Descriptor: "X.509" / Publication Type: Electronic Resources - Searchworks@Jio Institute Digital Library Search Results

Your search keyword '"X.509"' showing total 92 results

Start Over Descriptor "X.509" Publication Type Electronic Resources

92 results on '"X.509"'

1. Lightweight certificate revocation for low-power IoT with end-to-end security

Author: Höglund, Joel, Furuhed, Martin, Raza, Shahid, Höglund, Joel, Furuhed, Martin, and Raza, Shahid
Abstract: Public key infrastructure (PKI) provides the basis of authentication and access control in most networked systems. In the Internet of Things (IoT), however, security has predominantly been based on pre-shared keys (PSK), which cannot be revoked and do not provide strong authentication. The prevalence of PSK in the IoT is due primarily to a lack of lightweight protocols for accessing PKI services. Principal among these services are digital certificate enrollment and revocation, the former of which is addressed in recent research and is being pushed for standardization in IETF. However, no protocol yet exists for retrieving certificate status information on constrained devices, and revocation is not possible unless such a service is available. In this work, we start with implementing the Online Certificate Status Protocol (OCSP), the de facto standard for certificate validation on the Web, on state-of-the-art constrained hardware. In doing so, we demonstrate that the resource overhead of this protocol is unacceptable for highly constrained environments. We design, implement and evaluate a lightweight alternative to OCSP, TinyOCSP, which leverages recently standardized IoT protocols, such as CoAP and CBOR. In our experiments, validating eight certificates with TinyOCSP required 41% less energy than validating just one with OCSP on an ARM Cortex-M3 SoC. Moreover, validation transactions encoded with TinyOCSP are at least 73% smaller than the OCSP equivalent. We design a protocol for compressed certificate revocation lists (CCRL) using Bloom filters which together with TinyOCSP can further reduce validation overhead. We derive a set of equations for computing the optimal filter pa
Published: 2023
Full Text: View/download PDF

2. Revisiting the Feasibility of Public Key Cryptography in Light of IIoT Communications

Author: Ingeniería de comunicaciones, Komunikazioen ingeniaritza, Astorga Burgo, Jasone, Barceló, Marc, Urbieta Aizpurua, Aitor, Jacob Taquet, Eduardo Juan, Ingeniería de comunicaciones, Komunikazioen ingeniaritza, Astorga Burgo, Jasone, Barceló, Marc, Urbieta Aizpurua, Aitor, and Jacob Taquet, Eduardo Juan
Abstract: Digital certificates are regarded as the most secure and scalable way of implementing authentication services in the Internet today. They are used by most popular security protocols, including Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS). The lifecycle management of digital certificates relies on centralized Certification Authority (CA)-based Public Key Infrastructures (PKIs). However, the implementation of PKIs and certificate lifecycle management procedures in Industrial Internet of Things (IIoT) environments presents some challenges, mainly due to the high resource consumption that they imply and the lack of trust in the centralized CAs. This paper identifies and describes the main challenges to implement certificate-based public key cryptography in IIoT environments and it surveys the alternative approaches proposed so far in the literature to address these challenges. Most proposals rely on the introduction of a Trusted Third Party to aid the IIoT devices in tasks that exceed their capacity. The proposed alternatives are complementary and their application depends on the specific challenge to solve, the application scenario, and the capacities of the involved IIoT devices. This paper revisits all these alternatives in light of industrial communication models, identifying their strengths and weaknesses, and providing an in-depth comparative analysis.
Published: 2022

3. Revisiting the Feasibility of Public Key Cryptography in Light of IIoT Communications

Author: Ingeniería de comunicaciones, Komunikazioen ingeniaritza, Barceló, Marc, Urbieta, Aitor, Astorga Burgo, Jasone, Jacob, Eduardo, Ingeniería de comunicaciones, Komunikazioen ingeniaritza, Barceló, Marc, Urbieta, Aitor, Astorga Burgo, Jasone, and Jacob, Eduardo
Abstract: Digital certificates are regarded as the most secure and scalable way of implementing authentication services in the Internet today. They are used by most popular security protocols, including Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS). The lifecycle management of digital certificates relies on centralized Certification Authority (CA)-based Public Key Infrastructures (PKIs). However, the implementation of PKIs and certificate lifecycle management procedures in Industrial Internet of Things (IIoT) environments presents some challenges, mainly due to the high resource consumption that they imply and the lack of trust in the centralized CAs. This paper identifies and describes the main challenges to implement certificate-based public key cryptography in IIoT environments and it surveys the alternative approaches proposed so far in the literature to address these challenges. Most proposals rely on the introduction of a Trusted Third Party to aid the IIoT devices in tasks that exceed their capacity. The proposed alternatives are complementary and their application depends on the specific challenge to solve, the application scenario, and the capacities of the involved IIoT devices. This paper revisits all these alternatives in light of industrial communication models, identifying their strengths and weaknesses, and providing an in-depth comparative analysis.
Published: 2022

4. Towards Trustworthy and Secure Internet of Things Devices : Using hardware-assisted Trusted Execution and Automated Certification

Author: Khurshid, Anum and Khurshid, Anum
Abstract: The advent of Trusted Execution Environments (TEEs) for IoT aligns with the reinforcement of IoT security through recent laws and regulations. A major part of IoT systems comprises of resource-constrained devices, with less margin in memory and computation capabilities to embed sophisticated security solutions. Hence, hardware-based TEEs provide resource-efficient remedies to known attack vectors with reduced software attack surface. In this dissertation, we identified challenges cropping up from the heterogeneity of the IoT infrastructure, that hindered the adoption of TEEs in resource-constrained IoT. We ultimately approach the security of IoT devices through automated certification with hardware-rooted assurance guarantees. The contributions of this dissertation are made through six research papers addressing these challenges. TEEs provide hardware-supported mechanisms to create secure areas to store sensitive data and execute critical software. However, the secure areas lack a secure way to communicate with the rest of the system. Moreover, once a software is placed in the secure areas, it becomes extremely difficult to detect and trace misbehaviour. To this end, we contribute frameworks that strengthen the functionality of TrustZone-M, which is ARM’s TEE designed for resource-constrained IoT. The addition of a secure communication channel in TrustZone-M enabled IoT devices guarantees confidentiality and integrity of shared data between the system applications and the secure areas even in case of a compromised OS. In addition, our contribution to the TrustZone-M secure areas to enable monitoring and blocking of malicious behaviour by applications, adds protection in the presence of untrusted third-party critical software. Secondly, we propose an automated digital certification of IoT devices by combining the Public Key Infrastructure standard authentication mechanisms with attributes of software assurance. The resultant process and the certificate is compliant
Published: 2022

5. Towards Trustworthy and Secure Internet of Things Devices : Using hardware-assisted Trusted Execution and Automated Certification

Author: Khurshid, Anum and Khurshid, Anum
Abstract: The advent of Trusted Execution Environments (TEEs) for IoT aligns with the reinforcement of IoT security through recent laws and regulations. A major part of IoT systems comprises of resource-constrained devices, with less margin in memory and computation capabilities to embed sophisticated security solutions. Hence, hardware-based TEEs provide resource-efficient remedies to known attack vectors with reduced software attack surface. In this dissertation, we identified challenges cropping up from the heterogeneity of the IoT infrastructure, that hindered the adoption of TEEs in resource-constrained IoT. We ultimately approach the security of IoT devices through automated certification with hardware-rooted assurance guarantees. The contributions of this dissertation are made through six research papers addressing these challenges. TEEs provide hardware-supported mechanisms to create secure areas to store sensitive data and execute critical software. However, the secure areas lack a secure way to communicate with the rest of the system. Moreover, once a software is placed in the secure areas, it becomes extremely difficult to detect and trace misbehaviour. To this end, we contribute frameworks that strengthen the functionality of TrustZone-M, which is ARM’s TEE designed for resource-constrained IoT. The addition of a secure communication channel in TrustZone-M enabled IoT devices guarantees confidentiality and integrity of shared data between the system applications and the secure areas even in case of a compromised OS. In addition, our contribution to the TrustZone-M secure areas to enable monitoring and blocking of malicious behaviour by applications, adds protection in the presence of untrusted third-party critical software. Secondly, we propose an automated digital certification of IoT devices by combining the Public Key Infrastructure standard authentication mechanisms with attributes of software assurance. The resultant process and the certificate is compliant
Published: 2022

6. Towards Trustworthy and Secure Internet of Things Devices : Using hardware-assisted Trusted Execution and Automated Certification

Author: Khurshid, Anum and Khurshid, Anum
Abstract: The advent of Trusted Execution Environments (TEEs) for IoT aligns with the reinforcement of IoT security through recent laws and regulations. A major part of IoT systems comprises of resource-constrained devices, with less margin in memory and computation capabilities to embed sophisticated security solutions. Hence, hardware-based TEEs provide resource-efficient remedies to known attack vectors with reduced software attack surface. In this dissertation, we identified challenges cropping up from the heterogeneity of the IoT infrastructure, that hindered the adoption of TEEs in resource-constrained IoT. We ultimately approach the security of IoT devices through automated certification with hardware-rooted assurance guarantees. The contributions of this dissertation are made through six research papers addressing these challenges. TEEs provide hardware-supported mechanisms to create secure areas to store sensitive data and execute critical software. However, the secure areas lack a secure way to communicate with the rest of the system. Moreover, once a software is placed in the secure areas, it becomes extremely difficult to detect and trace misbehaviour. To this end, we contribute frameworks that strengthen the functionality of TrustZone-M, which is ARM’s TEE designed for resource-constrained IoT. The addition of a secure communication channel in TrustZone-M enabled IoT devices guarantees confidentiality and integrity of shared data between the system applications and the secure areas even in case of a compromised OS. In addition, our contribution to the TrustZone-M secure areas to enable monitoring and blocking of malicious behaviour by applications, adds protection in the presence of untrusted third-party critical software. Secondly, we propose an automated digital certification of IoT devices by combining the Public Key Infrastructure standard authentication mechanisms with attributes of software assurance. The resultant process and the certificate is compliant
Published: 2022

7. Towards Trustworthy and Secure Internet of Things Devices : Using hardware-assisted Trusted Execution and Automated Certification

Author: Khurshid, Anum and Khurshid, Anum
Abstract: The advent of Trusted Execution Environments (TEEs) for IoT aligns with the reinforcement of IoT security through recent laws and regulations. A major part of IoT systems comprises of resource-constrained devices, with less margin in memory and computation capabilities to embed sophisticated security solutions. Hence, hardware-based TEEs provide resource-efficient remedies to known attack vectors with reduced software attack surface. In this dissertation, we identified challenges cropping up from the heterogeneity of the IoT infrastructure, that hindered the adoption of TEEs in resource-constrained IoT. We ultimately approach the security of IoT devices through automated certification with hardware-rooted assurance guarantees. The contributions of this dissertation are made through six research papers addressing these challenges. TEEs provide hardware-supported mechanisms to create secure areas to store sensitive data and execute critical software. However, the secure areas lack a secure way to communicate with the rest of the system. Moreover, once a software is placed in the secure areas, it becomes extremely difficult to detect and trace misbehaviour. To this end, we contribute frameworks that strengthen the functionality of TrustZone-M, which is ARM’s TEE designed for resource-constrained IoT. The addition of a secure communication channel in TrustZone-M enabled IoT devices guarantees confidentiality and integrity of shared data between the system applications and the secure areas even in case of a compromised OS. In addition, our contribution to the TrustZone-M secure areas to enable monitoring and blocking of malicious behaviour by applications, adds protection in the presence of untrusted third-party critical software. Secondly, we propose an automated digital certification of IoT devices by combining the Public Key Infrastructure standard authentication mechanisms with attributes of software assurance. The resultant process and the certificate is compliant
Published: 2022

8. Revisiting the Feasibility of Public Key Cryptography in Light of IIoT Communications

Author: Ingeniería de comunicaciones, Komunikazioen ingeniaritza, Barceló, Marc, Urbieta, Aitor, Astorga Burgo, Jasone, Jacob, Eduardo, Ingeniería de comunicaciones, Komunikazioen ingeniaritza, Barceló, Marc, Urbieta, Aitor, Astorga Burgo, Jasone, and Jacob, Eduardo
Abstract: Digital certificates are regarded as the most secure and scalable way of implementing authentication services in the Internet today. They are used by most popular security protocols, including Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS). The lifecycle management of digital certificates relies on centralized Certification Authority (CA)-based Public Key Infrastructures (PKIs). However, the implementation of PKIs and certificate lifecycle management procedures in Industrial Internet of Things (IIoT) environments presents some challenges, mainly due to the high resource consumption that they imply and the lack of trust in the centralized CAs. This paper identifies and describes the main challenges to implement certificate-based public key cryptography in IIoT environments and it surveys the alternative approaches proposed so far in the literature to address these challenges. Most proposals rely on the introduction of a Trusted Third Party to aid the IIoT devices in tasks that exceed their capacity. The proposed alternatives are complementary and their application depends on the specific challenge to solve, the application scenario, and the capacities of the involved IIoT devices. This paper revisits all these alternatives in light of industrial communication models, identifying their strengths and weaknesses, and providing an in-depth comparative analysis.
Published: 2022

9. Towards Trustworthy and Secure Internet of Things Devices : Using hardware-assisted Trusted Execution and Automated Certification

Author: Khurshid, Anum and Khurshid, Anum
Abstract: The advent of Trusted Execution Environments (TEEs) for IoT aligns with the reinforcement of IoT security through recent laws and regulations. A major part of IoT systems comprises of resource-constrained devices, with less margin in memory and computation capabilities to embed sophisticated security solutions. Hence, hardware-based TEEs provide resource-efficient remedies to known attack vectors with reduced software attack surface. In this dissertation, we identified challenges cropping up from the heterogeneity of the IoT infrastructure, that hindered the adoption of TEEs in resource-constrained IoT. We ultimately approach the security of IoT devices through automated certification with hardware-rooted assurance guarantees. The contributions of this dissertation are made through six research papers addressing these challenges. TEEs provide hardware-supported mechanisms to create secure areas to store sensitive data and execute critical software. However, the secure areas lack a secure way to communicate with the rest of the system. Moreover, once a software is placed in the secure areas, it becomes extremely difficult to detect and trace misbehaviour. To this end, we contribute frameworks that strengthen the functionality of TrustZone-M, which is ARM’s TEE designed for resource-constrained IoT. The addition of a secure communication channel in TrustZone-M enabled IoT devices guarantees confidentiality and integrity of shared data between the system applications and the secure areas even in case of a compromised OS. In addition, our contribution to the TrustZone-M secure areas to enable monitoring and blocking of malicious behaviour by applications, adds protection in the presence of untrusted third-party critical software. Secondly, we propose an automated digital certification of IoT devices by combining the Public Key Infrastructure standard authentication mechanisms with attributes of software assurance. The resultant process and the certificate is compliant
Published: 2022

10. How to Survive Identity Management in the Industry 4.0 Era

Author: Ingeniería de comunicaciones, Komunikazioen ingeniaritza, Astorga Burgo, Jasone, Barceló, Marc, Urbieta Aizpurua, Aitor, Jacob Taquet, Eduardo Juan, Ingeniería de comunicaciones, Komunikazioen ingeniaritza, Astorga Burgo, Jasone, Barceló, Marc, Urbieta Aizpurua, Aitor, and Jacob Taquet, Eduardo Juan
Abstract: Industry 4.0 heavily builds on massive deployment of Industrial Internet of Things (IIoT) devices to monitor every aspect of the manufacturing processes. Since the data gathered by these devices impact the output of critical processes, identity management and communications security are critical aspects, which commonly rely on the deployment of X.509 certificates. Nevertheless, the provisioning and management of individual certificates for a high number of IIoT devices involves important challenges. In this paper, we present a solution to improve the management of digital certificates in IIoT environments, which relies on partially delegating the certificate enrolment process to an edge server. However, in order to preserve end-to-end security, private keys are never delegated. Additionally, for the protection of the communications between the edge server and the IIoT devices, an approach based on Identity Based Cryptography is deployed. The proposed solution considers also the issuance of very short-lived certificates, which reduces the risk of using expired or compromised certificates, and avoids the necessity of implementing performance expensive protocols such as Online Certificate Status Protocol (OCSP). The proposed solution has been successfully tested as an efficient identity management solution for IIoT environments in a real industrial environment.
Published: 2021

11. How to Survive Identity Management in the Industry 4.0 Era

Author: Ingeniería de comunicaciones, Komunikazioen ingeniaritza, Astorga Burgo, Jasone, Barceló, Marc, Urbieta Aizpurua, Aitor, Jacob, Eduardo, Ingeniería de comunicaciones, Komunikazioen ingeniaritza, Astorga Burgo, Jasone, Barceló, Marc, Urbieta Aizpurua, Aitor, and Jacob, Eduardo
Abstract: Industry 4.0 heavily builds on massive deployment of Industrial Internet of Things (IIoT) devices to monitor every aspect of the manufacturing processes. Since the data gathered by these devices impact the output of critical processes, identity management and communications security are critical aspects, which commonly rely on the deployment of X.509 certificates. Nevertheless, the provisioning and management of individual certificates for a high number of IIoT devices involves important challenges. In this paper, we present a solution to improve the management of digital certificates in IIoT environments, which relies on partially delegating the certificate enrolment process to an edge server. However, in order to preserve end-to-end security, private keys are never delegated. Additionally, for the protection of the communications between the edge server and the IIoT devices, an approach based on Identity Based Cryptography is deployed. The proposed solution considers also the issuance of very short-lived certificates, which reduces the risk of using expired or compromised certificates, and avoids the necessity of implementing performance expensive protocols such as Online Certificate Status Protocol (OCSP). The proposed solution has been successfully tested as an efficient identity management solution for IIoT environments in a real industrial environment.
Published: 2021

12. Longitudinal analysis of the certificate chains of big tech company domains

Author: Klasson, Sebastian, Lindström, Nina, Klasson, Sebastian, and Lindström, Nina
Abstract: The internet is one of the most widely used mediums for communication in modern society and it has become an everyday necessity for many. It is therefore of utmost importance that it remains as secure as possible. SSL and TLS are the backbones of internet security and an integral part of these technologies are the certificates used. Certificate authorities (CAs) can issue certificates that validate that domains are who they claim to be. If a user trusts a CA they can in turn also trust domains that have been validated by them. CAs can in turn trust other CAs and this, in turn, creates a chain of trust called a certificate chain. In this thesis, the structure of these certificate chains is analysed and a longitudinal dataset is created. The analysis looks at how the certificate chains have changed over time and puts extra focus on the domains of big tech companies. The dataset created can also be used for further analysis in the future and will be a useful tool in the examination of historical certificate chains. Our findings show that the certificate chains of the domains studied do change over time; both their structure and the lengths of them vary noticeably. Most of the observed domains show a decrease in average chain length between the years of 2013 and 2020 and the structure of the chains vary significantly over the years.
Published: 2021

13. Longitudinal characterization of X.509 revocation statuses : A framework for monitoring newly issued certificates from the most popular Certificate Transparency logs

Author: Halim, Adam, Danielsson, Max, Halim, Adam, and Danielsson, Max
Abstract: The X.509 landscape is one of the cornerstones of the internet today. It is used to establish trust between entities online. Revocations of X.509 certificates are a vital part of the infrastructure to ensure that communicating parties can, in fact, be trusted. Today, these revocations are handled by Certificate Authorities who provide either an OCSP response or a CRL with the revocation status for their certificates. A framework was developed, written in Go, to enable longitudinal characterization of X.509 revocation statuses. We show that using the framework, it is possible to conduct a large scale analysis of X.509 certificates during an extended time. Using the data collected, we present preliminary analysis results and discuss the implications of the findings. We conclude that CAs, in general, behave similarly, with a few exceptions. Furthermore, we believe that large scale longitudinal analysis of revocation statuses provides a basis to hold CAs accountable and increase transparency in the X.509 landscape.
Published: 2021

14. Longitudinal characterization of X.509 revocation statuses : A framework for monitoring newly issued certificates from the most popular Certificate Transparency logs

Author: Halim, Adam, Danielsson, Max, Halim, Adam, and Danielsson, Max
Abstract: The X.509 landscape is one of the cornerstones of the internet today. It is used to establish trust between entities online. Revocations of X.509 certificates are a vital part of the infrastructure to ensure that communicating parties can, in fact, be trusted. Today, these revocations are handled by Certificate Authorities who provide either an OCSP response or a CRL with the revocation status for their certificates. A framework was developed, written in Go, to enable longitudinal characterization of X.509 revocation statuses. We show that using the framework, it is possible to conduct a large scale analysis of X.509 certificates during an extended time. Using the data collected, we present preliminary analysis results and discuss the implications of the findings. We conclude that CAs, in general, behave similarly, with a few exceptions. Furthermore, we believe that large scale longitudinal analysis of revocation statuses provides a basis to hold CAs accountable and increase transparency in the X.509 landscape.
Published: 2021

15. How to Survive Identity Management in the Industry 4.0 Era

Author: Ingeniería de comunicaciones, Komunikazioen ingeniaritza, Astorga Burgo, Jasone, Barceló, Marc, Urbieta Aizpurua, Aitor, Jacob, Eduardo, Ingeniería de comunicaciones, Komunikazioen ingeniaritza, Astorga Burgo, Jasone, Barceló, Marc, Urbieta Aizpurua, Aitor, and Jacob, Eduardo
Abstract: Industry 4.0 heavily builds on massive deployment of Industrial Internet of Things (IIoT) devices to monitor every aspect of the manufacturing processes. Since the data gathered by these devices impact the output of critical processes, identity management and communications security are critical aspects, which commonly rely on the deployment of X.509 certificates. Nevertheless, the provisioning and management of individual certificates for a high number of IIoT devices involves important challenges. In this paper, we present a solution to improve the management of digital certificates in IIoT environments, which relies on partially delegating the certificate enrolment process to an edge server. However, in order to preserve end-to-end security, private keys are never delegated. Additionally, for the protection of the communications between the edge server and the IIoT devices, an approach based on Identity Based Cryptography is deployed. The proposed solution considers also the issuance of very short-lived certificates, which reduces the risk of using expired or compromised certificates, and avoids the necessity of implementing performance expensive protocols such as Online Certificate Status Protocol (OCSP). The proposed solution has been successfully tested as an efficient identity management solution for IIoT environments in a real industrial environment.
Published: 2021

16. Longitudinal analysis of the certificate chains of big tech company domains

Author: Klasson, Sebastian, Lindström, Nina, Klasson, Sebastian, and Lindström, Nina
Abstract: The internet is one of the most widely used mediums for communication in modern society and it has become an everyday necessity for many. It is therefore of utmost importance that it remains as secure as possible. SSL and TLS are the backbones of internet security and an integral part of these technologies are the certificates used. Certificate authorities (CAs) can issue certificates that validate that domains are who they claim to be. If a user trusts a CA they can in turn also trust domains that have been validated by them. CAs can in turn trust other CAs and this, in turn, creates a chain of trust called a certificate chain. In this thesis, the structure of these certificate chains is analysed and a longitudinal dataset is created. The analysis looks at how the certificate chains have changed over time and puts extra focus on the domains of big tech companies. The dataset created can also be used for further analysis in the future and will be a useful tool in the examination of historical certificate chains. Our findings show that the certificate chains of the domains studied do change over time; both their structure and the lengths of them vary noticeably. Most of the observed domains show a decrease in average chain length between the years of 2013 and 2020 and the structure of the chains vary significantly over the years.
Published: 2021

17. Relay Racing with X.509 Mayflies : An Analysis of Certificate Replacements and Validity Periods in HTTPS Certificate Logs

Author: Bruhner, Carl Magnus, Linnarsson, Oscar, Bruhner, Carl Magnus, and Linnarsson, Oscar
Abstract: Certificates are the foundation of secure communication over the internet as of today. While certificates can be issued with long validity periods, there is always a risk of having them compromised during their lifetime. A good practice is therefore to use shorter validity periods. However, this limits the certificate lifetime and gives less flexibility in the timing of certificate replacements. In this thesis, we use publicly available network logs from Rapid7's Project Sonar to provide an overview of the current state of certificate usage behavior. Specifically, we look at the Let's Encrypt mass revocation event in March 2020, where millions of certificates were revoked with just five days notice. In general, we show how this kind of datasets can be used, and as a deeper exploration we analyze certificate validity, lifetime and use of certificates with overlapping validity periods, as well as discuss how our findings relate to industry standard and current security trends. Specifically, we isolate automated certificate services such as Let's Encrypt and cPanel to see how their certificates differ in characteristics from other certificates in general. Based on our findings, we propose a set of rules to help improve the trust in certificate usage and strengthen security online, introducing an Always secure policy aligning certificate validity with revocation time limits in order to replace revocation requirements and overcoming the fact that mobile devices today ignore this very important security feature. To round things off, we provide some ideas for further research based on our findings and what we see possible with datasets such as the one researched in this thesis.
Published: 2020

18. Relay Racing with X.509 Mayflies : An Analysis of Certificate Replacements and Validity Periods in HTTPS Certificate Logs

Author: Bruhner, Carl Magnus, Linnarsson, Oscar, Bruhner, Carl Magnus, and Linnarsson, Oscar
Abstract: Certificates are the foundation of secure communication over the internet as of today. While certificates can be issued with long validity periods, there is always a risk of having them compromised during their lifetime. A good practice is therefore to use shorter validity periods. However, this limits the certificate lifetime and gives less flexibility in the timing of certificate replacements. In this thesis, we use publicly available network logs from Rapid7's Project Sonar to provide an overview of the current state of certificate usage behavior. Specifically, we look at the Let's Encrypt mass revocation event in March 2020, where millions of certificates were revoked with just five days notice. In general, we show how this kind of datasets can be used, and as a deeper exploration we analyze certificate validity, lifetime and use of certificates with overlapping validity periods, as well as discuss how our findings relate to industry standard and current security trends. Specifically, we isolate automated certificate services such as Let's Encrypt and cPanel to see how their certificates differ in characteristics from other certificates in general. Based on our findings, we propose a set of rules to help improve the trust in certificate usage and strengthen security online, introducing an Always secure policy aligning certificate validity with revocation time limits in order to replace revocation requirements and overcoming the fact that mobile devices today ignore this very important security feature. To round things off, we provide some ideas for further research based on our findings and what we see possible with datasets such as the one researched in this thesis.
Published: 2020

19. Migration of Signing Algorithms : An investigation in migration of signing algorithms used in certificate authorities.

Author: Hassan, Yusuf and Hassan, Yusuf
Abstract: The migration of signing algorithms is a process which can be used to move from signing algorithms which are regarded as less safe to algorithms which are regarded as safer. The safety of cryptographic algorithms has been compromised before, algorithms such as SHA-1 has been proven to be broken. The goal of this study was to find criteria that could define a successful migration as well as evaluating a method to perform a migration. The criteria were found by evaluating related works found in an RFC document as well as in a Springer conference paper. The criteria that was found was the following: backwards compatibility, no downtime, no need for mass revocation, no need for strict scheduling and no extra overhead. The evaluated method utilized a construct called a multiple key certificate; it was chosen because it conformed to most of the found criteria. The multiple key certificate utilized two different key pairs, one generated from a conventional algorithm and the other using an alternative algorithm, it also conformed to the x.509 standard. The alternative algorithm could be chosen to be a post quantum algorithm. The prototype was tested for time overhead, memory overhead and backward compatibility. The results of testing to sign and verify 10 000 certificates as well as examining the file size of the certificate showed that the choice of alternative algorithm heavily affects the time overhead of the prototype certificate. The multiple key certificate also proved to be backwards compatible with widely used applications. This solution has proven itself to act in accordance to all the newly established criterion except for the criterion regarding overhead however, alternative algorithms could be strategically chosen to minimize overhead. The multiple key certificate seems to be a successful way to migrate signing algorithms., Migration av signeringsalgoritmer som används i certifikat är en process som kan behövas när en signeringsalgoritm som är mindre säker ska ersättas med en som är mer säker. Säkerheten som återfinns hos kryptografiska algoritmer har brutits förut, algoritmer såsom SHA-1 har bevisats vara osäkra. Målet med denna studie var att ta fram kriterier som kan definiera en lyckad migration samt evaluera en metod som kan användas för att utföra en migration. Kriterierna togs fram genom att studera tidigare arbeten inom migration av signeringsalgoritmer, dessa arbeten återfinns hos RFC dokument samt konferensrapporter från Springer. Kriterierna som togs fram var följande: kompatibilitet med äldre system, ingen nertid, inget behov av massrevokering, inget behov av strikta tidsscheman samt ingen extra omkostnad. Metoden som utvärderades kallas för flernyckels certifikat. Den valdes för att den följde flest av de nyfunna kriterierna. Lösningen utnyttjar två olika nyckelpar, nämligen ett nyckelpar som har genererats med en konventionell algoritm samt ett nyckelpar som har genererats med en alternativ algoritm. Lösningen följer även x.509 standarden. Den alternativa algoritmen kan väljas så att den är postkvantum. Prototypen testades för omkostnad i tid samt minne genom att signera och verifiera 10 000 certifikat samt att titta på certifikatens filstorlek. Prototypen testades även för kompatibilitet med kända applikationer. Resultaten visade att valet av alternativa algoritmer hade stor påverkan på omkostnaderna. Tester visade att prototypen var kompatibel med applikationer som används i stor utsträckning. Lösningen verkade följa alla nyfunna kriterier förutom kriteriet angående omkostnad men den alternativa algoritmen kan strategiskt väljas för att minimera omkostnaden. Prototypen verkar vara ett lyckat sätt att migrera signeringsalgoritmer.
Published: 2019

20. Migration of Signing Algorithms : An investigation in migration of signing algorithms used in certificate authorities.

Author: Hassan, Yusuf and Hassan, Yusuf
Abstract: The migration of signing algorithms is a process which can be used to move from signing algorithms which are regarded as less safe to algorithms which are regarded as safer. The safety of cryptographic algorithms has been compromised before, algorithms such as SHA-1 has been proven to be broken. The goal of this study was to find criteria that could define a successful migration as well as evaluating a method to perform a migration. The criteria were found by evaluating related works found in an RFC document as well as in a Springer conference paper. The criteria that was found was the following: backwards compatibility, no downtime, no need for mass revocation, no need for strict scheduling and no extra overhead. The evaluated method utilized a construct called a multiple key certificate; it was chosen because it conformed to most of the found criteria. The multiple key certificate utilized two different key pairs, one generated from a conventional algorithm and the other using an alternative algorithm, it also conformed to the x.509 standard. The alternative algorithm could be chosen to be a post quantum algorithm. The prototype was tested for time overhead, memory overhead and backward compatibility. The results of testing to sign and verify 10 000 certificates as well as examining the file size of the certificate showed that the choice of alternative algorithm heavily affects the time overhead of the prototype certificate. The multiple key certificate also proved to be backwards compatible with widely used applications. This solution has proven itself to act in accordance to all the newly established criterion except for the criterion regarding overhead however, alternative algorithms could be strategically chosen to minimize overhead. The multiple key certificate seems to be a successful way to migrate signing algorithms., Migration av signeringsalgoritmer som används i certifikat är en process som kan behövas när en signeringsalgoritm som är mindre säker ska ersättas med en som är mer säker. Säkerheten som återfinns hos kryptografiska algoritmer har brutits förut, algoritmer såsom SHA-1 har bevisats vara osäkra. Målet med denna studie var att ta fram kriterier som kan definiera en lyckad migration samt evaluera en metod som kan användas för att utföra en migration. Kriterierna togs fram genom att studera tidigare arbeten inom migration av signeringsalgoritmer, dessa arbeten återfinns hos RFC dokument samt konferensrapporter från Springer. Kriterierna som togs fram var följande: kompatibilitet med äldre system, ingen nertid, inget behov av massrevokering, inget behov av strikta tidsscheman samt ingen extra omkostnad. Metoden som utvärderades kallas för flernyckels certifikat. Den valdes för att den följde flest av de nyfunna kriterierna. Lösningen utnyttjar två olika nyckelpar, nämligen ett nyckelpar som har genererats med en konventionell algoritm samt ett nyckelpar som har genererats med en alternativ algoritm. Lösningen följer även x.509 standarden. Den alternativa algoritmen kan väljas så att den är postkvantum. Prototypen testades för omkostnad i tid samt minne genom att signera och verifiera 10 000 certifikat samt att titta på certifikatens filstorlek. Prototypen testades även för kompatibilitet med kända applikationer. Resultaten visade att valet av alternativa algoritmer hade stor påverkan på omkostnaderna. Tester visade att prototypen var kompatibel med applikationer som används i stor utsträckning. Lösningen verkade följa alla nyfunna kriterier förutom kriteriet angående omkostnad men den alternativa algoritmen kan strategiskt väljas för att minimera omkostnaden. Prototypen verkar vara ett lyckat sätt att migrera signeringsalgoritmer.
Published: 2019

21. Analysis of free SSL/TLS Certificates and their implementation as Security Mechanism in Application Servers.

Author: Cueva Hurtado, Mario E., Alvarado Sarango, Diego Javier, Cueva Hurtado, Mario E., and Alvarado Sarango, Diego Javier
Abstract: Security in the application layer (SSL), provides the confidentiality, integrity, and authenticity of the data, between two applications that communicate with each other. This article is the result of having implemented Free SSL / TLS Certificates in application servers, determining the relevant characteristics that must have a SSL/TLS certificate, the Certifying Authority generate it. A vulnerability analysis is developed in application servers and encrypted communications channel is established to protect against attacks such as man in the middle, phishing and maintaining the integrity of information that is transmitted between the client and server., La seguridad en la capa de aplicación (SSL), proporciona la confidencialidad, integridad y autenticidad de los datos, entre dos aplicaciones que se comunican entre sí. El presente artículo es el resultado de haber implementado certificados SSL / TLS gratuitos en servidores de aplicación, determinando las características relevantes que debe tener un certificado SSL/TLS, la Autoridad certificadora que lo emita. Se realiza un análisis de las vulnerabilidades en los servidores web y se establece un canal cifrado de comunicaciones con el fin de proteger de ataques como hombre en el medio, phising y mantener la integridad de la información que es trasmitida entre el cliente y servidor.
Published: 2017

22. Analysis of free SSL/TLS Certificates and their implementation as Security Mechanism in Application Servers.

Author: Cueva Hurtado, Mario E., Alvarado Sarango, Diego Javier, Cueva Hurtado, Mario E., and Alvarado Sarango, Diego Javier
Abstract: Security in the application layer (SSL), provides the confidentiality, integrity, and authenticity of the data, between two applications that communicate with each other. This article is the result of having implemented Free SSL / TLS Certificates in application servers, determining the relevant characteristics that must have a SSL/TLS certificate, the Certifying Authority generate it. A vulnerability analysis is developed in application servers and encrypted communications channel is established to protect against attacks such as man in the middle, phishing and maintaining the integrity of information that is transmitted between the client and server., La seguridad en la capa de aplicación (SSL), proporciona la confidencialidad, integridad y autenticidad de los datos, entre dos aplicaciones que se comunican entre sí. El presente artículo es el resultado de haber implementado certificados SSL / TLS gratuitos en servidores de aplicación, determinando las características relevantes que debe tener un certificado SSL/TLS, la Autoridad certificadora que lo emita. Se realiza un análisis de las vulnerabilidades en los servidores web y se establece un canal cifrado de comunicaciones con el fin de proteger de ataques como hombre en el medio, phising y mantener la integridad de la información que es trasmitida entre el cliente y servidor.
Published: 2017

23. Analysis of free SSL/TLS Certificates and their implementation as Security Mechanism in Application Servers.

Author: Cueva Hurtado, Mario E., Alvarado Sarango, Diego Javier, Cueva Hurtado, Mario E., and Alvarado Sarango, Diego Javier
Abstract: Security in the application layer (SSL), provides the confidentiality, integrity, and authenticity of the data, between two applications that communicate with each other. This article is the result of having implemented Free SSL / TLS Certificates in application servers, determining the relevant characteristics that must have a SSL/TLS certificate, the Certifying Authority generate it. A vulnerability analysis is developed in application servers and encrypted communications channel is established to protect against attacks such as man in the middle, phishing and maintaining the integrity of information that is transmitted between the client and server., La seguridad en la capa de aplicación (SSL), proporciona la confidencialidad, integridad y autenticidad de los datos, entre dos aplicaciones que se comunican entre sí. El presente artículo es el resultado de haber implementado certificados SSL / TLS gratuitos en servidores de aplicación, determinando las características relevantes que debe tener un certificado SSL/TLS, la Autoridad certificadora que lo emita. Se realiza un análisis de las vulnerabilidades en los servidores web y se establece un canal cifrado de comunicaciones con el fin de proteger de ataques como hombre en el medio, phising y mantener la integridad de la información que es trasmitida entre el cliente y servidor.
Published: 2017

24. How Certificate Transparency Impact the Performance

Author: Sjöström, Linus, Nykvist, Carl, Sjöström, Linus, and Nykvist, Carl
Abstract: Security on the Internet is essential to ensure the privacy of an individual. Today, Trans- port Layer Security (TLS) and certificates are used to ensure this. But certificates are not enough in order to maintain confidentiality and therefore a new concept, Certificate Trans- parency (CT), has been introduced. CT improves security by allowing the analysis of sus- picious certificates. Validation by CT uses public logs that can return Signed Certificate Timestamp (SCT), which is a promise returned by the log indicating that the certificate will be added to the log. A server may then deliver the SCT to a client in three different ways: X.509v3 extension, Online Certificate Status Protocol (OSCP) stapling and TLS extension. For further analysis, we have created a tool to collect data during TLS handshakes and data transfer, including byte information, the certificates themselves, SCT delivery method and especially timing information. From our dataset we see that most websites do not use CT and the ones that use CT almost only use X.509 extension to send their SCTs.
Published: 2017

25. Analysis of free SSL/TLS Certificates and their implementation as Security Mechanism in Application Servers.

Author: Cueva Hurtado, Mario E., Alvarado Sarango, Diego Javier, Cueva Hurtado, Mario E., and Alvarado Sarango, Diego Javier
Abstract: Security in the application layer (SSL), provides the confidentiality, integrity, and authenticity of the data, between two applications that communicate with each other. This article is the result of having implemented Free SSL / TLS Certificates in application servers, determining the relevant characteristics that must have a SSL/TLS certificate, the Certifying Authority generate it. A vulnerability analysis is developed in application servers and encrypted communications channel is established to protect against attacks such as man in the middle, phishing and maintaining the integrity of information that is transmitted between the client and server., La seguridad en la capa de aplicación (SSL), proporciona la confidencialidad, integridad y autenticidad de los datos, entre dos aplicaciones que se comunican entre sí. El presente artículo es el resultado de haber implementado certificados SSL / TLS gratuitos en servidores de aplicación, determinando las características relevantes que debe tener un certificado SSL/TLS, la Autoridad certificadora que lo emita. Se realiza un análisis de las vulnerabilidades en los servidores web y se establece un canal cifrado de comunicaciones con el fin de proteger de ataques como hombre en el medio, phising y mantener la integridad de la información que es trasmitida entre el cliente y servidor.
Published: 2017

26. Analysis of free SSL/TLS Certificates and their implementation as Security Mechanism in Application Servers.

Author: Cueva Hurtado, Mario E., Alvarado Sarango, Diego Javier, Cueva Hurtado, Mario E., and Alvarado Sarango, Diego Javier
Abstract: Security in the application layer (SSL), provides the confidentiality, integrity, and authenticity of the data, between two applications that communicate with each other. This article is the result of having implemented Free SSL / TLS Certificates in application servers, determining the relevant characteristics that must have a SSL/TLS certificate, the Certifying Authority generate it. A vulnerability analysis is developed in application servers and encrypted communications channel is established to protect against attacks such as man in the middle, phishing and maintaining the integrity of information that is transmitted between the client and server., La seguridad en la capa de aplicación (SSL), proporciona la confidencialidad, integridad y autenticidad de los datos, entre dos aplicaciones que se comunican entre sí. El presente artículo es el resultado de haber implementado certificados SSL / TLS gratuitos en servidores de aplicación, determinando las características relevantes que debe tener un certificado SSL/TLS, la Autoridad certificadora que lo emita. Se realiza un análisis de las vulnerabilidades en los servidores web y se establece un canal cifrado de comunicaciones con el fin de proteger de ataques como hombre en el medio, phising y mantener la integridad de la información que es trasmitida entre el cliente y servidor.
Published: 2017

27. Analysis of free SSL/TLS Certificates and their implementation as Security Mechanism in Application Servers.

Author: Cueva Hurtado, Mario E., Alvarado Sarango, Diego Javier, Cueva Hurtado, Mario E., and Alvarado Sarango, Diego Javier
Abstract: Security in the application layer (SSL), provides the confidentiality, integrity, and authenticity of the data, between two applications that communicate with each other. This article is the result of having implemented Free SSL / TLS Certificates in application servers, determining the relevant characteristics that must have a SSL/TLS certificate, the Certifying Authority generate it. A vulnerability analysis is developed in application servers and encrypted communications channel is established to protect against attacks such as man in the middle, phishing and maintaining the integrity of information that is transmitted between the client and server., La seguridad en la capa de aplicación (SSL), proporciona la confidencialidad, integridad y autenticidad de los datos, entre dos aplicaciones que se comunican entre sí. El presente artículo es el resultado de haber implementado certificados SSL / TLS gratuitos en servidores de aplicación, determinando las características relevantes que debe tener un certificado SSL/TLS, la Autoridad certificadora que lo emita. Se realiza un análisis de las vulnerabilidades en los servidores web y se establece un canal cifrado de comunicaciones con el fin de proteger de ataques como hombre en el medio, phising y mantener la integridad de la información que es trasmitida entre el cliente y servidor.
Published: 2017

28. Analysis of free SSL/TLS Certificates and their implementation as Security Mechanism in Application Servers.

Author: Cueva Hurtado, Mario E., Alvarado Sarango, Diego Javier, Cueva Hurtado, Mario E., and Alvarado Sarango, Diego Javier
Abstract: Security in the application layer (SSL), provides the confidentiality, integrity, and authenticity of the data, between two applications that communicate with each other. This article is the result of having implemented Free SSL / TLS Certificates in application servers, determining the relevant characteristics that must have a SSL/TLS certificate, the Certifying Authority generate it. A vulnerability analysis is developed in application servers and encrypted communications channel is established to protect against attacks such as man in the middle, phishing and maintaining the integrity of information that is transmitted between the client and server., La seguridad en la capa de aplicación (SSL), proporciona la confidencialidad, integridad y autenticidad de los datos, entre dos aplicaciones que se comunican entre sí. El presente artículo es el resultado de haber implementado certificados SSL / TLS gratuitos en servidores de aplicación, determinando las características relevantes que debe tener un certificado SSL/TLS, la Autoridad certificadora que lo emita. Se realiza un análisis de las vulnerabilidades en los servidores web y se establece un canal cifrado de comunicaciones con el fin de proteger de ataques como hombre en el medio, phising y mantener la integridad de la información que es trasmitida entre el cliente y servidor.
Published: 2017

29. Analysis of free SSL/TLS Certificates and their implementation as Security Mechanism in Application Servers.

Author: Cueva Hurtado, Mario E., Alvarado Sarango, Diego Javier, Cueva Hurtado, Mario E., and Alvarado Sarango, Diego Javier
Abstract: Security in the application layer (SSL), provides the confidentiality, integrity, and authenticity of the data, between two applications that communicate with each other. This article is the result of having implemented Free SSL / TLS Certificates in application servers, determining the relevant characteristics that must have a SSL/TLS certificate, the Certifying Authority generate it. A vulnerability analysis is developed in application servers and encrypted communications channel is established to protect against attacks such as man in the middle, phishing and maintaining the integrity of information that is transmitted between the client and server., La seguridad en la capa de aplicación (SSL), proporciona la confidencialidad, integridad y autenticidad de los datos, entre dos aplicaciones que se comunican entre sí. El presente artículo es el resultado de haber implementado certificados SSL / TLS gratuitos en servidores de aplicación, determinando las características relevantes que debe tener un certificado SSL/TLS, la Autoridad certificadora que lo emita. Se realiza un análisis de las vulnerabilidades en los servidores web y se establece un canal cifrado de comunicaciones con el fin de proteger de ataques como hombre en el medio, phising y mantener la integridad de la información que es trasmitida entre el cliente y servidor.
Published: 2017

30. How Certificate Transparency Impact the Performance

Author: Sjöström, Linus, Nykvist, Carl, Sjöström, Linus, and Nykvist, Carl
Abstract: Security on the Internet is essential to ensure the privacy of an individual. Today, Trans- port Layer Security (TLS) and certificates are used to ensure this. But certificates are not enough in order to maintain confidentiality and therefore a new concept, Certificate Trans- parency (CT), has been introduced. CT improves security by allowing the analysis of sus- picious certificates. Validation by CT uses public logs that can return Signed Certificate Timestamp (SCT), which is a promise returned by the log indicating that the certificate will be added to the log. A server may then deliver the SCT to a client in three different ways: X.509v3 extension, Online Certificate Status Protocol (OSCP) stapling and TLS extension. For further analysis, we have created a tool to collect data during TLS handshakes and data transfer, including byte information, the certificates themselves, SCT delivery method and especially timing information. From our dataset we see that most websites do not use CT and the ones that use CT almost only use X.509 extension to send their SCTs.
Published: 2017

31. Modernizing forms at KTH : Using Digital Signatures

Author: Engström, Pontus and Engström, Pontus
Abstract: Today both government agencies and companies struggle to keep up with the pace of the continuous change of technology. With all new technology there are benefits, but new problems might also occur. Implementing new technology for certain tasks may increase both efficiency and security, resulting in a more sustainable work environment. One technology that is increasingly adopted is digital signatures. Instead of using classical handwritten signatures on documents, a digital signature can be more time efficient and have higher security. In order to implement a digital signature technology some security aspects must be addressed and certain properties ensured. In the document signature process, each time an individual verifies a signature attached onto a document a log entry is created. This log contains information about who verified which document, does it have multiple parts that have been signed, does it need multiple signatures in order to be valid, and at what time and date was the document signed. Logs help to ensure the validity of the document and thereby increase the security provided by the digital signatures. At KTH, a student must sign an application form with a regular ink-written signature to start a thesis project. This process can in most cases delay the start up to two weeks. This study aims to implement digital signatures for one specific form, an application form for a thesis project. The hypothesis at the start of the project was that the use of digital signature would decrease the time of waiting significantly. Personnel at KTH using digital signature would facilitate their work efficiency, due to less printing and archiving of papers as well fewer meetings. This study will provide the reader with the necessary fundamental knowledge of cryptography and how digital signatures use this underlying technology. The methodology used in this study was to identify and modify certain software settings, as well collect data from students and personnel at KT, Dagens myndigheter och företag har det svårt att ständigt följa den tekniska utvecklingen. Ny teknik skapar oftast nya fördelar och andra förmåner men kan ibland också orsaka problem. Att implementera ny teknik för specifika ändamål kan öka både effektivitet och säkerhet, vilket resulterar i en mer effektiv arbetsplats. En teknik som introduceras allt mer på sistone är digitala signaturer. Istället för att signera dokument med en handskriven signatur kan en digital signatur vara mer tidseffektiv och ha en högre säkerhet. För att implementera tekniken bakom digitala signaturer måste särskilda säkerhetsaspekter adresseras och specifika inställningar säkerställas. I signaturprocessen måste varje individ verifiera signaturen som är bifogad på dokumentet, denna verifiering skapar även en logg. En logg innehåller bland annat information om vem som verifierade dokumentet, om dokumentet har fler än en bifogad signatur, behöver dokumentet fler signaturer för att vara giltigt och vilken tid och datum var dokumentet signerat. En logg säkerställer validiteten av dokumentet och ökar därmed säkerheten för digitala signaturer. På KTH krävs en skriftlig ansökan för att påbörja ett examensarbete. Med nuvarande process kan det i vissa fall leda till en försenad projektstart med upp till två veckor. Den här studien syftar till att implementera digitala signaturer för ett specifikt formulär, en ansökningsblankett för att påbörja ett examensarbete. Hypotesen vid projektstart var att användning av digitala signaturer skulle kunna förminska väntetiden signifikant. Anställda på KTH som utnyttjar digitala signaturer skulle kunna förbättra deras arbetseffektivitet på grund av färre pappersutskrifter, mindre pappersarkivering och färre möten. Den här studien kommer att förse läsaren med de mest nödvändiga kunskaperna av kryptografi och hur digitala signaturer använder krypteringsfenomenet. Metodiken som användes syftade till att identifiera och modifiera specifika mjukvaruinställningar samt s
Published: 2016

32. Certificate Transparency in Theory and Practice

Author: Gustafsson, Josef and Gustafsson, Josef
Abstract: Certificate Transparency provides auditability to the widely used X.509 Public Key Infrastructure (PKIX) authentication in Transport Layer Security (TLS) protocol. Transparency logs issue signed promises of inclusions to be used together with certificates for authentication of TLS servers. Google Chrome enforces the use of Certificate Transparency for validation of Extended Validation (EV) certificates. This thesis proposes a methodology for asserting correct operation and presents a survey of active Logs. An experimental Monitor has been implemented as part of the thesis. Varying Log usage patterns and metadata about Log operation are presented, and Logs are categorized based on characteristics and usage. A case of mis-issuance by Symantec is presented to show the effectiveness of Certificate Transparency.
Published: 2016

33. Certificate Transparency in Theory and Practice

Author: Gustafsson, Josef and Gustafsson, Josef
Abstract: Certificate Transparency provides auditability to the widely used X.509 Public Key Infrastructure (PKIX) authentication in Transport Layer Security (TLS) protocol. Transparency logs issue signed promises of inclusions to be used together with certificates for authentication of TLS servers. Google Chrome enforces the use of Certificate Transparency for validation of Extended Validation (EV) certificates. This thesis proposes a methodology for asserting correct operation and presents a survey of active Logs. An experimental Monitor has been implemented as part of the thesis. Varying Log usage patterns and metadata about Log operation are presented, and Logs are categorized based on characteristics and usage. A case of mis-issuance by Symantec is presented to show the effectiveness of Certificate Transparency.
Published: 2016

34. Modernizing forms at KTH : Using Digital Signatures

Author: Engström, Pontus and Engström, Pontus
Abstract: Today both government agencies and companies struggle to keep up with the pace of the continuous change of technology. With all new technology there are benefits, but new problems might also occur. Implementing new technology for certain tasks may increase both efficiency and security, resulting in a more sustainable work environment. One technology that is increasingly adopted is digital signatures. Instead of using classical handwritten signatures on documents, a digital signature can be more time efficient and have higher security. In order to implement a digital signature technology some security aspects must be addressed and certain properties ensured. In the document signature process, each time an individual verifies a signature attached onto a document a log entry is created. This log contains information about who verified which document, does it have multiple parts that have been signed, does it need multiple signatures in order to be valid, and at what time and date was the document signed. Logs help to ensure the validity of the document and thereby increase the security provided by the digital signatures. At KTH, a student must sign an application form with a regular ink-written signature to start a thesis project. This process can in most cases delay the start up to two weeks. This study aims to implement digital signatures for one specific form, an application form for a thesis project. The hypothesis at the start of the project was that the use of digital signature would decrease the time of waiting significantly. Personnel at KTH using digital signature would facilitate their work efficiency, due to less printing and archiving of papers as well fewer meetings. This study will provide the reader with the necessary fundamental knowledge of cryptography and how digital signatures use this underlying technology. The methodology used in this study was to identify and modify certain software settings, as well collect data from students and personnel at KT, Dagens myndigheter och företag har det svårt att ständigt följa den tekniska utvecklingen. Ny teknik skapar oftast nya fördelar och andra förmåner men kan ibland också orsaka problem. Att implementera ny teknik för specifika ändamål kan öka både effektivitet och säkerhet, vilket resulterar i en mer effektiv arbetsplats. En teknik som introduceras allt mer på sistone är digitala signaturer. Istället för att signera dokument med en handskriven signatur kan en digital signatur vara mer tidseffektiv och ha en högre säkerhet. För att implementera tekniken bakom digitala signaturer måste särskilda säkerhetsaspekter adresseras och specifika inställningar säkerställas. I signaturprocessen måste varje individ verifiera signaturen som är bifogad på dokumentet, denna verifiering skapar även en logg. En logg innehåller bland annat information om vem som verifierade dokumentet, om dokumentet har fler än en bifogad signatur, behöver dokumentet fler signaturer för att vara giltigt och vilken tid och datum var dokumentet signerat. En logg säkerställer validiteten av dokumentet och ökar därmed säkerheten för digitala signaturer. På KTH krävs en skriftlig ansökan för att påbörja ett examensarbete. Med nuvarande process kan det i vissa fall leda till en försenad projektstart med upp till två veckor. Den här studien syftar till att implementera digitala signaturer för ett specifikt formulär, en ansökningsblankett för att påbörja ett examensarbete. Hypotesen vid projektstart var att användning av digitala signaturer skulle kunna förminska väntetiden signifikant. Anställda på KTH som utnyttjar digitala signaturer skulle kunna förbättra deras arbetseffektivitet på grund av färre pappersutskrifter, mindre pappersarkivering och färre möten. Den här studien kommer att förse läsaren med de mest nödvändiga kunskaperna av kryptografi och hur digitala signaturer använder krypteringsfenomenet. Metodiken som användes syftade till att identifiera och modifiera specifika mjukvaruinställningar samt s
Published: 2016

35. Confusa : A cross federated personal certificate portal

Author: Austad, H., Zangerl, Thomas, Austad, H., and Zangerl, Thomas
Abstract: We are steadily progressing towards a world where a digital identity is required to gain entrance to a wide variety of services. From access to supercomputers and computational grids to web-services or asserting the authorship of an email, the need for secure digital identities is only growing. The process for obtaining these digital tokens must be simple yet secure for all parties involved, and it must extend to virtually all types of applications. One well tested technology, X.509 certificates, can work with most of these platforms, and the existing Identity Federations can be used to initially assert a user's identity. By using these two together, we have been built a service where a user can use the local authentication credentials combination to gain world-wide recognized X.509 credentials in a matter of minutes., QC 20140815
Published: 2010

36. SAMSON : Secure Access for Medical Smart cards Over Networks

Author: Hembroff, G. C., Muftic, Sead, Hembroff, G. C., and Muftic, Sead
Abstract: This paper presents several smart card security extensions to the FIPS 201 PIV standard of security and authentication of mobile health. Our contributions are designed to better protect the patient's data and to increase the functionality and interoperability of smart cards in health care. Our solution, called SAMSON, consists of two types of smart cards. The first, a security card, is issued to all personnel within any medical organization, while the second, the medical card, is issued to patients and used to securely store and retrieve health care information. These smart cards are being tested within a 14 hospital federated consortium in Michigan's Upper Peninsula., QC 20140825
Published: 2010
Full Text: View/download PDF

37. Zabezpečení v IP sítích s technologií VoIP

Author: Vozňák, Miroslav, Lenoch, Petr, Vozňák, Miroslav, and Lenoch, Petr
Abstract: Tato diplomová práce se zabývá využitím zabezpečovacích mechanismů u VoIP. Technologie VoIP umožňuje přenos hlasu prostřednictvím počítačové sítě v těle paketů. V úvodní kapitole jsou popsány a vysvětleny pojmy autentizace, autorizace, integrita a mechanismy souvisejícími s těmito pojmy. Podstatnou část tvoří problematika zabezpečení hlasu, signalizace a analýza útoků na infrastrukturu VoIP. Jsou zde popsány typy útoků DoS, SPIT, Vishing a MITM. Poslední kapitola se věnuje implementaci zabezpečovacích mechanismů v praxi. Aplikace zabezpečení je zaměřena na komunikaci klienta se serverem a samotnou komunikaci mezi servery. Zabezpečení je prováděno na open-source řešení Asterisk a OpenSIPS., This diploma thesis is dealing with the usage of security mechanism in VoIP technology. The VoIP technology makes possible to transfer voice via computer network in the body of packets. There are described and explained concepts of the authentication, authorization, integrity and relating mechanisms in the preliminary chapter. The essential part of this thesis forms voice security, signaling and analysis of attacks on the VoIP infrastructure. There are described the types of attacks like a DoS, SPIT, Vishing and MITM. The last chapter takes focus on implementation security mechanisms in the practice. Application of security is oriented on the communication client with the server and communication itself between servers. For the security itself is used the open-source solution Asterisk and OpenSIPS.
Published: 2009

38. Reducing e-commerce risks using digital certificates

Author: Piščević, Miloš, Simić, Dejan, Piščević, Miloš, and Simić, Dejan
Abstract: E-commerce means buying and selling goods and services across the Internet. Secured communication in e-commerce, across unsecured medium, such as the Internet, represents one of the major components in a domain of providing necessary security- critical demands, so the flow of information could go in a secure way. The Internet, as a global computer network must provide five major security services: confidentiality, data integrity, authentication, availability, and non-repudiation of information. Without guaranteeing aformentioned security goals, risks may be very high in e-commerce systems. A possible way to reduce these risks is to use digital certificates. Digital certificates provide a means of proving identity in electronic transactions, and from the point of view of computer communication they are irreplacable, but nevertheless they provide a good mechanism for implementing the major part of this security goal, and therefore, their usage in e-commerce is the major topic of this paper.
Published: 2009

39. Extending UNICORE 5 authentication model by supporting proxy certificate profile extensions

Author: Stamou, Katerina, Hedman, Fredrik, Iliopoulos, Anthony, Stamou, Katerina, Hedman, Fredrik, and Iliopoulos, Anthony
Abstract: Authentication interoperability between the UNICORE grid middleware system and other Grid middleware systems is addressed. An approach to extending the UNICORE authentication model to support a proxy certificate (RFC3280) profile is presented. This optional feature can then be enabled based on site policy. Furthermore, the addition capacitates further advances related to authorization. With interoperability becoming a key issue in many production environments, extending the generality of UNICORE in this way opens up the possibility of direct and general interoperability scenarios.
Published: 2008
Full Text: View/download PDF

40. Refined Access Control in a Distributed Environment

Author: Boström, Erik and Boström, Erik
Abstract: In the area of computer network security, standardization work has been conducted for several years. However, the sub area of access control and authorization has so far been left out of major standardizing. This thesis explores the ongoing standardization for access control and authorization. In addition, areas and techniques supporting access control are investigated. Access control in its basic forms is described to point out the building blocks that always have to be considered when an access policy is formulated. For readers previously unfamiliar with network security a number of basic concepts are presented. An overview of access control in public networks introduces new conditions and points out standards related to access control. None of the found standards fulfills all of our requirements at current date. The overview includes a comparison between competing products, which meet most of the stated conditions. In parallel with this report a prototype was developed. The purpose of the prototype was to depict how access control could be administered and to show the critical steps in formulating an access policy.
Published: 2002

41. Refined Access Control in a Distributed Environment

Author: Boström, Erik and Boström, Erik
Abstract: In the area of computer network security, standardization work has been conducted for several years. However, the sub area of access control and authorization has so far been left out of major standardizing. This thesis explores the ongoing standardization for access control and authorization. In addition, areas and techniques supporting access control are investigated. Access control in its basic forms is described to point out the building blocks that always have to be considered when an access policy is formulated. For readers previously unfamiliar with network security a number of basic concepts are presented. An overview of access control in public networks introduces new conditions and points out standards related to access control. None of the found standards fulfills all of our requirements at current date. The overview includes a comparison between competing products, which meet most of the stated conditions. In parallel with this report a prototype was developed. The purpose of the prototype was to depict how access control could be administered and to show the critical steps in formulating an access policy.
Published: 2002

42. Elektronický podpis v praxi

Author: Člupek, Vlastimil, Burda, Karel, Miška, Matěj, Člupek, Vlastimil, Burda, Karel, and Miška, Matěj
Abstract: Bakalářská práce se zabývá tvorbou systému pro správu a zabezpečení elektronických certifikátů určených k podpisu dokumentů. Aplikace vytvořená v této práci je koncipována jako konzolová aplikace volána z příkazové řádky systému. Toto řešení je odůvodněno možností pokračování této práce v podobě nástavby uživatelského rozhraní nebo využití jinou aplikací. Pomocí tohoto programu je možné vytvářet uživatele, kteří mohou nahrávat své certifikáty s hesly do aplikace a následně je využít při podpisu souborů PDF a PNG. V aplikace jsou implementovány algoritmy zajišťující bezpečnost uložených dat. Teoretická část práce podrobně rozebírá tvorbu a práci s certifikáty a podpisovými klíči v reálném světě včetně tvorby vlastního self-signed certifikátu. Závěrem teoretické části je testování využitelnosti certifikátů., This bachelor's thesis deals with the creation and development of a system for management and security of digital certificates used for signing documents. The application created in this thesis is conceptualised as a console application used from command line of a system. This solution is justified by the possibility of being continued as a graphic user interface extension or adopted by another application. The application allows for the creation of a user account, through which a person can import their certificates with passwords into the application and subsequently use the certificates in signing PDF documents or PNG files. Algorithms ensuring the security of saved data are implemented by the application. The theoretical part of this thesis analyzes the creation and work with certificates and signature keys in real life, including the creation of own self-signed certificate. The theoretical part concludes with the testing of usage of the certificates.

43. Bezpečnost webových služeb z pohledu spotřebitele služby

Author: Rychlý, Marek, Weiss, Petr, Novotný, Petr, Rychlý, Marek, Weiss, Petr, and Novotný, Petr
Abstract: Úkolem této práce bylo seznámení čtenáře s různými možnosti webového zabezpečení a její autentizace. Další část práce bylo vytvoření klientské aplikace komunikující se zadanou webovou službou. Klientská část by měla zároveň sloužit pro vývojáře webových služeb kontrolující zvolené webové zabezpečení., The objective of this project was to introduce to a reader different possibilities of a web security and its authentication. Another part of this project was to create a client application communicates with the web service. The client part should at the some time serve the web services developer for checking chosen web securities.

44. Detekce a analýza přenosů využívajících protokoly SSL/TLS

Author: Smékal, David, Dvořák, Jan, Hutar, Jan, Smékal, David, Dvořák, Jan, and Hutar, Jan
Abstract: Diplomová práce se zabývá detekcí a analýzou zabezpečených spojení elektronické ko- munikace prostřednictvím protokolů SSL/TLS. V práci je prostudována problematika SSL/TLS protokolů. Následně byla provedena analýza zpráv používaných při navazo- vání zabezpečeného spojení a zpráv poštovních služeb SMTP, POP3 a IMAP při použití STARTTLS. Detekce a extrakce metadat zabezpečených simplexních a duplexních spo- jení probíhá za použití prostředků hluboké inspekce paketů. Výchozím nástrojem byla použita knihovna funkcí nDPI z projektu Ntop. Knihovna byla rozšířena o detekci zmí- něných spojení a extrakci metadat na základě studia a analýzy přenášených zpráv. V závěru práce je provedeno testování na cvičné množině dat a základní analýza získaných metadat., This diploma thesis deals with a detection and analysis of secure connections of electro- nic communication through SSL/TLS protocols. The thesis begins with introduction to SSL/TLS protocols. Thereafter, an analysis of messages used to establish secure con- nections using STARTTLS and postal protocols SMTP, POP3, and IMAP was made. Metadata detection and extraction of secured simplex and duplex connections take place using deep packet inspection tools. The tool of choice is the nDPI library from the Ntop project. The library was extended to detect the connections and extract the metadata based on studies and analysis of transmitted messages. Finally, testing is performed on a training data set and a basic analysis of acquired metadata is made.

45. Elektronické zabezpečení zdravotnické dokumentace v prostředí zdravotnického IS

Author: Barabas, Maroš, Malinka, Kamil, Hauserová, Markéta, Barabas, Maroš, Malinka, Kamil, and Hauserová, Markéta
Abstract: Práce rozebírá české zákony týkající se zdravotnické dokumentace. Popisuje, jaké body musí splňovat IS, aby zdravotnická dokumentace mohla být vedena jen v elektronické podobě. Shrnuje různé algoritmy pro implementaci zaručeného elektronického podpisu a pro identifikaci osoby. Věnuje se asymetrické kryptografii a to RSA, DSA a ECDSA. Popisuje hashovaní funkce a jejich vlastnosti. Popisuje princip certifikátu, jak je možné je získat, zneplatnit a v jaké formátu jsou tyto certifikáty vedeny. Analyzuje zdravotnický IS a navrhuje možnosti jak vytvořit program pro podepisování zdravotnické dokumentace. Následně na základě uvedené analýzy je program přímo implementován. Na závěr práce je rozebráno, jestli vytvořený program splňuje daná kritéria a jakým způsobem., Thesis is analyzing czech laws which are related to medical documentation. Describes the points which are mandatory for information system, so the medical documentation can be stored electronically. Includes various algorithms for implementation of certain electronic signature and for identification of person. This thesis deals with asymmetric cryptography, specifically RSA, DSA, and ECDSA. Describes the hash functions and their functions and their characteristics. Describes the principle of the certificate, ways of its obtaining, invalidation and their formats. Analyzes medical information system and suggests ways to create a program for signing medical records. Then based on that analysis, the program is implemented. At the conclusion of the work is discussed, if created program meets the criteria.

46. Bezpečnost webových služeb z pohledu poskytovatele služby

Author: Rychlý, Marek, Jaša, Petr, Liška, Stanislav, Rychlý, Marek, Jaša, Petr, and Liška, Stanislav
Abstract: Tato práce si dává za úkol poskytnou čtenářům pohled na možnosti zabezpečení webových služeb a jejich autentizaci. Druhá kapitola obecně vysvětluje webové služby a třetí kapitola bezpečností protokoly spolu s autentizací. Ve čtvrté kapitole jsou popisovány možnosti zabezpečení webových služeb v prostředí Java Enterprise Edition. Pátá kapitola je věnována návrhu webové služby z pohledu poskytovatele služby. Šestá kapitola popisuje implementaci zabezpečené služby a sedmá testování služby s možností dalšího rozšíření., This work makes the task of providing readers with insight into the possibilities of Web services security and authentication. The second chapter explains the general Web services and the third charter deals with security protocols along with authentication. The charter possibility of securing Web services in Java Enterprise Edition are described in the fourth chapter. The fifth chapter is devoted to Web services from the perspective of the service provider. The sixth chapter describes the implementation of secure services and seventh charter deals with testing services with the possibility of further extension.

47. Webová aplikace pro správu certifikátů

Author: Burget, Radek, Rychlý, Marek, Kobyda, Simon, Burget, Radek, Rychlý, Marek, and Kobyda, Simon
Abstract: Cieľom tejto práce je vytvorenie softvéru na získanie a správu X.509 certifikátov. Hlavný dôraz je na poskytnutie múdreho a intuitívneho uživateľského rozhrania, ktoré by dovolilo spravovať certifikáty aj administrátorom, ktorí nemajú o nich veľa znalostí. Práca je implementovaná s technológiou React ako plugin pre Cockpit, vďaka čomu si nájde svoje miesto aj vo väčšom obraze Red Hat portfólia., The aim of this work is to create software to request and manage X.509 certificates. Its main emphasis is to provide a smart and intuitive user interface, which would enable administrators, who do not have much knowledge about certificate, to request and manage them. The work is implemented using React as a plugin for Cockpit, which by extension will fit it into a bigger picture of Red Hat's portfolio.

48. Technologické a právní limity elektronického podpisu v souvislosti s identifikací podepisující osoby

Author: Loutocký, Pavel, Harašta, Jakub, Klimková, Natálie, Loutocký, Pavel, Harašta, Jakub, and Klimková, Natálie
Abstract: Bakalářská práce se věnuje problematice elektronických podpisů, zejména zaručeného elektronického podpisu, v souvislosti s nařízením EIDAS. V první části je rozebrána právní stránka, vymezeny právní limity podpisů a analyzována rozhodovací praxe v ČR. Druhá část se věnuje podpisům, opět hlavně zaručenému, a jejich limitům z technického pohledu. V závěru je představena aplikace vytvářející a následně i využívající zaručený elektronický podpis., The bachelor thesis is devoted to the issue of digital signatures, in particular advanced digital signatures, in the context of the EIDAS regulation. The first part discusses the legal aspect, defines the legal limits of signatures and analyses the decision-making practice in the Czech Republic. The second part deals with signatures, again mainly advanced, and their limits from a technical point of view. Finally, an application creating and subsequently using an advanced digital signature is presented.

49. Anonymní pohyb v síti internet

Author: Rosenberg, Martin, Babnič, Patrik, Hořejš, Jan, Rosenberg, Martin, Babnič, Patrik, and Hořejš, Jan
Abstract: Cílem diplomové práce bylo popsat současné možnosti anonymního pohybu po Internetu. Teoretická část se zaměřuje na tři hlavní způsoby anonymizace se zaměřením na síť Tor. V práci jsou popsány výhody a nevýhody jednotlivých řešení a možné útoky na ně. V další části je demonstrována síť Tor, implementace Skryté služby, zabezpečeného anonymního přístupu uživatelů k serveru a možných útoků vůči tomuto návrhu. Práce zároveň obsahuje výsledky měření všech tří způsobu anonymizace a vlivů na jejich rychlost., The objective of this master’s thesis was to describe current capabilities of anonymous browsing over the Internet. The theoretical part focuses on three main methods of anonymization with main focus on Tor network. The master‘s thesis describes advantages and disadvantages of different solutions and possible attacks on them. In the next part is demonstrated Tor network, implementation of Hidden service and secured access to the server for clients and possible attacks against this proposal. The work also includes the results of measurements of all three anonymizers and the effects on their speed.

50. Bezpečnost webových služeb z pohledu poskytovatele služby

Author: Rychlý, Marek, Jaša, Petr, Liška, Stanislav, Rychlý, Marek, Jaša, Petr, and Liška, Stanislav
Abstract: Tato práce si dává za úkol poskytnou čtenářům pohled na možnosti zabezpečení webových služeb a jejich autentizaci. Druhá kapitola obecně vysvětluje webové služby a třetí kapitola bezpečností protokoly spolu s autentizací. Ve čtvrté kapitole jsou popisovány možnosti zabezpečení webových služeb v prostředí Java Enterprise Edition. Pátá kapitola je věnována návrhu webové služby z pohledu poskytovatele služby. Šestá kapitola popisuje implementaci zabezpečené služby a sedmá testování služby s možností dalšího rozšíření., This work makes the task of providing readers with insight into the possibilities of Web services security and authentication. The second chapter explains the general Web services and the third charter deals with security protocols along with authentication. The charter possibility of securing Web services in Java Enterprise Edition are described in the fourth chapter. The fifth chapter is devoted to Web services from the perspective of the service provider. The sixth chapter describes the implementation of secure services and seventh charter deals with testing services with the possibility of further extension.

Catalog

Books, media, physical & digital resources

See catalog results

Searchworks

Select search scope, currently: Articles Catalog books, media & more in Jio Institute collections Articles journal articles & other e-resources

Search

Search Constraints

Refine your results

Search Limiters

Publication Year Range

Publication Type

Journal

Database

Publisher

92 results on '"X.509"'

Search Results

Catalog

Select search scope, currently: Articles

Catalog

books, media & more in Jio Institute collections

Articles

journal articles & other e-resources