Data-Driven Analysis of Key and Certificate Management for Networked Systems

 

Abstract: 

Transport Layer Security (TLS) is the de facto encryption protocol for securing communications over the Internet, relying on the secure delivery and authentication of public keys. Prior work has studied the Public Key Infrastructure (PKI) by focusing on digital certificates issued by trusted Certificate Authorities (CAs) that are commonly used for web servers. However, this is just the tip of the iceberg. This dissertation takes a data-driven approach to uncover security and privacy risks in the use of digital certificates for emerging applications such as the Internet of Things (IoT) and to investigate practical challenges in a new approach to managing public keys through the Domain Name System (DNS).

First, we examine the interactions between the IoT ecosystem and TLS, revealing significant heterogeneity in IoT TLS implementations and highlighting security risks posed by IoT vendor-issued and -managed certificates. Second, we explore the often-overlooked practices of mutual TLS, uncovering alarming security and privacy risks associated with client certificates, such as misconfigurations, certificate sharing between servers and clients, long-expired certificates, and sensitive information embedded within client certificates that raises privacy concerns. Finally, we investigate a new DNS resource record type, DNS HTTPS, which enables the delivery of public keys to encrypt the TLS ClientHello message. We conduct a longitudinal study on the server-side deployment of DNS HTTPS resource records and identify practical management and deployment challenges. We also examine client-side support for these new DNS HTTPS records to uncover issues that may lead to connection failures. In summary, this dissertation aims to lay the foundation for building more secure, privacy-preserving, and trustworthy networks by addressing these findings and advancing best practices in certificate and key management.

 

Committee:  

  • Jack W. Davidson, Committee Chair, CS/SEAS/UVA
  • Yixin Sun, Advisor, CS, ECE/SEAS/UVA 
  • Hyojoon Kim, CS/SEAS/UVA
  • Brad Campbell, CS, ECE/SEAS/UVA 
  • Cong Shen, ECE/SEAS/UVA