Altarawneh, Amani; Brooks, R. R. (Richard R.); Kandah, Farah; Reising, Donald R.
College of Engineering and Computer Science
University of Tennessee at Chattanooga
Place of Publication
TLS communication over the internet has risen rapidly in the last seven years (2015--2022), and there were over 156M active SSL certificates in 2022. The state-of-the-art Public Key Infrastructure (PKI), encompassing protocols, computational resources, and digital certificates, has evolved for 24 years to become the de-facto choice for encrypted communication over the Internet even on newer platforms such as mobile devices and Internet-of-Things (IoT) (despite being low powered with computational constraints). However, certificate revocation is one sub-protocol in TLS communication that fails to meet the rising scalability demands and remains open to exploitation. In this dissertation, the standard for X.509 revocation is systematically reviewed and critically evaluated to identify its limitations and assess their impact on internet security. Because of fragmented revocation information and limited scalability, even the latest version of the X.509 revocation standard is susceptible to Man-in-the-Middle (MiTM) attacks. Blockchain technology can provide a decentralized and peer-to-peer distributed ledger to enable a unified, tamper-proof platform for X.509 certificate authorities to collaborate securely in a trustless environment. To understand blockchain technology's capabilities and limitations in distributing X.509 revocation information, different blockchain platforms are explored and compared in terms of scalability, degree of decentralization, and cost of operation. Moreover, the unification of the revocation lists leads to a massive expansion in the number of revoked certificates to query by a verifying client thus increasing the latency during revocation lookup. And, to minimize revocation-status lookup times, cryptographic constructions and approximate set-membership data structures are prototyped and analyzed. The key contributions of this dissertation are twofold: 1) the novel design of a secure and robust system for distributing X.509 certificate revocation information; and, 2) the prototype, experimentation, and optimization of cascading XOR filter, fuse filter, and cuckoo filter for quick lookup with zero false positives (and zero false negatives). The Secure Certificate Revocation as a Peer Service (SCRaaPS) is designed using the Lightweight Mining consensus algorithm-based Scrybe blockchain protocol to store and distribute certificate revocation lists. And, the cascading fuse filter (demonstrating the highest space efficiency and fastest build time) is applied to minimize the revocation lookup time with zero false positives.
Research reported in this publication was supported in part by the National Science Foundation under grants nos. 1821926, 1925603, and 1918987. Any opinions, findings, conclusions, or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation.
Ph. D.; A dissertation submitted to the faculty of the University of Tennessee at Chattanooga in partial fulfillment of the requirements of the degree of Doctor of Philosophy.
Blockchains (Databases); Public key infrastructure (Computer security); Computer networks--Security measuers
xix, 82 leaves
Medury, Sai, "Design, modeling, and simulation of secure X.509 certificate revocation" (2023). Masters Theses and Doctoral Dissertations.