AbridgingCertificationAuthoritiesDRAFT-PleasedonotdistributeMatthiasJacobPrincetonUniversitymjacob@tractCertificatesheyarehighlytrustedentitiesthatcanonlybeissuedbyafewtrustedcertificationauthorities(CAs),theyareacostlysecuritycomponentintoday’r,alargepartoftheInternet’orealterna-tivestotheold-fashionedCAstructureandcometotheconclusionthattheseapproachesprovidecompletelysuffitheselow-volumeserversdonotevenusecer-tificatesbecausetotlter-nativetechniques,whendeployed,willbeaninexpen-sivewayforissuingcertificatesandhenceincreasingtrustandsecurityinnetworks.1IntroductionInsecurecommunicationsuchasanSSLconnectionoveranetworkitisacommonproblemtomatchanon-lineidentirentso-lutiontothisproblemisthedeploymentofcertifily-trustedCertificationAuthorities(CA)verifywhetherthematchingbetweenahost’sDNSnameandpublickeyiscorrectandissueacertifippenzellerStanfordUniversityappenz@ingtheinitiationofthesecurecommunication,forexampleusingSSL,rtificateexiststhegenuinenessofahost’versinthenetworkarere-sponsibleforresolvingahost’sDNSnametoitsIPaddress,butitisawell-knownfactthatDNSserversarepronetoattacksinwhichanadversaryspoofstheDNSnameandmatcr,certifi,certificatesarehighlytrusted,sotheCAneedstocheckexternaldocumentationwhenitissuesacertifi,itiscrucialthattheprivatesigningkeyoftheCAdoesnotleak,,CAshavetodistributethepublickeyforcheckingthecertificatestotheclients,,ultisthatformanyhostssuchaslow-volumewebserversornodesinpeer-to-peernetworksobtainingcertifiommunitythereexistsastrongde-sireforcheapcertificates[5,1,4].However,sofar,tpopularcurrentlyavailablealternativetohighlytrustedcertifi-catesarelow-costcertificates[3,18].Intheverifica-tionprocessforthesecertificatestheCAsendsasin-gleverifihisprocessisquickandconvenient,anattackercanin-terceptthisverificationemailandforgethecertifiubtfulthatthisisaviablewaytocertifytrustinaserver.
Inthispaperweprovideanovelapproachtocheapcer-tifirvethatastate-of-the-artCAdecideswhethertocertifyahostsolelybasedoninformationitobtainsatthetimethehostrequeststhecertifiheCAhasissuedthecertificateitisvalidoveralongtimeperiod(ars).Inordertoinvali-datethecertificatetheCAhastomanuallypublishitonitscertificaterevocationlist(CRL)[16].TheprocessofmanuallyverifyingtrustinahostandpublishingtheCRLsisexpensive,tedious,andunreliable.1.1Time-basedtrustedauthenticationWeapproachtheproblemofissuingcheapcertificatesbyusing“trustovertime”:Whenahostconsistentlyrespondswiththesamepublickeyintheinitialpublitheassumacommonprincipleinthephysicalworld,editreportshowswhetherapotlienthasbeeningoodstandingoversometimeperiod,paperwedevelopCAsthatinitiateSSLcon-nectionsperiodicallyinordertofiu-tomaticallyadjuststhehost’strustlevelandissuesanewcertifihecertificationprocessworksautomaticallythesecertificatescanhavefiner-grainedexpirationdatesthantheX.509certifition2partdefinesimportanttermsofthecertifihowtomaketheCAaccountableandwhatthesecurityguaranteesareinsection4,andfinallyexplaininsection5howafullydistributedCAworks.2X.509CertificationSystemInthispaperweample,inacliensneedtomakesurethattheyarecommunicatingwiththerightserver,andhence,theyrequestthecer-tificatethatverifiized,thetypicalnetworkcon-sistsofthefollowingcomponents:•Client:Aclientinitiatesaconnertoexchangedatasecurelytheclientneedstoascertainthatitpossessesthepub-lickeythatmatchestheserver’entusescertificatestoverifywhetherthepublickeyfromtheserveristhecorrectone,•Server:AserverprovidesnetworkservicestoclientsandpublishestotheclientthatthepublickeybelongstotheservertheCAissuesacertificatethatcontainsthispublickeyandtheserver’sDNSname.•CertificationAuthority(CA):Thecertificationauthorityissuescertifier-tificatescontaininformationabouttheserver’ficateintheX.509speci-ficationalsocontainsinformationaboutthephys-icalidentityoftheserverandaccesspolicies,lly,aserveraskstheCAtoissueacertifisoper-ationtheserverpassesalongtotheCAitsDNSnameserver,itspublickeypk,andsomeexternalidentifiheckingexternalidentificationtheCAreturnsthecertificatecontainingtheDNSnameandthe
server{server, pk, id}clientserverCAcert(server, pk)cert(server, pk)Figure1:TheroleofthecertifirusesaprivatekeyfentcontactstheserverbyusingitsDNSnameandgetsthecorrectpublickeyintheserver’scertifiy,theclienttruststheCA,heassumptionthattrustistransitive,hence,ignsthecertifientinthesystemcannowrequestacertifientverifiesthesignatureofthecertificateand,ifvalid,obtainsthepublickeypk.•issuecertificate(server)(client→server):(server:client→server)⇒({certCA(server,pk)}:server→client)OncetheCAhasissuedacertificateitisvaliduntilitsexpirationdategivenonthecertifificatebecomesinvalidbeforeitsexpirationdatewhentheCApublishesitonaCRLthatcontainsalistofallinvalidcertificates.2.1SecurityAnalysisWeguaranteethesexistthreekindofattacks:First,anadversarycanma-nipulateanycontentsaserver,,,anad-versarycancompromisetheCAandgettheprivatesigningkey:•Attacksfromthenetwork:Sincethecertificationauthoritysignsallcertifi-catesitisnotpossibleforanadversarytomodifyorforgecertifihecertificationprocessdoesnottakeplaceon-lineduetoexternalidentification,modifyingtheserver’rsarycanspooftheDNSresolutionbe-tweenclientandserverinwhichcasetheclientgetsredirectedtoadifferentphysicalhost,butinordertoverifyapublickeythishostneedstohaveavalidcertificate.•Compromisingservers:Whenanadversarycompromisesaserveranditsprivatekeyleakstheadversarycandecryptallmessagestheserverreceives,buttheadversarycannotchangethekeywithoutgettinganewcer-tificasetheCAneedstoputthecer-tificateontifi-catecannotprotectagainstpassiveattackswhentheadversarycompromisestheserver.•CompromisingtheCA:versarycompromisestheCAandobtainstheprivatesigningkeytheadversarycanissuefalsecertificasthecrucialcomponentofthesystem,andithastospendalotofeffortinprotectingthepri-vatesigningkeyfromleakingwhichisoneoftherea-sonscertificatesareexpensive,extsectionwefirstlookintohowwecanauto-matetheprocessofcertifyingaserversuchthatcostlyverificationofexternalidentificationisnotnecessaryanymore.3CAusingtrustovertimeTheweaknessinthestandardX.509certificationau-thoritysystemistoestablishtrustbetweentheCAand
eedstoverifyoffly,theCAverifiesthismappingbyexaminingexternalidenti-ficationsuchasadriver’rtogetaroundthisexpensiveverificationmethodweapplythe“trustovertime”principletothecertifiverhasacertaintrustleveltheCAissuesthecertificate,orevensim-pler,itjustissuesacertifistablishesthetrustlevelbycheckingperiod-icallywheerver’eserverwantstoobtainacertificateitsubmitsitsDNShostnameandpublickeytotheCAandreceivesacertificateoftrustlevelt
本文发布于:2024-09-22 14:36:23,感谢您对本站的认可!
本文链接:https://www.17tex.com/fanyi/6034.html
版权声明:本站内容均来自互联网,仅供演示用,请勿用于商业和其他非法用途。如果侵犯了您的权益请与我们联系,我们将在24小时内删除。
留言与评论(共有 0 条评论) |