CERTIFICATE TRANSPARENCY

What is certificate transparency?Mistakenly issued certificates have been

used by hackers for malicious attacks that have dire consequences, but the fallout after mitigation can be far ranging and harmful, too

Figure 1

What is certificate transparency? (cont.) Modern cryptography isn’t enough for

detecting malicious websites Certificates should be public record so that

you can see what CAs are asserting about your organization

Publically verifiable certificate append-only logs

Certificate Transparency to the rescueHere three things are kept in mind-

1. No illegal issuance of certificate for a domain without being detected

2. Open auditing and monitoring system

3. Protection of users from fake website certificates

Certificate Transparency to the rescue (cont.)An open framework for monitoring the TLS/SSL certificate system and auditing specific TLS/SSL certificates Three main components – 1. Certificate logs2. Monitors3. Auditors

Figure 2

Certificate Transparency to the rescue (cont.)

Fewer Missteps, Safer Browsing

Figure 3

How it WorksBasic log features:

At the center of the Certificate Transparency system lie certificate logs

A simple network service that maintains a record of SSL certificates

Append-onlyCryptographically assuredPublically auditableappend-only nature of a log allows it to use

a special type of cryptographic hash (Merkley’s Hash) to prove that it’s not corrupt

How it Works (cont.)Basic log operations:

Anyone can submit a certificate to a log

When someone submits a valid certificate to a log, the log responds with a signed certificate timestamp (SCT)

a TLS server must deliver the SCT with the certificate during the TLS handshake

How it Works (cont.)Basic log operations: Certificate

Transparency supports three methods for delivering an SCT with a certificate, namely-

1. X.509v3 Extension2. TLS(Transport Layer Security) Extension3. OCSP(Online Certificate Status Protocol ) Stapling

Figure 4

How it Works (cont.)Basic log operations:

Figure 5

How it Works (cont.)Basic Monitor and Auditor Operations: Monitors watch for suspicious certificates in logs,

such as illegitimate or unauthorized certificates, unusual certificate extensions, or certificates with strange permissions

verify that all logged certificates are visible in the log Auditors verify the overall integrity of logs also verify whether a particular certificate appears in

a log - they do this by periodically fetching and verifying log proofs

To facilitate verification of consistency of logs, auditors and monitors exchange information about logs through a gossip protocol

How Log Proofs works? Special cryptographic

mechanism, known as a Merkle hash tree, is a simple binary tree consisting of hashed leaves and nodes

When the log server signs the Merkle tree hash (along with other information) it’s known as the signed tree head (STH)

When log is appended, a new hash is calculated which is combined with old hash to make a new one. This is then again signed with a new STH

Figure 6

How Log Proofs works? (cont.)Merkle hash trees make it possible for a log to prove two things very efficiently and quickly:

That all certificates have been consistently appended to the log

That a particular certificate has been appended to the log

A log does this by providing two cryptographic proofs:

Merkle consistency proof Merkle audit proof

Merkle consistency proofA Merkle consistency proof lets you verify that any two versions of a log are consistent The consistency proof is the minimum set of intermediate node hashes you need to compute these two things – 1. verify that the old Merkle tree hash

is a subset of the new Merkle tree hash

2. verify that the new Merkle tree hash is the concatenation of the old Merkle tree hash plus all the intermediate node hashes of the newly appended certificates

Figure 7

Merkle consistency proof (cont.)

Figure 8

Merkle consistency proof (cont.)In this case, the consistency proof consists of the following intermediate node hashes: k, l, and m (see figure 8).

Use k and m to create the old Merkle tree hash, thereby verifying that the old tree exists and is unchanged

Then you can use l with k to create n, and then use n with m to create the new Merkle tree hash for the log

If your computed Merkle tree hash matches the one advertised by the log, then you know the log is consistent

Merkle Audit Proofs

Figure 9

Audit proofs is to verify that a specific certificate is included in a log

Certificate Transparency model demands that all TLS clients reject any certificates that do not show up in a certificate log (a critical task)

Merkle Audit Proofs (cont.)In this case, the Merkle audit proof consists of the following node hashes: c, i, n (see figure 9)

Because you already know d, you can use c to compute j

You can then use i and j to compute m, and

you can use n and m to compute the Merkle tree hash for the log

If a Merkle audit proof fails to produce a root hash that matches the Merkle tree hash, it means the certificate is not in the log

Figure 9

Benefits and AdvantagesGradual rollout: Certificate Transparency does not

have to be adopted by every certificate authority (CA) and every TLS client to be useful or effective

Minimal Impact to Existing Infrastructure: It doesn’t require any significant change to a CA’s current business model

Expanded Service Offerings for CAs: It gives CAs the opportunity to provide several new services to their customers

Better Industry Conformance and Oversight: It makes it easier for CAs to monitor their own certificates and certificate operations

Flexible and Extensible Framework: Extendable to various types of security verification

Comparison with other Technologies

NSC (No side-channels)IR (Instant recovery from loss of key)GA (Detects Global Attack)TA (Detects targeted attack)NTTP (No trusted third parties)IS (Instant start-up)US (Unmodified Servers)

THANK YOU