28C3 - Version 2.3.5

28th Chaos Communication Congress
Behind Enemy Lines

Peter Eckersley
Day: Day 3 - 2011-12-29
Room: Saal 3
Start time: 23:00
Duration: 01:00
ID: 4798
Event type: Lecture
Track: Hacking
Language used for presentation: English

Sovereign Keys

A proposal for fixing attacks on CAs and DNSSEC

This talk will describe the Sovereign Key system, an EFF proposal for improving the security of SSL/TLS connections against attacks that involve Certificate Authorities (CAs) or portions of the DNSSEC hierarchy.

The design stores persistent name-to-key mappings in a semi-centralised, append-only data structure. It allows domain owners to deploy operational TLS keys without trusting any third parties whatsoever, and gives clients a reliable way to verify those keys. The design can also be used to automatically circumvent a large portion of server impersonation and man-in-the-middle attacks, avoiding the need for confusing certificate warnings, which users will often click through even when they are under attack.

The Sovereign Key design bootstraps from and reinforces either CA-signed certificates or DANE/DNSSEC as a method of publishing and verifying TLS servers' public keys. Conceptually, it provides functionality similar to what could be obtained if HTTPS servers could publish special headers saying "in the future, all new public keys for this domain will be cross-signed by this key: XXX", but the design includes a number of necessary additional features, including a secure revocation mechanism, protection against false headers that an attacker could publish after compromising an HTTPS server, and support for protocols other than HTTPS (SMTPS, POP3S, IMAPS, XMPPS, etc.).

Sovereign Keys allow clients to detect server impersonation and man-in-the-middle attacks even if the attack involves compromise or malice by a CA or DNSSEC registry. But Sovereign Keys also allow for automatic circumvention of these attacks via proxies, VPNs, or Tor hidden services.