Tiffany Hyun-Jin Kim
ABSTRACT
In today's Internet, authenticating online entities is challenging since people lack the real-world cues upon which to base their context-dependent trust decisions. For example, how can a user confirm that a Facebook invitation truly originates from the claimed sender, as anyone can trivially set up a bogus online identity with someone else's photo? Given an SSL certificate warning, how can a user validate it be- fore proceeding, as the certificate could be legitimate (e.g., the certificate is signed by a legitimate authority that the browser does not recognize) or malicious (e.g., it is signed by a compromised CA)? This talk demonstrates that providing useful evidence can empower users to make informed context-dependent trust decisions regarding previously unknown entities in the context of identity and public-key authentication. We first introduce an identity authentication logic called RelationGram that visualizes interpersonal tie strength of virtual entities using both physical and social proximities [2,4]. RelationGram enables casual users to authenticate online identities in a safe and easy manner, and build trust in previously unknown online entities. We then introduce new public-key validation proposals called Accountable Key Infrastructure (AKI) [3] and Attack Resilient Public-Key Infrastructure (ARPKI) [1] that reduce the amount of trust in any single entity to improve the resilience of the current PKI systems. AKI and ARPKI support trust agility such that entities select a security policy for their public-key certificates, and checks and balances such that entities monitor each other for misbehavior and prevent a single point of failure. When users are given pieces of evidence to which they can easily relate, they can make context-dependent authentication decisions online and build trust in online entities. As concluding remarks, we highlight some of the remaining challenges and future research directions to truly empower users to make informed trust decisions.
- D. Basin, C. Cremers, T. H.-J. Kim, A. Perrig, R. Sasse, and P. Szalachowski. ARPKI: Attack-Resilient Public-Key Infrastructure. In Proceedings of the ACM Conference on Computer and Communications Security (CCS), 2014. Google Scholar
Digital Library
- T. H.-J. Kim, V. Gligor, J. Guajardo, J. Hong, and A. Perrig. Soulmate or Acquaintance? Visualizing Tie Strength for Trust Inference. In Proceedings of the Workshop on Usable Security (USEC), 2013.Google Scholar
- T. H.-J. Kim, L.-S. Huang, A. Perrig, C. Jackson, and V. Gligor. Accountable Key Infrastructure (AKI): A Proposal for a Public-Key Validation Infrastructure. In Proceedings of the International World Wide Web Conference (WWW), May 2013. Google ScholarDigital Library
- T. H.-J. Kim, A. Yamada, V. Gligor, J. I. Hong, and A. Perrig. RelationGram: Tie-Strength Visualization for User-Controlled Online Identity Authentication. In Proceedings of the Financial Cryptography and Data Security, 2013.Google ScholarCross Ref
Index Terms
- Challenges of Establishing Trust in Online Entities and Beyond
Recommendations
Accountable key infrastructure (AKI): a proposal for a public-key validation infrastructure
WWW '13: Proceedings of the 22nd international conference on World Wide WebRecent trends in public-key infrastructure research explore the tradeoff between decreased trust in Certificate Authorities (CAs), resilience against attacks, communication overhead (bandwidth and latency) for setting up an SSL/TLS connection, and ...
Breaking yum and lee generic constructions of certificate-less and certificate-based encryption schemes
EuroPKI 2006: Proceedings of the Third European conference on Public Key Infrastructure: theory and PracticeIdentity-based public key cryptography is aimed at simplifying the management of certificates in traditional public key infrastructures by means of using the identity of a user as its public key. The user must identify itself to a trusted authority in ...
Eliminating counterevidence with applications to accountable certificate management
This paper presents a method to increase the accountability of certificate management by making it intractable for the certification authority (CA) to create contradictory statements about the validity of a certificate. The core of the method is a new ...
Comments