Public Key Infrastructures

Project Description

Today's PKIs suffer from many severe problems - CA compromises can affect any site in the Internet due to their almost unrestricted global authority, most users cannot competently assess the trustworthiness of CAs without restricting access to many HTTPS sites, and revocation of certificates and misbehaving CAs is difficult and ineffective. Our research focuses on addressing these problems through a variety of approaches. We build on log-based PKI proposals such as Sovereign Keys and Certificate Transparency, using public, append-only logs to monitor CA behavior and ensure that certificates are issued according to domain-specified policies. We also leverage public logs to handle revocations and key updates in response to events such as key loss or compromise. On a larger scale, we are redesigning the global PKI infrastructure for routing, naming, and end-entity certification (such as TLS) to further restrict global CA authority without hindering access to HTTPS sites worldwide.

Project Participants

Stephanos Matsumoto, Laurent Chuat, Raphael M. Reischuk, Pawel Szalachowski, Adrian Perrig

Publications

by David Basin, Cas Cremers, Tiffany Hyun-Jin Kim, Adrian Perrig, Ralf Sasse, Pawel Szalachowski
Reference:
ARPKI: Attack Resilient Public-Key Infrastructure  [bibtex] [doi]David Basin, Cas Cremers, Tiffany Hyun-Jin Kim, Adrian Perrig, Ralf Sasse, Pawel Szalachowski. In Proceedings of the ACM Conference on Computer and Communications Security (CCS) 2014. Research Area: Public Key Infrastructures
Bibtex Entry:
@inproceedings{Basin:2014:AAR:2660267.2660298,
    author = {Basin, David and Cremers, Cas and Kim, Tiffany Hyun-Jin and Perrig, Adrian and Sasse, Ralf and Szalachowski, Pawel},
    title = {ARPKI: Attack Resilient Public-Key Infrastructure},
    booktitle = {Proceedings of the ACM Conference on Computer and Communications Security (CCS)},
    month = {November},
    year = {2014},
    isbn = {978-1-4503-2957-6},
    location = {Scottsdale, Arizona, USA},
    pages = {382--393},
    url = {http://www.netsec.ethz.ch/publications/papers/ccsfp200s-cremersA.pdf},
    doi = {10.1145/2660267.2660298},
    keywords = {pki, attack resilience, certificate validation, formal validation, public log servers, public-key infrastructure, tls},
}