Elaphurus: Ensemble Defense Against Fraudulent Certificates in TLS

  • Conference paper
Information Security and Cryptology (Inscrypt 2019)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12020)

Abstract

Recent security incidents show that certificate authorities (CAs) can be compromised and made to sign certificates with fraudulent information. Such fraudulent certificates are used to mount TLS man-in-the-middle (MitM) attacks that succeed even when TLS clients strictly verify the server certificate, because the fraudulent certificate chains to a trusted root. Various security-enhanced certificate verification schemes have been proposed to defend against fraudulent certificates, such as Pinning, CAge, CT, DANE, and DoubleCheck. However, none of these schemes solves the problem completely, which has hindered their wide deployment. This paper analyzes these schemes in terms of security, usability and performance. Based on the analysis, we propose Elaphurus, an integrated security-enhanced certificate verification scheme on the TLS client side. Elaphurus is built on top of Pinning and integrates the other schemes to eliminate their individual disadvantages, improving overall security and usability. We implement a prototype with OpenSSL. Experimental results show that it introduces reasonable overhead while effectively enhancing the security of certificate verification.

This work was partially supported by the Cyber Security Program of the National Key R&D Plan of China (No. 2017YFB0802100), the National Cryptography Development Fund (No. MMJJ20180221), and the 13th Five-year Informatization Plan of the Chinese Academy of Sciences (No. XXH13507-01).


Notes

  1. In Chinese folklore, Elaphurus (Père David's deer) is described as a hybrid of cow, deer, donkey, and horse, so we name the integrated scheme Elaphurus.

  2. However, the design of Elaphurus must handle the scenario in which some security-enhanced verification schemes (e.g., CT and DANE) are not deployed for a given server.
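The two notes above and the abstract describe the core idea of an ensemble verifier: pinning is the base layer, and the other schemes are consulted only where they are deployed, so a missing CT log or TLSA record is a skipped check rather than a failure, while a deployed check that contradicts the presented key is fatal. The following Python is an added illustration of that decision structure; it is not the Elaphurus implementation, not the paper's actual policy, and not OpenSSL code. The SPKI byte strings, the TLSA records and the multi-path observations are constructed inline so it runs offline; the combination policy in `verify` is an assumption made for the example.

```python
"""
Illustrative ensemble certificate verification on the TLS client side.

Added example, not the Elaphurus implementation: it shows how pinning,
DANE TLSA matching and multi-path observation can be combined so that a
scheme not deployed for a host is skipped, while a deployed scheme that
contradicts the presented key rejects the connection.
All inputs are constructed; no network I/O or X.509 parsing is done.
"""
import base64
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs:
# the server's genuine key and a key from a fraudulently issued cert.
GENUINE_SPKI = b"\x30\x59\x30\x13" + b"genuine-server-key".ljust(60, b"\x00")
FRAUD_SPKI = b"\x30\x59\x30\x13" + b"attacker-key".ljust(60, b"\x00")


def spki_sha256(spki_der: bytes) -> bytes:
    return hashlib.sha256(spki_der).digest()


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 (HPKP) style pin: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(spki_sha256(spki_der)).decode()


@dataclass
class TLSARecord:
    """Subset of an RFC 6698 TLSA record."""
    usage: int      # 3 = DANE-EE (end-entity)
    selector: int   # 1 = SubjectPublicKeyInfo
    matching: int   # 1 = SHA-256 of the selected data
    data: bytes


def tlsa_for(spki_der: bytes) -> TLSARecord:
    """Build the DANE-EE / SPKI / SHA-256 record a server would publish."""
    return TLSARecord(3, 1, 1, spki_sha256(spki_der))


def tlsa_matches(record: TLSARecord, spki_der: bytes) -> bool:
    # Only usage 3 / selector 1 / matching 1 is understood here; any other
    # parameter combination is treated as not matching.
    if (record.usage, record.selector, record.matching) != (3, 1, 1):
        return False
    return record.data == spki_sha256(spki_der)


@dataclass
class Observation:
    """What the client learned about one host from each source.
    None means the source is not deployed / unavailable for this host."""
    presented_spki: bytes
    pinned_pins: Optional[Set[str]] = None
    tlsa: Optional[List[TLSARecord]] = None
    multipath_pins: Optional[List[str]] = None


@dataclass
class Verdict:
    accepted: bool
    reasons: List[str] = field(default_factory=list)


def verify(obs: Observation) -> Verdict:
    """Assumed policy: each deployed scheme must agree with the presented
    key; undeployed schemes are skipped; CA path validation is assumed
    to have already passed before this function is called."""
    reasons: List[str] = []
    pin = spki_pin(obs.presented_spki)

    # 1. Pinning is the base layer: a pinned host must present a pinned key.
    if obs.pinned_pins is None:
        reasons.append("pin: no pin for host, skipped")
    elif pin in obs.pinned_pins:
        reasons.append("pin: match")
    else:
        return Verdict(False, reasons + ["pin: MISMATCH"])

    # 2. DANE: no TLSA record means not deployed, so skip; a record that
    #    exists but does not cover the presented key is fatal.
    if obs.tlsa is None:
        reasons.append("dane: no TLSA record, skipped")
    elif any(tlsa_matches(r, obs.presented_spki) for r in obs.tlsa):
        reasons.append("dane: match")
    else:
        return Verdict(False, reasons + ["dane: TLSA present, no match"])

    # 3. Multi-path: every other vantage point must have seen the same key.
    if obs.multipath_pins is None:
        reasons.append("multipath: no observations, skipped")
    elif all(p == pin for p in obs.multipath_pins):
        reasons.append("multipath: consistent")
    else:
        return Verdict(False, reasons + ["multipath: INCONSISTENT"])

    return Verdict(True, reasons)


if __name__ == "__main__":
    good = Observation(GENUINE_SPKI, {spki_pin(GENUINE_SPKI)},
                       [tlsa_for(GENUINE_SPKI)], [spki_pin(GENUINE_SPKI)] * 3)
    bad = Observation(FRAUD_SPKI, {spki_pin(GENUINE_SPKI)})
    print(verify(good))
    print(verify(bad))
```

Each rejection carries the reasons collected so far, which is what a client would log when deciding whether a failure is an attack or a stale pin; the ordering (pin first, then DANE, then multi-path) is a choice made for this example and is not claimed to be the paper's.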


Author information

Corresponding author: Wei Wang.

Copyright information

© 2020 Springer Nature Switzerland AG

Cite this paper

Li, B., Wang, W., Meng, L., Lin, J., Liu, X., Wang, C. (2020). Elaphurus: Ensemble Defense Against Fraudulent Certificates in TLS. In: Liu, Z., Yung, M. (eds) Information Security and Cryptology. Inscrypt 2019. Lecture Notes in Computer Science, vol 12020. Springer, Cham. https://doi.org/10.1007/978-3-030-42921-8_14


  • DOI: https://doi.org/10.1007/978-3-030-42921-8_14

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-42920-1

  • Online ISBN: 978-3-030-42921-8