nach oben

Erschienen in:

2021 | OriginalPaper | Buchkapitel

Exploring the Security Issues of Trusted CA Certificate Management

verfasst von : Yanduo Fu, Qiongxiao Wang, Jingqiang Lin, Aozhuo Sun, Linli Lu

Erschienen in: Information and Communications Security

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Public Key Infrastructure (PKI) is widely used in security protocols, and the root certification authority (CA) plays a role as the trust anchor of PKI. However, as researches show, not all root CAs are trustworthy and malicious CAs might issue fraudulent certificates, which can cause Man-in-the-Middle attacks and eavesdropping attacks. Besides, massive CAs and CA certificates make it hard for users to manage the CA certificates by themselves. Though PKI applications generally provide the implementation of trusted CA certificate management (called CA manager in this paper) to store, manage, and verify CA certificates, security incidents still exist, and a malicious CA certificate can damage the entire security. This work explores the security issues of CA managers for three popular operating systems and eight applications installed on them. We make a systematic analysis of the CA managers, such as the modification of the certificate trust list, the source of trust, and the security check of the CA certificates, and propose the functionalities that a CA manager should have. Our work shows that all CA managers we analyzed have security issues, e.g., silent addition of CA certificates, inefficient validation on CA certificates, which will result in insecure CA certificates being falsely trusted. We also make some suggestions on the security enhancement for CA managers.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel Improving Convolutional Neural Network-Based Webshell Detection Through Reinforcement Learning

Nächstes Kapitel Effective Anomaly Detection Model Training with only Unlabeled Data by Weakly Supervised Learning Techniques

Alsaid, A., Mitchell, C.J.: Installing fake root keys in a PC. In: Chadwick, D., Zhao, G. (eds.) EuroPKI 2005. LNCS, vol. 3545, pp. 227–239. Springer, Heidelberg (2005). https://doi.org/10.1007/11533733_16CrossRef

Sloppy Security Software Exposes Dell Laptop to Hackers — Laptop Mag. https://www.laptopmag.com/articles/dell-certificate-security-flaw

Superfish - Wikipedia. https://en.wikipedia.org/wiki/Superfish

Braun, J., Volk, F., Classen, J., Buchmann, J., Mühlhäuser, M.: CA trust management for the web PKI. J. Comput. Secur. 22(6), 913–959 (2014)CrossRef

de Carnavalet, X.D.C., Mannan, M.: Killed by proxy: analyzing client-end tls interception software. In: Network and Distributed System Security Symposium (2016)

Chung, T., et al.: Measuring and applying invalid ssl certificates: the silent majority. In: IMC (2016)

Durumeric, Z., Kasten, J., Bailey, M., Halderman, J.A.: Analysis of the https certificate ecosystem. In: IMC (2013)

Durumeric, Z., et al.: The security impact of https interception. In: NDSS (2017)

Krombholz, K., Mayer, W., Schmiedecker, M., Weippl, E.: " I have no idea what i’m doing”-on the usability of deploying \(\{\)HTTPS\(\}\). In: 26th \(\{\)USENIX\(\}\) Security Symposium (\(\{\)USENIX\(\}\) Security 17) (2017)

10.

Li, B., et al.: Certificate transparency in the wild: exploring the reliability of monitors. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (2019)

11.

Li, B., Lin, J., Wang, Q., Wang, Z., Jing, J.: Locally-centralized certificate validation and its application in desktop virtualization systems. IEEE Trans. Inf. Forensics Secur. 16, 1380–1395 (2020)CrossRef

12.

Li, B., Wang, W., Meng, L., Lin, J., Liu, X., Wang, C.: Elaphurus: ensemble defense against fraudulent certificates in TLS. In: Liu, Z., Yung, M. (eds.) Inscrypt 2019. LNCS, vol. 12020, pp. 246–259. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-42921-8_14CrossRef

13.

Perl, H., Fahl, S., Smith, M.: You won’t be needing these any more: on removing unused certificates from trust stores. In: Christin, N., Safavi-Naini, R. (eds.) FC 2014. LNCS, vol. 8437, pp. 307–315. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45472-5_20CrossRef

14.

Adobe Approved Trust List members. https://helpx.adobe.com/acrobat/kb/approved-trust-list1.html, Accessed 30 Apr 2021

15.

Top 1 Million Analysis - March 2020. https://scotthelme.co.uk/top-1-million-analysis-march-2020/

16.

Apple Root Certificate Program. https://www.apple.com/certificateauthority/ca_program.html

17.

List of available trusted root certificates in macOS High Sierra. https://support.apple.com/en-us/HT208127, Accessed 11 May 2021

18.

About System Integrity Protection on your Mac. https://support.apple.com/en-us/HT204899

19.

Certificate Contents for Baseline SSL - CAB Forum. https://cabforum.org/baseline-requirements-certificate-contents/

20.

CA/Browser Forum - CAB Forum. https://cabforum.org/

21.

Censys. https://censys.io/certificates?q=, Accessed 30 Apr 2021

22.

ETSI - Welcome to the World of Standards!. https://www.etsi.org/

23.

European Union Trusted Lists. https://helpx.adobe.com/document-cloud/kb/european-union-trust-lists.html, Accessed 30 Apr 2021

24.

MICROSOFT Included CA Certificate List. https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFT, Accessed 30 Apr 2021

25.

Program Requirements - Microsoft Trusted Root Program. https://docs.microsoft.com/en-us/security/trusted-root/program-requirements

26.

MOZILLA Included CA Certificate List. https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReport, Accessed 30 Apr 2021

27.

Mozilla Root Store Policy-Mozilla. https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/, Accessed 1 May 2021

28.

Why Does Mozilla Maintain Our Own Root Certificate Store? - Mozilla Security Blog. https://blog.mozilla.org/security/2019/02/14/why-does-mozilla-maintain-our-own-root-certificate-store/

29.

StatCounter Global Stats - Browser, OS, Search Engine including Mobile Usage Share. https://gs.statcounter.com/, Accessed 30 Apr 2021

30.

Principles and criteria and practitioner guidance. https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/principles-and-criteria

31.

Root CA Certificate: When you shouldn’t trust a trusted root certificate — Malwarebytes Labs. https://blog.malwarebytes.com/security-world/technology/2017/11/when-you-shouldnt-trust-a-trusted-root-certificate/

32.

Vallina-Rodriguez, N., Amann, J., Kreibich, C., Weaver, N., Paxson, V.: A tangled mass: the android root certificate stores. In: Proceedings of the 10th ACM International on Conference on emerging Networking Experiments and Technologies (2014)

Titel: Exploring the Security Issues of Trusted CA Certificate Management
verfasst von: Yanduo Fu
Qiongxiao Wang
Jingqiang Lin
Aozhuo Sun
Linli Lu
Verlag: Springer International Publishing
Buch: Information and Communications Security
Print ISBN: 978-3-030-86889-5

Electronic ISBN: 978-3-030-86890-1

Copyright-Jahr: 2021
DOI: https://doi.org/10.1007/978-3-030-86890-1_22

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner