Measuring and Improving Management of Today's PKI - UMD - April 2016

PI(s): David Levin
Researchers: Frank Cangialosi (UMD, undergraduate)

PROJECT OVERVIEW

Authentication allows a user to know, when they go to a website, that they are truly communicating with whom they expect, and not an impersonator. This critical property is made possible with a set of cryptographic and networking protocols collectively referred to as a public key infrastructure (PKI). While online use of the PKI is mostly automated, there is a surprising amount of human intervention in management tasks that are crucial to its proper operation. This project studies the following questions: Are administrators doing what users of the Web need them to do in order to ensure security? And, how can we help facilitate or automate these tasks?

We are performing internet-wide measurements of how online certificates are actively being managed, including how quickly and thoroughly administrators revoke their certificates after a potential key compromise, and what role third-party hosting services play. In particular, we find that CDNs (content distribution networks)—which serve content for many of the most popular websites—appear to have access to content providers' private keys, violating the fundamental assumption of PKIs (i.e., no one shares their private keys).  We are performing the first widespread analyses of the extent to which websites are sharing their private keys, and exploring what impact this has on the management of the PKI and on users' privacy and security in general.

HARD PROBLEM(S) ADDRESSED

Metrics; Human Behavior.

ACCOMPLISHMENT HIGHLIGHTS

• We performed an analysis of the certificates on the Web's PKI that are invalid, and find that invalid certicicates (that fail to verify for popular browsers and operating systems by default) constitute 80-90% of all certificates on the publicly reachable Web. We have developed techniques that allow us to better understand the proliferation of these certificates. Also, by leveraging the observation that some features of a certificate form a unique identifer, we are able to use multiple datasets over a long period of time to track where hosts move geographically, how IP addresses are reassigned, and so on. We have preliminary results in each of these applications.
• We refined our techniques for detecting who is managing a company's certificates, and our techniques for determining when two domains correspond to the same company.  We have optimized our implementation that solves the "domain equivalence problem" in order to run it on all pairs of domains in our dataset.

COMMUNITY INTERACTION

This quarter, Levin presented the results to groups of graduate and undergraduate students at UMD, as well as students and faculty at several other universities.