A Complete Study of P.K.I. (PKI’s Known Incidents)

Serrano, Nicolás; Hadan, Hilda; Camp, L. Jean

doi:10.2139/ssrn.3425554

Cited by 13 publications

(6 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A number of weaknesses have however been identified for the PKI, an academic research report authored by a team from the school of informatics and computing at Indiana University Bloomington, Software bugs and misinterpretations of industry standards accounts for 42% of incorrectly-issued SSL certificates. The research looked at 379 instances of miss-issued SSL certificates from a total of over 1300 known incidents [16].…”

Section: Literature Review and Related Workmentioning

confidence: 99%

“…This involves people, technology and processes, not everything is dependent on cryptography, [23], an employee from StartCom was able to get a domain certificate for "mozilla.com" from CertStar, a Registration Authority of Comodo. There was no validation at all at the Registration Authority in the certificate request [16].…”

Section: Cases Of Breached Pki Securitymentioning

confidence: 99%

“…Certificate Authorities have had several slips where they issued certificates without adhering to rules. CAs have issued SSL certificates that have been used to perform man-in-the-middle (MitM) attacks and intercept HTTPS traffic have been used for malware operations or CAs issued certificates without following standard procedures because of human errors, accident, or to cut costs and increase profits [16]. As long as certificate issuance remains a business, the motivation to increase profit and cut down cost is eminent.…”

Section: Public Key Infrastructure Weaknessesmentioning

confidence: 99%

See 2 more Smart Citations

Public Key Infrastructure: An Enhanced Validation Framework

Danquah¹,

Kwabena-Adade²

2020

JIS

View full text Add to dashboard Cite

Public Key Infrastructure (PKI) is a comprehensive information security framework for providing secure information and communication over the internet. Its need and use has grown over the years and continually grows. This research work examines the current PKI framework's validation process as operated by vendors and subscribers to identify the drawbacks and propose enhanced approaches to its validation mechanism. Using an approach of reviewing secondary data, critical weaknesses of integrity, proof of trust and single point-of-failure were identified with the current PKI framework. This study therefore advances proposed solutions to address the identified weaknesses by specifically introducing multiple Certificate Authorities, storage, visibility and searchability of subscriber information in public repository. A comprehensive detail of its implementation is proposed to address the identified weaknesses of uncertain integrity, trust for certificate authorities and prevent a single point of failure. Furthermore, the proposed enhancements are validated with the protection motivation theory and a framework for empirically testing the enhancements is suggested. Further research would be required to factor in multi-factor authentication without compromising performance.

show abstract

Section: Literature Review and Related Workmentioning

confidence: 99%

Section: Cases Of Breached Pki Securitymentioning

confidence: 99%

Section: Public Key Infrastructure Weaknessesmentioning

confidence: 99%

See 1 more Smart Citation

Public Key Infrastructure: An Enhanced Validation Framework

Danquah¹,

Kwabena-Adade²

2020

JIS

View full text Add to dashboard Cite

show abstract

“…Several CAs in the past have been found deviating from the guidelines and requirements regarding certificate issuance and management of private keys as set by the Certification Authority Browser (CAB) Forum [18]. A comprehensive study by Serrano et al [19] revealed notable incidents of private key exposure, which include: eight cases by Comodo, five by WoSign, four by Symantec and VeriSign, two by DigiCert, and one by DigiNotar, India CCA, Let's Encrypt, StartCom and Thawte. In most cases, operating systems and browsers distrusted CAs after publicly published incidents.…”

Section: Introductionmentioning

confidence: 99%

Blindfold: Keeping Private Keys in PKIs and CDNs out of Sight

Galal,

Mannan,

Youssef

2022

Preprint

View full text Add to dashboard Cite

Public key infrastructure (PKI) is a certificate-based technology that helps in authenticating systems identities. HTTPS/TLS relies mainly on PKI to minimize fraud over the Internet. Nowadays, websites utilize CDNs to improve user experience, performance, and resilience against cyber attacks. However, combining HTTPS/TLS with CDNs has raised new security challenges. In any PKI system, keeping private keys private is of utmost importance. However, it has become the norm for CDN-powered websites to violate that fundamental assumption. Several solutions have been proposed to make HTTPS CDN-friendly. However, protection of private keys from the very instance of generation; and how they can be made secure against exposure by malicious (CDN) administrators and malware remain unexplored. We utilize trusted execution environments to protect private keys by never exposing them to human operators or untrusted software. We design Blindfold to protect private keys in HTTPS/TLS infrastructures, including CAs, website on-premise servers, and CDNs. We implemented a prototype to assess Blindfold's performance and performed several experiments on both the micro and macro levels. We found that Blindfold slightly outperforms SoftHSM in key generation by 1% while lagging by 0.01% for certificate issuance operations.

show abstract

“…On the CA side, automation bolsters security by reducing opportunities for human error, historically a frequent cause of misissuance events [86]. The only way for Let's Encrypt to validate a domain and issue a certificate is through the normal API; there is no manual override.…”

Section: Introductionmentioning

confidence: 99%

Let's Encrypt

Aas¹,

Barnes

Case

et al. 2019

Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

Let's Encrypt is a free, open, and automated HTTPS certificate authority (CA) created to advance HTTPS adoption to the entire Web. Since its launch in late 2015, Let's Encrypt has grown to become the world's largest HTTPS CA, accounting for more currently valid certificates than all other browser-trusted CAs combined. By January 2019, it had issued over 538 million certificates for 223 million domain names. We describe how we built Let's Encrypt, including the architecture of the CA software system (Boulder) and the structure of the organization that operates it (ISRG), and we discuss lessons learned from the experience. We also describe the design of ACME, the IETF-standard protocol we created to automate CA-server interactions and certificate issuance, and survey the diverse ecosystem of ACME clients, including Certbot, a software agent we created to automate HTTPS deployment. Finally, we measure Let's Encrypt's impact on the Web and the CA ecosystem. We hope that the success of Let's Encrypt can provide a model for further enhancements to the Web PKI and for future Internet security infrastructure. CCS CONCEPTS • Networks → Web protocol security; • Security and privacy → Security services; Usability in security and privacy.

show abstract

A Complete Study of P.K.I. (PKI’s Known Incidents)

Cited by 13 publications

References 27 publications

Public Key Infrastructure: An Enhanced Validation Framework

Public Key Infrastructure: An Enhanced Validation Framework

Blindfold: Keeping Private Keys in PKIs and CDNs out of Sight

Let's Encrypt

Contact Info

Product

Resources

About