical WebPKI certfcate www.liu.se Certificate Certificate Authority Server 1. Issuance www.liu.se Hello 2. Use Certificate Client Server Key exchange, communication ... 3. Expiration Certificate Certificate Name : www.liu.se From : January 1 To : February 30 www.liu.se Hello Certificate ⏰ April, 1 st Client Server You shall not pass!

  3. Revoking a certfcate 1. Revocation – is a process of invalidating a certificate prior its expiration. Certificate Certificate Name : www.liu.se From : January 1 To : February 30 Revocation status found at : R Let the private key of the certificate be compromised, and the certificate owner asks the CA to revoke the certificate. Then: Revocation + Revocation reason Certificate Certificate Authority status endpoint, R* *OCSP and/or CRL 2. Status delivery ⏰ February, 1 st Hello Certificate Is Certificate OK? Server Client Revocation Revoked status endpoint, R* You shall not pass!

  4. Certfcate Revocaton List (RFC 5280)* http://ca.liu.se/revoked.crl serial# [issuer] [date] [reasonCode] 52 liu.se Feb, 4 1 liu.se Feb, 9 5 412 ... CRL date, next update, signature *CRLs are being phased out.

  5. Online Certfcate Status Protocol (RFC 6960) http://ocsp.liu.se/ Serial#, H(issuerDN), H(issuerKey) OCSP responder Client Status, [Revocation Date], [Next update], [Signature] OCSP ”stapling” (RFC 6066, 6961) Hello Is Certificate OK? Good, OCSP responder Server Client Signed status , Signed status Certificate ...

  6. CA CA Web server Web server CRL OCSP 1 2 1 2 Client Client (a) CRL (b) OCSP CA Web server CA Web server 1 1 OCSP OCSP OCSP 2 3 2 OCSP OCSP Client Client (c) OCSP Stapling (d) OCSP Must-Staple Steps in the process of checking revocation status with different protocols: (a) with CRLs, the client fetches the (potentially large) CRL after obtaining the certificate in the TLS handshake; (b) with OCSP, the client asks for the revocation status of only the particular certificate; (c) with OCSP Stapling, the server is supposed to prefetch the OCSP response and provide it in the handshake, and if it does not, the client can fetch the OCSP response as in (b); and (d) with OCSP Must-Staple, the server must provide an OCSP response in the handshake or the client will reject the certificate. Chung et al., Is the Web Ready for OCSP Must-Staple? IMC '18

  7. Revocaton does not work ● Liu et al., An End-to-End Measurement of Certfiate Revoiaton in the Web’s PKI , IMC 2015 – obtaining certfcate status is expensive – most browsers don’t check certfcate status – custom revocaton set (CRLSet by Google) only covers 0.35% of all revocatons ● Chung et al., Is the Web Ready for OCSP Must-Staple? IMC 2018 – not yet ● Mass revocatons happen, and their exact scale is unclear – Zhang et al., Analysis of SSL Certfiate Reissues and Revoiatons in the Wake of Heartbleed , IMC 2014 – htps://arstechnica.com/informaton-technology/2019/03/godaddy-apple-and-google-goof-results-in-1-million-misissued- certfcates/ Other issues with current revocaton status protocols: ● Performance (OCSP, CRL) ● Availability (OCSP, CRL) ● Replay atacks (OCSP, CRL) ● Privacy (OCSP) ● Sof-fails (Browsers ignore failed status requests) ● Transparency

  8. Revocaton does not work – Fixes Possible fxes: ● Must-staple ● Custom revocaton sets (CRLSet, OneCRL, ...) ● Short validity periods ● A totally new WebPKI … – Yu et al., DTKI: a new Formalized PKI with Verifable Trusted Partes , 2016 – Kubilay et al., CertLedger: A new PKI model with Certfcate Transparency based on blockchain , 2019 ● Revocaton Transparency

  9. Revocaton Transparency • Broadly, a mechanism for logging (and optonally, delivery) of revocatons. • Could be used to create up-to-date revocaton sets, detect revocaton- related misbehavior by CAs, immutably preserve revocaton history. • Several schemes, standalone or as a part of a new PKI: – Laurie & Kasper, Revocaton Transparency , Google, 2012 – CertLedger (Kubilay et al., 2019), AKI (Hyun-Jin Kim et al., 2013), DTKI (Yu et al., 2016), CertChain (Chen et al., 2018) ● Our research goal: ● Motvate the need for Revocaton Transparency through (an ongoing) measurement ● Develop a feasible and low-deployment-cost Revocaton Transparency scheme on top of existng Certfcate Transparency ● Compare with other proposals

  10. Thank you! www.liu.se

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Certicate Transparency Root Explorer Nikita Korzhitskii Niklas Carlsson Web Public Key

Certicate Transparency Root Explorer Nikita Korzhitskii Niklas Carlsson Web Public Key

Certicate Transparency Root Explorer Nikita Korzhitskii Niklas Carlsson Web Public Key Infrastructure (WebPKI) Root certificates of trusted Certificate Authorities e.g. GlobalSign Root CA, Amazon Root CA, GoDaddy Root CA Root 1 Root 2

347 views • 19 slides
1. Why transparency? Results 1 - 100 of about 2,430,000 for transparency democracy No

1. Why transparency? Results 1 - 100 of about 2,430,000 for transparency democracy No

Politics and Information: Discussion Notes 1. Why transparency? Results 1 - 100 of about 2,430,000 for transparency democracy No democratic society worthy of the name can govern itself without transparency and information. Onthecommons.org

461 views • 5 slides
Transparency initiatives and the TGA Dr Peter Papathanasiou Transparency & Advisory

Transparency initiatives and the TGA Dr Peter Papathanasiou Transparency & Advisory

Transparency initiatives and the TGA Dr Peter Papathanasiou Transparency & Advisory Management Section Prescription Medicines Authorisation Branch Market Authorisation Division, TGA ARCS Scientific Congress Canberra 2016 Two transparency

652 views • 36 slides
PulseAudio on Mac OS X Daniel Mack for LAC 2011, Maynooth Why? Network transparency

PulseAudio on Mac OS X Daniel Mack for LAC 2011, Maynooth Why? Network transparency

PulseAudio on Mac OS X Daniel Mack for LAC 2011, Maynooth Why? Network transparency Application mixing Free your Audio Interoperability with arbitrary protocols More testing of the PulseAudio code Yet another

604 views • 23 slides
www.transparencyindia.org Transparency International India Transparency International-India

www.transparencyindia.org Transparency International India Transparency International-India

www.transparencyindia.org Transparency International India Transparency International-India is the accredited Indian National Chapter of Transparency International. It was established in 1997. Transparency International India endeavors

603 views • 45 slides
Application-Layer Protocols: The World-Wide Web (HTTP) Reliable file transfer (FTP) The

Application-Layer Protocols: The World-Wide Web (HTTP) Reliable file transfer (FTP) The

COMP 431 Application-Layer Protocols Internet Services & Protocols Outline application application transport network Example client/server systems and link their application-level protocols: physical Application-Layer Protocols:

432 views • 10 slides
Application-Layer Protocols The World-Wide Web (HTTP) Reliable file transfer (FTP)

Application-Layer Protocols The World-Wide Web (HTTP) Reliable file transfer (FTP)

COMP 431 Application-Layer Protocols Internet Services & Protocols Outline application application transport Example client/server systems and network their application-level protocols: link physical Application-Layer Protocols

281 views • 13 slides
Transparency GEF Secretariat Background Paris Agreement, Transparency, and CBIT Paris Agreement

Transparency GEF Secretariat Background Paris Agreement, Transparency, and CBIT Paris Agreement

Capacity-building Initiative for Transparency GEF Secretariat Background Paris Agreement, Transparency, and CBIT Paris Agreement Article 13: Transparency To build mutual trust and confidence and to promote effective implementation

643 views • 15 slides
Fiscal Transparency and Accountability Overview Importance of Institutional Transparency

Fiscal Transparency and Accountability Overview Importance of Institutional Transparency

September 28, 2017 Alex Hathaway Center for State and Local Finance Fiscal Transparency and Accountability Overview Importance of Institutional Transparency Review of the Literature Methodology Volcker Alliance questions

343 views • 16 slides
NUCLEAR TRANSPARENCY WATCH Prevent and anticipate through transparency and participation

NUCLEAR TRANSPARENCY WATCH Prevent and anticipate through transparency and participation

NUCLEAR TRANSPARENCY WATCH Prevent and anticipate through transparency and participation Activities of NTW Workshop on Environmental Mapping: Mobilising Trust in Measurements and Engaging Scientific Citizenry Nadja Zeleznik nzeleznik@rec.org

338 views • 30 slides
Breaking down data silos for improved insight a data transparency perspective Transparency

Breaking down data silos for improved insight a data transparency perspective Transparency

Breaking down data silos for improved insight a data transparency perspective Transparency an organisational view Transparency is all about the release of information by institutions or companies that is relevant for the evaluation of

883 views • 32 slides
transparency: Opportunities of the Fisheries Transparency Initiative (FiTI) 16 Session COFI

transparency: Opportunities of the Fisheries Transparency Initiative (FiTI) 16 Session COFI

Driving change in fisheries trade through transparency: Opportunities of the Fisheries Transparency Initiative (FiTI) 16 Session COFI Sub-Committee on Fish trade / Busan, 6 September 2017 The necessity of transparency in fisheries International

346 views • 15 slides
www.transparency.org.nz Policy Implications of Transparency International Integrity Plus 2013

www.transparency.org.nz Policy Implications of Transparency International Integrity Plus 2013

1 www.transparency.org.nz Policy Implications of Transparency International Integrity Plus 2013 NZ's National Integrity System Assessment The Treasury Friday 14 th March 2014 1:30pm- 3:00pm liz.brown@paradise.net.nz mpetrie@esg.co.nz

947 views • 45 slides
Communication Chapter 2 Layered Protocols (1) 2-1 Layers, interfaces, and protocols in the OSI

Communication Chapter 2 Layered Protocols (1) 2-1 Layers, interfaces, and protocols in the OSI

Communication Chapter 2 Layered Protocols (1) 2-1 Layers, interfaces, and protocols in the OSI model. 1 Layered Protocols (2) 2-2 A typical message as it appears on the network. Data Link Layer 2-3 Discussion between a receiver and a

577 views • 23 slides
The Pay Transparency Challenge Deciding Where to Fall on the Salary Transparency Spectrum

The Pay Transparency Challenge Deciding Where to Fall on the Salary Transparency Spectrum

The Pay Transparency Challenge Deciding Where to Fall on the Salary Transparency Spectrum Mykkah Herner, MA, CCP Director of Professional Services Paige Hanley, CCP Sr. Compensation Professional 14,000 Positions 3000 Customers 11 Countries

371 views • 35 slides
4 Application Layer Protocols Device Management Protocols Application layer protocols offering

4 Application Layer Protocols Device Management Protocols Application layer protocols offering

EPFL, Spring 2017 4 Application Layer Protocols Device Management Protocols Application layer protocols offering remote services for large networks of devices: - Monitoring (health of devices and network, get current state) - Management

1.31k views • 93 slides
PKI: Public Key Infrastructure What is it, and why should I care? Conference on Higher Education

PKI: Public Key Infrastructure What is it, and why should I care? Conference on Higher Education

PKI: Public Key Infrastructure What is it, and why should I care? Conference on Higher Education Wes Hubert Computing in Kansas Information Services June 3, 2004 The University of Kansas Why? PKI adoption will continue growing to support

1.28k views • 46 slides
Certificates A ubiquitous form of authentication Generally used with public key

Certificates A ubiquitous form of authentication Generally used with public key

Certificates A ubiquitous form of authentication Generally used with public key cryptography A signed electronic document proving you are who you claim to be Often used to help distribute other keys Lecture 5 Page 1 CS 236

339 views • 29 slides
We believe that we are on the verge of the Internet of Things explosion. Now is the time to make

We believe that we are on the verge of the Internet of Things explosion. Now is the time to make

We believe that we are on the verge of the Internet of Things explosion. Now is the time to make sure that IoT incorporates everything weve learned about digital security and infrastructure resiliency over the last 20 years of the Internet.

661 views • 50 slides
Cryptography (+ Web Security): Certificates Spring 2015

Cryptography (+ Web Security): Certificates Spring 2015

CSE 484 / CSE M 584: Computer Security and Privacy Cryptography (+ Web Security): Certificates Spring 2015 Franziska (Franzi) Roesner

505 views • 21 slides
Verifying the SET Protocol G Bella & L C Paulson Cambridge F Massacci Siena P Tramontano

Verifying the SET Protocol G Bella & L C Paulson Cambridge F Massacci Siena P Tramontano

Verifying the SET Protocol G Bella & L C Paulson Cambridge F Massacci Siena P Tramontano Rome Inductive Protocol Verification Define systems operational semantics Include honest parties and an attacker Model each

465 views • 22 slides
Computer Security HKUST, Hong Kong Computer Security Cunsheng Ding, HKUST COMP4631

Computer Security HKUST, Hong Kong Computer Security Cunsheng Ding, HKUST COMP4631

CUNSHENG DING Computer Security HKUST, Hong Kong Computer Security Cunsheng Ding, HKUST COMP4631 CUNSHENG DING Computer Security HKUST, Hong Kong Lecture 11: Public-Key Infrastructure Main Topics of this Lecture 1. Digital

433 views • 25 slides
Certificates Noah Zani, Tim Strasser, Andrs Baumeler Overview Motivation Introduction

Certificates Noah Zani, Tim Strasser, Andrs Baumeler Overview Motivation Introduction

Certificates Noah Zani, Tim Strasser, Andrs Baumeler Overview Motivation Introduction Public Key Infrastructure (PKI) Economic Aspects Motivation Need for secure, trusted communication Growing certificate market

777 views • 49 slides
GUESS THE CORRECT LOG CT INSIGHTS 1 2 3 4 5 Content TLS + Vulnerabilities CA +

GUESS THE CORRECT LOG CT INSIGHTS 1 2 3 4 5 Content TLS + Vulnerabilities CA +

create your own exercise Berkay Kozan, Jan Krol Group 202 GUESS THE CORRECT LOG CT INSIGHTS 1 2 3 4 5 Content TLS + Vulnerabilities CA + Black Tulip How Certificate Transparency Works SCT delivering methods Merkle

729 views • 55 slides

More recommend