NDSS 2026

CTng: Secure Certificate and Revocation Transparency

Jie Kong, Damon James, Hemi Leibowitz, Ewa Syta, Amir Herzberg

Cited 5 times

Abstract

We present CTng, an evolutionary and practical PKI design that efficiently addresses multiple key challenges faced by deployed PKI systems. CTng ensures strong security properties, including guaranteed transparency of certificates and guaranteed, unequivocal revocation, achieved under NTTP-security, i.e., without requiring trust in any single CA, logger, or relying party. These guarantees hold even in the presence of arbitrary corruptions of these entities, assuming only a known bound (f) of corrupt monitors (e.g., f = 8), with minimal performance impact. CTng also enables efficient certificate validation and preserves relying-party privacy, while providing scalable and efficient distribution of revocation updates. These properties significantly improve upon current PKI designs. In particular, while Certificate Transparency (CT) [35], [36], [37] aims to eliminate single points of trust, the existing specification [36] still assumes benign loggers. Addressing this through log redundancy is possible, but rather inefficient, limiting deployed configurations to f ≤ 2. We present a security analysis and an evaluation of our open-source CTng prototype, showing that it is efficient and scalable under realistic deployment conditions.

I. INTRODUCTION

The Public Key Infrastructure (PKI) facilitates the secure use of public keys. PKI is critical for the security of open, distributed systems such as the Internet. Typically, a relying party obtains a public key and validates it using a certificate signed by a trusted Certificate Authority (CA). The PKI defines how certificates are issued and revoked (by the CAs) and validated (by relying parties). Most deployed PKIs follow the X.509 standard [8], [24]. X.509 certificates are used in protocols such as TLS, SSH, S/MIME, IPsec, and others. The most common application of PKI is to secure web and other forms of communication

§ The work was partially completed during the author's PhD studies at the