poster

Evaluating Resilience of Domains in PKI

Authors:

Michael WaidnerAuthors Info & Claims

CCS '21: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security

Pages 2444 - 2446

https://doi.org/10.1145/3460120.3485356

Published: 13 November 2021 Publication History

Abstract

Domain Validation of PKI, allows to verify ownership over domains and poses the basis for cryptography. A number of recent attacks led to efforts to enhance the security of domain validation by improving the resilience of the vantage points used by the certificate authorities.

In this work we measure the resilience of the domains to attacks. We show that even when the certificate authorities are secure, the domains introduce a weak link in the PKI ecosystem. Our simulations with a dataset of 2.3M popular Internet domains shows that 50% of the targets are vulnerable, allowing the network adversaries to issue fraudulent certificates even when the more secure distributed domain validation is used.

Through Internet measurements we discover that the factors for such a large attack surface include the topological location of the domains, network prefix configuration of the vantage points. Importantly, our work shows that not only the vantage points have to be secure, but also the domains' resilience has to be enhanced.

References

[1]

R. Barnes, J. Hoffman-Andrews, D. McCarney, and J. Kasten. 2019. RFC 8555: Automatic Certificate Management Environment (ACME). In Proposed Standard.

[2]

Henry Birge-Lee, Yixin Sun, Anne Edmundson, Jennifer Rexford, and Prateek Mittal. 2018. Bamboozling certificate authorities with BGP. In 27th $$USENIX$$ Security Symposium (USENIX Security 18). 833--849.

[3]

Henry Birge-Lee, Liang Wang, Daniel McCarney, Roland Shoemaker, Jennifer Rexford, and Prateek Mittal. 2020. Experiences Deploying Multi-Vantage-Point Domain Validation at Let's Encrypt. (Dec. 2020).

[4]

Markus Brandt, Tianxiang Dai, Amit Klein, Haya Shulman, and Michael Waidner. 2018. Domain Validation

[5]

For MitM-Resilient PKI. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2060--2076.

[6]

Markus Brandt and Haya Shulman. 2021. Optimized BGP Simulator for Evaluation of Internet Hijacks. In 2021 IEEE Conference on Computer Communications Workshops, INFOCOM Workshops 2021, Vancouver, BC, Canada, May 10--13, 2021. IEEE, 1--2.

[7]

CAIDA. 2020. Inferred AS Relationships Dataset. (2020). https://www.caida.org/data/as-relationships

[8]

CAIDA. 2021. BGP Stream. (2021). https://bgpstream.caida.org/

[9]

Avichai Cohen, Yossi Gilad, Amir Herzberg, and Michael Schapira. 2016. Jumpstarting BGP Security with Path-End Validation. In Proceedings of the ACM SIGCOMM 2016 Conference, Florianopolis, Brazil, August 22--26, 2016, Marinho P. Barcellos, Jon Crowcroft, Amin Vahdat, and Sachin Katti (Eds.). ACM, 342--355.

Digital Library

[10]

Tianxiang Dai, Haya Shulman, and Michael Waidner. 2018. Off-Path Attacks Against PKI. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. 2213--2215.

Digital Library

[11]

Tianxiang Dai, Haya Shulman, and Michael Waidner. 2021. Let's Downgrade Let's Encrypt. In Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security.

Digital Library

[12]

Phillipa Gill, Michael Schapira, and Sharon Goldberg. 2012. Modeling on quicksand: dealing with the scarcity of ground truth in interdomain routing data. Comput. Commun. Rev., Vol. 42, 1 (2012), 40--46.

Digital Library

[13]

Tomas Hlavacek, Italo Cunha, Yossi Gilad, Amir Herzberg, Ethan Katz-Bassett, Michael Schapira, and Haya Shulman. 2020. DISCO: Sidestepping RPKI's Deployment Barriers. Network and Distributed System Security Symposium (NDSS).

[14]

RIPE NCC. 2021. RIS Raw Data. (2021). https://www.ripe.net/analyse/internet-measurements/routing-information-service-ris/ris-raw-data

[15]

University of Oregon Route Views Project. 2021. Route Views Project. (2021). http://www.routeviews.org/routeviews/

Cited By

Yin LZhang HPeng JNing ZZhang ZZhang KZhang Y(2024)A Certificate Transparency-Based Certificate Monitoring Scheme for the Power GridNetwork Simulation and Evaluation10.1007/978-981-97-4519-7_18(256-270)Online publication date: 2-Aug-2024
https://doi.org/10.1007/978-981-97-4519-7_18
Patil VShyamasundar R(2022)Evolving Role of PKI in Facilitating Trust2022 IEEE International Conference on Public Key Infrastructure and its Applications (PKIA)10.1109/PKIA56009.2022.9952249(1-7)Online publication date: 9-Sep-2022
https://doi.org/10.1109/PKIA56009.2022.9952249

Index Terms

Evaluating Resilience of Domains in PKI

Recommendations

Off-Path Attacks Against PKI
CCS '18: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security

The security of Internet-based applications fundamentally relies on the trustworthiness of Certificate Authorities (CAs). We practically demonstrate for the first time that even a very weak attacker, namely, an off-path attacker, can effectively subvert ...
PKI Security in Large-Scale Healthcare Networks

During the past few years a lot of PKI (Public Key Infrastructures) infrastructures have been proposed for healthcare networks in order to ensure secure communication services and exchange of data among healthcare professionals. However, there is a ...
Impact of post-quantum hybrid certificates on PKI, common libraries, and protocols

In this work, we assessed the impact of post-quantum (PQ) cryptography on public key infrastructure (PKI). First, we modified a commercially available certification authority (CA) to issue 'hybrid' certificates (X.509 certificates with PQ extensions). ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

CCS '21: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security

November 2021

3558 pages

ISBN:9781450384544

DOI:10.1145/3460120

General Chairs:
Yongdae Kim
KAIST, Republic of Korea
,
Jong Kim
POSTECH, Republic of Korea
,
Program Chairs:
Giovanni Vigna
University of California, Santa Barbara / VMware, USA
,
Elaine Shi
Carnegie Mellon University, USA

Copyright © 2021 Owner/Author.

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 13 November 2021

Check for updates

Author Tags

Qualifiers

Poster

Funding Sources

National Research Center for Applied Cybersecurity ATHENE,
CROSSING

Conference

CCS '21

Sponsor:

SIGSAC

CCS '21: 2021 ACM SIGSAC Conference on Computer and Communications Security

November 15 - 19, 2021

Virtual Event, Republic of Korea

Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

1
Total Citations
View Citations
268
Total Downloads

Downloads (Last 12 months)42
Downloads (Last 6 weeks)3

Reflects downloads up to 25 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

Yin LZhang HPeng JNing ZZhang ZZhang KZhang Y(2024)A Certificate Transparency-Based Certificate Monitoring Scheme for the Power GridNetwork Simulation and Evaluation10.1007/978-981-97-4519-7_18(256-270)Online publication date: 2-Aug-2024
https://doi.org/10.1007/978-981-97-4519-7_18
Patil VShyamasundar R(2022)Evolving Role of PKI in Facilitating Trust2022 IEEE International Conference on Public Key Infrastructure and its Applications (PKIA)10.1109/PKIA56009.2022.9952249(1-7)Online publication date: 9-Sep-2022
https://doi.org/10.1109/PKIA56009.2022.9952249

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten