TwinPeaks: A new approach for certificateless public key distribution

The current PKI has problems such as certificate revocation and fraudulent certificates. To address these issues, we propose TwinPeaks, a new infrastructure for distributing the public keys of named entities online. TwinPeaks leverages certificateless public key cryptography (CL-PKC), which we extend so that the public key of an entity depends on any combination of its networking parameters; TwinPeaks can thus mitigate spoofing attacks systematically. TwinPeaks needs public key servers, which form a DNS-like hierarchical tree. For each parent-child link in the tree, the parent and the child interact in such a way that every named entity has its own public/secret key pair. TwinPeaks removes certificates and hence has no revocation overhead. Instead, each named entity should keep its IP address up to date in its DNS server and its public key up to date in its key server. TwinPeaks also achieves scalable distribution of public keys, since public keys can be cached long term without elevating security risks.
