Push away your privacy: Precise user tracking based on TLS client certificate authentication

机译：消除隐私：基于TLS客户端证书身份验证的精确用户跟踪

获取原文

获取原文并翻译 | 示例

页面导航

摘要
著录项
相似文献
相关主题

摘要

The design and implementation of cryptographic systems offer many subtle pitfalls. One such pitfall is that cryptography may create unique identifiers potentially usable to repeatedly and precisely re-identify and hence track users. This work investigates TLS Client Certificate Authentication (CCA), which currently transmits certificates in plain text. We demonstrate CCA's impact on client traceability using Apple's Apple Push Notification service (APNs) as an example. APNs is used by all Apple products, employs plain-text CCA, and aims to be constantly connected to its backend. Its novel combination of large device count, constant connections, device proximity to users and unique client certificates provides for precise client traceability. We show that passive eavesdropping allows to precisely re-identify and track users and that only ten interception points are required to track more than 80 percent of APNs users due to global routing characteristics. We conduct our work under strong ethical guidelines, responsibly disclose our findings, and can confirm a working patch by Apple for the highlighted issue. We aim for this work to provide the necessary factual and quantified evidence about negative implications of plain-text CCA to boost deployment of encrypted CCA as in TLS 1.3.

机译：密码系统的设计和实现提供了许多细微的陷阱。这样的陷阱之一是，加密技术可能会创建唯一的标识符，这些标识符可能可用于重复，精确地重新标识并跟踪用户。这项工作研究TLS客户端证书认证（CCA），该客户端当前以纯文本格式传输证书。我们以Apple的Apple Push Notification Service（APN）为例，说明CCA对客户端可追溯性的影响。苹果公司的所有产品都使用APN，并采用纯文本CCA，并致力于与后端不断连接。它将大量设备，恒定连接，靠近用户的设备以及独特的客户端证书的新颖组合提供了精确的客户端可追溯性。我们显示，被动窃听可以精确地重新识别和跟踪用户，并且由于具有全局路由特性，只需要十个拦截点即可跟踪80％以上的APNs用户。我们在严格的道德准则下进行工作，负责任地披露我们的发现，并可以确认Apple针对突出显示的问题进行了有效的修补。我们的目标是为这项工作提供必要的事实和量化证据，以证明纯文本CCA的负面影响，以促进TLS 1.3中加密CCA的部署。

著录项

来源
《Proceedings of the 1st Network Traffic Measurement and Analysis Conference》|2017年|1-9|共9页
会议地点 Dublin(IE)
作者
Matthias Wachs; Quirin Scheitle; Georg Carle;
展开▼
作者单位

Chair of Network Architectures and Services, Technical University of Munich (TUM);

Chair of Network Architectures and Services, Technical University of Munich (TUM);

Chair of Network Architectures and Services, Technical University of Munich (TUM);

展开▼
会议组织
原文格式 PDF
正文语种 eng
中图分类
关键词
Authentication; Servers; Cryptography; Ports (Computers); Privacy; Mobile communication;

机译：身份验证;服务器;密码学;端口（计算机）;隐私;移动通信;

相似文献

外文文献
中文文献
专利

1. A Pairing-Based User Authentication Scheme for Wireless Clients with Smart Cards [J] . Yuh-Min TSENG, Tsu-Yang WU, Jui-Di WU Informatica . 2008,第2期

机译：具有智能卡的无线客户端的基于配对的用户身份验证方案
2. Authentication User's Privacy: An Integrating Location Privacy Protection Algorithm for Secure Moving Objects in Location Based Services [J] . Memon Imran Wireless personal communications: An Internaional Journal . 2015,第3期

机译：身份验证用户的隐私：基于位置的服务中安全移动对象的集成位置隐私保护算法
3. PTAS: Privacy-preserving Thin-client Authentication Scheme in blockchain-based PKI [J] . Jiang Wenbo, Li Hongwei, Xu Guowen, Future generation computer systems . 2019,第JULa期

机译：PTAS：基于区块链的PKI中的保护隐私的瘦客户端身份验证方案
4. Push away your privacy: Precise user tracking based on TLS client certificate authentication [C] . Matthias Wachs, Quirin Scheitle, Georg Carle Network Traffic Measurement and Analysis Conference . 2017

机译：推开您的隐私：基于TLS客户端证书身份验证的精确用户跟踪
5. Online privacy and security of Internet digital certificates: A study of the awareness, perceptions, and understanding of Internet users. [D] . King, Carolyn V. 2008

机译：Internet数字证书的在线隐私和安全性：对Internet用户的意识，感知和理解的研究。
6. Privacy-Preserving Sensor-Based Continuous Authentication and User Profiling: A Review [O] . Luis Hernández-Álvarez, José María de Fuentes, Lorena González-Manzano, 2021

机译：保留隐私式传感器的连续身份验证和用户分析：审查
7. Exploiting TLS Client Authentication for Widespread User Tracking [O] . Lucas Foppe, Jeremy Martin, Travis Mayberry, 2018

机译：利用TLS客户端身份验证以获取广泛的用户跟踪

Push away your privacy: Precise user tracking based on TLS client certificate authentication

摘要

著录项

相似文献

相关主题

期刊订阅