The importance of the Transport Layer Security (TLS) public key infrastructure (PKI) to the success of the Internet cannot be overstated. From social networking to banking, from mobile devices to cloud computing, the PKI allows communicating parties to be sure of whom they are communicating with, that their communication is confidential, and that their communication has not been tampered with. Despite its incredible importance, the PKI has been notoriously difficult to evolve to meet new security concerns and Internet demands. This project introduces new, deployable alternatives to key parts of the PKI to make it more evolvable, manageable, and secure.

The project has three primary thrusts. The first introduces a key enabling technology behind the subsequent thrusts, called assertion-carrying certificates (ACCs). ACCs expand today's certificates with the capability of including a small amount of code (in the form of assertions) to be evaluated as part of the certificate validation process. The second thrust applies ACCs to enable certificate authorities to more readily evolve to new demands for certificate delegation and automated issuance. The third thrust applies ACCs and trusted execution environments to enable web-hosting services like content delivery networks to securely manage their customers' cryptographic keys.

Correct operation of the PKI is paramount to ensuring a secure, authenticated Internet. Recent efforts have proven that progress towards a more secure PKI is possible, but a more fundamental focus is needed to address the underlying challenges. This project will do just that by developing a new, extensible approach to constraining when identities on the Internet should be trusted. This project will make it straightforward and safe to extend the basic abstractions offered by the PKI, thereby enabling it to evolve to meet changing trends.

The project's code and data will be made publicly available and maintained at https://securepki.org

This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

Agency
National Science Foundation (NSF)
Institute
Division of Computer and Network Systems (CNS)
Application #
1901325
Program Officer
Erik Brunvand
Project Start
Project End
Budget Start
2019-06-01
Budget End
2023-05-31
Support Year
Fiscal Year
2019
Total Cost
$447,093
Indirect Cost
Name
University of Maryland College Park
Department
Type
DUNS #
City
College Park
State
MD
Country
United States
Zip Code
20742