A Zero Trust Data-Driven Perspective on PKI Root Stores
Jun 26, 2024
About This Presentation
Presentation for the prelaurea (pre-graduation seminar) of the Master's Degree Course in Electronic and Computer Engineering at the Università degli Studi di Trieste
Slides: 26 pages
Slide Content
A Zero Trust Data-Driven
Perspective on PKI Root Stores
Supervisor: Prof. Alberto Bartoli
Co-supervisor: Prof. Martino Trevisan
Candidate: Mauro Farina
Introduction
PKI | Public Key Infrastructure
Cryptographic system supporting most private and secure communications on the Internet
Allows clients to authenticate servers using digital certificates
The organizations that issue server certificates are known as certification authorities (CAs)
Certificate fields (figure): Subject, Public Key, Issuer (CA), Signature
Root Stores
Set of self-signed CA certificates (root certificates)
A device only accepts a server certificate whose chain (usually through one or more intermediate CA certificates) ends in a root certificate of its store
Operating systems are shipped with predefined root stores
Most browsers use their own root stores
Zero Trust
Cybersecurity paradigm for driving authentication and authorization in environments viewed as compromised
Inherent network-based trust is removed
Trust is never granted implicitly but must be continually evaluated
Increasing adoption by industry and regulators
Motivation
PKI principles collide with the Zero Trust paradigm
● Tens of CAs fully trusted a priori for authentication decisions
Proposed changes to EU regulations (eIDAS 2.0)
● Would force browsers to add any CA selected by EU governments to their root store
Current Root Store Landscape
Trust Perimeter Parameters
Trust perimeter of five popular root stores in terms of:
● Included root certificates
● Organizations that manage root certificates
  ○ Government-affiliated organizations
● Countries of origin of such organizations
Current Root Store Landscape
Main root store characteristics (table).
Dataset
HTTP Traffic
Data-driven research relies on a dataset of:
● ≈292 million HTTP transactions
● 232 users over 4 months
Previous works relied on:
● Browser histories (only 22 users)
● IP scans → complementary to real traffic, but addresses have no intrinsic order (they say nothing about which sites users actually visit)
Observed Portion of Mozilla’s Store
Distribution of the number of observed root certificates and organizations across users (figure).
Mozilla root store:
● 147 root certificates
● 52 organizations
Median observed values per user:
● 26 root certificates
● 11 organizations
Root Store Construction Policies
Proposed Framework
IT staff manage employees' root stores from a zero trust perspective
We define and analyze several Root Store Construction Policies based on users' traffic
We assess the discrepancy between the users' actual needs and the perimeter of trust established by the Mozilla root store
Policy Design
Specificity (how the root store differs among users)
● Uniform → All users share the same root store
Composition (which root certificates to include)
● All → All the observed root certificates
● Most(k) → The k root certificates that anchor the chains of the most websites
All Policy
Includes only the root certificates observed by the users
                          All policy (observed by our users)   Mozilla root store
Root certificates         59                                   147
Organizations             30                                   52
  of which governments    2                                    5
Countries                 18                                   23
Most(k) Policy
The k root certificates that anchor the chains of the most websites
Analysis of the coverage vs. trust perimeter trade-off across users
● Coverage → Percentage of a user's visited domains whose certificate is valid under the policy's root store (i.e. whose chain ends in one of its roots)
Distribution over users of the coverage granted by Most(k) (figure).
Most(k) | Organizations and countries
Root certificates belonging to the same organization will likely follow similar operational practices
Organizations are subject to the laws of the country they operate from
Two variants based on organization- and country-wise trust:
● Most_ORG(k) → trust granted organization-wise
● Most_COUNTRY(k) → trust granted country-wise
Most(k) | Organizations and countries
Distribution over users of the coverage granted by Most_ORG(k) (figure).
Distribution over users of the coverage granted by Most_COUNTRY(k) (figure).
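The Most(k) policy and the coverage metric from the previous slides, together with the Most_ORG(k) and Most_COUNTRY(k) variants, as an added example (this is not the thesis's code). The traffic sample, the root identifiers R1..R5 and their organization/country assignments are constructed for illustration, and breaking ranking ties by name is an assumption of this example; the slides do not specify a tie-breaking rule.

```python
"""Root Store Construction Policies over observed traffic (added example, not the thesis's code).

Each observation is (user, visited domain, root certificate at the top of the served chain).
Roots are mapped to the organization that manages them and that organization's country.
All identifiers and the traffic sample are constructed for illustration.
"""
from collections import defaultdict
from statistics import median

# Constructed root metadata: root certificate -> (managing organization, country).
ROOTS = {
    "R1": ("OrgA", "US"),
    "R2": ("OrgA", "US"),
    "R3": ("OrgB", "US"),
    "R4": ("OrgC", "DE"),
    "R5": ("OrgD", "JP"),
}

# Constructed observations: (user, domain, root). All three users visit a.example.
OBSERVATIONS = [
    ("u1", "a.example", "R1"), ("u1", "b.example", "R1"),
    ("u1", "c.example", "R3"), ("u1", "d.example", "R4"),
    ("u2", "a.example", "R1"), ("u2", "i.example", "R1"),
    ("u2", "j.example", "R1"), ("u2", "e.example", "R2"),
    ("u2", "f.example", "R3"),
    ("u3", "a.example", "R1"), ("u3", "g.example", "R5"),
    ("u3", "h.example", "R3"),
]


def _domains_by(observations, key):
    """Map key(root) -> set of distinct domains whose chain ends in a root with that key."""
    groups = defaultdict(set)
    for _user, domain, root in observations:
        groups[key(root)].add(domain)
    return groups


def _top_k(groups, k):
    """The k keys serving the most distinct domains; ties broken by name (an assumption)."""
    ranked = sorted(groups.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return {name for name, _domains in ranked[:k]}


def policy_all(observations):
    """All: every observed root, shared by all users (Uniform specificity)."""
    return {root for _user, _domain, root in observations}


def policy_most(observations, k):
    """Most(k): the k roots that anchor the chains of the most distinct domains."""
    return _top_k(_domains_by(observations, lambda r: r), k)


def policy_most_org(observations, k, roots=ROOTS):
    """Most_ORG(k): admit every observed root of the k organizations serving the most domains."""
    chosen = _top_k(_domains_by(observations, lambda r: roots[r][0]), k)
    return {r for r in policy_all(observations) if roots[r][0] in chosen}


def policy_most_country(observations, k, roots=ROOTS):
    """Most_COUNTRY(k): admit every observed root from the k countries serving the most domains."""
    chosen = _top_k(_domains_by(observations, lambda r: roots[r][1]), k)
    return {r for r in policy_all(observations) if roots[r][1] in chosen}


def coverage(observations, store):
    """Per-user coverage: share of the user's distinct domains whose chain root is in `store`."""
    visited, valid = defaultdict(set), defaultdict(set)
    for user, domain, root in observations:
        visited[user].add(domain)
        if root in store:
            valid[user].add(domain)
    return {u: len(valid[u]) / len(visited[u]) for u in visited}


def trust_perimeter(store, roots=ROOTS):
    """Trust perimeter in the slides' three units: roots, organizations, countries."""
    return (len(store),
            len({roots[r][0] for r in store}),
            len({roots[r][1] for r in store}))


if __name__ == "__main__":
    # Coverage vs. trust perimeter trade-off for growing k (the slides' Most(k) analysis).
    for k in range(1, len(ROOTS) + 1):
        store = policy_most(OBSERVATIONS, k)
        cov = coverage(OBSERVATIONS, store)
        print(f"Most({k}): roots={sorted(store)} perimeter={trust_perimeter(store)} "
              f"median coverage={median(cov.values()):.2f}")
    print("Most_ORG(1):", sorted(policy_most_org(OBSERVATIONS, 1)))
    print("Most_COUNTRY(1):", sorted(policy_most_country(OBSERVATIONS, 1)))
```

On this sample Most(2) admits R1 and R3 and already covers 75%, 80% and 67% of the three users' domains with two of the five roots; Most_ORG(1) admits both roots of OrgA, while Most_COUNTRY(1) admits every US root, which is the point of the two variants: the trust unit (root, organization or country) changes which roots enter the store for the same k.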
Zero Trust Root Store Management
Simulated scenario where the IT department of a company manages a root store from a zero trust perspective
1. All users start with an empty root store
2. IT staff take a trust decision each time a user observes a root certificate not yet decided upon
Root store size and number of trust decisions with the UniformAll policy (figure).
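The simulation described above, as an added example (not the thesis's own code): it replays a constructed, time-ordered traffic sample, starts every user with an empty root store, and records one trust decision the first time a root is seen. The decision rule that refuses a hypothetical government-affiliated root G1, and the comparison with per-user stores, are assumptions of this example rather than results from the slides.

```python
"""Zero trust root store management, simulated (added example, not the thesis's code).

Replays time-ordered traffic (day, user, domain, root at the top of the served chain).
Every user starts with an empty root store; the IT staff take one trust decision the
first time a root is encountered. Traffic, root names and the decision rule are constructed.
"""
from collections import Counter

# Constructed traffic sample, ordered by day.
TRAFFIC = [
    (1, "u1", "a.example", "R1"),
    (1, "u2", "b.example", "R1"),
    (1, "u1", "c.example", "R3"),
    (2, "u2", "d.example", "R2"),
    (2, "u3", "a.example", "R1"),
    (3, "u3", "e.example", "R3"),
    (5, "u1", "f.example", "G1"),
    (6, "u2", "f.example", "G1"),
    (9, "u3", "g.example", "R4"),
    (12, "u1", "a.example", "R1"),
]

# Hypothetical metadata used by the decision rule: roots managed by government-affiliated CAs.
GOVERNMENT_ROOTS = {"G1"}


def default_decision(root):
    """Hypothetical IT-staff rule: trust any newly seen root except government-affiliated ones."""
    return root not in GOVERNMENT_ROOTS


def simulate(traffic, uniform=True, decide=default_decision):
    """Replay traffic and return (decisions, decisions_by_day, blocked_visits).

    uniform=True  -> one shared store (UniformAll): each root is decided once for everyone.
    uniform=False -> one store per user: the same root is decided once per user.
    decisions maps root (or (user, root)) to True (admitted) / False (refused).
    """
    decisions = {}
    decisions_by_day = Counter()
    blocked_visits = []  # (user, domain) pairs whose chain root was refused
    for day, user, domain, root in traffic:
        key = root if uniform else (user, root)
        if key not in decisions:  # first sighting: a trust decision is needed
            decisions[key] = decide(root)
            decisions_by_day[day] += 1
        if not decisions[key]:
            blocked_visits.append((user, domain))
    return decisions, decisions_by_day, blocked_visits


def store_size(decisions):
    """Total number of admitted roots across all stores."""
    return sum(1 for admitted in decisions.values() if admitted)


def early_decision_share(decisions_by_day, split_day):
    """Fraction of all trust decisions taken on or before split_day (how front-loaded the effort is)."""
    total = sum(decisions_by_day.values())
    early = sum(n for day, n in decisions_by_day.items() if day <= split_day)
    return early / total if total else 0.0


if __name__ == "__main__":
    for uniform in (True, False):
        decisions, by_day, blocked = simulate(TRAFFIC, uniform=uniform)
        print(f"uniform={uniform}: admitted roots={store_size(decisions)}, "
              f"decisions={sum(by_day.values())} (by day {dict(sorted(by_day.items()))}), "
              f"blocked visits={len(blocked)}, "
              f"decided by day 2: {early_decision_share(by_day, 2):.0%}")
```

With the shared (UniformAll) store the sample needs five decisions in total, three of them on the first two days, and the store then stabilises at four admitted roots; keeping one store per user raises the count to nine decisions for the same traffic, which is why a uniform store keeps the IT staff's effort small.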
Conclusions
Trust Perimeters Comparison
Comparison of commercial root stores (black dots) with the proposed policies (figure).
Currently employed root stores are largely oversized
Real user-generated traffic shows that the trust perimeter of root stores can be reduced by ≈65%
A zero trust approach to root store management is feasible with little effort