posted on 2004-04-01, 00:00authored byDan Wendlandt, David G. Andersen, Adrian Perrig
The popularity of “Trust-on-first-use” (Tofu) authentication,
used by SSH and HTTPS with self-signed certificates,
demonstrates significant demand for host authentication
that is low-cost and simple to deploy. While Tofu-based
applications are a clear improvement over completely insecure
protocols, they can leave users vulnerable to even
simple network attacks. Our system, PERSPECTIVES,
thwarts many of these attacks by using a collection of “notary”
hosts that observes a server’s public key via multiple
network vantage points (detecting localized attacks) and
keeps a record of the server’s key over time (recognizing
short-lived attacks). Clients can download these records
on-demand and compare them against an unauthenticated
key, detecting many common attacks. PERSPECTIVES explores
a promising part of the host authentication design
space: Trust-on-first-use applications gain significant attack
robustness without sacrificing their ease-of-use. We
also analyze the security provided by PERSPECTIVES and
describe our experience building and deploying a publicly
available implementation.