Survivable key compromise in software update systems

Justin Samuel, Nick Mathewson, Justin Cappos, Roger Dingledine

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

    Abstract

    Today's software update systems have little or no defense against key compromise. As a result, key compromises have put millions of software update clients at risk. Here we identify three classes of information whose authenticity and integrity are critical for secure software updates. Analyzing existing software update systems with our framework, we find their ability to communicate this information securely in the event of a key compromise to be weak or nonexistent. We also find that the security problems in current software update systems are compounded by inadequate trust revocation mechanisms. We identify core security principles that allow software update systems to survive key compromise. Using these ideas, we design and implement TUF, a software update framework that increases resilience to key compromise.

    Original language: English (US)
    Title of host publication: CCS'10 - Proceedings of the 17th ACM Conference on Computer and Communications Security
    Pages: 61-72
    Number of pages: 12
    DOIs: 10.1145/1866307.1866315
    State: Published - 2010
    Event: 17th ACM Conference on Computer and Communications Security, CCS'10 - Chicago, IL, United States
    Duration: Oct 4 2010 to Oct 8 2010

    Other

    Other: 17th ACM Conference on Computer and Communications Security, CCS'10
    Country: United States
    City: Chicago, IL
    Period: 10/4/10 to 10/8/10

    Keywords

    • Authentication
    • Delegation
    • Key compromise
    • Key management
    • Revocation
    • Software updates
    • Threshold signatures

    ASJC Scopus subject areas

    • Software
    • Computer Networks and Communications

    Cite this

    Samuel, J., Mathewson, N., Cappos, J., & Dingledine, R. (2010). Survivable key compromise in software update systems. In CCS'10 - Proceedings of the 17th ACM Conference on Computer and Communications Security (pp. 61-72) https://doi.org/10.1145/1866307.1866315

    @inproceedings{2e4c6df8b60848c9b3d601e126ea5e54,
      title = "Survivable key compromise in software update systems",
      abstract = "Today's software update systems have little or no defense against key compromise. As a result, key compromises have put millions of software update clients at risk. Here we identify three classes of information whose authenticity and integrity are critical for secure software updates. Analyzing existing software update systems with our framework, we find their ability to communicate this information securely in the event of a key compromise to be weak or nonexistent. We also find that the security problems in current software update systems are compounded by inadequate trust revocation mechanisms. We identify core security principles that allow software update systems to survive key compromise. Using these ideas, we design and implement TUF, a software update framework that increases resilience to key compromise.",
      keywords = "Authentication, Delegation, Key compromise, Key management, Revocation, Software updates, Threshold signatures",
      author = "Justin Samuel and Nick Mathewson and Justin Cappos and Roger Dingledine",
      year = "2010",
      doi = "10.1145/1866307.1866315",
      language = "English (US)",
      isbn = "9781450302449",
      pages = "61--72",
      booktitle = "CCS'10 - Proceedings of the 17th ACM Conference on Computer and Communications Security",
    }
