CRLite: A Scalable System for Pushing All TLS Revocations to All Browsers By Kartik Patel.

Slides:



Advertisements
Similar presentations
Chapter 14 – Authentication Applications
Advertisements

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Microsoft ® Office 2007 Training Security II: Turn off the Message Bar and run code safely P J Human Resources Pte Ltd presents:
Extended Validation Models in PKI Alternatives and Implications Marc Branchaud John Linn
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Public Key Management and X.509 Certificates
DESIGNING A PUBLIC KEY INFRASTRUCTURE
CMSC 414 Computer (and Network) Security Lecture 17 Jonathan Katz.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.
SSL By: Anthony Harris & Adam Shkoler. What is SSL? SSL stands for Secure Sockets Layer SSL is a cryptographic protocol which provides secure communications.
CS470, A.SelcukPKI1 Public Key Infrastructures CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Josh Benaloh Brian LaMacchia Winter Side-Channel Attacks Breaking a cryptosystem is a frontal attack, but there may be easier access though a side.
Microsoft ® Office 2007 Training Security II: Turn off the Message Bar and run code safely John Deere presents:
Web Browser Security Prepared By Mohammed EL-Batta Mohammed Soubih Supervised By Eng. Eman alajrami Explain Date 10. may University of Palestine.
Configuring Directory Certificate Services Lesson 13.
Certificate revocation list
SECURITY MANAGEMENT Key Management in the case of public-key cryptosystems, we assumed that a sender of a message had the public key of the receiver at.
Maintaining Network Health. Active Directory Certificate Services Public Key Infrastructure (PKI) Provides assurance that you are communicating with the.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
Serverless Network File Systems Overview by Joseph Thompson.
OCSP
SIP working group IETF#70 Essential corrections Keith Drage.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
Measures to prevent MITM attack and their effectiveness CSCI 5931 Web Security Submitted By Pradeep Rath Date : 23 rd March 2004.
SSH/SSL Attacks not on tests, just for fun. SSH/SSL Should Be Secure Cryptographic operations are secure SSL uses certificates to authenticate servers.
DISTRIBUTED FILE SYSTEM- ENHANCEMENT AND FURTHER DEVELOPMENT BY:- PALLAWI(10BIT0033)
SSL: Secure Socket Layer By: Mike Weissert. Overview Definition History & Background SSL Assurances SSL Session Problems Attacks & Defenses.
Key management issues in PGP
BUILD SECURE PRODUCTS AND SERVICES
TOPIC: HTTPS (Security protocol)
Presented by Edith Ngai MPhil Term 3 Presentation
Document update - what has happened since GGF11
OGF PGI – EDGI Security Use Case and Requirements
Enabling Secure Internet Access with TMG
DNSSEC Deployment Challenges
The Development Process of Web Applications
Cryptography and Network Security
Information Security message M one-way hash fingerprint f = H(M)
Practical Censorship Evasion Leveraging Content Delivery Networks
Chapter 15 Key Management
MICROSOFT OUTLOOK and Outlook service Provider
Authentication Applications
Certificates An increasingly popular form of authentication
Certificates A ubiquitous form of authentication
How to Check if a site's connection is secure ?
Originally by Yu Yang and Lilly Wang Modified by T. A. Yang
Information Security message M one-way hash fingerprint f = H(M)
Information Security message M one-way hash fingerprint f = H(M)
563.10: Bloom Cookies Web Search Personalization without User Tracking
The Web PKI In Theory and Malpractice
Security in ebXML Messaging
Welcome and thank you for choosing SharkGate
Communications IGTF RAT Comms Challenge 3 Fall 2015
Information Security message M one-way hash fingerprint f = H(M)
Digital Certificates and X.509
CS 465 Certificates Last Updated: Oct 14, 2017.
MaGrid CA Self audit and update
刘振 上海交通大学 计算机科学与工程系 电信群楼3-509
CS2911 Week 9, Class 1 Today Discussion on RSA Video Eavesdropping
Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006
Certificate Revocation
Kai Bu 05 Secure Connection The topic to be covered this week is secure connection. Apparently, the.
DISTRIBUTED SYSTEMS Principles and Paradigms Second Edition ANDREW S
Hinari Basic Course Module 3 Appendix 1
Certificates An increasingly popular form of authentication
刘振 上海交通大学 计算机科学与工程系 电信群楼3-509
Chapter 15 Key Management
Presentation transcript:

CRLite: A Scalable System for Pushing All TLS Revocations to All Browsers By Kartik Patel

Motivation Browsers require certificate to be checked on each search. There are invalid certificates on the web which provide access to sites where they should not be granted Certificates need to be revoked if they are expired or private keys compromised Browsers are assuming certificate are valid There needs to be a system which will perform this efficiently without leaking or crashing user data, and will perform checks on all the certificates, not just a subset. And access is granted based on that But there are reasons why certificated need to be revoked,

Introduction TLS relies on certificates to be issued and cryptographically signed by Certificate Authorities (CAs) which provides: integrity, confidentiality, and authentication. When a client makes a search, the certificate needs to be validated each time through a TLS handshake. CA also erroneously issue certificates, and when a certificate’s private key is compromised, it needs to be revoked. Two common certificate revocation check methods: Certificate Revocation List (CRL): Contains all the certificates that have been revoked Open Certificate Status Protocol (OCSP): Query is sent and a response will be sent back describing whether the certificate is valid or not. What is a certificate (This is how a client determines the validity of the site and are valid for a certain time period which is determined by the start time and the expirable time) Once a certificate has reached its expiry date, it is to be revoked. The browser trusts the CA so it can trust the browser it is talking to The two common factors, is performed automatically by the web browsers Article showed many revocation methods, but the commonly discussed and also that are well known by people are CRL and OCSP

CRL Request CRL - certificates Signed Certificate TLS Handshake Once they have been revoked, how do browsers get access to this information. There are two common ways. Here the browser asks the certification authority for a list of all their revoked certificates, if this certificate is on the list, it blocks access. CRL is a list of serial numbers Downloads the list of certificates TLS Handshake

OCSP Is this cert. revoked Yes or No Signed Certificate TLS Handshake Here the website can ask whether a given certificate has been revoked rather than obtaining the entire list every time. The browser the responds and acts accordingly. TLS Handshake

Problem Chrome only make CRL or OCSP requests for extended validation certificates which is a very small subset of all the certificates. Firefox only supports revocation checks via OCSP Mobiles don’t perform browser checks for certificate revocations at all. Browsers that use a pull base method incur the following issues: Latency concerns (contacting third parties to perform revocation checks increases latency) Bandwidth considerations (Some CRLs over 70MB) Privacy risks (OCSP checks and leaks the users browser behavior) Ambiguity (Sometimes CRL and OCSP may not be available due to network errors or an active attack) Why browsers don’t perform checks due to the time it takes to pull the certificates, also this is the reason it is sceiptible to MITM attack and phishing attacks Firefox no longer supports CRL Mobile phones don’t perform due to the latency and the bandwidth performances

Aim Efficiency – Do not want browsers to sacrifice efficiency for security Timeliness – Ways to keep clients updated efficiently Fail-Closed – Way to stop non response certificates being treated as valid Privacy – Does not leak browser behavior Deployable – Goal is to release it today Auditability – Way to allow third parties to be able to audit it What we would like Didn’t want the browser to sacrifice Efficiency for security Wanted a fail closed system where if the certificate was unavailable it will treat it as revoked rather than valid Making personal data not being leaked Deployable today Making third parties to be able to audit it

Table compares CRLite to 6 other revocations and incorporates the best a parts of the existing systems like, user privacy, no centralizations of trust, a fail-closed security posture, instant deployability.

Solution CRLite CRLite is a proactive system which pushes all certificate revocations to browsers on a regular basis. Moving from pull method where browsers download certificates to a push method where CRLite pushes certificates to browsers. Personal web browser behavior is not leaked Server-side system aggregates revocation information for all known valid TLS certificates on the web and places them in a filter. Client-side component that downloads the filters and uses them to check for revocations of observed certificates. Uses a filter to provide browsers with a precise mapping of all certificates to their revocation status. solution presented in the article should be explained based on your understanding. The core idea should be clear, and you are expected to explain some details of the proposed technique in a way that can be easily followed by your classmates. Daily updates provide a fail-closed posture To make sure this is efficient, the first initial set of certificates that are sent are 10MB and the initial updates per day is 580KB This filter does not contain any false positives and false negatives

Server Side Obtain certificates - IPv4 search on port 443 and Google CT logs Validating Certificates – looking for non expired certificates, leaf and intermediate certificates (chain to trusted root). Revoked certificates – Extracts all CRL and OCSP certificates from the validating certificates. Filter Cascade – Compresses the certificates through bloom filter Delta Updates – Taking two sets of of bloom filters and XOR to get diff filter Audit log – Designed to address the issue of trust

Filter Cascading - Inserting All the revoked certificates are inserted into the bloom filter. Can contain false positives so you check with all the non-revoked certificates giving you a white list. Check revoked certificates with BF2 gives you another set of of false positives which is then checked with the non revoked certificates And the size of the bloom filter decreases each time, therefore eventually there will be no false positives left. Used to provide precise mapping of all certificates to their revocation status. All the revoked certificates are inserted into a bloom filter. Then you run into the false positive problem You then have access to all the non-revoked certificates that the user could encounter You then ship this bloom filter and false positives (white lists) When the client checks to see if a certificate is revoked, it checks in the bloom filter and if it is revoked, then it checks if it is in the whitelists and if it is in there then it is not revoked, if it is not in the white list it is revoked. You know all the revocations that a user can encounter, you then look this up in the white list

Filter Cascading – Inserting All the revoked certificates are put into a bloom filter which can contain false positives. This then checked with the non revoked certificates which can give you all the false positives. Therefore this is then checked in the revoked certificates again which will give us another bloom filter of all the false positives. This process is then repeated until there are no false positives.

Client Side Obtain the bloom filters Download regular delta updates Perform update – compare the difference between delta update and bloom filter Checking certificates on searches

Filter Cascading - Lookup Client checks to see if a certificate has been revoked by checking in the bloom filter and if it is not in there, then it has not been revoked. If it is in the first bloom filter, it then checks the false positives and if it is not in there, then it has been revoked. This process continues to the last bloom filter until there is no more… This bloom filter cascade is then shipped to clients where they will perform he search for the revoked certificates If an element is in BF1 and BF2 but not in BF3, then it is definitely not in R Odd levels showed white lists and even numbers showed black lists So if I is odd then u is definitely not in R If I is even then u is definitely in R

Delta Updates Provides up-to-date changes of certificates to the client of the new revoked certificates Delta updates are created on a daily basis Clients only need to download the complete bloom filter once The file is approximate ~580Kb

CRLite Address Six Challenges Efficiency: Compresses the revocation status of all certificates using a cascading filter. Timeliness: Uses delta-updates to keep clients up-to-date with recent revocations. Allows clients to download just the changes once, as they are created on a daily basis. Failure Model: Uses a fail-closed security posture. When revocation information about a certificate is unavailable, it assumes that the certificate is invalid. Privacy: Does not reveal their browsing history to third parties. Deployability: Deployable today and requires no support from CAs or changes to TLS, with easy integration into modern browsers. Auditability: Uses cryptographically-signed logs that allow any interested party to audit each filter to check for erroneous certificates Currently you have to pull the certificates on all browsers Current browsers user fail-open FireFox leaks information

Criticisms and Improvements There are changes made during the day, clients are not updated about the new revoked certificates as this is only conducted once per day and falls back on existing methods. Improvement: CRLite should push all new updates soon as a new change has been made to clients Users can opt in and use CRLite, not deployed automatically in browsers Has to go through browser extension. Solves man in the middle attack but attackers can replicate a fake extension which can track users information If the list of delta updates get compromised on the way (MITM), then the client will have an incorrect version Improvement: Implement a published copy online which performs an automatic check with the users copy. you should share your own comments on this article, such as what is the limitation of the proposed idea and how one can overcome it. Note that you should come up with your own limitations instead of explaining ones already listed in the article!

Summary CRLite solves the major issue of latency which is the deal breaker between downloading new certificates through previous certificate revocation methods. Mobile browsers are now non-constrained by latency and bandwidth of the file size of the revoked certificates. Personal information is no longer leaked as there is a cached set of certificates, rather than contacting the CA to obtain a certificate. Clients always have access to the revoked certificates even when there is a network error No more false positive responses or false negatives

Questions?