EVLA: Extended-Validation Certificates with Location Assurance
Pages 73 - 79
Abstract
Transport Layer Security (TLS) is a de facto standard for secure communication over the Internet and other critical infrastructures. The trust model deployed in the TLS is based on digital certificates which contain signed assertions on bindings between identities and their public key. Such a certificate is issued by a trusted certification authority (CA) that verifies an identity-key binding during a certificate validation process. As different applications require different grades of security, CAs have introduced different types of certificates and validations. So-called, extended validation (EV) certificates are believed to be the most secure, as to issue such a certificate a CA has to conduct a rigorous identity verification procedure. However, it turns out that in practice such certificates may not provide any additional security, as it is challenging to check whether a CA indeed has verified an identity according to the procedure. In this paper, we consider how to add value to the security of EV certificates. We propose Extended-Validation Certificates with Location Assurance (EVLA), a blockchain-based system that increases the security of EV certificates through checking and asserting that a CA and a given entity indeed have met during the certification process. We discuss possible ways of realizing EVLA and their implications.
References
[1]
Let's Encrypt! "https://letsencrypt.org/".
[2]
3GPP. Functional stage 2 description of location services (lcs), 2015.
[3]
AbdelRahman Abdou, Ashraf Matrawy, and Paul Van Oorschot. Cpv: Delay-based location verification for the internet. IEEE Transactions on Dependable and Secure Computing, 2015.
[4]
AbdelRahman Abdou and Paul C Van Oorschot. Server location verification (slv) and server location pinning: Augmenting tls authentication. ACM Transactions on Privacy and Security (TOPS), 21(1):1, 2018.
[5]
Hadi Asghari, Michel Van Eeten, Axel Arnbak, and Nico ANM van Eijk. Security economics in the https value chain. 2013.
[6]
Henry Birge-Lee, Yixin Sun, Annie Edmundson, Jennifer Rexford, and Prateek Mittal. Bamboozling certificate authorities with $$BGP$$. In 27th USENIX Security Symposium (USENIX Security 18). USENIX Association.
[7]
Claude Castelluccia, Mohamed Ali Kaafar, Pere Manils, and Daniele Perito. Geolocalization of proxied services and its application to fast-flux hidden servers. In Proceedings of the 9th ACM SIGCOMM conference on Internet measurement, pages 184--189. ACM, 2009.
[8]
Adam Caudill. Looking for value in ev certificates, 2017.
[9]
D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. Housley, and W. Polk. Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. RFC 5280 (Proposed Standard), May 2008.
[10]
T. Dierks and E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246 (Proposed Standard), August 2008.
[11]
Chris Evans, Chris Palmer, and Ryan Sleevi. Public Key Pinning Extension for HTTP. RFC 7469, April 2015.
[12]
CA/Browser Forum. Guidelines for the issuance and management of extended validation certificates, 2017.
[13]
Artyom Gavrichenkov. Breaking https with bgp hijacking. Black Hat. Briefings, 2015.
[14]
Bamba Gueye, Artur Ziviani, Mark Crovella, and Serge Fdida. Constraint-based geolocation of internet hosts. IEEE/ACM Transactions on Networking (TON), 14(6):1219--1232, 2006.
[15]
Josef Gustafsson, Gustaf Overier, Martin Arlitt, and Niklas Carlsson. A first look at the ct landscape: Certificate transparency logs in practice. In International Conference on Passive and Active Network Measurement, pages 87--99. Springer, 2017.
[16]
Ryan Hurst. How to tell dv and ov certificates apart, 2012.
[17]
Collin Jackson and Adam Barth. Beware of finer-grained origins. In In Web 2.0 Security and Privacy (W2SP 2008), 2008.
[18]
Antoine Delignat-Lavaud Karthikeyan Bhargavan and Nadim Kobeissi. Formal modeling and verification for domain validation and acme. In Financial Cryptography and Data Security (FC), 2017.
[19]
Tiffany Hyun-Jin Kim, Virgil Gligor, and Adrian Perrig. Geopki: Converting spatial trust into certificate trust. In European Public Key Infrastructure Workshop, pages 128--144. Springer, 2012.
[20]
Ben Laurie, Adam Langley, and Emilia Kasper. Certificate Transparency. RFC 6962, June 2013.
[21]
Satoshi Nakamoto. Bitcoin: A peer-to-peer electronic cash system, 2008.
[22]
Devon O'Brien, Ryan Sleevi, and Emily Stark. Distrust of the symantec pki: Immediate action needed by site operators, 2018.
[23]
Gustaf Ouvrier, Michel Laterman, Martin Arlitt, and Niklas Carlsson. Characterizing the https trust landscape: a passive view from the edge. IEEE Communications Magazine, 55(7), 2017.
[24]
Ryan Sleevi et al. On the value of ev, 2017.
[25]
Stephan Somogyi and Adam Eijdenberg. Improved digital certificate security, 2015.
[26]
Jo Van Bulck, Marina Minkin, Ofir Weisse, Daniel Genkin, Baris Kasikci, Frank Piessens, Mark Silberstein, Thomas F Wenisch, Yuval Yarom, and Raoul Strackx. Foreshadow: Extracting the keys to the intel sgx kingdom with transient out-of-order execution. In 27th USENIX Security Symposium, pages 991--1008, 2018.
[27]
Shu Wang, Jungwon Min, and Byung K Yi. Location based services for mobiles: Technologies and standards. In IEEE international conference on communication (ICC), volume 19, 2008.
[28]
Yong Wang, Daniel Burgener, Marcel Flores, Aleksandar Kuzmanovic, and Cheng Huang. Towards street-level client-independent ip geolocation. In NSDI, volume 11, pages 27--27, 2011.
[29]
Gavin Wood. Ethereum: A secure decentralised generalised transaction ledger. Ethereum Project Yellow Paper, 151, 2014.
[30]
Der-Yeuan Yu, Aanjhan Ranganathan, Ramya Jayaram Masti, Claudio Soriente, and Srdjan Capkun. Salve: server authentication with location verification. In Proceedings of the 22nd Annual International Conference on Mobile Computing and Networking, pages 401--414. ACM, 2016.
[31]
Der-Yeuan Yu, Elizabeth Stobert, David Basin, and Srdjan Capkun. Exploring website location as a security indicator. arXiv preprint arXiv:1610.03647, 2016.
Index Terms
- EVLA: Extended-Validation Certificates with Location Assurance
Recommendations
An End-to-End Measurement of Certificate Revocation in the Web's PKI
IMC '15: Proceedings of the 2015 Internet Measurement ConferenceCritical to the security of any public key infrastructure (PKI) is the ability to revoke previously issued certificates. While the overall SSL ecosystem is well-studied, the frequency with which certificates are revoked and the circumstances under which ...
Measuring and Applying Invalid SSL Certificates: The Silent Majority
IMC '16: Proceedings of the 2016 Internet Measurement ConferenceSSL and TLS are used to secure the most commonly used Internet protocols. As a result, the ecosystem of SSL certificates has been thoroughly studied, leading to a broad understanding of the strengths and weaknesses of the certificates accepted by most ...
Impact of post-quantum hybrid certificates on PKI, common libraries, and protocols
In this work, we assessed the impact of post-quantum (PQ) cryptography on public key infrastructure (PKI). First, we modified a commercially available certification authority (CA) to issue 'hybrid' certificates (X.509 certificates with PQ extensions). ...
Comments
Please enable JavaScript to view thecomments powered by Disqus.Information & Contributors
Information
Published In
July 2019
134 pages
ISBN:9781450367868
DOI:10.1145/3327960
- Program Chairs:
- Keke Gai,
- Kim-Kwang Raymond Choo,
- Debiao He,
- Sheng Wen
Copyright © 2019 ACM.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 02 July 2019
Check for updates
Author Tags
Qualifiers
- Research-article
Funding Sources
- SUTD
Conference
Asia CCS '19
Sponsor:
Asia CCS '19: ACM Asia Conference on Computer and Communications Security
July 8, 2019
Auckland, New Zealand
Acceptance Rates
BSCI '19 Paper Acceptance Rate 44 of 12 submissions, 367%;
Overall Acceptance Rate 44 of 12 submissions, 367%
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 142Total Downloads
- Downloads (Last 12 months)7
- Downloads (Last 6 weeks)4
Reflects downloads up to 24 Sep 2024
Other Metrics
Citations
View Options
Get Access
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in