
Pkicert

The document discusses Public Key Infrastructure (PKI) and digital certificates, focusing on their types, validation methods, and the roles of trusted third parties like Certification Authorities (CAs). It covers certificate revocation mechanisms, including Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP), as well as the importance of certificate transparency. Additionally, it highlights cautionary tales of certificate compromises and the implications of trust in the CA ecosystem.

Uploaded by

Nati Shen-Gordon

Public Key Infrastructure, Digital Certificates, Certificate Revocation and Transparency
29 May 2025
Lecture 9

Some slide Credits: Steve Zdancewic (UPenn)


29 May 2025 SE 448: Information and Cyber Security 1
Topics for Today
• Certificates and PKI
• Certificate Types
• Certificate Validation
– OCSP
– Certificate Pinning
– Certificate Transparency



Trusted Third Parties
• KDC and KTC are Trusted Third Parties (TTP)

• Generalizing, TTPs can have different kinds of roles in key management and secure communication

In-line On-Line Off-Line


In-line, On-Line, Off-Line

In-Line:

On-Line:

Off-Line:



TTP Examples
In-Line:
• Instant Messaging, SMS

On-Line:
• Needham-Schroeder
• KDC
• KTC
• Kerberos

Offline:
• Public Key Certificate Authorities (CA)


TTPs in Public-Key Certificates
Name Server
• Resolving and managing names of entities

Registration authority
• Authorizing entities, associating keys with names

Key generator
• May generate the public/private key pair
• May be part of the user’s job

Certificate Directory
• Store lists of certificates for names
• Readable by anybody

• All this rolls into what’s called a Certification Authority
Some players

Source: https://www.techradar.com/news/best-ssl-certificate-provider


A free one with big backers

Source: https://letsencrypt.org/



Top CAs 2025 (by # issued)

ISRG is the organization behind Let’s Encrypt


Basic Idea

I made a public key, sign it for me

Ok, here’s your certificate

I’m Alice and this is my public key. Tom signed this certificate


Public Key Infrastructure (PKI)
Public key infrastructure (PKI)
• PKI is the set of services needed to create, manage, store, distribute and revoke digital certificates based on public-key cryptography.

Certification Authorities (CAs)
• A trusted third party that issues certificates and (often) certificate revocation lists.
• Example: GoDaddy

A certificate is (roughly) of the form $M, k_{CA}\{H(M)\}$ where
• $M = Name, K_{Pub_{Name}}, L$
• $Name$ = identifier of a principal (e.g. a URL)
• $K_{Pub_{Name}}$ = the public key of the principal
• $L$ = lifetime of the certificate


X.509 Certificate Standard
• Issued in 1988 by the PKIX working group of the IETF
• Message format that specifies how certificates should be shared:

Certificate
Version, Serial Number, Algorithm ID
Issuer, Validity (Not Before, Not After)
Subject, Subject Public Key Info (Algorithm, Key)
Issuer Unique Identifier (Optional)
Subject Unique Identifier (Optional)
Extensions (Optional)
Certificate Signature Algorithm
Certificate Signature



Example X.509 certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 03:1b:1f:06:12:df:b5:a0:53:a7:e6:f5:1c:63:52:38:8e:84
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Jun 5 01:08:38 2025 GMT
            Not After : Sep 3 01:08:37 2025 GMT
        Subject: CN = kinneret.ac.il
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus: 00:b5:22:1e:77:90:53:65:40:b2:29:3a:82:44:c1: [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment […]
            X509v3 Basic Constraints: critical
                CA:FALSE
            [...]
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value: 72:cf:e8:37:e4:0a:a3:10:93:4d:27:d0:ce:22:fa:f5:6c:9b: [...]


Different Levels of trust
• Chrome (Google) and Edge (MS) show different levels:
• Domain validated (the email in the certificate works):



Different Levels of trust
• Premium, High Assurance, Organization Validated (the CA checked out the organization):


Different Levels of trust
• Extended Validation (in depth investigation):
– https://cabforum.org/extended-validation/



To Dig a Bit Deeper



Certificate Tour
Bank Hapoalim Summary Some fields



Certificate Tour
More fields Certificate Revocation List



Certificate Tour
Hierarchy/Chain Parent Certificate



Certificate Tour
Hierarchy/Chain Grandparent Certificate



Top-level Certificates
To check an X.509 certificate, one needs to have the public key of the issuer.

Such certificates can be “self-signed” by top-level, trusted CAs

In practice, companies like DigiCert pay web browser developers to include such certificates in browser releases.


Certificate Chains
• Notation: $X\langle Y\rangle$ means the certificate of principal $Y$ issued by authority $X$.

• One can create certificate chains to delegate authentication duties among principals:

• Example: $X\langle Y\rangle, Y\langle Z\rangle$
– These two certificates together allow a principal who trusts $X$ to verify the authenticity of the identity of $Z$.

[Figure: chain of principals X, Y, Z]

• Chains can be arbitrarily long.
– CAs can attest to each other’s identities via peering agreements
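An added example, not taken from the lecture: verifying the chain X〈Y〉, Y〈Z〉 from a trust anchor, with each certificate in the form M, k_CA{H(M)}. Textbook RSA over small fixed primes stands in for a real signature scheme, and the field names, `issue`, `verify_chain` and `demo` are assumptions made for this illustration.

```python
import hashlib, json

def keypair(p, q, e=65537):
    """Textbook RSA from two fixed primes: toy sizes, no padding, demo only."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def h(m, n):
    """H(M): SHA-256 over a canonical encoding of M, reduced into the toy modulus."""
    data = json.dumps(m, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(issuer, issuer_priv, name, pub, not_after, ca=False):
    """Return the certificate M, k_CA{H(M)} for `name`, signed by `issuer`."""
    m = {"issuer": issuer, "name": name, "pub": list(pub),
         "not_after": not_after, "ca": ca}
    n, d = issuer_priv
    return {"M": m, "sig": pow(h(m, n), d, n)}

def verify_chain(chain, anchor_name, anchor_pub, today):
    """Walk the chain from the trust anchor down to the end-entity certificate."""
    name, pub = anchor_name, tuple(anchor_pub)
    for i, cert in enumerate(chain):
        m, (n, e) = cert["M"], pub
        if m["issuer"] != name:
            return "issuer mismatch"
        if pow(cert["sig"], e, n) != h(m, n):
            return "bad signature"
        if today > m["not_after"]:          # ISO dates compare as strings
            return "expired"
        if i < len(chain) - 1 and not m["ca"]:
            return "issuer is not a CA"     # only CA certificates may sign others
        name, pub = m["name"], tuple(m["pub"])
    return "ok"

# Constructed principals: X (trusted root), Y (intermediate), Z (end entity).
X_PUB, X_PRIV = keypair(2**61 - 1, 2**89 - 1)
Y_PUB, Y_PRIV = keypair(2**107 - 1, 2**127 - 1)
Z_PUB, _ = keypair(2**19 - 1, 2**31 - 1)

def demo(y_is_ca=True, today="2025-05-29"):
    x_y = issue("X", X_PRIV, "Y", Y_PUB, "2026-01-01", ca=y_is_ca)  # X<Y>
    y_z = issue("Y", Y_PRIV, "Z", Z_PUB, "2025-09-03")              # Y<Z>
    return verify_chain([x_y, y_z], "X", X_PUB, today)
```

With `demo(y_is_ca=False)` both signatures still verify, and the chain is rejected only because Y's certificate does not carry the CA flag.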


Firefox Roots (75 total)



Windows 11 Roots (74 total)



So Far
• Certificates and PKI
• Certificate Types
• Certificate Validation
– OCSP
– Certificate Pinning
– Certificate Transparency



Cancel by Nick Youngson CC BY-SA 3.0 Pix4free
Certificate Revocation
• What if the CA needs to revoke a certificate?
– Key compromise
– Name expired
– Happens all the time (can get a new certificate in a few minutes)
• Some options:

Wait for expiration

Manual Notification
• works in small systems

Revocation Certificate
• Like regular Certificate, with a “Revoke” note inside

Public file of revoked keys
• Certificate Revocation List (CRL)


Certificate Revocation Lists
• CRLs are a common mechanism
• Must be signed by the CA
– Why?
• Include timestamp and refreshed regularly
– Why?

• When the CRL gets large, segment it
– Put up only new revocations (delta-CRL)
– Divide up the CRL by reason for revocation
– Pre-assign each certificate to a given CRL “bucket” in case of revocation


CRLs Cost Money
• After Heartbleed (2014), Cloudflare revoked and reissued all certificates → CRL for GlobalSign grew from 22KB to 4.7MB

• 40Gbps of new traffic
– Costs $400,000
– Using Amazon’s AWS: $952,992.40 per month

Source: isc.sans.edu


CRLs Up and Downs

Source: isc.sans.edu
So Far
• Certificates and PKI
• Certificate Types
• Certificate Validation
– OCSP
– Certificate Pinning
– Certificate Transparency



OCSP
• Revocation is hard:
– Certificate Revocation Lists (CRLs)
• Most certificates are revoked for non-security reasons
– ...so CRLs are often huge (problem especially on mobile)
• Download MBs of CRL for each SSL connection?

• Online Certificate Status Protocol (OCSP):
– Online means now (TLS handshake opens side channel to OCSP responder)
– … so what do you do if the online responder is not responding?
• Could an attacker just block the side channel?
• Typical response time: 430ms
– OCSP implemented by IE, Firefox, turned off by Chrome (privacy)

• OCSP stapling: not widely deployed
– The CA issues a time-stamped OCSP validity claim which is sent along with the SSL handshake


OCSP Basics
www.example.com

Hello! Show me your certificate!

Here it is! It’s #1234 and valid until 1/1/2026 12:00:00AM. Issued by DigiCert CA.

Is certificate #1234 still valid?

Yes

DigiCert CA OCSP Responder


OCSP Stapling Basics
www.example.com

Hello! Show me your certificate!

Here it is! It’s #1234 and valid until 1/1/2026 12:00:00AM. Issued by DigiCert CA. Here’s an OCSP valid response from one hour ago too!

Give me an OCSP validity response for #1234

Here it is!

DigiCert CA OCSP Responder


So Far
• Certificates and PKI
• Certificate Types
• Certificate Validation
– OCSP
– Certificate Pinning
– Certificate Transparency



Certificate Pinning
• Called HTTP Public Key Pinning (no longer in use)
• Basic idea

www.example.com
Hello! Show me your certificate!

Here it is! It’s #1234 and valid until 1/1/2026 12:00:00AM. Issued by DigiCert CA. By the way, in future visits to this site, only accept certificate chains with digests ABCD1234 or EDF5678 until 1/1/2027. If you see anything else, contact this URL


So Far
• Certificates and PKI
• Certificate Types
• Certificate Validation
– OCSP
– Certificate Pinning
– Certificate Transparency



Certificate Transparency
What it does:
1. Make all public end-entity TLS certificates public knowledge
2. Hold CAs publicly accountable for all certificates they issue.

Explicit anti-goal:
Certificate Transparency will not introduce another trusted third party.
There already are too many “trusted parties” out there


Big problem with certificates
Browsers trust several hundred root CA certificates

Any CA can issue on behalf of any domain.

Any CA can issue intermediate CA certificates that can issue on behalf of every domain.

100s of equally trusted third parties!

Corollary: Website owners must trust every single CA, even the ones they don't do business with.
Cautionary tale 1
• July 19th, 2011: DigiNotar CA finds evidence of
compromise through routine daily check.

• Evidence of large-scale Man in the Middle attack in July
– By the end of July, thought everything was under control.

• Rogue certificates hit OCSP responders; *.google.com pinning failure externally reported August 28th.
– Certificate pinning: The browser knows what certificate authority or certificate should be provided in SSL handshake (may be installed or stored the first time)
• Rogue *.google.com cert revoked and Chrome updated August 29th.


Cautionary Tale 2
• August 2011: TURKTRUST CA mistakenly issues two intermediate CA certificates
– CA = true is just one bit in a regular certificate.

• *.google.com certificate issued by the intermediate detected December 24, 2012.

• Certificate revoked and Chrome updated December 25, 2012.


SSL Man In The Middle

Source: Huang, et al. 2014



Yes, it happened

https://therecord.media/jabber-ru-alleged-government-wiretap-expired-tls-certificate



What went wrong?
Huge delay between incident and (public) response.
• Long window of opportunity for the attacker.

No incident detection mechanism
• First signs of DigiNotar Man in the Middle in the wild were for non-Google domains without pinning.

No automated incident reporting mechanism.
• Pinning failure reported manually (user sent it)
• Pinning reporting has improved since; but only the pinned domain can get reports for it (ex. Google can only get pinning reports for Google domains)
• Not all domains collect pinning data or reports
Goal: Reduce the Window
Minimize window between incident and response.
• May cost millions $ to get a forged certificate
• Can't prevent attacks, but we can make them more expensive by giving the attacker only one, short-lived shot.

Only domain owners know which certificates are legitimate, so give them the power

Make the computers gossip.
• Vaccination effect: not everyone has to participate for everyone to benefit.


Another Layer

Source: xkcd.com
How does it work?
Central Feature: An append-only log of certificates
The log server:

Verify
• Verifies certificate chain.
• CA attribution for certificate mis-issuance
• Spam control
• i.e. ignore self signed ones

Append
• Periodically append new certs to append-only log
• Merkle Trees to prove nothing removed

Sign
• Signs the log

Publish
• Publishes all updates of signed list of certs (“the log”) to the world.
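An added example, not part of the slides: how a Merkle tree lets a monitor check that a log only appended entries and removed nothing. Hashing and proof layout follow RFC 6962; the recursive verifier, the function names and the `LOG` entries are constructed for this illustration.

```python
import hashlib

def leaf_hash(entry):                      # RFC 6962: 0x00 prefix for leaves
    return hashlib.sha256(b"\x00" + entry).digest()
def node_hash(left, right):                # 0x01 prefix for interior nodes
    return hashlib.sha256(b"\x01" + left + right).digest()
def split(n):                              # largest power of two strictly below n
    return 1 << ((n - 1).bit_length() - 1)

def root(entries):
    """Tree head over a non-empty list of log entries."""
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = split(len(entries))
    return node_hash(root(entries[:k]), root(entries[k:]))

def consistency_proof(m, entries, whole=True):
    """Log side: hashes linking the head over entries[:m] to the current head."""
    n = len(entries)
    if m == n:
        return [] if whole else [root(entries)]
    k = split(n)
    if m <= k:
        return consistency_proof(m, entries[:k], whole) + [root(entries[k:])]
    return consistency_proof(m - k, entries[k:], False) + [root(entries[:k])]

def _rebuild(m, n, proof, whole, old_root):
    """Recompute (old head, new head) of a subtree, consuming proof from its end."""
    if m == n:
        node = old_root if whole else proof.pop()
        return node, node
    k, sibling = split(n), proof.pop()
    if m <= k:
        old, new = _rebuild(m, k, proof, whole, old_root)
        return old, node_hash(new, sibling)
    old, new = _rebuild(m - k, n - k, proof, False, old_root)
    return node_hash(sibling, old), node_hash(sibling, new)

def verify_consistency(m, old_root, n, new_root, proof):
    """Monitor side: True only if the n-entry log extends the m-entry log seen before."""
    if not 0 < m <= n:
        return False
    stack = list(proof)
    try:
        old, new = _rebuild(m, n, stack, True, old_root)
    except IndexError:                     # proof shorter than the tree requires
        return False
    return not stack and old == old_root and new == new_root

LOG = [b"cert-%d" % i for i in range(7)]   # constructed entries standing in for certificates
```

A monitor that stored the head over the first three entries needs only four hashes to confirm the seven-entry log still contains them unchanged; a log that rewrote or dropped one of them cannot produce a proof that verifies against the stored head.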


Try it yourself
• https://no-sct.badssl.com/



When it fails (Chrome)

Some browsers ignore this error.


So the log is a TTP?
A CT log is designed to not be “super CA”:

Does not testify to the “goodness” of certificates; it just notes they were seen.

Public: everyone can inspect all the certificates.

Log is not trusted: since the log is signed, the fact that everyone sees the same list of certificates is cryptographically verifiable.

Sample log https://crt.sh/


CT Today
Mozilla Blog May 2025

https://developer.mozilla.org/en-US/docs/Web/Security/Certificate_Transparency
TLDR:
• Google requires it
• Edge requires it
• Firefox requires it
• But not Android

https://educatedguesswork.org/posts/transparency-part-2/
TLDR:
• CT is useful, but it’s over engineered.
• Gossiping didn’t work


Conclusion
• Certificates and PKI
• Certificate Types
• Certificate Validation
– OCSP
– Certificate Pinning
– Certificate Transparency
