Digital certificates are one of the key components to ensure secure network communications. The complexity of the certificate standard, ITU-R-X.509, has led to a number of breaches in the TLS protocol security due to certificate misinterpretation by TLS libraries. We argue that the root cause of such an issue is the complexity of the certificate structure, which can be gauged with the framework of formal language theory: the language describing digital certificates is context sensitive. Such a complexity led to handcrafted X.509 parsers, resulting in implementations which are not guaranteed to perform correct language recognition. We highlight the issues in X.509, and propose a new format for digital certificates, designed to be parsed effectively and efficiently, while retaining the same semantic expressiveness. The certificate format can be deployed gradually, is fully specified as a regular language, and is specified as a formal grammar from which a provably correct parser can be automatically derived. We validate the effectiveness of our proposal, and the linear running time provided by the approach, generating an instance of the parser with a production grade lexer/parser generation framework.

A Novel Regular Format for X.509 Digital Certificates

BARENGHI, ALESSANDRO;MAINARDI, NICHOLAS;PELOSI, GERARDO
2018-01-01

Abstract

Digital certificates are one of the key components to ensure secure network communications. The complexity of the certificate standard, ITU-R-X.509, has led to a number of breaches in the TLS protocol security due to certificate misinterpretation by TLS libraries. We argue that the root cause of such an issue is the complexity of the certificate structure, which can be gauged with the framework of formal language theory: the language describing digital certificates is context sensitive. Such a complexity led to handcrafted X.509 parsers, resulting in implementations which are not guaranteed to perform correct language recognition. We highlight the issues in X.509, and propose a new format for digital certificates, designed to be parsed effectively and efficiently, while retaining the same semantic expressiveness. The certificate format can be deployed gradually, is fully specified as a regular language, and is specified as a formal grammar from which a provably correct parser can be automatically derived. We validate the effectiveness of our proposal, and the linear running time provided by the approach, generating an instance of the parser with a production grade lexer/parser generation framework.
2018
14th International Conference on Information Technology - New Generations, ITNG 2017; Las Vegas; United States; 10 April 2017 through 12 April 2017
978-3-319-54977-4
978-3-319-54978-1
Digital certificates, Language based security, Parsing, Transport layer security, X.509
File in questo prodotto:
File Dimensione Formato  
paper42_bmpITNG2017.pdf

Accesso riservato

Descrizione: main article
: Post-Print (DRAFT o Author’s Accepted Manuscript-AAM)
Dimensione 199.54 kB
Formato Adobe PDF
199.54 kB Adobe PDF   Visualizza/Apri

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/11311/1046102
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 1
  • ???jsp.display-item.citation.isi??? ND
social impact