CNS Core: Large: Collaborative Research: Towards an Evolvable Public Key Infrastructure

CNS 核心：大型：协作研究：迈向可进化的公钥基础设施

• 批准号: 1901325
• 负责人: David Levin
• 金额: $ 61.76万
• 依托单位: University of Maryland, College Park
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2019
• 资助国家: 美国
• 起止时间: 2019-06-01 至 2024-05-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1901325&HistoricalAwards=false
• 关键词: CNS; Core; Large; Collaborative; Research

The importance of the Transport Layer Security (TLS) public key infrastructure (PKI) to the success of the Internet cannot be overstated. From social networking to banking, from mobile devices to cloud computing, the PKI allows communicating parties to be sure of whom they are communicating with, that their communication is confidential, and that their communication has not been tampered with. Despite its incredible importance, the PKI has been notoriously difficult to evolve to meet new security concerns and Internet demands. This project introduces new, deployable alternatives to key parts of the PKI to make it more evolvable, manageable, and secure.The project has three primary thrusts. The first introduces a key enabling technology behind the subsequent thrusts, called assertion-carrying certificates (ACCs). ACCs expand today's certificates with the capability of including a small amount of code (in the form of assertions) to be evaluated as part of the certificate validation process. The second thrust applies ACCs to enable certificate authorities to more readily evolve to new demands for certificate delegation and automated issuance. The third thrust applies ACCs and trusted execution environments to enable web-hosting services like content delivery networks to securely manage their customers' cryptographic keys.Correct operation of the PKI is paramount to ensuring a secure, authenticated Internet. Recent efforts have proven that progress towards a more secure PKI is possible, but a more fundamental focus is needed to address the underlying challenges. This project will do just that by developing a new, extensible approach to constraining when identities on the Internet should be trusted. This project will make it straightforward and safe to extend the basic abstractions offered by the PKI, thereby enabling it to evolve to meet changing trends.The project's code and data will be made publicly available and maintained at https://securepki.orgThis award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

传输层安全（TLS）公钥基础设施（PKI）对互联网的成功的重要性怎么强调都不过分。 从社交网络到银行，从移动的设备到云计算，PKI允许通信方确定他们正在与谁通信，他们的通信是保密的，并且他们的通信没有被篡改。 尽管PKI的重要性令人难以置信，但它一直难以发展以满足新的安全问题和互联网需求。 该项目为PKI的关键部分引入了新的、可部署的替代方案，以使其更具可发展性、可管理性和安全性。 第一个介绍了后续推进背后的关键支持技术，称为断言承载证书（ACC）。 ACC扩展了当今的证书，能够包含少量代码（以断言的形式），以作为证书验证过程的一部分进行评估。 第二个重点是应用ACCs，使证书机构能够更容易地适应证书授权和自动签发的新要求。 第三个重点是应用ACCs和可信执行环境，使网络托管服务（如内容交付网络）能够安全地管理其客户的加密密钥。PKI的正确操作对于确保安全、经过认证的互联网至关重要。 最近的努力证明，在建立更安全的公用钥匙基础结构方面取得进展是可能的，但需要有一个更根本的重点，以应对根本性的挑战。 这个项目将通过开发一种新的、可扩展的方法来约束互联网上的身份何时应该被信任。 该项目将使其直接和安全地扩展由PKI提供的基本抽象，从而使其能够发展，以满足不断变化的趋势。该项目的代码和数据将在www.example.com上公开提供和维护https://securepki.orgThis奖项反映了NSF的法定使命，并被认为值得通过使用基金会的知识价值和更广泛的影响审查标准进行评估来支持。

项目成果

Assertion-Carrying Certificates

携带断言的证书

• 发表时间: 2020
• 期刊: Foundations of Computer Security
• 作者: Aqeel, Waqar;Hanif, Zachary;Larisch, James;Omolola, Olamide;Chung, Taejoong;Levin, Dave;Maggs, Bruce;Mislove, Alan;Parno, Bryan;Wilson, Christo
• 通讯作者: Wilson, Christo

A comparative analysis of certificate pinning in Android & iOS

• DOI: 10.1145/3517745.3561439
• 发表时间: 2022-10
• 期刊: Proceedings of the 22nd ACM Internet Measurement Conference
• 作者: Amogh Pradeep;Muhammad Talha Paracha;Protick Bhowmick;Ali Davanian;Abbas Razaghpanah;Taejoong Chung;Martina Lindorfer;Narseo Vallina-Rodriguez;Dave Levin;D. Choffnes

Bento: Safely Bringing Network Function Virtualization to Tor

Bento：将网络功能虚拟化安全地引入 Tor

• DOI: 10.1145/3452296.3472919
• 发表时间: 2021
• 期刊: ACM SIGCOMM
• 作者: Reininger, Michael;Arora, Arushi;Herwig, Stephen;Francino, Nicholas;Hurst, Jayson;Garman, Christina;Levin, Dave
• 通讯作者: Levin, Dave

Selfish & opaque transaction ordering in the Bitcoin blockchain: the case for chain neutrality

• DOI: 10.1145/3487552.3487823
• 发表时间: 2021-10
• 期刊: Proceedings of the 21st ACM Internet Measurement Conference
• 作者: Johnnatan Messias;Mohamed Alzayat;B. Chandrasekaran;K. Gummadi;P. Loiseau;A. Mislove

The ties that un-bind: decoupling IP from web services and sockets for robust addressing agility at CDN-scale

解除绑定的纽带：将 IP 与 Web 服务和套接字解耦，以实现 CDN 规模的强大寻址敏捷性

• DOI: 10.1145/3452296.3472922
• 发表时间: 2021
• 期刊: ACM SIGCOMM
• 作者: Fayed, Marwan;Bauer, Lorenz;Giotsas, Vasileios;Kerola, Sami;Majkowski, Marek;Odintsov, Pavel;Sitnicki, Jakub;Chung, Taejoong;Levin, Dave;Mislove, Alan
• 通讯作者: Mislove, Alan