Certification authorities under attack: A plea for certificate legitimation

IEEE Internet Computing

Volumn 18, Issue 1, 2014, Pages 40-47

  Oppliger, Rolf ^a  

^a UNIVERSITY OF ZURICH   (Switzerland)

Author keywords

certificate authorization; certificate legitimation; certificate revocation; Internet security; man in the middle attack; public key certificates; public key infrastructure; SSL; TLS

Indexed keywords

CERTIFICATE AUTHORIZATION; CERTIFICATE LEGITIMATION; CERTIFICATE REVOCATION; INTERNET SECURITY; MAN IN THE MIDDLE ATTACKS; PUBLIC KEY CERTIFICATES; PUBLIC KEY INFRASTRUCTURE; SSL; TLS;

INTERNET;

EID: 84896469488     PISSN: 10897801     EISSN: None     Source Type: Journal    
DOI: 10.1109/MIC.2013.5     Document Type: Article

References (21)

1. L.M. Kohnfelder, Towards a Practical Public-Key Cryptosystem, bachelor's thesis, Dept. of Electrical Engineering, MIT, May 1978; http://groups.csail.mit. edu/cis/theses/kohnfelder-bs.
2. C. Ellison and B. Schneier, "Ten Risks of PKI: What You're Not Being Told about Public Key Infrastructure," Computer Security J., vol. 16, no. 1, 2000, pp. 1-7. (Pubitemid 30565287)
3. P. Gutmann, "PKI: It's Not Dead, Just Resting," Computer, vol. 35, no. 8, 2002, pp. 41-49. (Pubitemid 34950479)
4. J. Lopez, R. Oppliger, and G. Pernul, "Why Have Public Key Infrastructures Failed So Far?" Internet Research, vol. 15, no. 5, 2005, pp. 544-556. (Pubitemid 41649219)
5. A. Sotirov et al., MD5 Considered Harmful Today-Creating a Rogue CA Certificate, tech. report, Eindhoven Univ. Tech., 30 Dec. 2008; www.win.tue.nl/hashclash/rogue-ca.
6. M. Myers et al., X.509 Internet Public Key Infrastructure Online Certificate Status Protocol-OCSP, IETF RFC 2560, June 1999; http://tools.ietf. org/html/rfc2560.
7. C. Soghoian and S. Stamm, "Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL," LNCS 7035, Springer, 2012, pp. 250-259.
8. R. Oppliger, R. Hauser, and D. Basin, "SSL/TLS Session-Aware User Authentication," Computer, vol. 41, no. 3, 2008, pp. 59-65.
9. R. Langner, "Stuxnet: Dissecting a Cyberwarfare Weapon," IEEE Security & Privacy, vol. 9, no. 3, 2011, pp. 49-51.
10. R. Anderson et al., The Global Internet Trust Register, MIT Press, 1999.
11. B.C. Popescu, B. Crispo, and A.S. Tanenbaum, "A Certificate Revocation Scheme for a Large-Scale Highly Replicated Distributed System," Proc. 8th IEEE Int'l Symp. Computers and Communication (ISCC), IEEE CS, 2003, pp. 225-231.
12. D. Cooper et al., Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, IETF RFC 5280, May 2008; http://tools.ietf.org/html/rfc5280.
13. Y. Elley et al., "Building Certification Paths: Forward vs. Reverse," Proc. 2001 Network and Distributed System Security Symp. (NDSS 2001), ISOC, 2001, pp. 153-160.
14. M. Marlinspike, "Defeating OCSP with the Character '3,'" 29 July 2009; www.thoughtcrime.org/papers/ocsp-attack.pdf.
15. B. Laurie and A. Langley, "Certificate Authority Transparency and Auditability," white paper, 22 Nov. 2011; www.links.org/files/ CertificateAuthorityTransparencyandAuditability. pdf.
16. A. Shamir, "How to Share a Secret," Comm. ACM, vol. 22, no. 11, 1979, pp. 612-613.
17. C. Evans, C. Palmer, and R. Sheeri, "Public Key Pinning Extension for HTTP," IETF Internet draft, work in progress, June 2013.
18. R. Barnes, Use Cases and Requirements for DNS-Based Authentication of Named Entities (DANE), IETF RFC 6394, Oct. 2011; http://tools.ietf.org/html/ rfc6394.
19. P. Hoffman and J. Schlyter, The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA, IETF RFC 6698, Aug. 2012; http://tools.ietf.org/html/rfc6698.
20. R. Arends et al., DNS Security Introduction and Requirements, IETF RFC 4033, Mar. 2005; http://tools. ietf.org/html/rfc4033.
21. D. Wendtandt, D.G. Andersen, and A. Perrig, "Perspectives: Improving SSH-Style Host Authentication with Multi-Path Probing," Proc. Usenix 2008 Annual Tech. Conf. (ATC 08), Usenix Assoc., 2008, pp. 321-334.