Distributed certificates in ad hoc networks

Asp, Filip, Krispinsson, Tobias

January 2015

In this report an ad hoc system is defined with the capabilities to validate the integrity ofevery node in the network without a third party, as long as every node has possession of acertificate. The system is developed to function in an ad hoc network with many externalthreats. The main target group would be the military and first responders. There are manydifferent problems with such a network, and many parts have been researched, but few fullsystems have been developed. This report defines a hierarchical system where nodes cancommunicate in an encrypted way, with the help of certificates. In a military situation therisk for compromised nodes must be considered. Therefore, the system can both detectand handle compromised nodes by revocation certificates. The proposed system is alsodetecting and handling partitions. The system has been put together by first making aliterature study to find existing solutions to different problems, then making a synthesisof those solutions. We also came up with new solutions where the three cornerstones ofsecurity: availability, confidentiality and integrity were in focus. To make the solutionmore trustworthy a risk analysis on the resulting system was made, which defined theweak points of the system.

distributed certificates

certificates

certificate authorities

certificate

no third party

certificates in ad hoc

ad hoc

Computer and Information Sciences

Data- och informationsvetenskap

Nástroj pro ověřování elektronických podpisů na PDF dokumentech / A tool for validating electronic signatures on PDF documents

Selement, Pavel

January 2013

The subject of this graduation thesis is to study internal electronic signatures in PDF documents. The thesis introduces general principles of electronic signatures, deals with the internal structure of PDF documents including the connection of electronic signatures and describes the process of verifying an electronic signature. An integral part of this thesis is an implementation of an application, which performs verification of electronic signatures in a PDF document. The aim of this application is to verify the digital signature embedded in a PDF document according to the current legislation of the Czech Republic, while allowing users to change extensively the rules for evaluating the validity of the signature. Powered by TCPDF (www.tcpdf.org)

Relay Racing with X.509 Mayflies : An Analysis of Certificate Replacements and Validity Periods in HTTPS Certificate Logs / Stafettlöpning med X.509-dagsländor : En Analys av Certifikatutbyten och Giltighetsperioder i HTTPS-certifikatloggar

Bruhner, Carl Magnus, Linnarsson, Oscar

January 2020

Certificates are the foundation of secure communication over the internet as of today. While certificates can be issued with long validity periods, there is always a risk of having them compromised during their lifetime. A good practice is therefore to use shorter validity periods. However, this limits the certificate lifetime and gives less flexibility in the timing of certificate replacements. In this thesis, we use publicly available network logs from Rapid7's Project Sonar to provide an overview of the current state of certificate usage behavior. Specifically, we look at the Let's Encrypt mass revocation event in March 2020, where millions of certificates were revoked with just five days notice. In general, we show how this kind of datasets can be used, and as a deeper exploration we analyze certificate validity, lifetime and use of certificates with overlapping validity periods, as well as discuss how our findings relate to industry standard and current security trends. Specifically, we isolate automated certificate services such as Let's Encrypt and cPanel to see how their certificates differ in characteristics from other certificates in general. Based on our findings, we propose a set of rules to help improve the trust in certificate usage and strengthen security online, introducing an Always secure policy aligning certificate validity with revocation time limits in order to replace revocation requirements and overcoming the fact that mobile devices today ignore this very important security feature. To round things off, we provide some ideas for further research based on our findings and what we see possible with datasets such as the one researched in this thesis.

certificate authorities

certificate lifetime

certificate overlap

certificate replacement

certificate validity

certificates

HTTPS

network security

PKI

Project Sonar

SSL

TLS

X.509

Computer Sciences

Datavetenskap (datalogi)

Longitudinal analysis of the certificate chains of big tech company domains / Longitudinell analys av certifikatkedjor till domäner tillhörande stora teknikföretag

Klasson, Sebastian, Lindström, Nina

January 2021

The internet is one of the most widely used mediums for communication in modern society and it has become an everyday necessity for many. It is therefore of utmost importance that it remains as secure as possible. SSL and TLS are the backbones of internet security and an integral part of these technologies are the certificates used. Certificate authorities (CAs) can issue certificates that validate that domains are who they claim to be. If a user trusts a CA they can in turn also trust domains that have been validated by them. CAs can in turn trust other CAs and this, in turn, creates a chain of trust called a certificate chain. In this thesis, the structure of these certificate chains is analysed and a longitudinal dataset is created. The analysis looks at how the certificate chains have changed over time and puts extra focus on the domains of big tech companies. The dataset created can also be used for further analysis in the future and will be a useful tool in the examination of historical certificate chains. Our findings show that the certificate chains of the domains studied do change over time; both their structure and the lengths of them vary noticeably. Most of the observed domains show a decrease in average chain length between the years of 2013 and 2020 and the structure of the chains vary significantly over the years.

certificate authorities

CA

certificate chains

certificates

certificate validation

HTTPS

network security

internet security

PKI

Project Sonar

SSL

TLS

X.509

Computer Sciences

Datavetenskap (datalogi)