Amir Herzberg (University of Connecticut, US)
Toward Secure Public Key Infrastructure (PKI): Fixing the Foundations of Applied Cryptography
The Public Key Infrastructure (PKI) is a critical foundation to applications of public key cryptography, and crucial for security in open networks and systems. Since its introduction in 1988, the PKI landscape was dominated by the X.509 standard, widely deployed by many protocols and systems, most notably TLS/SSL, used to secure connections between web server and browser (web-PKI).
Unfortunately, the web-PKI deployment has inherent weaknesses. In particular, any CA is trusted to issue certificates for any domain. This makes CAs a prime target for attackers. Over the years, there were multiple CA failures. For example, hackers stole the master keys of CAs and issued fake certificates for major websites. Furthermore, some CAs abused their powers by improperly delegating their certificate-issuing authority or issuing unauthorized certificates. Such PKI failures allow attackers to issue fake certificates, launch website spoofing and man-in-the-middle attacks, possibly leading to identity theft, surveillance, compromises of personal and confidential information, and other serious security breaches.
These failures motivated efforts to develop and adopt improved-security PKI schemes, i.e., PKI schemes that ensure security even if some CAs may be corrupt or negligent. During the recent years, there have been extensive efforts toward this goal by researchers, developers and the IETF, with multiple PKI proposals and implementations. These efforts focus on advanced requirements such as improved revocation, transparency, non-equivocation, privacy and more. One challenge is that these requirements are not stated precisely, making it hard to compare designs and their security guaranteed – which are also not proven.
In this tutorial, we will discuss the design, goals and challenges of existing PKI systems, focusing on the most applicable: web-PKi and Certificate Transparency. We will discuss how to define and prove security, and some designs achieving improved security and/or performance.
The tutorial will require only basic understanding of applied crypto (PKC, CRHFs, and Merkle trees).
The tutorial consists of three parts:
- Day 1: Introduction, X.509 and constraints [slides] [presentation]
- Day 2: Revocations and Merkle Digests [slides] [presentation]
- Day 3: CA failures and Certificate Transparency [slides] [presentation]
About the speaker: Amir Herzberg is Comcast endowed professor for security innovation at the Dept. of Computer Science and Engineering at the University of Connecticut.