Attack-Resilient TLS Certificate Transparency

Salabat Khan, Liehuang Zhu*, Zijian Zhang, Mussadiq Abdul Rahim, Khalid Khan, Meng Li

*Corresponding author for this work

Research output: Contribution to journal › Article › peer-review

7 Citations (Scopus)

Abstract

The security of the Public-Key Infrastructure (PKI) for Internet-based communications has lately attracted researchers' attention because of failures of Certification Authorities (CAs) and the attacks that followed. Google Certificate Transparency and subsequent log-based PKI proposals (e.g., AKI and ARPKI) have succeeded in making certificate-management processes more transparent, accountable, and verifiable. However, those proposals do not address three problems: the root CA's generous delegation of trust to intermediate CAs, non-conformant certificate issuance by those intermediates, and the lack of rigorous authentication of domain ownership during certificate issuance. This study presents Attack-Resilient TLS Certificate Transparency (ARCT), built on log servers, to address these problems. ARCT enables a root CA to compel its intermediate CAs to follow community standards by leveraging a log server at each root level. It also introduces a collaborative domain-ownership verification method that deters false certificate issuance and ensures that a set of CAs validates every certificate before any client accepts it. A certificate collectively approved by a set of CAs assures users that it has been seen, and not immediately detected as malicious, by a group of CAs. Finally, formal security and performance evaluations prove the reliability and effectiveness of ARCT.

Original language: English
Article number: 9099233
Pages (from-to): 98958-98973
Number of pages: 16
Journal: IEEE Access
Volume: 8
Publication status: Published - 2020

Keywords

  • PKI
  • TLS
  • collaborative identity verification
  • delegation of trust
  • log server
