Liu Duan-yang,Pan Xue-zeng,Ping Ling-di

DOI: https://doi.org/10.1631/jzus.2003.0555

2003-01-01

Abstract:Distributed certification via threshold cryptography is much more secure than other ways to protect certification authority (CA)'s private key, and can tolerate some intrusions. As the original system such as ITTC, etc., is unsafe, inefficient and impracitcal in actual network environment, this paper brings up a new distributed certification scheme, which although it generates key shares concentratively, it updates key shares distributedly, and so, avoids single-point failure like ITTC. It not only enhances robustness with Feldman verification and SSL protocol, but can also change the threshold (t, k) flexibly and robustly, and so, is much more practical. In this work, the authors implement the prototype system of the new scheme and test and analyze its performance.

Zhi-Yu Peng,Shan-Ping Li

DOI: https://doi.org/10.1109/icmlc.2008.4620616

2008-01-01

Abstract:As pervasive computing leading to an increased collection of information in the computational world as well as the real world, privacy leaking becomes a serious issue. Although privacy protection has drawn great attention in recent years, the privacy-preserving trust management has not been brought forward. Credential chain discovery problem is the key issue in trust management, and traditionally credentials are full open in the whole system. This could expose users' access control policies as well as other private information, and leads to a great risk of being cheated by malicious users. This paper advocates a privacy-preserving credential chain discovery mechanism, in which credentials are no longer available to everyone. By merely learning credentials of one's logic neighbors, this mechanism still achieves good results. The simulations show that this mechanism is practical.

PAN Shao-ming,YU Zhan-wu,LI Rui,WANG Hao

DOI: https://doi.org/10.3969/j.issn.1001-3695.2009.06.044

2009-01-01

Abstract:The dynamic of peers in P2P overlay and their interactions had offered a challenge on security certificate authority.This paper proposed a new security certificate mode,namely P2P-PKI.P2P-PKI effectively broke a certificate into size-equal segments,and transmited and updated the segments among the dynamic peers.Theoretically analyzed the load of certificate authority and the time to certificate transmission and update.Simulation experiments are performed and the results show the out performance of P2P-PKI over the traditional PKI.

LIN Huai-qing,LI Zhi-tang,HUANG Qing-feng

DOI: https://doi.org/10.3969/j.issn.1000-3428.2007.18.007

2007-01-01

Abstract:Managing trust relationships are important part of trust model.An important challenge in managing such trust relationships is to design a protocol to secure the placement and access of these trust ratings.In this protocol,a verifiable threshold cryptosystem without a trusted center is applied to generate system public/private keys.K managers can generate certification for peer.The protocol provides an anonymous server for peer.The security analysis shows that the protocol has desirable features of anonymity,reliability,accountability and is secure in the presence of a variety of possible attacks.

Fagen Li,Xiangjun Xin,Yupu Hu

DOI: https://doi.org/10.1504/ijmc.2007.011491

2006-01-01

International Journal of Mobile Communications

Abstract:As various applications of ad hoc network have been proposed, security issues have become a central concern and are increasingly important. In this paper, we propose a distributed key management approach by using the self-certified public key system and threshold secret sharing schemes. Without any assumption of prefixed trust relationship between nodes, the ad hoc network works in a self-organising way to provide the key generation and key management services using threshold secret sharing schemes, which effectively solves the problem of single point of failure. The using of self-certified public key system has the following advantages: (1) the storage space and the communication overheads can be reduced in that the certificate is unnecessary; (2) the computational costs can be decreased since it requires no public key verification; (3) there is no key escrow problem since the Certificate Authority (CA) does not know the users' private keys. As compared with the previous works, which were implemented with the certificate-based public key system and identity-based (ID-based) public key system, the proposed approach is more secure and efficient.

Fagen Li,Masaaki Shirase,Tsuyoshi Takagi

DOI: https://doi.org/10.1007/978-3-540-88140-7_11

2008-01-01

Abstract:As various applications of wireless ad hoc network have been proposed, security has become one of the big research challenges and is receiving increasing attention. In this paper, we propose a distributed key management approach by using the recently developed concepts of certificateless public key cryptography and threshold secret sharing schemes. Without any assumption of prefixed trust relationship between nodes, the ad hoc network works in a self-organizing way to provide the key generation and key management services using threshold secret sharing schemes, which effectively solves the problem of single point of failure. Certificateless public key cryptography is applied here not only to eliminate the need for certificates, but also to retain the desirable properties of identity-based key management approaches without the inherent key escrow problem.

LIU Fu-li,WU Bin,YANG Shou-bao,JI Wen

DOI: https://doi.org/10.3969/j.issn.1009-8054.2009.09.046

2009-01-01

Abstract:Public key certificate is an important carrier for public key. With the development of self-organized networks and distributed networks, such as Ad Hoc Networks, a secure self-organized certificate management scheme is required urgently. In this paper, a new one-way hash chain based self-organized certificate management scheme is proposed. In this scheme, nodes themselves can create, disseminate, renew, certify and revoke the certificate without the supports by third trusted party online. As its security relies on the security of private key and the one-way hash chain, this scheme is more secure than previous ones.

Aqsa Rashid,Asif Masood,Haider Abbas,Yin Zhang

DOI: https://doi.org/10.1109/mnet.101.2000532

IF: 10.294

2021-01-01

IEEE Network

Abstract:Public Key Infrastructure (PKI) has been considered to be an enabler of secure communication, while, due to its complex and centralized design, there have been instances in the past for Certification Authority's (CA) misbehaving and publishing rogue certificates for targeted attacks. This research aims to present a blockchain-based mechanism that lays down a concrete foundation for creating a transparent and secure block-chain-based mechanism for the issuance and management of digital certificates that enables prevention against CA misbehaving. A prototype is deployed and tested on the Ethereum test network, and the results are made publicly available for verification and validation. As a result, the proposed Ethereum blockchain-based PKI mechanism enables secure, transparent, and auditable issuance and management of digital certificates together with the solution of Sybil, Spoofing, and Man-in-the-Middle (MITM) attacks.

Hoang Nam Nguyen,Hiroaki Morino

DOI: https://doi.org/10.1007/11596042_93

2005-01-01

Abstract:Providing secure communications is a crucial task for the success of future ubiquitous mobile communication systems. Using public key infrastructure (PKI) is considered as a good solution to fulfill the task. However, as mobile ad hoc networks (MANET) inherit unique characteristics such as dynamic topology, non-infrastructure architecture, centralized PKI architectures are not suitable for dynamic MANET. The use of distributed PKI models is more appropriate but requires additional modifications to adapt with network changes. In this paper, we introduce a novel key management scheme for MANET, which exploits advantages of threshold cryptography. The major innovative aspect of this scheme is the use of temporal substitute certificate authorities (SCA), which form a PKI model of multi SCA groups. Performance results obtained by computer simulation show that the proposed key management scheme can reduce the latency of authentication, certificate update delay and the signaling load.

Shouhuai Xu,Xiaohu Li,T. Paul Parker

DOI: https://doi.org/10.1145/1368310.1368358

2008-01-01

Abstract:ABSTRACTDigital signatures are an important security mechanism, especially when non-repudiation is desired. However, non-repudiation is meaningful only when the private signing keys and functions are adequately protected --- an assumption that is very difficult to accommodate in the real world because computers (and thus cryptographic keys and functions) could be relatively easily compromised. One approach to resolving, or at least alleviating, this problem is to use threshold cryptography. But how should such techniques be employed in the real world? In this paper we propose exploiting social networks whereby average users take advantage of their trusted ones to help secure their cryptographic keys. While the idea is simple from an individual user's perspective, we aim to understand the resulting systems from a whole-system perspective. Specifically, we propose and investigate two measures of the resulting systems: attack-resilience, which captures the security consequences due to the compromise of some computers and thus the compromise of the cryptographic key shares stored on them; availability, which captures the effect when computers are not always responsive (due to the peer-to-peer nature of social networks).

Yunhao Liu,Jinsong Han

DOI: https://doi.org/10.14711/thesis-b987542

2007-01-01

Abstract:Peer-to-Peer (P2P) model has become the mainstream of the applications in current and future Internet. Being effective in utilizing and managing globally distributed information over Internet, however, most current P2P systems do not provide protection to their users against the increasing threat from selfish peers or malicious adversaries. Anonymous and trustworthy computing hereby has continuously gained importance because it meets the users’ demands of privacy, fairness, trust, and reliability. In order to construct anonymous and trustworthy P2P systems, we must address several crucial challenges including (1) reliably and efficiently anonymizing the P2P network; (2) authenticating users’ identities; (3) enabling trust management in anonymous environments. Most existing approaches achieve anonymity via fixed paths, which are unreliable and inefficient in dynamic P2P systems. We propose two non-path based protocols to anonymize P2P systems. The results of trace driven simulations show that our proposed protocols are reliable, scalable and effective, and significantly reduce cryptographic overhead. The second issue is that the current authentication approaches face a dilemma in anonymous environments: authenticating other users needs their real identities; while the anonymity requires those users to hide their real identities. We propose a Zero-knowledge based protocol to allow users authenticate with each other without exposing their real identities. We show the effectiveness of our proposed protocol by simulation studies and prototype implementation. We solve the third issue by constructing a reputation based trust management architecture. We particularly focus on the feedback quality problem. In shorting of trusted authority centers in P2P systems, the feedback quality are easily wrecked by the dishonest feedback from malicious peers, which further degrades the computation accuracy of users’ reputation. Our proposed architecture effectively alleviates the damage on computing reputation caused by the feedback cheating. We believe that widely employing above proposed approaches will make P2P systems more secure and reliable. We also extend our study to other distributed systems and propose a privacy-preserving authentication protocol for RFID systems. Keywords: Peer-to-Peer, Anonymity, Privacy-Preserving, Authentication, Key Updating, Secret Sharing, Random Walk, Selected Flooding, Trustworthy Computing, Feedback Quality, Trust Management, Trace Driven Simulation, Zero-Knowledge Proof, Man-in-middle-attack

Yannan Li,Yong Yu,Chunwei Lou,Nadra Guizani,Lianhai Wang

DOI: https://doi.org/10.1109/mnet.011.2000085

IF: 10.294

2020-01-01

IEEE Network

Abstract:The public key infrastructure (PKi) has been widely adopted to create, manage, distribute, store and revoke digital certificates, which plays an important role in bootstrapping secure communications. A PKi system authenticates entities with the corresponding public keys and it lays the security foundation for public-key cryptosystems in public-key encryption and digital signatures. However, traditional PKi systems suffer from security breaches, such as single-point-of-failure and man-in-the-middle attacks due to the existence of a centralized certificate authority. in this article, we review the traditional centralized PKi system as well as the subjected security concerns, and then we propose possible solutions to address these issues with the emerging blockchain technology. Two frameworks are presented where blockchain is utilized as a public bulletin board or trusted majority. We implement the functions to evaluate the off-chain time costs and on-chain gas costs of the proposal, which demonstrate the feasibility and practicality of the proposal.

Cong Tang,Ruichuan Chen,Zhuhua Cai,Anmin Xie,Jian-bin Hu,Liyong Tang,Zhong Chen

DOI: https://doi.org/10.1145/1529282.1529298

2009-01-01

Abstract:Compared with the public key infrastructure (PKI) technique, identity based cryptography (IBC) can simplify the key management process in peer-to-peer (P2P) networks significantly. The identity of a peer (e.g., peer identifier or peer geometric coordinate) in P2P overlay networks is used to create its public key, thus avoiding the use of any certificates. These IBC-based systems are scalable, simple to administer, and each user can carry out anytime/anywhere encryption, establish secure communication channels, prove its identity to other nodes, verify protected messages and produce a form of signature with non-repudiation properties.

Xinyi Luo,Zhuo Xu,Kaiping Xue,Qiantong Jiang,Ruidong Li,David Wei

DOI: https://doi.org/10.1109/icdcs54860.2022.00121

2022-01-01

Abstract:As the voucher for identity, digital certificates and the public key infrastructure (PKI) system have always played a vital role to provide the authentication services. In recent years, with the increase in attacks on traditional centralized PKIs and the extensive deployment of blockchains, researchers have tried to establish blockchain-based secure decentralized PKIs and have made significant progress. Although blockchain enhances security, it brings new problems in scalability due to the inherent limitations of blockchain’s data structure and consensus mechanism, which become much severe for the massive access in the era of 5G and B5G. In this paper, we propose ScalaCert to mitigate the scalability problems of blockchain-based PKIs by utilizing redactable blockchain for "on-cert" revocation. Specifically, we utilize the redactable blockchain to record revocation information directly on the original certificate ("on-cert") and remove additional data structures such as CRL, significantly reducing storage overhead. Moreover, the combination of redactable and consortium blockchains brings a new kind of attack called deception of versions (DoV) attack. To defend against it, we design a random-block-node-check (RBNC) based freshness check mechanism. Security and performance analyses show that ScalaCert has sufficient security and effectively solves the scalability problem of the blockchain-based PKI system.

Qi Liu,Xiangyu Bai

DOI: https://doi.org/10.1109/iceiec.2017.8076576

2017-01-01

Abstract:In order to ensure the security of mobile ad hoc networks (MANETs), the research on certificateless key management scheme is attracting more and more attention. The certificateless key management scheme can well resist the key escrow problem and it is very suitable for MANET, which is source-constrained and has no public key infrastructure. In this paper, we give an overview of some recent certificateless key management schemes and analyse their advantages and disadvantages. Then we make a comparison of their main methods, key distribution, private key generation and their calculation cost. Finally we put forward a suggestion to solve the problems existing in the certificateless key management scheme.

Bargav Jayaraman,Hannah Li,David Evans

DOI: https://doi.org/10.48550/arXiv.1706.03370

2017-10-10

Abstract:The security of TLS depends on trust in certificate authorities, and that trust stems from their ability to protect and control the use of a private signing key. The signing key is the key asset of a certificate authority (CA), and its value is based on trust in the corresponding public key which is primarily distributed by browser vendors. Compromise of a CA private key represents a single point-of-failure that could have disastrous consequences, so CAs go to great lengths to attempt to protect and control the use of their private keys. Nevertheless, keys are sometimes compromised and may be misused accidentally or intentionally by insiders. We propose splitting a CA's private key among multiple parties, and producing signatures using a generic secure multi-party computation protocol that never exposes the actual signing key. This could be used by a single CA to reduce the risk that its signing key would be compromised or misused. It could also enable new models for certificate generation, where multiple CAs would need to agree and cooperate before a new certificate can be generated, or even where certificate generation would require cooperation between a CA and the certificate recipient (subject). Although more efficient solutions are possible with custom protocols, we demonstrate the feasibility of implementing a decentralized CA using a generic two-party secure computation protocol with an evaluation of a prototype implementation that uses secure two-party computation to generate certificates signed using ECDSA on curve secp192k1.

Cryptography and Security

FY Miao,Y Xiong,SB Yang,XF Wang

IF: 1.019

2005-01-01

Chinese Journal of Electronics

Abstract:The distribution and autonomy of Mobile ad hoc network (Manet) exclude the deployment of the Public key infrastructure (PKI) with an online Trusted third party (TTP). Allowing for the characteristics of Manet such as transience, distribution and autonomy, the paper proposes a one-way hash chain based Public key infrastructure for manet (PKIM). In the scheme, a node, before coming into a Manet, first acquires a certificate offline from its manufacturer, and then the certificate can be initialized at any time to use, refreshed and revoked by the node itself based on time synchronization and one-way hash chain. Discussions show that the PKIM can exempt any support of TTP and manufacturer, and remove the limitation of life period on certificate if parameters are properly selected. Thus, the scheme is secure, TTP-free, flexible and suitable for Manet.

Abba Garba,Qinwen Hu,Zhong Chen,Muhammad Rizwan Asghar

DOI: https://doi.org/10.1109/hpcc-smartcity-dss50907.2020.00108

2020-01-01

Abstract:Recently, real-world attacks against the web Public Key Infrastructure (PKI) have arisen more frequently. The current PKI that use Registration Authorities/Certificate Authorities (RAs/CAs) model suffer from notorious security vulnerabilities. Most of these vulnerabilities are due to compromises of RAs, which lead to impersonation attacks resulting in CAs misbehaving to issue bogus certificates. To counter this problem, many approaches, such as Certificate Transparency (CT), ARPKI, and PoliCert, have been proposed. Nonetheless, no solution has yet gained widespread acceptance as a result of complexity and deployability issues. Moreover, existing approaches still require to satisfy complicated interactions and synchronisation among the entities that are involved during certificate issuance, updates, and revocations. In this paper, we propose a new Blockchain-Based PKI (BB-PKI) to address these vulnerabilities of CA misbehaviour caused by impersonation attacks against RAs. Certificate Issuance Request (CIR) should be vouched by manifold RAs. Multiple CAs shall sign and issue the certificate using an out-of-band secure communication channel. Any RA that contributes to the verification process of a user's request can publish the certificate in the blockchain by creating a smart contract certificate transaction. BB-PKI offers strong security guarantees, compromising $n - 1$ of the RAs or CAs is not enough to launch impersonation attacks, meaning that attackers cannot compromise more than the threshold of the latter signatures to launch an attack.

Ratna Halder,Dipanjan Das Roy,Dongwan Shin

DOI: https://doi.org/10.3390/jcp4020010

2024-03-31

Journal of Cybersecurity and Privacy

Abstract:Internet applications rely on Secure Socket Layer (SSL)/Transport Security Layer (TSL) certifications to establish secure communication. However, the centralized nature of certificate authorities (CAs) poses a risk, as malicious third parties could exploit the CA to issue fake certificates to malicious web servers, potentially compromising the privacy and integrity of user data. In this paper, we demonstrate how the utilization of decentralized certificate verification with blockchain technology can effectively address and mitigate such attacks. We present a decentralized public key infrastructure (PKI) based on a distributed trust model, e.g., Web of Trust (WoT) and blockchain technologies, to overcome vulnerabilities like single points of failure and to prevent tampering with existing certificates. In addition, our infrastructure establishes a trusted key-ring network that decouples the authentication process from CAs in order to enhance secure certificate issuance and accelerate the revocation process. Furthermore, as a proof of concept, we present the implementation of our proposed system in the Ethereum blockchain, confirming that the proposed framework meets the five identified requirements. Our experimental results demonstrate the effectiveness of our proposed system in practice, albeit with additional overhead compared to conventional PKIs.

computer science, information systems, interdisciplinary applications, software engineering

Meng Luo,Bo Feng,Long Lu,Engin Kirda,Kui Ren

DOI: https://doi.org/10.1109/tdsc.2023.3255869

2023-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Digital certificates are frequently used to secure communications between users and web servers. Critical to the Web’s PKI is the secure validation of digital certificates. Nonetheless, certificate validation itself is complex and error-prone. Moreover, it is also undermined by particular constraints of mobile browsers. However, these issues have long been overlooked. In this article, we undertook the first systematic and large-scale study of the certificate validation mechanism within popular mobile browsers to highlight the necessity of reassessing it among all released browsers. To this end, we first compile a comprehensive test suite to identify security flaws in certificate validation from various aspects. By designing and implementing a generic, automated testing pipeline, we effectively evaluate 30 popular browsers on two mobile OS versions and compare them with five representative desktop browsers. We found the latest mobile browsers Accept as many as 33.2% invalid certificates and Reject merely 5.4% invalid ones on average, leaving the majority of them to be decided by users who usually have little expertise. Our findings shed light on the severity and inconsistency of certificate validation flaws across mobile browsers, which are likely to expose users to MITM attacks, spoofing attacks, and so forth.