Skip to main content
SpringerLink
Log in

A Hybrid Approach to Ephemeral PKI Credentials Validation and Auditing

  • Conference paper
  • First Online:
Proceedings of the International Conference on Ubiquitous Computing & Ambient Intelligence (UCAmI 2022) (UCAmI 2022)

Part of the book series: Lecture Notes in Networks and Systems ((LNNS,volume 594))

  • 862 Accesses

Abstract

IoT/M2M solutions are expected to rely on near computing infrastructures for deployment of services, frequently ephemeral, that will need adequate protection. Communication protocols in IoT services have widely adopted TLS/PKI as the de facto security standard despite PKI was not designed for issuing short lived credentials. Moreover, after several Certificate Authorities were compromised, some Certificate Pinning proposal were developed to give an additional verification to PKI certificates. Some Certificate Pinning solutions, as Certificate Transparency, provide long term auditing information for PKI certificates issued by renowned Certificate Authorities only, whereas others, as DANE, are able to verify self-issued certificates and give support for security islands that would benefit the development of IoT/M2M micro services but cannot provide long term auditing information. This article describe DANEAudits, a novel service with the objective of complementing DANE with long term auditing information without the need of new Trusted Third Parties different from the information owner.

This work has been supported by grant PID2020–113795RB–C32 funded by MCIN/AEI/10.13039/501100011033, by Madrid regional CYNAMON project (P2018/TCS-4566), co-financed by European Structural Funds ESF and FEDER and supported by the Madrid Government (Comunidad de Madrid-Spain) under the Multiannual Agreement with UC3M in the line of Excellence of University Professors (EPUC3M21), and in the context of the V PRICIT (Regional Programme of Research and Technological Innovation).

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 169.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 219.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    PowerDNS Open Source project can be found at https://www.powerdns.com/.

  2. 2.

    Memgraph community can be found at https://memgraph.com/community.

References

  1. Ashmore, S., Wallace, C.: Using trust anchor constraints during certification path processing. RFC (Informational) 5937, 1–8 (2010). https://doi.org/10.17487/RFC5937. https://www.rfc-editor.org/rfc/rfc5937.txt

  2. Barnes, R.L.: Let the names speak for themselves: improving domain name authentication with DNSSEC and DANE. Internet Protoc. J. 15(1), 201–213 (2015)

    Google Scholar 

  3. Buchmann, J., García, L.C.C., Dahmen, E., Döring, M., Klintsevich, E.: CMSS – an improved Merkle signature scheme. In: Barua, R., Lange, T. (eds.) INDOCRYPT 2006. LNCS, vol. 4329, pp. 349–363. Springer, Heidelberg (2006). https://doi.org/10.1007/11941378_25

    Chapter  Google Scholar 

  4. Berkowsky, J.A., Hayajneh, T.: Security issues with certificate authorities. In: 2017 IEEE 8th Annual Ubiquitous Computing, Electronics and Mobile Communication Conference (UEMCON), pp. 449–455 (2017). https://doi.org/10.1109/UEMCON.2017.8249081

  5. Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., Polk, W.: Internet x.509 public key infrastructure certificate and certificate revocation list (crl) profile. RFC 5280 (Proposed Standard) (2008), , updated by RFC 6818. https://doi.org/10.17487/RFC5280. https://www.rfc-editor.org/rfc/rfc5280.txt

  6. De la Cruz Sánchez, J.M., Sánchez, D.D.: Timestamping service over bitcoin blockchain and prove of ownership by ERC-721 standard and ethereum database implementation. Bachelor’s thesis, Carlos III University of Madrid (2022)

    Google Scholar 

  7. Dierks, T., Rescorla, E.: The transport layer security (tls) protocol version 1.2. RFC 5246 (Proposed Standard) (2008), updated by RFCs 5746, 5878, 6176, 7465, 7507, 7568, 7627, 7685, 7905, 7919. https://doi.org/10.17487/RFC5246. https://www.rfc-editor.org/rfc/rfc5246.txt

  8. Díaz-Sánchez, D., Marín-Lopez, A., Almenarez, F., Arias, P., Sherratt, R.S.: TLS/PKI challenges and certificate pinning techniques for IoT and M2M secure communications. IEEE Commun. Surv. Tutorials, 21, 3502-3531 (2019). https://doi.org/10.1109/COMST.2019.2914453

  9. Eckersley, P.: How secure is HTTPS today? How often is it attacked? (2011). https://www.eff.org/deeplinks/2011/10/how-secure-https-today. Accessed 11 Apr 2018

  10. Evans, C., Palmer, C., Sleevi, R.: Public key pinning extension for HTTP. RFC 7469 (Proposed Standard) (2015). https://doi.org/10.17487/RFC7469. https://www.rfc-editor.org/rfc/rfc7469.txt

  11. Fielding, R.T.: REST: architectural styles and the design of network-based software architectures, Doctoral dissertation, University of California, Irvine (2000). http://www.ics.uci.edu/~fielding/pubs/dissertation/top.htm

  12. Foundation, E.F.: The EFF SSL Observatory (2010). https://www.eff.org/observatory. Accessed 11 Apr 2018

  13. Hallam-Baker, P., Stradling, R.: Dns certification authority authorization (caa) resource record. RFC 6844 (Proposed Standard) (2013). https://doi.org/10.17487/RFC6844. https://www.rfc-editor.org/rfc/rfc6844.txt

  14. Hoffman, P., Schlyter, J.: The DNS-based authentication of named entities (DANE) transport layer security (TLS) protocol: TLSA. RFC 6698 (Proposed Standard) (2012), updated by RFCs 7218, 7671. https://doi.org/10.17487/RFC6698. https://www.rfc-editor.org/rfc/rfc6698.txt

  15. Hoogstraaten, H.: Black Tulip : report of the investigation into the DigiNotar Certificate Authority breach. Cybercrime report PR-110202, Fox-IT BV (2012)

    Google Scholar 

  16. Inc., G.: Certificate transparency website (2016). https://www.certificate-transparency.org/

  17. Karaman, D., Gozuacik, N., Alagoz, M.O., Ilhan, H., Cagal, U., Yavuz, O.: Managing 6LoWPAN sensors with CoAP on internet. In: Signal Processing and Communications Applications Conference (SIU), 2015 23th, pp. 1389–1392. IEEE (2015)

    Google Scholar 

  18. Kent, S., Seo, K.: Security architecture for the internet protocol. RFC 4301 (Proposed Standard) (2005), updated by RFCs 6040, 7619. https://doi.org/10.17487/RFC4301. https://www.rfc-editor.org/rfc/rfc4301.txt

  19. Kushalnagar, N., Montenegro, G., Schumacher, C.: IPv6 over low-power wireless personal area networks (6LoWPANs): Overview, assumptions, problem statement, and goals. RFC 4919 (Informational) (2007). https://doi.org/10.17487/RFC4919. https://www.rfc-editor.org/rfc/rfc4919.txt

  20. Laurie, B., Langley, A., Kasper, E.: Certificate transparency. RFC 6962 (Experimental) (2013). https://doi.org/10.17487/RFC6962. https://www.rfc-editor.org/rfc/rfc6962.txt

  21. Laurie, B.: Secure the internet. Nature 491, 325–326 (2012)

    Google Scholar 

  22. Locke, D.: MQ telemetry transport (MQTT) v3.1 protocol specification. Tech. rep., IBM (2010)

    Google Scholar 

  23. Marlinspike, M.: Trust assertions for certificate keys. Internet-Draft draft-perrin-tls-tack-02, IETF Secretariat (2013). http://www.ietf.org/internet-drafts/draft-perrin-tls-tack-02.txt. http://www.ietf.org/internet-drafts/draft-perrin-tls-tack-02.txt

  24. Rogaway, P., Shrimpton, T.: Cryptographic hash-function basics: definitions, implications, and separations for preimage resistance, second-preimage resistance, and collision resistance. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 371–388. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-25937-4_24

    Chapter  Google Scholar 

  25. Vixie, P., Thomson, S., Rekhter, Y., Bound, J.: Dynamic updates in the domain name system (DNS UPDATE). RFC 2136 (Proposed Standard) (1997), updated by RFCs 3007, 4035, 4033, 4034. https://doi.org/10.17487/RFC2136. https://www.rfc-editor.org/rfc/rfc2136.txt

  26. Wang, Q., Li, R., Wang, Q., Chen, S.: Non-fungible token (NFT): overview, evaluation, opportunities and challenges (2021). https://doi.org/10.48550/ARXIV.2105.07447. https://arxiv.org/abs/2105.07447

  27. Wang, S., Xu, J., Zhang, N., Liu, Y.: A survey on service migration in mobile edge computing. IEEE Access 6, 23511–23528 (2018). https://doi.org/10.1109/ACCESS.2018.2828102

Download references

Author information

Authors and Affiliations

  1. Pervasive Computing Laboratory, Carlos 3rd University of Madrid, Leganés, Madrid, 28911, Spain

    Daniel Díaz-Sanchez, Florina Almenarez Mendoza, Andres Marin Lopez & María Isabel Rojo Rivas

Authors
  1. Daniel Díaz-Sanchez
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Florina Almenarez Mendoza
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Andres Marin Lopez
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. María Isabel Rojo Rivas
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Daniel Díaz-Sanchez .

Editor information

Editors and Affiliations

  1. Castilla-La Mancha University, Ciudad Real, Spain

    José Bravo

  2. Computer Science Department, University of Chile, Santiago, Chile

    Sergio Ochoa

  3. CICESE, Ensenada, Mexico

    Jesús Favela

Rights and permissions

Reprints and permissions

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Díaz-Sanchez, D., Mendoza, F.A., Lopez, A.M., Rivas, M.I.R. (2023). A Hybrid Approach to Ephemeral PKI Credentials Validation and Auditing. In: Bravo, J., Ochoa, S., Favela, J. (eds) Proceedings of the International Conference on Ubiquitous Computing & Ambient Intelligence (UCAmI 2022). UCAmI 2022. Lecture Notes in Networks and Systems, vol 594. Springer, Cham. https://doi.org/10.1007/978-3-031-21333-5_104

Download citation

Publish with us

Policies and ethics

Search

Navigation