CNS Core: Large: Collaborative Research: Towards an Evolvable Public Key Infrastructure

CNS 核心：大型：协作研究：迈向可进化的公钥基础设施

• 批准号: 1900996
• 负责人: Bryan Parno
• 金额: $ 19.08万
• 依托单位: Carnegie-Mellon University
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2019
• 资助国家: 美国
• 起止时间: 2019-06-01 至 2024-05-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1900996&HistoricalAwards=false
• 关键词: CNS; Core; Large; Collaborative; Research

The importance of the Transport Layer Security (TLS) public key infrastructure (PKI) to the success of the Internet cannot be overstated. From social networking to banking, from mobile devices to cloud computing, the PKI allows communicating parties to be sure of whom they are communicating with, that their communication is confidential, and that their communication has not been tampered with. Despite its incredible importance, the PKI has been notoriously difficult to evolve to meet new security concerns and Internet demands. This project introduces new, deployable alternatives to key parts of the PKI to make it more evolvable, manageable, and secure.The project has three primary thrusts. The first introduces a key enabling technology behind the subsequent thrusts, called assertion-carrying certificates (ACCs). ACCs expand today's certificates with the capability of including a small amount of code (in the form of assertions) to be evaluated as part of the certificate validation process. The second thrust applies ACCs to enable certificate authorities to more readily evolve to new demands for certificate delegation and automated issuance. The third thrust applies ACCs and trusted execution environments to enable web-hosting services like content delivery networks to securely manage their customers' cryptographic keys.Correct operation of the PKI is paramount to ensuring a secure, authenticated Internet. Recent efforts have proven that progress towards a more secure PKI is possible, but a more fundamental focus is needed to address the underlying challenges. This project will do just that by developing a new, extensible approach to constraining when identities on the Internet should be trusted. This project will make it straightforward and safe to extend the basic abstractions offered by the PKI, thereby enabling it to evolve to meet changing trends.The project's code and data will be made publicly available and maintained at https://securepki.orgThis award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

运输层安全性（TLS）公共密钥基础架构（PKI）对互联网成功的重要性不能被夸大。 从社交网络到银行业，从移动设备到云计算，PKI允许沟通各方确定他们正在与谁交流，他们的交流是机密的，并且他们的交流尚未受到篡改。 尽管它的重要性令人难以置信，但众所周知，PKI很难发展，以满足新的安全问题和互联网需求。 该项目引入了PKI关键部分的新的，可部署的替代方案，以使其更具可变，可管理和安全性。该项目具有三个主要推力。 第一个引入了随后推力背后的关键促成技术，称为断言证书（ACC）。 ACCS扩展了今天的证书，其能力包括作为证书验证过程的一部分进行评估的少量代码（以断言的形式）。 第二个推力适用于ACC，使证书机构更容易地发展为证书委托和自动发行的新需求。 第三个推力应用ACC和值得信赖的执行环境来启用Web托管服务，例如内容交付网络，以安全地管理其客户的加密密钥。正确的PKI操作对于确保安全，身份验证的互联网至关重要。 最近的努力证明，朝着更安全的PKI取得进展是可能的，但是需要更根本的重点来应对潜在的挑战。 该项目将通过开发一种新的，可扩展的方法来限制何时应信任互联网上的身份。 该项目将使PKI提供的基本抽象变得直接且安全，从而使其能够发展以满足不断变化的趋势。该项目的代码和数据将在https：//securepki.orggi.orgki.orgthis奖上公开可用，并维护了NSF的法定任务，并反映了通过评估的构成群体的范围，该奖项反映了构成群体的范围。

项目成果

Transparency Dictionaries with Succinct Proofs of Correct Operation

具有正确操作的简洁证明的透明字典

• 发表时间: 2022
• 期刊: ISOC Conference on Network and Distributed System Security (NDSS
• 作者: Tzialla, Ioanna;Kothapalli, Abhiram;Parno, Bryan;Setty, Srinath
• 通讯作者: Setty, Srinath

CAPS: Smoothly Transitioning to a More Resilient Web PKI

CAPS：平稳过渡到更具弹性的 Web PKI

• DOI: 10.1145/3427228.3427284
• 发表时间: 2020
• 期刊: Annual Computer Security Applications Conference
• 作者: Matsumoto, Stephanos;Bosamiya, Jay;Dai, Yucheng;van Oorschot, Paul;Parno, Bryan
• 通讯作者: Parno, Bryan

Hammurabi: A Framework for Pluggable, Logic-Based X.509 Certificate Validation Policies

Hammurabi：可插入、基于逻辑的 X.509 证书验证策略框架

• DOI: 10.1145/3548606.3560594
• 发表时间: 2022
• 期刊: Proceedings of the ACM Conference on Computer and Communications Security (CCS
• 作者: Larisch, James;Aqeel, Waqar;Lum, Michael;Goldschlag, Yaelle;Kannan, Leah;Torshizi, Kasra;Wang, Yujie;Chung, Taejoong;Levin, Dave;Maggs, Bruce M.
• 通讯作者: Maggs, Bruce M.