Survivable key compromise in software update systems
- 4 October 2010
- conference paper
- conference paper
- Published by Association for Computing Machinery (ACM)
Abstract
Today's software update systems have little or no defense against key compromise. As a result, key compromises have put millions of software update clients at risk. Here we identify three classes of information whose authenticity and integrity are critical for secure software updates. Analyzing existing software update systems with our framework, we find their ability to communicate this information securely in the event of a key compromise to be weak or nonexistent. We also find that the security problems in current software update systems are compounded by inadequate trust revocation mechanisms. We identify core security principles that allow software update systems to survive key compromise. Using these ideas, we design and implement TUF, a software update framework that increases resilience to key compromise.Keywords
This publication has 5 references indexed in Scilit:
- A look in the mirrorPublished by Association for Computing Machinery (ACM) ,2008
- Multi-signatures in the plain public-Key model and a general forking lemmaPublished by Association for Computing Machinery (ACM) ,2006
- Beware of BGP attacksACM SIGCOMM Computer Communication Review, 2004
- An analysis of the proxy problem in distributed systemsPublished by Institute of Electrical and Electronics Engineers (IEEE) ,2002
- Practical Threshold SignaturesLecture Notes in Computer Science, 2000