SECURWARE 2019, The Thirteenth International Conference on Emerging Security Information, Systems and Technologies
Aggregation-Based Certificate Transparency Gossip
Authors:
Rasmus Dahlberg
Tobias Pulls
Jonathan Vestin
Toke Høiland-Jørgensen
Andreas Kassler
Keywords: Certificate Transparency, Gossip, P4, XDP
Abstract:
Certificate Transparency (CT) requires that every certificate issued by a certificate authority be publicly logged. While a CT log need not be trusted in theory, this property relies on the assumption that every client observes and cryptographically verifies the same log. As such, some form of gossip mechanism is needed in practice. Despite CT being adopted by several major browser vendors, no gossip mechanism is widely deployed. We suggest an aggregation-based gossip mechanism that passively observes the cryptographic material (Signed Tree Heads) that CT logs emit in plaintext, aggregating it at packet processors (such as routers and switches) so that log consistency can be verified periodically and off-path. In other words, gossip is provided as-a-service by the network. Our proposal can be implemented for a variety of programmable packet processors at line speed, with no throughput distinguisher between aggregation being enabled or disabled, and based on 20 days of RIPE Atlas measurements that represent clients from 3500 autonomous systems we show that significant protection against split-viewing CT logs can be achieved under a realistic threat model and an incremental deployment scenario.
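The following Python is an added illustration of the mechanism the abstract describes; it is not code from the paper or from its P4/XDP implementations. It models a packet processor that de-duplicates the Signed Tree Heads (STHs) it sees on the wire and an off-path auditor that checks every pair of aggregated STHs from the same log for Merkle consistency (RFC 6962 hashing, RFC 9162 proof verification). A log that shows two vantage points different trees is caught either by two different roots at the same tree size or by a consistency proof that cannot verify. The class and function names (`Log`, `Aggregator`, `audit`), the vantage-point labels and the certificate entries are constructed for the example; STH timestamps and signatures are omitted.

```python
import hashlib
from collections import defaultdict
from typing import NamedTuple


class STH(NamedTuple):          # signature and timestamp omitted in this model
    log_id: str
    tree_size: int
    root_hash: bytes


def _leaf(data: bytes) -> bytes:            # RFC 6962 leaf hash, 0x00 prefix
    return hashlib.sha256(b"\x00" + data).digest()

def _node(left: bytes, right: bytes) -> bytes:  # RFC 6962 interior node, 0x01 prefix
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n: int) -> int:
    """Largest power of two strictly smaller than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def mth(entries):
    """Merkle Tree Hash over a list of leaf inputs (RFC 6962 section 2.1)."""
    if not entries:
        return hashlib.sha256(b"").digest()
    if len(entries) == 1:
        return _leaf(entries[0])
    k = _split(len(entries))
    return _node(mth(entries[:k]), mth(entries[k:]))

def consistency_proof(entries, m):
    """Proof that the tree over entries[:m] is a prefix of the tree over entries."""
    def subproof(m, d, b):
        if m == len(d):
            return [] if b else [mth(d)]
        k = _split(len(d))
        if m <= k:
            return subproof(m, d[:k], b) + [mth(d[k:])]
        return subproof(m - k, d[k:], False) + [mth(d[:k])]
    return subproof(m, entries, True)

def verify_consistency(m, n, first_hash, second_hash, proof):
    """Consistency-proof verification as specified in RFC 9162 section 2.1.4.2."""
    if m == n:
        return first_hash == second_hash and not proof
    if not 0 < m < n or not proof:
        return False
    if m & (m - 1) == 0:                        # m is an exact power of two
        proof = [first_hash] + list(proof)
    fn, sn = m - 1, n - 1
    while fn & 1:
        fn >>= 1; sn >>= 1
    fr = sr = proof[0]
    for c in proof[1:]:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            fr, sr = _node(c, fr), _node(c, sr)
            while fn and not fn & 1:
                fn >>= 1; sn >>= 1
        else:
            sr = _node(sr, c)
        fn >>= 1; sn >>= 1
    return fr == first_hash and sr == second_hash and sn == 0


class Log:
    """Constructed model of a CT log. `views` maps a vantage point to the entries the
    log shows it; an honest log has only a "default" view that everyone sees."""
    def __init__(self, log_id, views):
        self.log_id, self.views = log_id, views
    def _entries(self, who):
        return self.views.get(who, self.views["default"])
    def sth(self, who, size=None):
        entries = self._entries(who)
        size = len(entries) if size is None else size
        return STH(self.log_id, size, mth(entries[:size]))
    def get_consistency(self, who, m, n):
        return consistency_proof(self._entries(who)[:n], m)


class Aggregator:
    """Packet-processor side: STHs observed in plaintext, de-duplicated per log."""
    def __init__(self):
        self.seen = defaultdict(set)
    def observe(self, sth):
        self.seen[sth.log_id].add(sth)

def audit(aggregator, logs):
    """Off-path verification of all aggregated STH pairs; returns (log_id, reason) findings."""
    findings = []
    for log_id, sths in aggregator.seen.items():
        ordered = sorted(sths, key=lambda s: (s.tree_size, s.root_hash))
        for i, a in enumerate(ordered):
            for b in ordered[i + 1:]:
                if a.tree_size == b.tree_size:      # distinct roots for one size: split view
                    findings.append((log_id, f"two roots for size {a.tree_size}"))
                    continue
                proof = logs[log_id].get_consistency("auditor", a.tree_size, b.tree_size)
                if not verify_consistency(a.tree_size, b.tree_size, a.root_hash, b.root_hash, proof):
                    findings.append((log_id, f"no valid proof {a.tree_size}->{b.tree_size}"))
    return findings

def demo():
    certs = [f"cert-{i}".encode() for i in range(7)]            # constructed leaf data
    forged = certs[:4] + [b"hidden-%d" % i for i in range(3)]   # same prefix, different tail
    honest = Log("honest-log", {"default": certs})
    split = Log("split-log", {"default": certs, "vantage-B": forged})
    agg = Aggregator()
    for log in (honest, split):                  # vantage A saw an old and the latest STH
        agg.observe(log.sth("vantage-A", size=4))
        agg.observe(log.sth("vantage-A"))
        agg.observe(log.sth("vantage-B"))        # vantage B saw only the latest STH
    return audit(agg, {log.log_id: log for log in (honest, split)})
```

Running `demo()` yields no findings for the honest log and two for the split-view log: the two size-7 roots disagree, and the log cannot produce a consistency proof from the honest size-4 STH to the tree it showed vantage B. The aggregator never needs to trust either vantage point; it only needs both STHs to reach the same verifier, which is what aggregating at packet processors provides.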
Pages: 120 to 127
Copyright: Copyright (c) IARIA, 2019
Publication date: October 27, 2019
Published in: SECURWARE 2019 conference proceedings
ISSN: 2162-2116
ISBN: 978-1-61208-746-7
Location: Nice, France
Dates: from October 27, 2019 to October 31, 2019