Cryptology ePrint Archive: Report 2016/126

Server Notaries: A Complementary Approach to the Web PKI Trust Model

Emre Yüce and Ali Aydın Selçuk

Abstract: SSL/TLS is the de facto protocol for providing secure communication over the Internet. It relies on the Web PKI model for authentication and secure key exchange. Despite its relatively successful past, the number of Web PKI incidents observed have increased recently. These incidents revealed the risks of forged certificates issued by certificate authorities without the consent of the domain owners. Several solutions have been proposed to solve this problem, but no solution has yet received widespread adaption due to complexity and deployability issues. In this paper, we propose a practical mechanism that enables servers to get their certificate views across the Internet, making detection of a certificate substitution attack possible. The origin of the certificate substitution attack can also be located by this mechanism. We have conducted simulation experiments and evaluated our proposal using publicly available, real-world BGP data. We have obtained promising results on the AS-level Internet topology.

Category / Keywords: applications / Web PKI, SSL/TLS, man-in-the-middle attack, notary

Date: received 11 Feb 2016

Contact author: emreyuce2003 at gmail com

Available format(s): PDF | BibTeX Citation

Version: 20160214:005757 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]