TY - GEN
T1 - Elaphurus
T2 - 15th International Conference on Information Security and Cryptology, Inscrypt 2019
AU - Li, Bingyu
AU - Wang, Wei
AU - Meng, Lingjia
AU - Lin, Jingqiang
AU - Liu, Xuezhong
AU - Wang, Congli
N1 - Publisher Copyright:
© 2020, Springer Nature Switzerland AG.
PY - 2020
Y1 - 2020
N2 - Recent security incidents indicate that certificate authorities (CAs) might be compromised to sign certificates with fraudulent information. The fraudulent certificates are exploited to launch successful TLS man-in-the-middle (MitM) attacks, even when TLS clients strictly verify the server certificates. Various security-enhanced certificate verification schemes have been proposed to defend against fraudulent certificates, such as Pinning, CAge, CT, DANE, and DoubleCheck. However, none of the above schemes perfectly solves the problem, which hinders them from being widely deployed. This paper analyzes these schemes in terms of security, usability and performance. Based on the analysis, we propose Elaphurus, an integrated security-enhanced certificate verification scheme on the TLS client side. Elaphurus is designed on top of Pinning, while integrating other schemes to eliminate their disadvantages and improving the overall security and usability. We implement the prototype system with OpenSSL. Experimental results show that it introduces a reasonable overhead, while effectively enhancing the security of certificate verification.
AB - Recent security incidents indicate that certificate authorities (CAs) might be compromised to sign certificates with fraudulent information. The fraudulent certificates are exploited to launch successful TLS man-in-the-middle (MitM) attacks, even when TLS clients strictly verify the server certificates. Various security-enhanced certificate verification schemes have been proposed to defend against fraudulent certificates, such as Pinning, CAge, CT, DANE, and DoubleCheck. However, none of the above schemes perfectly solves the problem, which hinders them from being widely deployed. This paper analyzes these schemes in terms of security, usability and performance. Based on the analysis, we propose Elaphurus, an integrated security-enhanced certificate verification scheme on the TLS client side. Elaphurus is designed on top of Pinning, while integrating other schemes to eliminate their disadvantages and improving the overall security and usability. We implement the prototype system with OpenSSL. Experimental results show that it introduces a reasonable overhead, while effectively enhancing the security of certificate verification.
KW - Certificate
KW - Certificate transparency (CT)
KW - DNS-based authentication of named entities (DANE)
KW - Pinning
KW - TLS
UR - https://www.scopus.com/pages/publications/85085258546
U2 - 10.1007/978-3-030-42921-8_14
DO - 10.1007/978-3-030-42921-8_14
M3 - 会议稿件
AN - SCOPUS:85085258546
SN - 9783030429201
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 246
EP - 259
BT - Information Security and Cryptology - 15th International Conference, Inscrypt 2019, Revised Selected Papers
A2 - Liu, Zhe
A2 - Yung, Moti
PB - Springer
Y2 - 6 December 2019 through 8 December 2019
ER -