Checks and balances

A tripartite public key infrastructure for secure web-based connections

Jing Chen, Shixiong Yao, Quan Yuan, Ruiying Du, Guoliang Xue

Research output: Chapter in Book/Report/Conference proceedingConference contribution

1 Citation (Scopus)

Abstract

Recent real-world attacks against Certification Authorities (CAs) and fraudulently issued certificates arouse the public to rethink the security of public key infrastructure for web-based connections. To distribute the trust of CAs, notaries, as an independent party, are introduced to record certificates, and a client can request an audit proof of certificates from notaries directly. However, there are two challenges. On one hand, existing works consider the security of notaries insufficiently. Due to lack of systematic mutual verification, notaries might bring safety bottlenecks. On the other hand, the service of these works is not sustainable, when any party leaks its private key or fails. In this paper, we propose a Tripartite Public Key Infrastructure (TriPKI), using Certificates Authorities, Integrity Log Servers, and Domain Name Servers, to provide a basis for establishing secure SSL/TLS connections. Specifically, we apply checks-and balances among those three parties in the structure to make them verify mutually, which avoids any single party compromise. Furthermore, we design a collaborative certificate management scheme to provide sustainable services. The security analysis and experiment results demonstrate that our scheme is suitable for practical usage with moderate overhead.

Original languageEnglish (US)
Title of host publicationINFOCOM 2017 - IEEE Conference on Computer Communications
PublisherInstitute of Electrical and Electronics Engineers Inc.
ISBN (Electronic)9781509053360
DOIs
StatePublished - Oct 2 2017
Event2017 IEEE Conference on Computer Communications, INFOCOM 2017 - Atlanta, United States
Duration: May 1 2017May 4 2017

Other

Other2017 IEEE Conference on Computer Communications, INFOCOM 2017
CountryUnited States
CityAtlanta
Period5/1/175/4/17

Fingerprint

Servers
Experiments

Keywords

  • DNS-based
  • Mutual Verification
  • Public Key Infrastructure

ASJC Scopus subject areas

  • Computer Science(all)
  • Electrical and Electronic Engineering

Cite this

Chen, J., Yao, S., Yuan, Q., Du, R., & Xue, G. (2017). Checks and balances: A tripartite public key infrastructure for secure web-based connections. In INFOCOM 2017 - IEEE Conference on Computer Communications [8057201] Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/INFOCOM.2017.8057201

Checks and balances : A tripartite public key infrastructure for secure web-based connections. / Chen, Jing; Yao, Shixiong; Yuan, Quan; Du, Ruiying; Xue, Guoliang.

INFOCOM 2017 - IEEE Conference on Computer Communications. Institute of Electrical and Electronics Engineers Inc., 2017. 8057201.

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Chen, J, Yao, S, Yuan, Q, Du, R & Xue, G 2017, Checks and balances: A tripartite public key infrastructure for secure web-based connections. in INFOCOM 2017 - IEEE Conference on Computer Communications., 8057201, Institute of Electrical and Electronics Engineers Inc., 2017 IEEE Conference on Computer Communications, INFOCOM 2017, Atlanta, United States, 5/1/17. https://doi.org/10.1109/INFOCOM.2017.8057201
Chen J, Yao S, Yuan Q, Du R, Xue G. Checks and balances: A tripartite public key infrastructure for secure web-based connections. In INFOCOM 2017 - IEEE Conference on Computer Communications. Institute of Electrical and Electronics Engineers Inc. 2017. 8057201 https://doi.org/10.1109/INFOCOM.2017.8057201
Chen, Jing ; Yao, Shixiong ; Yuan, Quan ; Du, Ruiying ; Xue, Guoliang. / Checks and balances : A tripartite public key infrastructure for secure web-based connections. INFOCOM 2017 - IEEE Conference on Computer Communications. Institute of Electrical and Electronics Engineers Inc., 2017.
@inproceedings{692d6c3123c74105bc694e0fd7a874fc,
title = "Checks and balances: A tripartite public key infrastructure for secure web-based connections",
abstract = "Recent real-world attacks against Certification Authorities (CAs) and fraudulently issued certificates arouse the public to rethink the security of public key infrastructure for web-based connections. To distribute the trust of CAs, notaries, as an independent party, are introduced to record certificates, and a client can request an audit proof of certificates from notaries directly. However, there are two challenges. On one hand, existing works consider the security of notaries insufficiently. Due to lack of systematic mutual verification, notaries might bring safety bottlenecks. On the other hand, the service of these works is not sustainable, when any party leaks its private key or fails. In this paper, we propose a Tripartite Public Key Infrastructure (TriPKI), using Certificates Authorities, Integrity Log Servers, and Domain Name Servers, to provide a basis for establishing secure SSL/TLS connections. Specifically, we apply checks-and balances among those three parties in the structure to make them verify mutually, which avoids any single party compromise. Furthermore, we design a collaborative certificate management scheme to provide sustainable services. The security analysis and experiment results demonstrate that our scheme is suitable for practical usage with moderate overhead.",
keywords = "DNS-based, Mutual Verification, Public Key Infrastructure",
author = "Jing Chen and Shixiong Yao and Quan Yuan and Ruiying Du and Guoliang Xue",
year = "2017",
month = "10",
day = "2",
doi = "10.1109/INFOCOM.2017.8057201",
language = "English (US)",
booktitle = "INFOCOM 2017 - IEEE Conference on Computer Communications",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
address = "United States",

}

TY - GEN

T1 - Checks and balances

T2 - A tripartite public key infrastructure for secure web-based connections

AU - Chen, Jing

AU - Yao, Shixiong

AU - Yuan, Quan

AU - Du, Ruiying

AU - Xue, Guoliang

PY - 2017/10/2

Y1 - 2017/10/2

N2 - Recent real-world attacks against Certification Authorities (CAs) and fraudulently issued certificates arouse the public to rethink the security of public key infrastructure for web-based connections. To distribute the trust of CAs, notaries, as an independent party, are introduced to record certificates, and a client can request an audit proof of certificates from notaries directly. However, there are two challenges. On one hand, existing works consider the security of notaries insufficiently. Due to lack of systematic mutual verification, notaries might bring safety bottlenecks. On the other hand, the service of these works is not sustainable, when any party leaks its private key or fails. In this paper, we propose a Tripartite Public Key Infrastructure (TriPKI), using Certificates Authorities, Integrity Log Servers, and Domain Name Servers, to provide a basis for establishing secure SSL/TLS connections. Specifically, we apply checks-and balances among those three parties in the structure to make them verify mutually, which avoids any single party compromise. Furthermore, we design a collaborative certificate management scheme to provide sustainable services. The security analysis and experiment results demonstrate that our scheme is suitable for practical usage with moderate overhead.

AB - Recent real-world attacks against Certification Authorities (CAs) and fraudulently issued certificates arouse the public to rethink the security of public key infrastructure for web-based connections. To distribute the trust of CAs, notaries, as an independent party, are introduced to record certificates, and a client can request an audit proof of certificates from notaries directly. However, there are two challenges. On one hand, existing works consider the security of notaries insufficiently. Due to lack of systematic mutual verification, notaries might bring safety bottlenecks. On the other hand, the service of these works is not sustainable, when any party leaks its private key or fails. In this paper, we propose a Tripartite Public Key Infrastructure (TriPKI), using Certificates Authorities, Integrity Log Servers, and Domain Name Servers, to provide a basis for establishing secure SSL/TLS connections. Specifically, we apply checks-and balances among those three parties in the structure to make them verify mutually, which avoids any single party compromise. Furthermore, we design a collaborative certificate management scheme to provide sustainable services. The security analysis and experiment results demonstrate that our scheme is suitable for practical usage with moderate overhead.

KW - DNS-based

KW - Mutual Verification

KW - Public Key Infrastructure

UR - http://www.scopus.com/inward/record.url?scp=85034034723&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85034034723&partnerID=8YFLogxK

U2 - 10.1109/INFOCOM.2017.8057201

DO - 10.1109/INFOCOM.2017.8057201

M3 - Conference contribution

BT - INFOCOM 2017 - IEEE Conference on Computer Communications

PB - Institute of Electrical and Electronics Engineers Inc.

ER -