certificate transparency
DESCRIPTION
This is a new technique used by google to ensure better security than dnssecTRANSCRIPT
CERTIFICATE TRANSPARENCY
What is certificate transparency?Mistakenly issued certificates have been
used by hackers for malicious attacks that have dire consequences, but the fallout after mitigation can be far ranging and harmful, too
Figure 1
What is certificate transparency? (cont.) Modern cryptography isn’t enough for
detecting malicious websites Certificates should be public record so that
you can see what CAs are asserting about your organization
Publically verifiable certificate append-only logs
Certificate Transparency to the rescueHere three things are kept in mind-
1. No illegal issuance of certificate for a domain without being detected
2. Open auditing and monitoring system
3. Protection of users from fake website certificates
Certificate Transparency to the rescue (cont.)An open framework for monitoring the TLS/SSL certificate system and auditing specific TLS/SSL certificates Three main components – 1. Certificate logs2. Monitors3. Auditors
Figure 2
Certificate Transparency to the rescue (cont.)
Fewer Missteps, Safer Browsing
Figure 3
How it WorksBasic log features:
At the center of the Certificate Transparency system lie certificate logs
A simple network service that maintains a record of SSL certificates
Append-onlyCryptographically assuredPublically auditableappend-only nature of a log allows it to use
a special type of cryptographic hash (Merkley’s Hash) to prove that it’s not corrupt
How it Works (cont.)Basic log operations:
Anyone can submit a certificate to a log
When someone submits a valid certificate to a log, the log responds with a signed certificate timestamp (SCT)
a TLS server must deliver the SCT with the certificate during the TLS handshake
How it Works (cont.)Basic log operations: Certificate
Transparency supports three methods for delivering an SCT with a certificate, namely-
1. X.509v3 Extension2. TLS(Transport Layer Security) Extension3. OCSP(Online Certificate Status Protocol ) Stapling
Figure 4
How it Works (cont.)Basic log operations:
Figure 5
How it Works (cont.)Basic Monitor and Auditor Operations: Monitors watch for suspicious certificates in logs,
such as illegitimate or unauthorized certificates, unusual certificate extensions, or certificates with strange permissions
verify that all logged certificates are visible in the log Auditors verify the overall integrity of logs also verify whether a particular certificate appears in
a log - they do this by periodically fetching and verifying log proofs
To facilitate verification of consistency of logs, auditors and monitors exchange information about logs through a gossip protocol
How Log Proofs works? Special cryptographic
mechanism, known as a Merkle hash tree, is a simple binary tree consisting of hashed leaves and nodes
When the log server signs the Merkle tree hash (along with other information) it’s known as the signed tree head (STH)
When log is appended, a new hash is calculated which is combined with old hash to make a new one. This is then again signed with a new STH
Figure 6
How Log Proofs works? (cont.)Merkle hash trees make it possible for a log to prove two things very efficiently and quickly:
That all certificates have been consistently appended to the log
That a particular certificate has been appended to the log
A log does this by providing two cryptographic proofs:
Merkle consistency proof Merkle audit proof
Merkle consistency proofA Merkle consistency proof lets you verify that any two versions of a log are consistent The consistency proof is the minimum set of intermediate node hashes you need to compute these two things – 1. verify that the old Merkle tree hash
is a subset of the new Merkle tree hash
2. verify that the new Merkle tree hash is the concatenation of the old Merkle tree hash plus all the intermediate node hashes of the newly appended certificates
Figure 7
Merkle consistency proof (cont.)
Figure 8
Merkle consistency proof (cont.)In this case, the consistency proof consists of the following intermediate node hashes: k, l, and m (see figure 8).
Use k and m to create the old Merkle tree hash, thereby verifying that the old tree exists and is unchanged
Then you can use l with k to create n, and then use n with m to create the new Merkle tree hash for the log
If your computed Merkle tree hash matches the one advertised by the log, then you know the log is consistent
Merkle Audit Proofs
Figure 9
Audit proofs is to verify that a specific certificate is included in a log
Certificate Transparency model demands that all TLS clients reject any certificates that do not show up in a certificate log (a critical task)
Merkle Audit Proofs (cont.)In this case, the Merkle audit proof consists of the following node hashes: c, i, n (see figure 9)
Because you already know d, you can use c to compute j
You can then use i and j to compute m, and
you can use n and m to compute the Merkle tree hash for the log
If a Merkle audit proof fails to produce a root hash that matches the Merkle tree hash, it means the certificate is not in the log
Figure 9
Benefits and AdvantagesGradual rollout: Certificate Transparency does not
have to be adopted by every certificate authority (CA) and every TLS client to be useful or effective
Minimal Impact to Existing Infrastructure: It doesn’t require any significant change to a CA’s current business model
Expanded Service Offerings for CAs: It gives CAs the opportunity to provide several new services to their customers
Better Industry Conformance and Oversight: It makes it easier for CAs to monitor their own certificates and certificate operations
Flexible and Extensible Framework: Extendable to various types of security verification
Comparison with other Technologies
NSC (No side-channels)IR (Instant recovery from loss of key)GA (Detects Global Attack)TA (Detects targeted attack)NTTP (No trusted third parties)IS (Instant start-up)US (Unmodified Servers)
THANK YOU