TY - GEN
T1 - Checks and balances
T2 - 2017 IEEE Conference on Computer Communications, INFOCOM 2017
AU - Chen, Jing
AU - Yao, Shixiong
AU - Yuan, Quan
AU - Du, Ruiying
AU - Xue, Guoliang
N1 - Funding Information:
Chen and Yao are with State Key Laboratory of Software Engineering, Computer School, Wuhan University, Wuhan, China 430072. Email: {chenjing, derekysx}@whu.edu.cn. Yuan is with University of Texas-Permian Basin, TX, 79762. Email: dantes.yuan@gmail.com. Du is with Collaborative Innovation Center of Geospatial Technology, Wuhan, China 430072. Email: duraying@whu.edu.cn. Xue is with Arizona State University, Tempe, AZ 85287. Email: xue@asu.edu. This research was supported in part by NSF grants 1457262 and 1421685, the National Natural Science Foundation of China under Grant No. 61272451, 61173154, 61232002, 61373169, 61332019, and the Major State Basic Research Development Program of China under Grant No. 2014CB340600. The information reported here does not reflect the position or the policy of the funding agencies. The corresponding author is Shixiong Yao.
Publisher Copyright:
© 2017 IEEE.
PY - 2017/10/2
Y1 - 2017/10/2
N2 - Recent real-world attacks against Certification Authorities (CAs) and fraudulently issued certificates arouse the public to rethink the security of public key infrastructure for web-based connections. To distribute the trust of CAs, notaries, as an independent party, are introduced to record certificates, and a client can request an audit proof of certificates from notaries directly. However, there are two challenges. On one hand, existing works consider the security of notaries insufficiently. Due to lack of systematic mutual verification, notaries might bring safety bottlenecks. On the other hand, the service of these works is not sustainable, when any party leaks its private key or fails. In this paper, we propose a Tripartite Public Key Infrastructure (TriPKI), using Certificates Authorities, Integrity Log Servers, and Domain Name Servers, to provide a basis for establishing secure SSL/TLS connections. Specifically, we apply checks-and balances among those three parties in the structure to make them verify mutually, which avoids any single party compromise. Furthermore, we design a collaborative certificate management scheme to provide sustainable services. The security analysis and experiment results demonstrate that our scheme is suitable for practical usage with moderate overhead.
AB - Recent real-world attacks against Certification Authorities (CAs) and fraudulently issued certificates arouse the public to rethink the security of public key infrastructure for web-based connections. To distribute the trust of CAs, notaries, as an independent party, are introduced to record certificates, and a client can request an audit proof of certificates from notaries directly. However, there are two challenges. On one hand, existing works consider the security of notaries insufficiently. Due to lack of systematic mutual verification, notaries might bring safety bottlenecks. On the other hand, the service of these works is not sustainable, when any party leaks its private key or fails. In this paper, we propose a Tripartite Public Key Infrastructure (TriPKI), using Certificates Authorities, Integrity Log Servers, and Domain Name Servers, to provide a basis for establishing secure SSL/TLS connections. Specifically, we apply checks-and balances among those three parties in the structure to make them verify mutually, which avoids any single party compromise. Furthermore, we design a collaborative certificate management scheme to provide sustainable services. The security analysis and experiment results demonstrate that our scheme is suitable for practical usage with moderate overhead.
KW - DNS-based
KW - Mutual Verification
KW - Public Key Infrastructure
UR - http://www.scopus.com/inward/record.url?scp=85034034723&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85034034723&partnerID=8YFLogxK
U2 - 10.1109/INFOCOM.2017.8057201
DO - 10.1109/INFOCOM.2017.8057201
M3 - Conference contribution
AN - SCOPUS:85034034723
T3 - Proceedings - IEEE INFOCOM
BT - INFOCOM 2017 - IEEE Conference on Computer Communications
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 1 May 2017 through 4 May 2017
ER -