Abstract
This paper presents a novel framework to substantiate self-signed certificates in the absence of a trusted certificate authority. In particular, we aim to address the problem of web-based SSL man-in-the-middle attacks. This problem originates from the fact that public keys are distributed through insecure channels prior to encryption. Therefore, a man-in-the-middle attacker may substitute an arbitrary public key during the exchange process and compromise communication between a client and server. Typically, web clients (browsers) recognize this potential security breach and display warning prompts, but often to no avail as users simply accept the certificate since they lack the understanding of Public Key Infrastructures (PKIs) and the meaning of these warnings. In order to enhance the security of public key exchanges, we have devised an automated system to leverage one or more vantage points of a certificate from hosts that have distinct pathways to a remote server. That is, we have a set of distributed servers simultaneously retrieve the server’s public key. By comparing the keys received by peers, we can identify any deviations and verify that an attacker has not compromised the link between a client and server. This is attributable to the fact that an attacker would have to compromise all paths between these vantage points and the server. Therefore, our technique greatly reduces the likelihood of a successful attack, and removes the necessity for human interaction.
This is a preview of subscription content, log in via an institution to check access.
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Bahl, P., Balachandran, A., Venkatachary, S.: Secure Wireless Internet Access in Public Places. In: Proc. of the International Communications Conference (ICC), Helsinki, Finland (June 2001)
Bruschi, D., Ornaghi, A., Rosti, E.: S-ARP: A Secure Address Resolution Protocol. In: Proc. of the Annual Computer Security Applications Conference (ACSAC), Las Vegas, NV (December 2003)
Burkholder, P.: SSL Man-in-the-Middle Attacks. The SANS Institute (February 2002)
Cahill, V., Shand, B., Gray, E.: Using Trust for Secure Collaboration in Uncertain Environments. Pervasive Computing 2(3), 52–61 (2003)
Chomsiri, T.: HTTPS Hacking Protection. In: Proc. of Advanced Information Networking and Applications Workshops (AINAW), Mahasarakham, Thailand (May 2007)
Demerjian, J., Serhrouchni, A., Achemlal, M.: Certificate-based Access Control and Authentication for DHCP. In: Proc. of the International Conference on E-Business and Telecommunication Networks (ICETE), Setubal, Portugal (August 2004)
Eastlake, D.: Domain Name System Security Extensions. RFC 2535 (March 1999)
Ettercap, http://ettercap.sourceforge.net/
Gouda, M., Huang, C.: A Secure Address Resolution Protocol. The Computer Networks Journal 41(1), 57–71 (2003)
Komori, T., Saito, T.: The Secure DHCP System with User Authentication. In: Proc. of Local Computer Networks (LCN), Washington DC (November 2002)
Lootah, W., Enck, W., McDaniel, P.: TARP: ticket-based address resolution protocol. In: Proc. of the Annual Computer Security Applications Conference (ACSAC), Tucson, AZ (December 2005)
Meyer, D.: University of Oregon Route Views Project, http://www.antc.uoregon.edu/route-views/
Morley Mao, Z., Rexford, J., Wang, J., Katz, R.: Towards an Accurate AS-Level Traceroute Tool. In: Proc. of the Special Interest Group on Data Communication (SIGCOMM), Karlsruhe, Germany (August 2003)
PlanetLab: An Open Platform for Developing, Deploying, and Accessing Planetary-Scale Services, http://www.planet-lab.org/
Poole, L., Pai, V.S.: ConfiDNS: Leveraging scale and history to improve DNS security. In: Proc. of Third Workshop on Real, Large Distributed Systems (WORLDS), Seattle, WA (November 2006)
Routing Assets Database (RADb), http://www.radb.net/
Routing Information Service (RIS), http://www.ripe.net/ris/ris-index.html
Spring, N., Wetherall, D., Anderson, T.: Scriptroute: A Public Internet Measurement Facility. In: Proc. of the Internet Technologies and Systems (ITS), Seattle, WA (March 2003)
Wagner, R.: Address Resolution Protocol Spoofing and Man-in-the-Middle Attacks. The SANS Institute (August 2001)
Xia, H., Brustoloni, J.C.: Hardening Web Browsers Against Man-in-the-Middle and Eavesdropping Attacks. In: Proc. of the 14th International World Wide Web (WWW) Conference, Chiba, Japan (May 2005)
Zhou, L., Schneider, F., van Renesse, R.: COCA: A Secure Distributed On-line Certification Authority. ACM Transactions on Computer Systems 20(4), 329–368 (2002)
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 2008 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Stone-Gross, B., Sigal, D., Cohn, R., Morse, J., Almeroth, K., Kruegel, C. (2008). VeriKey: A Dynamic Certificate Verification System for Public Key Exchanges. In: Zamboni, D. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2008. Lecture Notes in Computer Science, vol 5137. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-70542-0_3
Download citation
DOI: https://doi.org/10.1007/978-3-540-70542-0_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-70541-3
Online ISBN: 978-3-540-70542-0
eBook Packages: Computer ScienceComputer Science (R0)