CNS Core: Large: Collaborative Research: Towards an Evolvable Public Key Infrastructure

CNS 核心：大型：协作研究：迈向可进化的公钥基础设施

• 批准号: 1901325
• 负责人: David Levin
• 金额: $ 61.76万
• 依托单位: University of Maryland, College Park
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2019
• 资助国家: 美国
• 起止时间: 2019-06-01 至 2024-05-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1901325&HistoricalAwards=false
• 关键词: CNS; Core; Large; Collaborative; Research

The importance of the Transport Layer Security (TLS) public key infrastructure (PKI) to the success of the Internet cannot be overstated. From social networking to banking, from mobile devices to cloud computing, the PKI allows communicating parties to be sure of whom they are communicating with, that their communication is confidential, and that their communication has not been tampered with. Despite its incredible importance, the PKI has been notoriously difficult to evolve to meet new security concerns and Internet demands. This project introduces new, deployable alternatives to key parts of the PKI to make it more evolvable, manageable, and secure.The project has three primary thrusts. The first introduces a key enabling technology behind the subsequent thrusts, called assertion-carrying certificates (ACCs). ACCs expand today's certificates with the capability of including a small amount of code (in the form of assertions) to be evaluated as part of the certificate validation process. The second thrust applies ACCs to enable certificate authorities to more readily evolve to new demands for certificate delegation and automated issuance. The third thrust applies ACCs and trusted execution environments to enable web-hosting services like content delivery networks to securely manage their customers' cryptographic keys.Correct operation of the PKI is paramount to ensuring a secure, authenticated Internet. Recent efforts have proven that progress towards a more secure PKI is possible, but a more fundamental focus is needed to address the underlying challenges. This project will do just that by developing a new, extensible approach to constraining when identities on the Internet should be trusted. This project will make it straightforward and safe to extend the basic abstractions offered by the PKI, thereby enabling it to evolve to meet changing trends.The project's code and data will be made publicly available and maintained at https://securepki.orgThis award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

传输层安全 (TLS) 公钥基础设施 (PKI) 对互联网成功的重要性怎么强调都不为过。 从社交网络到银行业，从移动设备到云计算，PKI 使通信各方能够确定他们正在与谁通信、他们的通信是保密的、并且他们的通信没有被篡改。 尽管 PKI 极其重要，但众所周知，它很难发展以满足新的安全问题和互联网需求。 该项目为 PKI 的关键部分引入了新的、可部署的替代方案，使其更具演进性、可管理性和安全性。该项目有三个主要目标。 第一个引入了后续推动力背后的关键支持技术，称为断言携带证书（ACC）。 ACC 扩展了当今的证书，能够包含少量代码（以断言的形式），作为证书验证过程的一部分进行评估。 第二个重点是应用 ACC 使证书颁发机构能够更轻松地满足证书授权和自动颁发的新需求。 第三个重点是应用 ACC 和可信执行环境，使内容交付网络等 Web 托管服务能够安全地管理客户的加密密钥。PKI 的正确操作对于确保安全、经过身份验证的互联网至关重要。 最近的努力已经证明，朝着更安全的 PKI 方向取得进展是可能的，但需要更加根本性的关注来应对潜在的挑战。 该项目将通过开发一种新的、可扩展的方法来限制互联网上的身份何时值得信任来实现这一目标。 该项目将使 PKI 提供的基本抽象变得简单、安全，从而使其能够不断发展以满足不断变化的趋势。该项目的代码和数据将在 https://securepki.org 上公开并维护。该奖项反映了通过使用基金会的智力价值和更广泛的影响审查标准进行评估，NSF 的法定使命被认为值得支持。

项目成果

A Deeper Look at Web Content Availability and Consistency over HTTP/S

深入了解 HTTP/S 上的 Web 内容可用性和一致性

• 发表时间: 2020-01
• 期刊: 2020 Network Traffic Measurement and Analysis Conference (TMA'20
• 作者: Paracha, Muhammad Talha;Chandrasekara, Balakrishnan;Choffnes, David;Levin, Dave
• 通讯作者: Levin, Dave

A comparative analysis of certificate pinning in Android & iOS

Android中证书固定的比较分析

• DOI: 10.1145/3517745.3561439
• 发表时间: 2022-10
• 期刊: ACM Internet Measurement Conference (IMC ’22
• 作者: Pradeep, Amogh;Paracha, Muhammad Talha;Bhowmick, Protick;Davanian, Ali;Razaghpanah, Abbas;Chung, Taejoong;Lindorfer, Martina;Vallina;Levin, Dave;Choffnes, David
• 通讯作者: Choffnes, David

Blue Is the New Black (Market): Privacy Leaks and Re-Victimization from Police-Auctioned Cellphones

蓝色是新的黑色（市场）：警方拍卖手机带来的隐私泄露和再次受害

• 发表时间: 2023-01
• 期刊: Proceedings of the IEEE Symposium on Security and Privacy
• 作者: Richard Roberts; Julio Poveda
• 通讯作者: Julio Poveda

Bento: Safely Bringing Network Function Virtualization to Tor

Bento：将网络功能虚拟化安全地引入 Tor

• DOI: 10.1145/3452296.3472919
• 发表时间: 2021-08
• 期刊: ACM SIGCOMM
• 作者: Reininger, Michael;Arora, Arushi;Herwig, Stephen;Francino, Nicholas;Hurst, Jayson;Garman, Christina;Levin, Dave
• 通讯作者: Levin, Dave

Assertion-Carrying Certificates

携带断言的证书

• 发表时间: 2020-01
• 期刊: 2020 Workshop on Foundations of Computer Security (FCS'20
• 作者: Aqeel, Waqar;Hanif, Zachary;Larisch, James;Omolola, Olamide;Chung, Taejoong;Levin, Dave;Maggs, Bruce;Mislove, Alan;Parno, Bryan;Wilson, Christo
• 通讯作者: Wilson, Christo