PKI Safety Net (PKISN): Addressing the Too-Big-to-Be-Revoked Problem of the TLS Ecosystem

Szałachowski, Paweł; Chuat, Laurent; Perrig, Adrian

doi:10.1109/eurosp.2016.38

Cited by 34 publications

(26 citation statements)

References 36 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Short-lived, multisigned certificates greatly reduce the need for a revocation system, but do not completely suppress it. Given that designing a satisfactory revocation system has proven to be an extremely challenging task [25,38,39], we consider it to go beyond the scope of this paper. Nevertheless, the security of BlockPKI can be further improved by combining it with any existing revocation scheme.…”

Section: Discussionmentioning

confidence: 99%

BlockPKI: An Automated, Resilient, and Transparent Public-Key Infrastructure

Dykcik

Chuat

Szałachowski³

et al. 2018

2018 IEEE International Conference on Data Mining Workshops (ICDMW)

Self Cite

View full text Add to dashboard Cite

This paper describes BlockPKI, a blockchain-based public-key infrastructure that enables an automated, resilient, and transparent issuance of digital certificates. Our goal is to address several shortcomings of the current TLS infrastructure and its proposed extensions. In particular, we aim at reducing the power of individual certification authorities and make their actions publicly visible and accountable, without introducing yet another trusted third party. To demonstrate the benefits and practicality of our system, we present evaluation results and describe our prototype implementation.

show abstract

Section: Discussionmentioning

confidence: 99%

BlockPKI: An Automated, Resilient, and Transparent Public-Key Infrastructure

Dykcik

Chuat

Szałachowski³

et al. 2018

2018 IEEE International Conference on Data Mining Workshops (ICDMW)

Self Cite

View full text Add to dashboard Cite

show abstract

“…In PoliCert, one Merkle tree contains both the certificates and revocation information, ordered by a hash of the certificate H(C). In yet another variant of these ideas, PKI Safety Net [24] enables verification of both the issuing time order and the non-existence of records for a domain by maintaining two trees that are similar to those in CT and AKI, respectively. Independent monitors maintain a copy of the trees and audit their consistency.…”

Section: Public Logs For Monitoring the Web Pkimentioning

confidence: 99%

Application of Public Ledgers to Revocation in Distributed Access Control

Bui

Aura

2018

Lecture Notes in Computer Science

View full text Add to dashboard Cite

There has recently been a flood of interest in potential new applications of blockchains, as well as proposals for more generic designs called public ledgers. Most of the novel proposals have been in the financial sector. However, the public ledger is an abstraction that solves several of the fundamental problems in the design of secure distributed systems: global time in the form of a strict linear order of past events, globally consistent and immutable view of the history, and enforcement of some application-specific safety properties. This paper investigates the applications of public ledgers to access control and, more specifically, to group management in distributed systems where entities are represented by their public keys and authorization is encoded into signed certificates. It is particularly difficult to handle negative information, such as revocation of certificates or group membership, in the distributed setting. The linear order of events and global consistency simplify these problems, but the enforcement of internal constraints in the ledger implementation often presents problems. We show that different types of revocation require slightly different properties from the ledger. We compare the requirements with Bitcoin, the best known blockchain, and describe an efficient ledger design for membership revocation that combines ideas from blockchains and from web-PKI monitoring. While we use certificate-based groupmembership management as the case study, the same ideas can be applied more widely to rights revocation in distributed systems.

show abstract

“…Both appendonly and ordered Merkle trees enable logarithmic-size proofs of existence and non-existence for certificates, though. In yet another variant of these ideas, PKI Safety Net [36] enables verification of both the issuing time order and the nonexistence of records for a domain by maintaining two trees that are similar to those in CT and AKI, respectively. Independent monitors maintain a copy of the trees and audit their consistency.…”

Section: Public Ledgermentioning

confidence: 99%

Key Exchange with the Help of a Public Ledger

Bui

Aura

2017

Security Protocols XXV

View full text Add to dashboard Cite

Abstract. Blockchains and other public ledger structures promise a new way to create globally consistent event logs and other records. We make use of this consistency property to detect and prevent man-in-the-middle attacks in a key exchange such as Diffie-Hellman or ECDH. Essentially, the MitM attack creates an inconsistency in the world views of the two honest parties, and they can detect it with the help of the ledger. Thus, there is no need for prior knowledge or trusted third parties apart from the distributed ledger. To prevent impersonation attacks, we require user interaction. It appears that, in some applications, the required user interaction is reduced in comparison to other user-assisted key-exchange protocols.

show abstract

PKI Safety Net (PKISN): Addressing the Too-Big-to-Be-Revoked Problem of the TLS Ecosystem

Cited by 34 publications

References 36 publications

BlockPKI: An Automated, Resilient, and Transparent Public-Key Infrastructure

BlockPKI: An Automated, Resilient, and Transparent Public-Key Infrastructure

Application of Public Ledgers to Revocation in Distributed Access Control

Key Exchange with the Help of a Public Ledger

Contact Info

Product

Resources

About