Measuring and Improving Management of Today's PKI - UMD - April 2017
PI(s): David Levin
Researchers: Frank Cangialosi (former UMD undergraduate; now a graduate student at MIT)
PROJECT OVERVIEW
Authentication allows a user to know, when they go to a website, that they are truly communicating with whom they expect, and not an impersonator. This critical property is made possible with a set of cryptographic and networking protocols collectively referred to as a public key infrastructure (PKI). While online use of the PKI is mostly automated, there is a surprising amount of human intervention in management tasks that are crucial to its proper operation. This project studies the following questions: Are administrators doing what users of the Web need them to do in order to ensure security? And, how can we help facilitate or automate these tasks?
We are performing internet-wide measurements of how online certificates are actively being managed, including how quickly and thoroughly administrators revoke their certificates after a potential key compromise, and what role third-party hosting services play. In particular, we find that CDNs (content distribution networks)—which serve content for many of the most popular websites—appear to have access to content providers' private keys, violating the fundamental assumption of PKIs (i.e., no one shares their private keys). We are performing the first widespread analyses of the extent to which websites are sharing their private keys, and exploring what impact this has on the management of the PKI and on users' privacy and security in general.
HARD PROBLEM(S) ADDRESSED
Metrics; Human Behavior.
ACCOMPLISHMENT HIGHLIGHTS
Pushing revocations to all browsers: Browsers must periodically download revocation information from CAs, or else the efforts on behalf of website administrators would be wasted. Unfortunately, browser developers are reluctant to do this, as it consumes bandwidth and potentially increases page load times. We have developed techniques for more efficiently disseminating revocation information. Included in our design is a novel data structure called a cascading Bloom Filter, which yields extremely compact representations of all certificates on the web with zero false positives. Over this quarter, we have improved this data structure by rigorously analyzing its expected size, and minimizing it through a clever parameterization of each level's false positive rate (the final level has no false positives). Our results show that we are able to represent all 12M certificate revocations and roughly 30M non-revoked certificates in approximately 10MB — less than 7 bits per revocation. By comparison, Google's CRLSet uses 100 bits per revocation, and Mozilla's OneCRL uses 1990 bits per revocation. Moreover, our daily "delta updates" require on average only 580KB per day (by comparison, the average website is approximately 2.5MB). This work demonstrates that it is now worthwhile to reinvestigate the trade-offs of complete and universal delivery of revocation information.
This paper has been accepted to appear in IEEE Security & Privacy 2017.
A longitudinal study of DNSSEC: A fundamental building block of online communication is the Domain Name Service (DNS), which maps between human-understandable domain names (like cs.umd.edu) and Internet-routable IP addresses (128.8.127.30). If this mapping is not delivered with integrity, then attackers can compromise communication at its onset. DNSSEC seeks to add integrity and authenticity to DNS through an in-band PKI.
We have performed the first large-scale, longitudinal measurement study into how well DNSSEC’s PKI is managed. We use data from all DNSSEC-enabled subdomains under the .com, .org, and .net TLDs for 21 months to analyze DNSSEC deployment and management by domains; we supplement this with active measurements of more than 59K DNS resolvers worldwide to evaluate resolver-side validation.
Our investigation reveals pervasive mismanagement of the DNSSEC infrastructure, including: 31% of domains that support DNSSEC fail to publish all relevant records required for validation; 39% of the domains use insufficiently strong key-signing keys; and although 82% of resolvers in our study request DNSSEC records, only 12% of them attempt to actually validate them. These results highlight systemic problems that motivate improved automation and auditing of DNSSEC management.
This work is under submission to USENIX Security 2017.
The Internet's PKI: Finally, we have begun to study the PKI underlying Internet routing, as used in the Border Gateway Protocol (BGP). Compared to the other PKIs we have studied, it occupies a unique point in the space, in that it is decentralized and largely unstructured. This work is still in an exploratory stage.
COMMUNITY INTERACTION
This quarter, Levin presented the results to groups of graduate students at UMD. Levin also presented results to international collaborators in Amman, Jordan, most recently at the University of Jordan. Finally, Levin presented the work to the NSA Laboratory for Telecommunication Science (LTS).
Our data and code for this study are publicly available on our project website, https://securepki.org