Attack-Resilient TLS Certificate Transparency
The security of Public-Key Infrastructure (PKI) for Internet-based communications has lately attracted researchers' attention because of Certification Authorities (CAs) crashes and consequent attacks. Google Certificate Transparency and subsequent log-based PKI proposals (e.g., AKI and ARPKI) h...
| Main Authors: | , , , , , |
|---|---|
| Format: | Article |
| Language: | English |
| Published: |
IEEE
2020-01-01
|
| Series: | IEEE Access |
| Subjects: | |
| Online Access: | https://ieeexplore.ieee.org/document/9099233/ |
| _version_ | 1818379549965025280 |
|---|---|
| author | Salabat Khan Liehuang Zhu Zijian Zhang Mussadiq Abdul Rahim Khalid Khan Meng Li |
| author_facet | Salabat Khan Liehuang Zhu Zijian Zhang Mussadiq Abdul Rahim Khalid Khan Meng Li |
| author_sort | Salabat Khan |
| collection | DOAJ |
| description | The security of Public-Key Infrastructure (PKI) for Internet-based communications has lately attracted researchers' attention because of Certification Authorities (CAs) crashes and consequent attacks. Google Certificate Transparency and subsequent log-based PKI proposals (e.g., AKI and ARPKI) have succeeded in making certificate-management processes more transparent, accountable, and verifiable. However, those proposals failed to solve the root CA generous delegation of trust to intermediate CAs, non-conformant certificate-issuance by them, and lack of rigorous authentication of domain ownership during certificate-issuance problems. This study presents Attack-Resilient TLS Certificate Transparency (ARCT) based on log servers to address these problems. ARCT enables root CA to enforce intermediate CAs to follow community standards through leveraging a log server at each root level. It also introduces a collaborative domain ownership verification method that deters false certificate-issuance and ensures that a set of CAs validates every certificate before any client will accept it. A certificate collectively approved by a set of CAs assures users that the certificate has been seen, and not instantly detected malicious, by a group of CAs. Finally, formal security and performance evaluations prove the reliability and effectiveness of ARCT. |
| first_indexed | 2024-12-14T02:04:34Z |
| format | Article |
| id | doaj.art-b8f73fd6306446a998d3b4a253abb711 |
| institution | Directory Open Access Journal |
| issn | 2169-3536 |
| language | English |
| last_indexed | 2024-12-14T02:04:34Z |
| publishDate | 2020-01-01 |
| publisher | IEEE |
| record_format | Article |
| series | IEEE Access |
| spelling | doaj.art-b8f73fd6306446a998d3b4a253abb7112022-12-21T23:20:55ZengIEEEIEEE Access2169-35362020-01-018989589897310.1109/ACCESS.2020.29969979099233Attack-Resilient TLS Certificate TransparencySalabat Khan0https://orcid.org/0000-0003-1470-0529Liehuang Zhu1https://orcid.org/0000-0003-3277-3887Zijian Zhang2https://orcid.org/0000-0002-6313-4407Mussadiq Abdul Rahim3Khalid Khan4Meng Li5School of Computer Science and Technology, Beijing Institute of Technology, Beijing, ChinaSchool of Computer Science and Technology, Beijing Institute of Technology, Beijing, ChinaSchool of Computer Science and Technology, Beijing Institute of Technology, Beijing, ChinaSchool of Computer Science and Technology, Beijing Institute of Technology, Beijing, ChinaKohat University of Science and Technology, Kohat, PakistanSchool of Computer Science and Information Engineering, Hefei University of Technology, Hefei, ChinaThe security of Public-Key Infrastructure (PKI) for Internet-based communications has lately attracted researchers' attention because of Certification Authorities (CAs) crashes and consequent attacks. Google Certificate Transparency and subsequent log-based PKI proposals (e.g., AKI and ARPKI) have succeeded in making certificate-management processes more transparent, accountable, and verifiable. However, those proposals failed to solve the root CA generous delegation of trust to intermediate CAs, non-conformant certificate-issuance by them, and lack of rigorous authentication of domain ownership during certificate-issuance problems. This study presents Attack-Resilient TLS Certificate Transparency (ARCT) based on log servers to address these problems. ARCT enables root CA to enforce intermediate CAs to follow community standards through leveraging a log server at each root level. It also introduces a collaborative domain ownership verification method that deters false certificate-issuance and ensures that a set of CAs validates every certificate before any client will accept it. A certificate collectively approved by a set of CAs assures users that the certificate has been seen, and not instantly detected malicious, by a group of CAs. Finally, formal security and performance evaluations prove the reliability and effectiveness of ARCT.https://ieeexplore.ieee.org/document/9099233/TLSPKIlog serverdelegation of trustcollaborative identity verification |
| spellingShingle | Salabat Khan Liehuang Zhu Zijian Zhang Mussadiq Abdul Rahim Khalid Khan Meng Li Attack-Resilient TLS Certificate Transparency IEEE Access TLS PKI log server delegation of trust collaborative identity verification |
| title | Attack-Resilient TLS Certificate Transparency |
| title_full | Attack-Resilient TLS Certificate Transparency |
| title_fullStr | Attack-Resilient TLS Certificate Transparency |
| title_full_unstemmed | Attack-Resilient TLS Certificate Transparency |
| title_short | Attack-Resilient TLS Certificate Transparency |
| title_sort | attack resilient tls certificate transparency |
| topic | TLS PKI log server delegation of trust collaborative identity verification |
| url | https://ieeexplore.ieee.org/document/9099233/ |
| work_keys_str_mv | AT salabatkhan attackresilienttlscertificatetransparency AT liehuangzhu attackresilienttlscertificatetransparency AT zijianzhang attackresilienttlscertificatetransparency AT mussadiqabdulrahim attackresilienttlscertificatetransparency AT khalidkhan attackresilienttlscertificatetransparency AT mengli attackresilienttlscertificatetransparency |