
STUNT: A Simple, Transparent, User-Centered Network of Trust

Conference paper, Public Key Infrastructures, Services and Applications (EuroPKI 2013)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8341)

Abstract

Secure end-to-end communication requires endpoint authenticity. Authenticating an endpoint in large networks, that is, assuring that the other communication party is indeed who it claims to be, is a non-trivial task. Currently, the adopted solution is to rely on trusted third parties, who vouch for a certain host’s authenticity. Recent incidents at renowned trusted third parties, as well as long-standing problems, indicate a need for alternative solutions. We propose STUNT, a system that helps users to assess a host’s authenticity by its trust relationships with other hosts. Hosts operated by service providers have to establish mutual trust relationships with other service providers to appear trustworthy to a user. These trust relationships are both limited and expensive, and thus STUNT enforces careful trust decisions by service operators. Clients are able to verify these trust relationships by cryptographic means. The verified trust relationships are presented to the users to assist them with assessing the authenticity of the host. Ultimately, the trust decision rests with the user, leading to an individual, self-maintained trust base. We believe that, given the right tools, people are very well able to decide on a host’s authenticity, and we describe a possible technical concept to support informed decision-making.




Copyright information

© 2014 Springer-Verlag Berlin Heidelberg

Cite this paper

Potzmader, K., Winter, J., Hein, D. (2014). STUNT: A Simple, Transparent, User-Centered Network of Trust. In: Katsikas, S., Agudo, I. (eds) Public Key Infrastructures, Services and Applications. EuroPKI 2013. Lecture Notes in Computer Science, vol 8341. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-53997-8_5


  • DOI: https://doi.org/10.1007/978-3-642-53997-8_5

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-53996-1

  • Online ISBN: 978-3-642-53997-8

  • eBook Packages: Computer Science (R0)
