SecureGuard: A Certificate Validation System in Public Key Infrastructure

Abstract

Certificate validation in public key infrastructure (PKI) is a vital phase of establishing secure connections on any network. There has been a great deal of speculation on how to efficiently validate digital certificates in PKI on which the security of network communications rests. Developing such a system is challenging because digital certificates need to be quickly and securely validated for a large number of clients in a short period of time at a low cost. On the other hand, our analysis on the TLS handshakes of the Alexa Top 1 Million domains dataset indicates that the current popular certificate validation systems cannot deliver certificate validation information to the clients in a timely fashion and suffer from high overhead at the client side, making them susceptible to a number of attacks. Motivated by these observations, we present SecureGuard, a certificate validation system that can effectively handle certificate validation during TLS handshakes. Our system utilizes Internet service providers (ISPs) as the primary entity for certificate validation exploiting the fact that any Internet access request must pass through the ISP proxy-cache servers. We provide an extensive evaluation on SecureGuard and illustrate its efficiency. Moreover, we introduce a quantitative analysis method that can investigate the costs incurred by our system and other certificate validation approaches under the same evaluation scenarios. Our implementation results demonstrate that SecureGuard is able to validate the digital certificates within a short period of time, in a secure manner, with less network overhead.