Cryptology ePrint Archive: Report 2016/452

Secure Logging Schemes and Certificate Transparency

Benjamin Dowling and Felix GŁnther and Udyani Herath and Douglas Stebila

Abstract: Since hundreds of certificate authorities (CAs) can issue browser-trusted certificates, it can be difficult for domain owners to detect certificates that have been fraudulently issued for their domain. Certificate Transparency (CT) is a recent standard by the Internet Engineering Task Force (IETF) that aims to construct public logs of all certificates issued by CAs, making it easier for domain owners to monitor for fraudulently issued certificates. To avoid relying on trusted log servers, CT includes mechanisms by which monitors and auditors can check whether logs are behaving honestly or not; these mechanisms are primarily based on Merkle tree hashing and authentication proofs. Given that CT is now being deployed, it is important to verify that it achieves its security goals.

In this work, we define four security properties of logging schemes such as CT that can be assured via cryptographic means, and show that CT does achieve these security properties. We consider two classes of security goals: those involving security against a malicious logger attempting to present different views of the log to different parties or at different points in time, and those involving security against malicious monitors who attempt to frame an honest log for failing to include a certificate in the log. We show that Certificate Transparency satisfies these security properties under various assumptions on Merkle trees all of which reduce to collision resistance of the underlying hash function (and in one case with the additional assumption of unforgeable signatures).

Category / Keywords: applications / Certificate Transparency; public key infrastructures (PKI); logging schemes; Merkle trees

Original Publication (with major differences): ESORICS 2016

Date: received 9 May 2016, last revised 23 Sep 2016

Contact author: stebilad at mcmaster ca

Available format(s): PDF | BibTeX Citation

Note: Full version of paper in proceedings of ESORICS 2016.

Version: 20160923:181113 (All versions of this report)

Short URL: ia.cr/2016/452

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]