RITM: Revocation in the Middle

Although TLS is used on a daily basis by many critical applications, the public-key infrastructure that it relies on still lacks an adequate revocation mechanism. An ideal revocation mechanism should be inexpensive, efficient, secure, and privacy-preserving. Moreover, rising trends in pervasive encryption pose new scalability challenges that a modern revocation system should address. In this paper, we investigate how network nodes can deliver certificate-validity information to clients. We present RITM, a framework in which middleboxes (as opposed to clients, servers, or certification authorities) store revocation-related data. RITM provides a secure revocation-checking mechanism that preserves user privacy. We also propose to take advantage of content-delivery networks (CDNs) and argue that they would constitute a fast and cost-effective way to disseminate revocations. Additionally, RITM keeps certification authorities accountable for the revocations that they have issued, and it minimizes overhead at clients and servers, as they have to neither store nor download any messages. We also describe feasible deployment models and present an evaluation of RITM to demonstrate its feasibility and benefits in a real-world deployment.
