TrustBase: An Architecture to Repair and Strengthen Certificate-based Authentication
This addresses security vulnerabilities in certificate validation for system administrators, offering a novel solution to harden TLS traffic across all applications.
The authors tackled the problem of securing certificate-based authentication by introducing TrustBase, an OS-level architecture that enforces best practices and strengthens applications against CA system failures, achieving negligible overhead and universal compatibility.
We describe TrustBase, an architecture that provides certificate-based authentication as an operating system service. TrustBase enforces best practices for certificate validation for all applications and transparently enables existing applications to be strengthened against failures of the CA system. The TrustBase system allows simple deployment of authentication systems that harden the CA system. This enables system administrators, for example, to require certificate revocation checks on all TLS connections, or require STARTTLS for email servers that support it. TrustBase is the first system that is able to secure all TLS traffic, using an approach compatible with all operating systems. We design and evaluate a prototype implementation of TrustBase on Linux, evaluate its security, and demonstrate that it has negligible overhead and universal compatibility with applications. To demonstrate the utility of TrustBase, we have developed six authentication services that strengthen certificate validation for all applications.