Abstract
IoT/M2M solutions are expected to rely on near computing infrastructures for deployment of services, frequently ephemeral, that will need adequate protection. Communication protocols in IoT services have widely adopted TLS/PKI as the de facto security standard despite PKI was not designed for issuing short lived credentials. Moreover, after several Certificate Authorities were compromised, some Certificate Pinning proposal were developed to give an additional verification to PKI certificates. Some Certificate Pinning solutions, as Certificate Transparency, provide long term auditing information for PKI certificates issued by renowned Certificate Authorities only, whereas others, as DANE, are able to verify self-issued certificates and give support for security islands that would benefit the development of IoT/M2M micro services but cannot provide long term auditing information. This article describe DANEAudits, a novel service with the objective of complementing DANE with long term auditing information without the need of new Trusted Third Parties different from the information owner.
This work has been supported by grant PID2020–113795RB–C32 funded by MCIN/AEI/10.13039/501100011033, by Madrid regional CYNAMON project (P2018/TCS-4566), co-financed by European Structural Funds ESF and FEDER and supported by the Madrid Government (Comunidad de Madrid-Spain) under the Multiannual Agreement with UC3M in the line of Excellence of University Professors (EPUC3M21), and in the context of the V PRICIT (Regional Programme of Research and Technological Innovation).
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
PowerDNS Open Source project can be found at https://www.powerdns.com/.
- 2.
Memgraph community can be found at https://memgraph.com/community.
References
Ashmore, S., Wallace, C.: Using trust anchor constraints during certification path processing. RFC (Informational) 5937, 1–8 (2010). https://doi.org/10.17487/RFC5937. https://www.rfc-editor.org/rfc/rfc5937.txt
Barnes, R.L.: Let the names speak for themselves: improving domain name authentication with DNSSEC and DANE. Internet Protoc. J. 15(1), 201–213 (2015)
Buchmann, J., García, L.C.C., Dahmen, E., Döring, M., Klintsevich, E.: CMSS – an improved Merkle signature scheme. In: Barua, R., Lange, T. (eds.) INDOCRYPT 2006. LNCS, vol. 4329, pp. 349–363. Springer, Heidelberg (2006). https://doi.org/10.1007/11941378_25
Berkowsky, J.A., Hayajneh, T.: Security issues with certificate authorities. In: 2017 IEEE 8th Annual Ubiquitous Computing, Electronics and Mobile Communication Conference (UEMCON), pp. 449–455 (2017). https://doi.org/10.1109/UEMCON.2017.8249081
Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., Polk, W.: Internet x.509 public key infrastructure certificate and certificate revocation list (crl) profile. RFC 5280 (Proposed Standard) (2008), , updated by RFC 6818. https://doi.org/10.17487/RFC5280. https://www.rfc-editor.org/rfc/rfc5280.txt
De la Cruz Sánchez, J.M., Sánchez, D.D.: Timestamping service over bitcoin blockchain and prove of ownership by ERC-721 standard and ethereum database implementation. Bachelor’s thesis, Carlos III University of Madrid (2022)
Dierks, T., Rescorla, E.: The transport layer security (tls) protocol version 1.2. RFC 5246 (Proposed Standard) (2008), updated by RFCs 5746, 5878, 6176, 7465, 7507, 7568, 7627, 7685, 7905, 7919. https://doi.org/10.17487/RFC5246. https://www.rfc-editor.org/rfc/rfc5246.txt
Díaz-Sánchez, D., Marín-Lopez, A., Almenarez, F., Arias, P., Sherratt, R.S.: TLS/PKI challenges and certificate pinning techniques for IoT and M2M secure communications. IEEE Commun. Surv. Tutorials, 21, 3502-3531 (2019). https://doi.org/10.1109/COMST.2019.2914453
Eckersley, P.: How secure is HTTPS today? How often is it attacked? (2011). https://www.eff.org/deeplinks/2011/10/how-secure-https-today. Accessed 11 Apr 2018
Evans, C., Palmer, C., Sleevi, R.: Public key pinning extension for HTTP. RFC 7469 (Proposed Standard) (2015). https://doi.org/10.17487/RFC7469. https://www.rfc-editor.org/rfc/rfc7469.txt
Fielding, R.T.: REST: architectural styles and the design of network-based software architectures, Doctoral dissertation, University of California, Irvine (2000). http://www.ics.uci.edu/~fielding/pubs/dissertation/top.htm
Foundation, E.F.: The EFF SSL Observatory (2010). https://www.eff.org/observatory. Accessed 11 Apr 2018
Hallam-Baker, P., Stradling, R.: Dns certification authority authorization (caa) resource record. RFC 6844 (Proposed Standard) (2013). https://doi.org/10.17487/RFC6844. https://www.rfc-editor.org/rfc/rfc6844.txt
Hoffman, P., Schlyter, J.: The DNS-based authentication of named entities (DANE) transport layer security (TLS) protocol: TLSA. RFC 6698 (Proposed Standard) (2012), updated by RFCs 7218, 7671. https://doi.org/10.17487/RFC6698. https://www.rfc-editor.org/rfc/rfc6698.txt
Hoogstraaten, H.: Black Tulip : report of the investigation into the DigiNotar Certificate Authority breach. Cybercrime report PR-110202, Fox-IT BV (2012)
Inc., G.: Certificate transparency website (2016). https://www.certificate-transparency.org/
Karaman, D., Gozuacik, N., Alagoz, M.O., Ilhan, H., Cagal, U., Yavuz, O.: Managing 6LoWPAN sensors with CoAP on internet. In: Signal Processing and Communications Applications Conference (SIU), 2015 23th, pp. 1389–1392. IEEE (2015)
Kent, S., Seo, K.: Security architecture for the internet protocol. RFC 4301 (Proposed Standard) (2005), updated by RFCs 6040, 7619. https://doi.org/10.17487/RFC4301. https://www.rfc-editor.org/rfc/rfc4301.txt
Kushalnagar, N., Montenegro, G., Schumacher, C.: IPv6 over low-power wireless personal area networks (6LoWPANs): Overview, assumptions, problem statement, and goals. RFC 4919 (Informational) (2007). https://doi.org/10.17487/RFC4919. https://www.rfc-editor.org/rfc/rfc4919.txt
Laurie, B., Langley, A., Kasper, E.: Certificate transparency. RFC 6962 (Experimental) (2013). https://doi.org/10.17487/RFC6962. https://www.rfc-editor.org/rfc/rfc6962.txt
Laurie, B.: Secure the internet. Nature 491, 325–326 (2012)
Locke, D.: MQ telemetry transport (MQTT) v3.1 protocol specification. Tech. rep., IBM (2010)
Marlinspike, M.: Trust assertions for certificate keys. Internet-Draft draft-perrin-tls-tack-02, IETF Secretariat (2013). http://www.ietf.org/internet-drafts/draft-perrin-tls-tack-02.txt. http://www.ietf.org/internet-drafts/draft-perrin-tls-tack-02.txt
Rogaway, P., Shrimpton, T.: Cryptographic hash-function basics: definitions, implications, and separations for preimage resistance, second-preimage resistance, and collision resistance. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 371–388. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-25937-4_24
Vixie, P., Thomson, S., Rekhter, Y., Bound, J.: Dynamic updates in the domain name system (DNS UPDATE). RFC 2136 (Proposed Standard) (1997), updated by RFCs 3007, 4035, 4033, 4034. https://doi.org/10.17487/RFC2136. https://www.rfc-editor.org/rfc/rfc2136.txt
Wang, Q., Li, R., Wang, Q., Chen, S.: Non-fungible token (NFT): overview, evaluation, opportunities and challenges (2021). https://doi.org/10.48550/ARXIV.2105.07447. https://arxiv.org/abs/2105.07447
Wang, S., Xu, J., Zhang, N., Liu, Y.: A survey on service migration in mobile edge computing. IEEE Access 6, 23511–23528 (2018). https://doi.org/10.1109/ACCESS.2018.2828102
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Díaz-Sanchez, D., Mendoza, F.A., Lopez, A.M., Rivas, M.I.R. (2023). A Hybrid Approach to Ephemeral PKI Credentials Validation and Auditing. In: Bravo, J., Ochoa, S., Favela, J. (eds) Proceedings of the International Conference on Ubiquitous Computing & Ambient Intelligence (UCAmI 2022). UCAmI 2022. Lecture Notes in Networks and Systems, vol 594. Springer, Cham. https://doi.org/10.1007/978-3-031-21333-5_104
Download citation
DOI: https://doi.org/10.1007/978-3-031-21333-5_104
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-21332-8
Online ISBN: 978-3-031-21333-5
eBook Packages: Intelligent Technologies and RoboticsIntelligent Technologies and Robotics (R0)