Abstract
Secure end-to-end communication requires endpoint authenticity. Authenticating an endpoint in large networks, that is assuring that the other communication party is indeed who he or she claims to be, is a non-trivial task. Currently, the adopted solution is to rely on trusted third parties, who vouch for a certain host’s authenticity. Recent incidents at renowned trusted third parties, as well as long standing problems, indicate a need for alternative solutions. We propose STUNT, a system that helps users to assess a host’s authenticity by its trust relationships with other hosts. Hosts operated by service providers have to establish mutual trust relationships with other service providers to appear trustworthy to a user. These trust relationships are both limited and expensive, and thus STUNT enforces careful trust decisions by service operators. Clients are able to verify these trust relationships by cryptographic means. The verified trust relationships are presented to the users, to assist them with assessing the authenticity of the host. Ultimately, the trust decision rests with the user, leading to an individual, self-maintained trust base. We believe that, given the right tools, people are very well able to decide on a host’s authenticity, and describe a possible technical concept to support informed decision-making.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Abdul-Rahman, A., Hailes, S.: A Distributed Trust Model. In: Proceedings of the 1997 Workshop on New Security Paradigms, pp. 48–60. ACM Press, New York (1997)
Arnbak, A.M., van Eijk, N.A.N.M.: Certificate Authority Collapse - Regulating Systemic Vulnerabilities in the HTTPS Value Chain. In: Telecommunications Policy Research Conference (2012), http://www.ssrn.com/link/2012-TPRC.html
Artz, D., Gil, Y.: A Survey of Trust in Computer Science and the Semantic Web. Web Sem. 5(2), 58–71 (2007)
Back, A.: Hashcash - A Denial of Service Counter-Measure. Technical Report (2002)
Bartsch, S., Volkamer, M., Theuerling, H., Karayumak, F.: Contextualized Web Warnings, and How They Cause Distrust. In: Huth, M., Asokan, N., Čapkun, S., Flechais, I., Coles-Kemp, L. (eds.) TRUST 2013. LNCS, vol. 7904, pp. 205–222. Springer, Heidelberg (2013)
Blaze, M., Feigenbaum, J., Lacy, J.: Decentralized Trust Management. In: IEEE Symposium on Security and Privacy, pp. 164–173. IEEE Press, Washington DC (1996)
Blaze, M., Feigenbaum, J., Keromytis, A.D.: KeyNote: Trust Management for Public-Key Infrastructures. In: 6th International Workshop on Security Protocols, pp. 59–63. Springer, London (1999)
Chu, Y.-H., Feigenbaum, J., LaMacchia, B., Resnick, P., Strauss, M.: REFEREE: Trust Management for Web Applications. World Wide Web 2(3), 127–139 (1997)
Dang, Q., Blank, R.M., Gallagher, P.: Recommendation for Applications Using Approved Hash Algorithms. NIST Special Publication 800-107, Rev. 1. National Institute of Standards and Technology (2012)
Dolev, D., Yao, A.: On the security of public key protocols. IEEE Trans. on Inf. Theory 29(2), 198–207 (1983)
Ellison, C., Schneier, B.: Ten Risks of PKI: What You’re Not Being Told About Public Key Infrastructure. Comp. Sec. 16(1), 1–7 (2000)
European Network and Information Security Agency (ENISA): Operation Black Tulip: Certificate Authorities lose authority (2011), http://www.enisa.europa.eu/media/news-items/operation-black-tulip/view
Evans, C., Palmer, C., Sleevi, R.: Public Key Pinning Extension for HTTP, IETF Experimental Draft (2012), https://tools.ietf.org/html/draft-ietf-websec-key-pinning-04
Georgiev, M., Iyengar, S., Jana, S., Anubhai, R., Boneh, D., Shmatikov, V.: The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software. In: Computer and Communications Security, pp. 38–49. ACM Press, New York (2012)
Gutmann, P.: PKI: It’s Not Dead, Just Resting. Computer 35(8), 41–49 (2002)
Hoogstraaten, H., Prins, R., Niggebrugge, D., Heppener, D., Groenewegen, F., Wettinck, J., Strooy, K., Arends, P., Pols, P., Kouprie, R., Moorress, S., van Pelt, X., Zheng, H.Y.: Black Tulip - Fox-IT Report of the Investigation into the DigiNotar Certificate Authority Breach (2012), http://tinyurl.com/942cr6h
ITU-T, Series X: Data Networks, Open System Communication and Security: Public-Key and attribute certificate frameworks. ITU-T Recommendation X.509 (2009)
Jøsang, A., Ismail, R., Boyd, D.: A Survey of Trust and Reputation Systems for Online Service Provision. Decision Support Systems 43(2), 618–644 (2007)
Juels, A., Brainard, B.: Client Puzzles: A Cryptographic Countermeasure Against Connection Depletion Attacks. In: Kent, S. (ed.) Network and Distributed System Security Symposium, pp. 151–165 (1999)
Laurie, B., Langley, A., Kasper, E.: Certificate Transparency, IETF Experimental Draft (2012), https://tools.ietf.org/html/draft-laurie-pki-sunlight-05
Marlinspike, M., Perrin, T.: Trust Assertions for Certificate Keys, IETF Experimental Draft (2013), https://tools.ietf.org/html/draft-perrin-tls-tack-02
Microsoft Corporation: Windows and Windows Phone 8 SSL Root Certificate Program, Member CAs (2013), http://tinyurl.com/c2qa5nh
Nakamoto, S.: Bitcoin: A Peer-to-Peer Electronic Cash System (2008), http://bitcoin.org/bitcoin.pdf
Soghoian, C., Stamm, S.: Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL. In: Danezis, G. (ed.) FC 2011. LNCS, vol. 7035, pp. 250–259. Springer, Heidelberg (2012)
Sotirakopoulos, A., Hawkey, K., Beznosov, K.: On the Challenges in Usable Security Lab Studies: Lessons Learned from Replicating a Study on SSL Warnings. In: 7th Symposium on Usable Privacy and Security, pp. 1–18. ACM, New York (2011)
Sunshine, J., Egelman, S., Almuhimedi, H., Atri, N., Cranor, L.F.: Crying Wolf: An Empirical Study of SSL Warning Effectiveness. In: 18th USENIX Security Symposium, pp. 399–416. USENIX Association, Berkeley (2009)
Thoughtcrime Labs: Convergence - an Agile, Distributed and Secure Strategy for Replacing Certificate Authorities (2013), http://www.convergence.io
Wendlandt, D., Andersen, D., Perrig, A.: Perspectives: Improving SSH-style Host Authentication with Multi-Path Probing. In: USENIX Annual Technical Conference, pp. 321–334. USENIX Association, Berkeley (2008)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Potzmader, K., Winter, J., Hein, D. (2014). STUNT: A Simple, Transparent, User-Centered Network of Trust. In: Katsikas, S., Agudo, I. (eds) Public Key Infrastructures, Services and Applications. EuroPKI 2013. Lecture Notes in Computer Science, vol 8341. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-53997-8_5
Download citation
DOI: https://doi.org/10.1007/978-3-642-53997-8_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-53996-1
Online ISBN: 978-3-642-53997-8
eBook Packages: Computer ScienceComputer Science (R0)