DPP: Dual Path PKI for Secure Aircraft Data Communication

Buchholz, Alexander Karl

02 May 2013

Through application of modern technology, aviation systems are becoming more automated and are relying less on antiquated air traffic control (ATC) voice systems. Aircraft are now able to wirelessly broadcast and receive identity and location information using transponder technology. This helps reduce controller workload and allows the aircraft to take more responsibility for maintaining safe separation. However, these systems lack source authentication methods or the ability to check the integrity of message content. This opens the door for hackers to potentially create fraudulent messages or manipulate message content. This thesis presents a solution to handling many of the potential security issues in aircraft data communication. This is accomplished through the implementation of a Dual Path PKI (DPP) design which includes a novel approach to handling certificate revocation through session certificates. DPP defines two authentication protocols, one between aircraft and another between aircraft and ATC, to achieve source authentication. Digital signature technology is utilized to achieve message content and source integrity as well as enable bootstrapping DPP into current ATC systems. DPP employs cutting-edge elliptic curve cryptography (ECC) algorithms to increase performance and reduce overhead. T is found that the DPP design successfully mitigates several of the cyber security concerns in aircraft and ATC data communications. An implementation of the design shows that anticipated ATC systems can accommodate the additional processing power and bandwidth required by DPP to successfully achieve system integrity and security. / Master of Science

Air Traffic Control

ADS-B

PKI

ECC

Certificate Revocation

Certificate Revocation Table: Leveraging Locality of Reference in Web Requests to Improve TLS Certificate Revocation

Dickinson, Luke Austin

01 October 2018

X.509 certificate revocation defends against man-in-the-middle attacks involving a compromised certificate. Certificate revocation strategies face scalability, effectiveness, and deployment challenges as HTTPS adoption rates have soared. We propose Certificate Revocation Table (CRT), a new revocation strategy that is competitive with or exceeds alternative state-of-the-art solutions in effectiveness, efficiency, certificate growth scalability, mass revocation event scalability, revocation timeliness, privacy, and deployment requirements. The CRT periodically checks the revocation status of X.509 certificates recently used by an organization, such as clients on a university's private network. By prechecking the revocation status of each certificate the client is likely to use, the client can avoid the security problems of on-demand certificate revocation checking. To validate both the effectiveness and efficiency of using a CRT, we used 60 days of TLS traffic logs from Brigham Young University to measure the effects of actively refreshing certificates for various certificate working set window lengths. Using a certificate working set window size of 45 days, an average of 99.86% of the TLS handshakes from BYU would have revocation information cached in advance using our approach. Revocation status information can be initially downloaded by clients with a 6.7 MB file and then subsequently updated using only 205.1 KB of bandwidth daily. Updates to this CRT that only include revoked certificates require just 215 bytes of bandwidth per day.

certificate revocation

X.509 certificate

caching

working sets

locality of reference

Computer Sciences

Towards Efficient Certificate Revocation Status Validation in Vehicular Ad Hoc Networks with Data Mining

Zhang, Qingwei

26 November 2012

Vehicular Ad hoc Networks (VANETs) are emerging as a promising approach to improving traffic safety and providing a wide range of wireless applications for drivers and passengers. To perform reliable and trusted vehicular communications, one prerequisite is to ensure a peer vehicle’s credibility by means of digital certificates validation from messages that are sent out by other vehicles. However, in vehicular communication systems, certificates validation is more time consuming than in traditional networks, due to the fact that each vehicle receives a large number of messages in a short period of time. Another issue that needs to be addressed is the unsuccessful delivery of information between vehicles and other entities on the road as a result of their high mobility rate. For these reasons, we need new solutions to accelerate the process of certificates validation. In this thesis, we propose a certificate revocation status validation scheme using the concept of clustering; based on data mining practices, which can meet the aforementioned requirements. We employ the technique of k -means clustering to boost the efficiency of certificates validation, thereby enhancing the security of a vehicular ad hoc network. Additionally, a comprehensive analysis of the security of the proposed scheme is presented. The analytical results demonstrate that this scheme can effectively improve the validation of certificates and thus secure the vehicular communication in vehicular networks.

VANETs

digital certificates

Certificate Revocation List

k-Means

authentication

certificate validation

Towards Efficient Certificate Revocation Status Validation in Vehicular Ad Hoc Networks with Data Mining

Zhang, Qingwei

January 2012

Vehicular Ad hoc Networks (VANETs) are emerging as a promising approach to improving traffic safety and providing a wide range of wireless applications for drivers and passengers. To perform reliable and trusted vehicular communications, one prerequisite is to ensure a peer vehicle’s credibility by means of digital certificates validation from messages that are sent out by other vehicles. However, in vehicular communication systems, certificates validation is more time consuming than in traditional networks, due to the fact that each vehicle receives a large number of messages in a short period of time. Another issue that needs to be addressed is the unsuccessful delivery of information between vehicles and other entities on the road as a result of their high mobility rate. For these reasons, we need new solutions to accelerate the process of certificates validation. In this thesis, we propose a certificate revocation status validation scheme using the concept of clustering; based on data mining practices, which can meet the aforementioned requirements. We employ the technique of k -means clustering to boost the efficiency of certificates validation, thereby enhancing the security of a vehicular ad hoc network. Additionally, a comprehensive analysis of the security of the proposed scheme is presented. The analytical results demonstrate that this scheme can effectively improve the validation of certificates and thus secure the vehicular communication in vehicular networks.

VANETs

digital certificates

Certificate Revocation List

k-Means

authentication

certificate validation

Digital Certificate Revocation for the Internet of Things

Tanner Lindemer, Samuel

January 2019

Digital certificates have long been used for traditional Internet applications, and have now entered into widespread use for the Internet of Things. However, constrained devices currently have no means to verify the revocation status of certificates. Without the ability to revoke certificates, network administrators have no recourse in the event of a private key compromise. This thesis explores three alternatives to solve this problem: (1) implement the Online Certificate Status Protocol (OCSP) as is on a CoAP network stack, (2) compress certificate revocation lists (CRLs) using Bloom filters, and (3) design an optimized version of OCSP (referred to here as TinyOCSP). This work concludes that TinyOCSP reduces the message overhead of online validation by at least 73%. This reduced the energy consumption of certificate validation by 50% relative to OCSP in the experiments on constrained hardware, which shows that it may be a feasible solution for the IoT / Digitala certifikat har länge tillämpats inom traditionella internetappliceringar och har numera även omfattande användningsområden inom IoT. Begränsade apparater har i nuläget dock inga metoder för att verifiera återkallningsstatusar av certifikat. Utan förmågan att återkalla certifikat har nätverksadministratörer inga alternativ att återfalla till när en hemlig nyckel har blivit stulen. Denna uppsats undersöker tre alternativ för att lösa detta problem: (1) tillämpning av Online Certificate Status Protocol (OCSP) med CoAP, (2) komprimering av certificate revocation lists (CRLs) som använder Bloom filters, och (3) skapa en optimerad version av OCSP (TinyOCSP). Arbetet drar slutsatsen att TinyOCSP minskar message overhead av onlinevalidering med åtminstone 73%. Detta minskade energikonsumtion av certifikatsvalidering med 50% jämfört med OCSP i experimentet med begränsade apparater, vilket visar att detta är en tänkar lösning för IoT.

Computer and Information Sciences

Data- och informationsvetenskap

Developing a concept for handling IT security with secured and trusted electronic connections

Hockmann, Volker

January 2014

In this day and age, the Internet provides the biggest linkage of information, personal data and information, social contact facilities, entertainment and electronic repository for all things including software downloads and tools, online books and technical descriptions, music and movies - both legal and illegal [Clarke, 1994]. With the increasing bandwidth in the last few years worldwide, it is possible to access the so-called "Triple-Play-Solutions" - Voice over lP, High-Speed-Internet and Video on Demand. More than 100 million subscribers have signed on across Asia, Europe, and the Americas in 2007, and growth is likely to continue steadily in all three. As broadband moves into the mainstream, it is reshaping the telecommunications, cable and Internet access industrie [Beardsley, Scott and Doman, Andrew, and EdinMC Kinsey, Par, 2003]. Cisco [Cisco, 2012], one of the biggest network companies, will expect more than 966 exabytes (nearly 1 zettabyte) per year or 80.5 exabytes per month in 2015 and the "Global IP traffic has increased eightfold over the past 5 years, and will increase fourfold over the next 5 years. Overall, IP traffic will grow at a compound annual growth rate (CAGR) of 32 percent from 2010 to 2015" . More and more types of sensible data flow between different recipients. News from around the world are transferred within seconds from the one end to the other end of the world, and affect the financial market, stock exchange [Reuters, 2012] and also bring down whole governments. For instance, worldwide humoil might ensue if a hacker broke into the web-server of an international newspaper or news channel like N-TV in Germany or BBC in England and displayed messages of a political revolution in Dubai or the death of the CEO from Microsoft or IBM.

005.8

Certificate revocation list distribution in vehicular ad hoc networks

Nowatkowski, Michael E.

05 April 2010

The objective of this research is to investigate improved methods for distributing certificate revocation lists (CRLs) in vehicular ad hoc networks (VANETs). VANETs are a subset of mobile ad hoc networks composed of network-equipped vehicles and infrastructure points, which will allow vehicles to communicate with other vehicles and with roadside infrastructure points. While sharing some of the same limitations of mobile ad hoc networks, such as lack of infrastructure and limited communications range, VANETs have several dissimilarities that make them a much different research area. The main differences include the size of the network, the speed of the vehicles, and the network security concerns. Confidentiality, authenticity, integrity, and availability are some of the standard goals of network security. While confidentiality and authenticity at times seem in opposition to each other, VANET researchers have developed many methods for enhancing confidentiality while at the same time providing authenticity. The method agreed upon for confidentiality and authenticity by most researchers and the IEEE 1609 working group is a public key infrastructure (PKI) system. An important part of any PKI system is the revocation of certificates. The revocation process, as well as the distribution of revocation information, is an open research problem for VANETs. This research develops new methods of CRL distribution and compares them to existing methods proposed by other researchers. The new methods show improved performance in various vehicle traffic densities.

Network security

Vehicular ad hoc network

Simulation

IEEE 1609

Certificate revocation list

ns-3

Computer networks Security measures