刘端阳,平玲娣,潘雪增

DOI: https://doi.org/10.3785/j.issn.1008-973x.2004.01.006

2004-01-01

Abstract:With the development of collaboration among enterprises, it is very desirable to securely exchange information between PDMs through Internet. The original user/password mechanism is very weak, unsecure and inflexible. And also,authorization based on PKC(public key certificate) cannot satisfy the temporary relations between enterprises. In order to satisfy the demand of secure information exchanges between enterprises, according with the genernal security management model of PDM system, This paper designed an AC(attribute certificate) model based on PKC. The model was based on TTP architecture to achieve trust between enterprises and automation of enterprises' collaboration, and reduced the startup cost. And it provides not only reliable authentication and data protection, but also flexible access control and secure audit, and effectively implements information exchanges between enterprises. The new model can be well used in the fields of automobile manufacture,electronics,mechanics and so on.

Oleksandr Dulia,Dmytro Minochkin

DOI: https://doi.org/10.20535/2411-1031.2023.11.2.293496

2023-12-28

Abstract:This article delves into the vital role of Public Key Infrastructure (PKI) in securing and authenticating communications across a multitude of fields. PKI has evolved from a mere technical concept into a cornerstone of secure digital communications, playing a central role in various domains such as web security, healthcare, finance, the Internet of Things (IoT), and government services. PKI employs cryptographic techniques and digital certificates to establish trust, ensure data integrity, and enable secure communications, thus acting as the backbone of digital security. In the wake of the digital revolution, the demand for reliable and robust security solutions has skyrocketed. The diversity and scale of modern digital platforms necessitate adaptable security solutions, a challenge which PKI tackles through its flexible implementation. Despite sharing core principles, the implementation of PKI demonstrates divergences influenced by factors such as scale, complexity, resource constraints, regulatory environments, and trust models. This article offers an extensive comparison of PKI's utilization across various domains, highlighting the commonalities and divergences. It explores how PKI is tailored to meet the unique requirements and challenges of each sector and discusses the certificate lifecycle management in varying contexts. Moreover, it provides an analysis of the current state of PKI applications and challenges, offering insights into the evolving landscape of threats and technologies. Not only does the article address the current state of PKI, but it also presents a forward-looking perspective on its potential future developments. As the digital landscape continues to evolve and expand, it is crucial to anticipate the emerging challenges and devise strategies for proactive adaptation. This article thus serves as a comprehensive resource for understanding the role and impact of PKI in the contemporary digital infrastructure. Ultimately, the article seeks to underline the importance of PKI and highlight the need for continued research and development in this area. As our reliance on digital communications and transactions continues to grow, the role of PKI in safeguarding these interactions becomes increasingly significant. This comprehensive review serves as a valuable resource for researchers, practitioners, and policymakers in understanding the diverse applications of PKI and its critical role in securing the digital world.

Abba Garba,Qinwen Hu,Zhong Chen,Muhammad Rizwan Asghar

DOI: https://doi.org/10.1109/hpcc-smartcity-dss50907.2020.00108

2020-01-01

Abstract:Recently, real-world attacks against the web Public Key Infrastructure (PKI) have arisen more frequently. The current PKI that use Registration Authorities/Certificate Authorities (RAs/CAs) model suffer from notorious security vulnerabilities. Most of these vulnerabilities are due to compromises of RAs, which lead to impersonation attacks resulting in CAs misbehaving to issue bogus certificates. To counter this problem, many approaches, such as Certificate Transparency (CT), ARPKI, and PoliCert, have been proposed. Nonetheless, no solution has yet gained widespread acceptance as a result of complexity and deployability issues. Moreover, existing approaches still require to satisfy complicated interactions and synchronisation among the entities that are involved during certificate issuance, updates, and revocations. In this paper, we propose a new Blockchain-Based PKI (BB-PKI) to address these vulnerabilities of CA misbehaviour caused by impersonation attacks against RAs. Certificate Issuance Request (CIR) should be vouched by manifold RAs. Multiple CAs shall sign and issue the certificate using an out-of-band secure communication channel. Any RA that contributes to the verification process of a user's request can publish the certificate in the blockchain by creating a smart contract certificate transaction. BB-PKI offers strong security guarantees, compromising $n - 1$ of the RAs or CAs is not enough to launch impersonation attacks, meaning that attackers cannot compromise more than the threshold of the latter signatures to launch an attack.

Jason Chia,Swee-Huay Heng,Ji-Jian Chin,Syh-Yuan Tan,Wei-Chuen Yau

DOI: https://doi.org/10.3390/sym13081535

2021-08-20

Symmetry

Abstract:Public key infrastructure (PKI) plays a fundamental role in securing the infrastructure of the Internet through the certification of public keys used in asymmetric encryption. It is an industry standard used by both public and private entities that costs a lot of resources to maintain and secure. On the other hand, identity-based cryptography removes the need for certificates, which in turn lowers the cost. In this work, we present a practical implementation of a hybrid PKI that can issue new identity-based cryptographic keys for authentication purposes while bootstrapping trust with existing certificate authorities. We provide a set of utilities to generate and use such keys within the context of an identity-based environment as well as an external environment (i.e., without root trust to the private key generator). Key revocation is solved through our custom naming design which currently supports a few scenarios (e.g., expire by date, expire by year and valid for year). Our implementation offers a high degree of interoperability by incorporating X.509 standards into identity-based cryptography (IBC) compared to existing works on hybrid PKI–IBC systems. The utilities provided are minimalist and can be integrated with existing tools such as the Enterprise Java Bean Certified Authority (EJBCA).

KY Lam,SL Chung,M Gu,JG Sun

DOI: https://doi.org/10.1016/s0167-4048(03)00615-1

IF: 5.105

2003-01-01

Computers & Security

Abstract:This paper describes a security middleware for enhancing the interoperability of public key infrastructure (PKI). Security is a key concern in e-commerce and is especially critical in cross-enterprise transactions. Public key cryptography is widely accepted as an important mechanism for addressing the security needs of e-commerce transactions because of its ability to implement non-repudiation. The deployment of public key cryptography is facilitated by the provision of PKI which assures the integrity of cryptographic keys. Nevertheless, industry experiences have shown that the task of implementing PKI-based e-commerce applications is challenging. Prior studies have identified interoperability as a major issue that hinders the adoption of PKI in spite of its effectiveness in implementing strong security mechanisms and protocols. In this paper, we discuss the interoperability issue of PKI applications. This research is part of our effort in designing security infrastructure for e-commerce systems. A middleware architecture was designed to enhance interoperability of PKI applications. The security middleware aims to promote cross-enterprise cross-border e-commerce transactions. The proposed mechanism is proven to be practical in real deployment environment.

Yannan Li,Yong Yu,Chunwei Lou,Nadra Guizani,Lianhai Wang

DOI: https://doi.org/10.1109/mnet.011.2000085

IF: 10.294

2020-01-01

IEEE Network

Abstract:The public key infrastructure (PKi) has been widely adopted to create, manage, distribute, store and revoke digital certificates, which plays an important role in bootstrapping secure communications. A PKi system authenticates entities with the corresponding public keys and it lays the security foundation for public-key cryptosystems in public-key encryption and digital signatures. However, traditional PKi systems suffer from security breaches, such as single-point-of-failure and man-in-the-middle attacks due to the existence of a centralized certificate authority. in this article, we review the traditional centralized PKi system as well as the subjected security concerns, and then we propose possible solutions to address these issues with the emerging blockchain technology. Two frameworks are presented where blockchain is utilized as a public bulletin board or trusted majority. We implement the functions to evaluate the off-chain time costs and on-chain gas costs of the proposal, which demonstrate the feasibility and practicality of the proposal.

Bao Li

2004-01-01

Abstract:In Public Key Infrastructure, Certificate Authorities use certificate management protocol to communicate with other entities, in order to implement the function of certificate management.In this paper,the draft of certificate management protocol brought by PKIX is analyzed,then a improvement for it is designed and formally analyzed using BAN logic,to achieve interoperability and security.

Julian Springer,Philipp Haindl

2024-07-05

Abstract:This research investigates the potential use of a blockchain-based Public Key Infrastructure (PKI) within an organization and compares it to conventional PKI systems. The goal is to assess the advantages and disadvantages of both approaches in order to determine the feasibility of employing blockchain technology for a decentralized PKI. The study will also evaluate the impact of current legal frameworks, such as the Cyber Resilience Act (CRA) and NIS-2 Directive. The study will examine various implementations of blockchain PKIs based on factors such as security, performance, and platform. The results indicate that blockchain-based PKIs can overcome the limitations of conventional PKIs by decentralizing the trust anchor, providing greater security. Blockchain technology allows for the immutable and transparent management of certificates, making tampering significantly more challenging. Additionally, blockchain-based PKIs offer enhanced mechanisms for identifying and addressing certificate misconduct.

Cryptography and Security,Software Engineering

Dea Saka Kurnia Putra,Edit Prima

DOI: https://doi.org/10.48550/arXiv.1809.05235

2018-09-14

Cryptography and Security

Abstract:OSD PSE is the Indonesian Government Certification Authority (CA) for National e-Procurement System and later named OSD PSE G2. It has a unique hierarchical structure under the OSD Lemsaneg. As an Issuing CA, the OSD PSE G2 publishes and guarantee the quality of the Certificate Policy and Certification Practice Statement (CP-CPS) in order to gain the PKI user trustworthy. In this article, we analyze the CP-CPS version 1.0 that published by OSD PSE G2. For this purpose, we apply the methodology of PKI Assessment Guidelines (PAG). The quality assessment of this CP-CPS, including its compliance to the related reference/standard, namely: CP OSD Lemsaneg v.1.1; RFC 3647; and CA Business Practice Disclosure Principle on Trust Service Principles and Criteria for Certification Authorities (BPDP-TSPCCA) version 2.0. We finally found that the CP-CPS version 1.0 does not comply with related standard and reference. Hence, the CP-CPS need to be updated following the current condition of OSD PSE G2.

Jie Zhang,Nan Hu,M. K. Raja

DOI: https://doi.org/10.1016/j.dss.2012.12.043

IF: 6.969

2014-01-01

Decision Support Systems

Abstract:The fast growth of e-commerce and online activities places increasing needs for authentication and secure communication to enable information exchange and online transactions. The public key infrastructure (PKI) provides a promising foundation for meeting such demand, in which certificate authorities (CAs) provide digital certificates. In practice, it is critical to understand consumer purchasing and revocation behaviors so that CAs can better manage the digital certificates and its CRL releasing process. To address this problem, we analytically model a CA's pricing and revocation releasing strategies taking into consideration the users' rational decisions. The model provides solutions two main research questions: (1) How should the CA price the digital certificates? The the price of the digital certificate should be determined by the expected losses of the user's IT system, and the number of certificate revocations per period is expected to decrease over time during the lifecycle of the certificate. This result is supported by the empirical data from VeriSign. (2) How should the CA we further propose a dynamic CRL releasing policy that suggests that the optimal releasing intervals within the lifecycle of a certificate should increase over time.

Christos Patsonakis,Katerina Samari,Aggelos Kiayias,Mema Roussopoulos

DOI: https://doi.org/10.1109/DAPPCON.2019.00022

2019-02-03

Abstract:Public key infrastructures (PKIs) are one of the main building blocks for securing communications over the Internet. Currently, PKIs are under the control of centralized authorities, which is problematic as evidenced by numerous incidents where they have been compromised. The distributed, fault tolerant log of transactions provided by blockchains and more recently, smart contract platforms, constitutes a powerful tool for the decentralization of PKIs. To verify the validity of identity records, blockchain-based identity systems store on chain either all identity records, or, a small (or even constant) sized amount of data to verify identity records stored off chain. However, as most of these systems have never been implemented, there is little information regarding the practical implications of each design's tradeoffs. In this work, we first implement and evaluate the only provably secure, smart contract based PKI of [1] on top of Ethereum. This construction incurs constant-sized storage at the expense of computational complexity. To explore this tradeoff, we propose and implement a second construction which, eliminates the need for trusted setup, preserves the security properties of [1] and, as illustrated through our evaluation, is the only version with constant-sized state that can be deployed on the live chain of Ethereum. Furthermore, we compare these two systems with the simple approach of most prior works, e.g., the Ethereum Name Service, where all identity records are stored on the smart contract's state, to illustrate several shortcomings of Ethereum and its cost model. We propose several modifications for fine tuning the model, which would be useful to be considered for any smart contract platform like Ethereum so that it reaches its full potential to support arbitrary distributed applications.

Distributed, Parallel, and Cluster Computing

Georgios Mantas,Dimitrios Lymberopoulos,Nikos Komninos

DOI: https://doi.org/10.1007/s10916-010-9573-1

Abstract:During the past few years a lot of PKI (Public Key Infrastructures) infrastructures have been proposed for healthcare networks in order to ensure secure communication services and exchange of data among healthcare professionals. However, there is a plethora of challenges in these healthcare PKI infrastructures. Especially, there are a lot of challenges for PKI infrastructures deployed over large-scale healthcare networks. In this paper, we propose a PKI infrastructure to ensure security in a large-scale Internet-based healthcare network connecting a wide spectrum of healthcare units geographically distributed within a wide region. Furthermore, the proposed PKI infrastructure facilitates the trust issues that arise in a large-scale healthcare network including multi-domain PKI infrastructures.

Rashad Elhabob,Mazin Taha,Hu Xiong,Muhammad Khurram Khan,Saru Kumari,Pradeep Chaudhary

DOI: https://doi.org/10.1016/j.compeleceng.2024.109140

IF: 4.152

2024-01-01

Computers & Electrical Engineering

Abstract:In the domain of the Internet of Vehicles (IoV), the integration of intelligent devices for traffic data collection is pivotal, with data storage occurring in cloud-assisted IoV systems. Despite its importance, this raises trust concerns regarding cloud servers, necessitating the use of encryption. However, encrypted data search remains a complex challenge. To address this, alongside issues of certificate management, key escrow, and pairing computation, we propose a novel solution: free-pairing certificateless public key encryption with equality test (CL-PKE-ET). This protocol empowers cloud systems to compare encrypted data and establish equality, retrieving results without accessing the sensitive information within the encrypted data. Grounded in the computational Diffie–Hellman assumption within the random oracle model, our CL-PKE-ET protocol is a significant advancement in secure data handling for IoV. Comparative analysis with leading-edge schemes demonstrates our method’s superior performance. This positions our CL-PKE-ET protocol as an ideal fit for the evolving IoV landscape, offering a robust solution to contemporary IoV security challenges.

Aqsa Rashid,Asif Masood,Haider Abbas,Yin Zhang

DOI: https://doi.org/10.1109/mnet.101.2000532

IF: 10.294

2021-01-01

IEEE Network

Abstract:Public Key Infrastructure (PKI) has been considered to be an enabler of secure communication, while, due to its complex and centralized design, there have been instances in the past for Certification Authority's (CA) misbehaving and publishing rogue certificates for targeted attacks. This research aims to present a blockchain-based mechanism that lays down a concrete foundation for creating a transparent and secure block-chain-based mechanism for the issuance and management of digital certificates that enables prevention against CA misbehaving. A prototype is deployed and tested on the Ethereum test network, and the results are made publicly available for verification and validation. As a result, the proposed Ethereum blockchain-based PKI mechanism enables secure, transparent, and auditable issuance and management of digital certificates together with the solution of Sybil, Spoofing, and Man-in-the-Middle (MITM) attacks.

Rashad Elhabob,Yanan Zhao,Iva Sella,Hu Xiong

DOI: https://doi.org/10.1007/s12652-019-01365-4

2019-01-01

Abstract:Current time organizations have moved from the conventional industries to smart industries by embracing the approach of Industrial Internet of Things (IIoT), which has provided an avenue for the integration of smart devices and communication technologies. IIoT offers reduction of costs on services and technologies since it counts on the flexibility, availability and real-time data processing capabilities of the cloud server. And even with the untrusted nature of the cloud, the privacy and confidentiality of the data outsourced to the cloud has been able to be guaranteed. This has been achieved through encryption techniques apply to the data before outsourcing. This has made it feasible to have the data in the cloud secured. However, the limitation of data recovery due to it having the innate “all-or-nothing” decryption characteristic, results in a challenge in the search functionality for the encrypted data. In order to deal with this challenge, this paper nominates a Certificateless Public Key Cryptography with Authorized Equivalent Test (CL-PKC-AET). Whereby, a cloud server is given authority to actuate if two encryptions consist of the equivalent messages. Furthermore, the extra providence of a fine-grained testing capability to the cloud server makes the CL-PKC-AET scheme adaptable. We define our scheme basing on bilinear pairing and further advocate within the random oracle model its security, based on the Bilinear Diffie-Hellman assumption. Basing on comparison with existing work, our scheme proves to be more effective.

Shi Yijuan,Li Jianhua

DOI: https://doi.org/10.1007/s11859-006-0194-y

2007-01-01

Wuhan University Journal of Natural Sciences

Abstract:Certificateless public key cryptography was introduced to overcome the key escrow limitation of the identity-based cryptography. It combines the advantages of the identity-based cryptography and the traditional PKI. Many certificateless public key encryption and signature schemes have been proposed. However, the key agreement in CL-PKE is seldom discussed. In this paper, we present a new certificateless two party authentication key agreement protocol and prove its security attributes. Compared with the existing protocol, our protocol is more efficient.

Hengchuan Tan,Maode Ma,Houda Labiod,Aymen Boudguiga,Jun Zhang,Peter Han Joo Chong

DOI: https://doi.org/10.1109/TVT.2016.2621354

2017-12-28

Abstract:Public key infrastructure (PKI) is the most widely used security mechanism for securing communications over the network. However, there are known performance issues, making it unsuitable for use in vehicular networks. In this paper, we propose a secure and authenticated key management protocol (SA-KMP) to overcome the shortcomings of the PKI. The SA-KMP scheme distributes repository containing the bindings of the en-tity's identity and its corresponding public key to each vehicle and road side unit. By doing so, certificate exchanges and certificate revocation lists are eliminated. Furthermore, the SA-KMP scheme uses symmetric keys derived based on a 3-D-matrix-based key agreement scheme to reduce the high computational costs of using asymmetric cryptography. We demonstrate the efficiency of the SA-KMP through performance evaluations in terms of transmission and storage overhead, network latency, and key generation time. Analytical results show that the SA-KMP is more scalable and outperforms the certificate-based PKI. Simulation results indicate that the key generation time of the SA-KMP scheme is less than that of the existing Elliptic Curve Diffie--Hellman and Diffie--Hellman protocols. In addition, we use Proverif to prove that the SA-KMP scheme is secure against an active attacker under the Dolev and Yao model and further show that the SA-KMP scheme is secure against denial of service, collusion attacks, and a wide range of other malicious attacks.

Cryptography and Security

李彪,张申生

DOI: https://doi.org/10.3321/j.issn:1006-2467.2002.09.019

2002-01-01

Abstract:PKI (Public Key Infrastructure) is the basis of secure applications in World Wide Web. The lack of dynamic property in traditional conformation of PKI can not fulfill the security requirements in virtual enterprises. A new conformation of PKI, based on a secret sharing scheme, was proposed to establish the security framework across enterprises and the trust among them.

Adrian-Tudor Dumitrescu,Johan Pouwelse

2024-01-11

Abstract:The Public Key Infrastructure existed in critical infrastructure systems since the expansion of the World Wide Web, but to this day its limitations have not been completely solved. With the rise of government-driven digital identity in Europe, it is more important than ever to understand how PKI can be an efficient frame for eID and to learn from mistakes encountered by other countries in such critical systems. This survey aims to analyze the literature on the problems and risks that PKI exhibits, establish a brief timeline of its evolution in the last decades and study how it was implemented in digital identity projects.

Distributed, Parallel, and Cluster Computing,Cryptography and Security

P. Gutmann

DOI: https://doi.org/10.1109/MC.2002.1023787

2002-08-01

Computer

Abstract:Like other flexible objects, the public key infrastructure sacrifices some utility in trying to be all things to all people. Mainly, PKI's generic, all-purpose identity certificates fall short of what the marketplace demands, forcing vendors to develop more economically efficient, useful, and imaginative business models. Thus, we must adapt the PKI design to the real world rather than trying to constrain the real world to match the PKI. A variety of alternative approaches, ranging from simple workarounds to designing the application to sidestep PKI's shortcomings entirely, can help solve the problems inherent in the standard X.509 model. Despite an original design that failed to address the marketplace's needs, the use of innovative public key infrastructure models can make the technology meet today's requirements.

Computer Science,Philosophy