
LocalPKI: An Interoperable and IoT Friendly PKI

  • Jean-Guillaume Dumas
  • Pascal Lafourcade
  • Francis Melemedjian
  • Jean-Baptiste Orfila
  • Pascal Thoniel
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 990)

Abstract

A public-key infrastructure (PKI) binds public keys to the identities of entities. Usually this binding is established through a process of registration and certificate issuance by a certificate authority (CA), where validation of the registration is performed by a registration authority. In this paper we propose an alternative scheme, called LocalPKI, where the binding is performed by a local authority and issuance is left to the end user or to the local authority. The role of a third entity is then to register this binding and to provide up-to-date status information on the registration. The idea is that many more local actors could then take the role of a local authority, allowing public-key certificates to spread more easily through the population. LocalPKI is also an appropriate solution to deploy in the Internet of Things context. The security of our scheme is formally proven with the help of Tamarin, an automatic verification tool for cryptographic protocols.
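The following is an added toy model of the role split the abstract describes, not the paper's protocol or code: a local authority signs the identity-to-key binding, the end user issues the certificate by signing the attested binding with the bound key, and a separate registrar records the binding and answers status queries. Everything concrete here is an assumption made for illustration: Ed25519 signatures, a length-prefixed byte encoding of the binding, the "valid"/"revoked"/"unknown" status vocabulary, and the sample identity "sensor-17". The real LocalPKI message formats, revocation semantics and the Tamarin proof are in the paper itself.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Binding is the identity-to-public-key association a local authority vouches for.
type Binding struct {
	Identity string
	PubKey   ed25519.PublicKey
}

// encode gives a canonical byte string (length-prefixed identity, then the key) so that
// what the local authority signs is exactly what a verifier reconstructs. The length
// prefix avoids ambiguity between, e.g., identity "ab"+key and identity "a"+"b"+key.
func (b Binding) encode() []byte {
	buf := make([]byte, 4, 4+len(b.Identity)+len(b.PubKey))
	binary.BigEndian.PutUint32(buf, uint32(len(b.Identity)))
	buf = append(buf, b.Identity...)
	return append(buf, b.PubKey...)
}

// Attestation is the local authority's signature over a binding (assumed format).
type Attestation struct {
	Binding Binding
	LASig   []byte
}

// Certificate is issued by the end user: the attested binding plus the user's own
// signature, which proves possession of the private key named in the binding.
type Certificate struct {
	Att     Attestation
	UserSig []byte
}

// certBody is the byte string the end user signs: the binding and the LA's signature.
func certBody(att Attestation) []byte {
	body := att.Binding.encode()
	return append(body, att.LASig...)
}

// LocalAuthority performs the binding step.
type LocalAuthority struct{ priv ed25519.PrivateKey }

func NewLocalAuthority() (*LocalAuthority, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &LocalAuthority{priv: priv}, nil
}

func (la *LocalAuthority) Public() ed25519.PublicKey {
	return la.priv.Public().(ed25519.PublicKey)
}

// Attest signs the binding. In a real deployment this is where the local authority
// checks that the requester really is Identity and controls PubKey.
func (la *LocalAuthority) Attest(b Binding) Attestation {
	return Attestation{Binding: b, LASig: ed25519.Sign(la.priv, b.encode())}
}

// IssueCertificate is the end user's step: sign the attestation with the bound key.
func IssueCertificate(userPriv ed25519.PrivateKey, att Attestation) Certificate {
	return Certificate{Att: att, UserSig: ed25519.Sign(userPriv, certBody(att))}
}

// Registrar is the third entity: it records bindings and serves their current status.
type Registrar struct{ status map[string]string }

func NewRegistrar() *Registrar { return &Registrar{status: map[string]string{}} }

func (r *Registrar) Register(c Certificate) { r.status[c.Att.Binding.Identity] = "valid" }
func (r *Registrar) Revoke(identity string) { r.status[identity] = "revoked" }
func (r *Registrar) Status(identity string) string {
	if s, ok := r.status[identity]; ok {
		return s
	}
	return "unknown"
}

// Verify checks what a relying party needs: the local authority vouched for the binding,
// the holder controls the bound key, and the registrar still reports the binding valid.
func Verify(c Certificate, laPub ed25519.PublicKey, r *Registrar) error {
	if !ed25519.Verify(laPub, c.Att.Binding.encode(), c.Att.LASig) {
		return errors.New("local authority attestation does not verify")
	}
	if !ed25519.Verify(c.Att.Binding.PubKey, certBody(c.Att), c.UserSig) {
		return errors.New("holder signature does not verify")
	}
	if s := r.Status(c.Att.Binding.Identity); s != "valid" {
		return fmt.Errorf("registrar reports status %q", s)
	}
	return nil
}

func main() {
	la, err := NewLocalAuthority()
	if err != nil {
		panic(err)
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // the end user's (IoT device's) key
	if err != nil {
		panic(err)
	}
	reg := NewRegistrar()
	cert := IssueCertificate(priv, la.Attest(Binding{Identity: "sensor-17", PubKey: pub}))
	fmt.Println("before registration:", Verify(cert, la.Public(), reg))
	reg.Register(cert)
	fmt.Println("after registration: ", Verify(cert, la.Public(), reg))
	reg.Revoke("sensor-17")
	fmt.Println("after revocation:   ", Verify(cert, la.Public(), reg))
}
```

The point to take from the model is that the three checks in Verify are independent: a valid local-authority signature says nothing about revocation, and a "valid" registrar entry says nothing about who holds the key, so a relying party must perform all of them. A second local authority's key, or a tampered identity, fails the first check before the registrar is ever consulted.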

Notes

Acknowledgment

We thank Amaury Huot for his help in implementing the prototype web-based interface to LocalPKI certificates.


Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Jean-Guillaume Dumas (1)
  • Pascal Lafourcade (2)
  • Francis Melemedjian (3)
  • Jean-Baptiste Orfila (1)
  • Pascal Thoniel (3)

  1. Université Grenoble Alpes, CNRS, Laboratoire Jean Kuntzmann, Grenoble cedex 9, France
  2. University Clermont Auvergne, LIMOS, Aubière Cedex, France
  3. NTX Research SA, Paris, France
