• English
  • Deutsch
  • Log In
    Password Login
    or
  • Research Outputs
  • Projects
  • Researchers
  • Institutes
  • Statistics
Repository logo
Fraunhofer-Gesellschaft
  1. Home
  2. Fraunhofer-Gesellschaft
  3. Konferenzschrift
  4. Domain validation++ for MitM-resilient PKI
 
  • Details
  • Full
Options
2018
Conference Paper
Titel

Domain validation++ for MitM-resilient PKI

Abstract
The security of Internet-based applications fundamentally relies on the trustworthiness of Certificate Authorities (CAs). We practically demonstrate for the first time that even a weak off-path attacker can effectively subvert the trustworthiness of popular commercially used CAs. Our attack targets CAs which use Domain Validation (DV) for authenticating domain ownership; collectively these CAs control 99% of the certificates market. The attack utilises DNS Cache poisoning and tricks the CA into issuing fraudulent certificates for domains the attacker does not legitimately own -- namely certificates binding the attacker's public key to a victim domain. We discuss short and long term defences, but argue that they fall short of securing DV. To mitigate the threats we propose Domain Validation ++ (DV++). DV++ replaces the need in cryptography through assumptions in distributed systems. While retaining the benefits of DV (automation, efficiency and low costs) DV++ is secure even against Man-in-the-Middle (MitM) attackers. Deployment of DV++ is simple and does not require changing the existing infrastructure nor systems of the CAs. We demonstrate security of DV++ under realistic assumptions and provide open source access to DV++ implementation.
Author(s)
Brandt, Markus
Fraunhofer-Institut für Sichere Informationstechnologie SIT
Dai, Tiaxing
Fraunhofer-Institut für Sichere Informationstechnologie SIT
Klein, Amit
Fraunhofer-Institut für Sichere Informationstechnologie SIT
Shulman, Haya
Fraunhofer-Institut für Sichere Informationstechnologie SIT
Waidner, Michael
Fraunhofer-Institut für Sichere Informationstechnologie SIT
Hauptwerk
CCS 2018, ACM SIGSAC Conference on Computer and Communications Security. Proceedings
Konferenz
Conference on Computer and Communications Security (CCS) 2018
Thumbnail Image
DOI
10.1145/3243734.3243790
Language
English
google-scholar
Fraunhofer-Institut für Sichere Informationstechnologie SIT
  • Cookie settings
  • Imprint
  • Privacy policy
  • Api
  • Send Feedback
© 2022