Aqsa Rashid,Asif Masood,Haider Abbas,Yin Zhang

DOI: https://doi.org/10.1109/mnet.101.2000532

IF: 10.294

2021-01-01

IEEE Network

Abstract:Public Key Infrastructure (PKI) has been considered to be an enabler of secure communication, while, due to its complex and centralized design, there have been instances in the past for Certification Authority's (CA) misbehaving and publishing rogue certificates for targeted attacks. This research aims to present a blockchain-based mechanism that lays down a concrete foundation for creating a transparent and secure block-chain-based mechanism for the issuance and management of digital certificates that enables prevention against CA misbehaving. A prototype is deployed and tested on the Ethereum test network, and the results are made publicly available for verification and validation. As a result, the proposed Ethereum blockchain-based PKI mechanism enables secure, transparent, and auditable issuance and management of digital certificates together with the solution of Sybil, Spoofing, and Man-in-the-Middle (MITM) attacks.

Yannan Li,Yong Yu,Chunwei Lou,Nadra Guizani,Lianhai Wang

DOI: https://doi.org/10.1109/mnet.011.2000085

IF: 10.294

2020-01-01

IEEE Network

Abstract:The public key infrastructure (PKi) has been widely adopted to create, manage, distribute, store and revoke digital certificates, which plays an important role in bootstrapping secure communications. A PKi system authenticates entities with the corresponding public keys and it lays the security foundation for public-key cryptosystems in public-key encryption and digital signatures. However, traditional PKi systems suffer from security breaches, such as single-point-of-failure and man-in-the-middle attacks due to the existence of a centralized certificate authority. in this article, we review the traditional centralized PKi system as well as the subjected security concerns, and then we propose possible solutions to address these issues with the emerging blockchain technology. Two frameworks are presented where blockchain is utilized as a public bulletin board or trusted majority. We implement the functions to evaluate the off-chain time costs and on-chain gas costs of the proposal, which demonstrate the feasibility and practicality of the proposal.

Ratna Halder,Dipanjan Das Roy,Dongwan Shin

DOI: https://doi.org/10.3390/jcp4020010

2024-03-31

Journal of Cybersecurity and Privacy

Abstract:Internet applications rely on Secure Socket Layer (SSL)/Transport Security Layer (TSL) certifications to establish secure communication. However, the centralized nature of certificate authorities (CAs) poses a risk, as malicious third parties could exploit the CA to issue fake certificates to malicious web servers, potentially compromising the privacy and integrity of user data. In this paper, we demonstrate how the utilization of decentralized certificate verification with blockchain technology can effectively address and mitigate such attacks. We present a decentralized public key infrastructure (PKI) based on a distributed trust model, e.g., Web of Trust (WoT) and blockchain technologies, to overcome vulnerabilities like single points of failure and to prevent tampering with existing certificates. In addition, our infrastructure establishes a trusted key-ring network that decouples the authentication process from CAs in order to enhance secure certificate issuance and accelerate the revocation process. Furthermore, as a proof of concept, we present the implementation of our proposed system in the Ethereum blockchain, confirming that the proposed framework meets the five identified requirements. Our experimental results demonstrate the effectiveness of our proposed system in practice, albeit with additional overhead compared to conventional PKIs.

computer science, information systems, interdisciplinary applications, software engineering

Erhan Turan,Sevil Sen,Tamer Ergun

DOI: https://doi.org/10.1109/access.2024.3394657

IF: 3.9

2024-05-03

IEEE Access

Abstract:The conventional Public Key Infrastructure (PKI) has long been plagued by security issues stemming from its centralized and non-transparent design. In recent years, blockchain-based PKI architectures have emerged as promising solutions to overcome such issues. However, existing research has predominantly focused on SSL certificates, overlooking other certificate types used for purposes such as facilitating electronic signatures/seals, code signing, and S/MIME- all reliant on the foundational PKI infrastructure. In this study, we present a novel blockchain-based PKI architecture designed to accommodate diverse certificate types. Combining the principles of the Web of Trust with a centralized model, our SemiDec-PKI establishes a resilient, distributed infrastructure. This unique synergy minimizes reliance on a single central authority, mitigating the vulnerabilities associated with traditional PKI systems' single points of failure. With a cross-check mechanism and collective consensus of trusted entities, SemiDec-PKI provides higher fault tolerance, preventing disruptions from certificate misissuance or compromised certificate authorities. Furthermore, it introduces a stake-based reward-punishment mechanism which incentives honest behavior and penalizes malicious actions, serving as a potent deterrent against impersonation attacks.

computer science, information systems,telecommunications,engineering, electrical & electronic

Zhichao Ruan,Wei Ye,Yankai Xie,Haixing Li,Chi Zhang,Lingbo Wei

DOI: https://doi.org/10.1109/icc45041.2023.10278733

2023-01-01

Abstract:Blockchain is the most promising technology to tackle the security challenges of certificate revocation schemes, such as vulnerability to the single point of failure and lack of accountability systems. However, current blockchain-based certificate revocation systems suffer from privacy problems as the blockchain nodes can learn which website the client is going to connect with and infer the end-user's private information, such as identity, location, and health condition. In this paper, we propose a decentralized certificate revocation scheme that allows clients to securely and privately verify revocation information. We not only take advantage of blockchain to provide security guarantees but also further craft a novel multi-server offline/online private information retrieval (PIR) protocol named MOO-PIR to preserve query privacy for clients even if a subset of servers collude. Finally, we provide security analysis and performance evaluation, demonstrating that our scheme can protect client privacy without compromising efficiency.

Christos Patsonakis,Katerina Samari,Aggelos Kiayias,Mema Roussopoulos

DOI: https://doi.org/10.1109/DAPPCON.2019.00022

2019-02-03

Abstract:Public key infrastructures (PKIs) are one of the main building blocks for securing communications over the Internet. Currently, PKIs are under the control of centralized authorities, which is problematic as evidenced by numerous incidents where they have been compromised. The distributed, fault tolerant log of transactions provided by blockchains and more recently, smart contract platforms, constitutes a powerful tool for the decentralization of PKIs. To verify the validity of identity records, blockchain-based identity systems store on chain either all identity records, or, a small (or even constant) sized amount of data to verify identity records stored off chain. However, as most of these systems have never been implemented, there is little information regarding the practical implications of each design's tradeoffs. In this work, we first implement and evaluate the only provably secure, smart contract based PKI of [1] on top of Ethereum. This construction incurs constant-sized storage at the expense of computational complexity. To explore this tradeoff, we propose and implement a second construction which, eliminates the need for trusted setup, preserves the security properties of [1] and, as illustrated through our evaluation, is the only version with constant-sized state that can be deployed on the live chain of Ethereum. Furthermore, we compare these two systems with the simple approach of most prior works, e.g., the Ethereum Name Service, where all identity records are stored on the smart contract's state, to illustrate several shortcomings of Ethereum and its cost model. We propose several modifications for fine tuning the model, which would be useful to be considered for any smart contract platform like Ethereum so that it reaches its full potential to support arbitrary distributed applications.

Distributed, Parallel, and Cluster Computing

Xinyi Luo,Zhuo Xu,Kaiping Xue,Qiantong Jiang,Ruidong Li,David Wei

DOI: https://doi.org/10.1109/icdcs54860.2022.00121

2022-01-01

Abstract:As the voucher for identity, digital certificates and the public key infrastructure (PKI) system have always played a vital role to provide the authentication services. In recent years, with the increase in attacks on traditional centralized PKIs and the extensive deployment of blockchains, researchers have tried to establish blockchain-based secure decentralized PKIs and have made significant progress. Although blockchain enhances security, it brings new problems in scalability due to the inherent limitations of blockchain’s data structure and consensus mechanism, which become much severe for the massive access in the era of 5G and B5G. In this paper, we propose ScalaCert to mitigate the scalability problems of blockchain-based PKIs by utilizing redactable blockchain for "on-cert" revocation. Specifically, we utilize the redactable blockchain to record revocation information directly on the original certificate ("on-cert") and remove additional data structures such as CRL, significantly reducing storage overhead. Moreover, the combination of redactable and consortium blockchains brings a new kind of attack called deception of versions (DoV) attack. To defend against it, we design a random-block-node-check (RBNC) based freshness check mechanism. Security and performance analyses show that ScalaCert has sufficient security and effectively solves the scalability problem of the blockchain-based PKI system.

Murat Yasin Kubilay,Mehmet Sabir Kiraz,Haci Ali Mantar

DOI: https://doi.org/10.48550/arXiv.1806.03914

2018-10-01

Abstract:In conventional PKI, CAs are assumed to be fully trusted. However, in practice, CAs' absolute responsibility for providing trustworthiness caused major security and privacy issues. To prevent such issues, Google introduced the concept of Certificate Transparency (CT) in 2013. Later, several new PKI models (e.g., AKI, ARPKI, and DTKI) are proposed to reduce the level of trust to the CAs. However, all of these proposals are still vulnerable to split-world attacks if the adversary is capable of showing different views of the log to the targeted victims. In this paper, we propose a new PKI architecture with certificate transparency based on blockchain, what we called CertLedger, to eliminate the split-world attacks and to provide an ideal certificate/revocation transparency. All TLS certificates, their revocation status, entire revocation process, and trusted CA management are conducted in the CertLedger. CertLedger provides a unique, efficient, and trustworthy certificate validation process eliminating the conventional inadequate and incompatible certificate validation processes implemented by different software vendors. TLS clients in the CertLedger also do not require to make certificate validation and store the trusted CA certificates anymore. We analyze the security and performance of the CertLedger and provide a comparison with the previous proposals.

Cryptography and Security

Julian Springer,Philipp Haindl

2024-07-05

Abstract:This research investigates the potential use of a blockchain-based Public Key Infrastructure (PKI) within an organization and compares it to conventional PKI systems. The goal is to assess the advantages and disadvantages of both approaches in order to determine the feasibility of employing blockchain technology for a decentralized PKI. The study will also evaluate the impact of current legal frameworks, such as the Cyber Resilience Act (CRA) and NIS-2 Directive. The study will examine various implementations of blockchain PKIs based on factors such as security, performance, and platform. The results indicate that blockchain-based PKIs can overcome the limitations of conventional PKIs by decentralizing the trust anchor, providing greater security. Blockchain technology allows for the immutable and transparent management of certificates, making tampering significantly more challenging. Additionally, blockchain-based PKIs offer enhanced mechanisms for identifying and addressing certificate misconduct.

Cryptography and Security,Software Engineering

Yue Fu,Rong Du,Dagang Li

DOI: https://doi.org/10.1007/978-3-030-00018-9_25

2018-01-01

Abstract:Under some applications, identity-authentication must be involved into block-chain systems. However, the introduction of traditional PKI mechanism in block-chain systems is not proper for 3 reasons: (1) a centralized certification authority (CA) represents a single point of failure in the network; (2) the numbers and locations of nodes vary in time; (3) it introduces additional centralized factors in the block-chain system that is already decentralized. For the sake of decentralization multi-CA scenario is considered to distribute CA-functionality to nodes. Further, armed with secret sharing scheme, a practical distributed CA-based PKI scheme is proposed that is well-associated with existed mechanisms (such as POW) in the original system. Finally, solutions of verification and multi-level assigning issues are constructed via verifiable secret sharing and multilevel secret sharing tools.

Yue Li,Mingcheng Xu,Gaojian Xu

DOI: https://doi.org/10.1007/s11227-022-04558-5

2022-05-18

Abstract:Nowadays, most of the federation chain identity authentication adopts the certificate authentication of CA (Certification Authority) under PKI (Public Key Infrastructure) system, but the authentication of CA is one-way authentication, and users cannot evaluate the trustworthiness of CA, and its centralized structure is prone to the single point of failure, which will bring great security risks. To address this problem, we propose an efficient and reliable two-way authentication scheme to achieve membership authentication of the federated chain through elliptic curves and bilinear pairs. Membership authentication is performed directly by the federated chain supervisor through smart contracts, and then key negotiation is conducted among members, and the shared key determined after key negotiation generates a hash digest through a hash function as the unique transaction address of the federated chain members. This scheme can effectively solve the problems of CA one-way authentication and the easy failure of centralized CA. Through experimental and theoretical analysis, the scheme is able to resist multiple attacks and performs better in terms of overhead compared with the same type of protocol. We also design a scheme using Lagrangian interpolation to cope with the necessary key recovery and key update.

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Han Bao,Xiaoping Zhang,Gaoyuan Wang,Renrui Tian,Jinrong Duan,Youjian Zhao

DOI: https://doi.org/10.1109/icc45041.2023.10279752

2023-01-01

Abstract:Internet of Things (IoT) devices have achieved rapid development but most of them are vulnerable to spoofing attacks and spoofing-related attacks. It is crucial to verify source identity at the near-source end to defend against attacks, save network forwarding resources, and relieve the authentication pressure on the receiver end. In this paper, we propose Smart-PKI, a blockchain-based distributed identity validation scheme for IoT Devices. In the architecture of Smart-PKI, near-source forwarders can verify the authenticity of the source identity of packets and can filter spoofed packets. Besides, we apply Merkle Patricia Trie (MPT) to the Smart-PKI blockchain to enable lightweight blockchain copy storage and efficient retrieval and verification of identity information on forwarders. Meanwhile, Smart-PKI proposes an identity restoration mechanism and enables solutions for the attacks caused by public and private key compromise. Furthermore, we implement Smart-PKI on Network Simulator Version 3 (NS3) and evaluate its performance against reflection denial-of-service (DDoS) attacks. The simulation results demonstrate the effectiveness and efficiency of Smart-PKI and it outperforms existing blockchain-based PKI solutions for IoT devices in terms of network latency for verifying certificates.

Ke Huang,Yi Mu,Fatemeh Rezaeibagha,Xiaosong Zhang,Ting Chen

DOI: https://doi.org/10.1109/mnet.101.2100088

IF: 10.294

2021-01-01

IEEE Network

Abstract:Blockchain is a publicly distributed ledger used to record transactions in Bitcoin-like cryptocurrencies. In recent years, the successful integrations of Public-Key Cryptographic (PKC) algorithms with cryptocurrencies have driven researchers to pursue the study of PKC. However, it is challenging to technically integrate PKC algorithms with blockchain properly in that the studies of blockchain leverage to broad domains and each existing problem can lead to diverse solutions. For cryptographically-solvable problems, it is important to find a secure and practical integration of PKC algorithm with blockchain. We systematically review three major topics in cryptocurrencies, including security, privacy and scalability. We conduct a case analysis which demonstrates how to integrate PKC with blockchains. As an illustration, we propose mutable blockchain which incorporates multiple PKC schemes and show how to use it to remove double-spending transactions via redaction. We then give a concrete construction. As suggested by our performance evaluation, the adopted PKC algorithms can run scalably and efficiently and avoid bottlenecks in the system.

Jing Chen,Shixiong Yao,Quan Yuan,Kun He,Shouling Ji,Ruiying Du

DOI: https://doi.org/10.1109/infocom.2018.8486344

2018-01-01

Abstract:In recent years, real-world attacks against PKI take place frequently. For example, malicious domains' certificates issued by compromised CAs are widespread, and revoked certificates are still trusted by clients. In spite of a lot of research to improve the security of SSL/TLS connections, there are still some problems unsolved. On one hand, although log-based schemes provided certificate audit service to quickly detect CAs' misbehavior, the security and data consistency of log servers are ignored. On the other hand, revoked certificates checking is neglected due to the incomplete, insecure and inefficient certificate revocation mechanisms. Further, existing revoked certificates checking schemes are centralized which would bring safety bottlenecks. In this paper, we propose a blockchain-based public and efficient audit scheme for TLS connections, which is called Certchain. Specially, we propose a dependability-rank based consensus protocol in our blockchain system and a new data structure to support certificate forward traceability. Furthermore, we present a method that utilizes dual counting bloom filter (DCBF) with eliminating false positives to achieve economic space and efficient query for certificate revocation checking. The security analysis and experimental results demonstrate that CertChain is suitable in practice with moderate overhead.

Pawel Szalachowski

DOI: https://doi.org/10.48550/arXiv.1804.00875

2018-04-03

Abstract:The Transport Layer Security (TLS) protocol is a de facto standard of secure client-server communication on the Internet. Its security can be diminished by a variety of attacks that leverage on weaknesses in its design and implementations. An example of a major weakness is the public-key infrastructure (PKI) that TLS deploys, which is a weakest-link system and introduces hundreds of links (i.e., trusted entities). Consequently, an adversary compromising a single trusted entity can impersonate any website. Notary systems, based on multi-path probing, were early and promising proposals to detect and prevent such attacks. Unfortunately, despite their benefits, they are not widely deployed, mainly due to their long-standing unresolved problems. In this paper, we present Persistent and Accountable Domain Validation (PADVA), which is a next-generation TLS notary service. PADVA combines the advantages of previous proposals, enhancing them, introducing novel mechanisms, and leveraging a blockchain platform which provides new features. PADVA keeps notaries auditable and accountable, introduces service-level agreements and mechanisms to enforce them, relaxes availability requirements for notaries, and works with the legacy TLS ecosystem. We implemented and evaluated PADVA, and our experiments indicate its efficiency and deployability.

Cryptography and Security

Bo Qin,Jikun Huang,Qin Wang,Xizhao Luo,Bin Liang,Wenchang Shi

DOI: https://doi.org/10.1016/j.future.2017.08.025

IF: 7.307

2020-01-01

Future Generation Computer Systems

Abstract:For numerous applications, it is essential to reliably link a public key with its owner. The current solution is to employ the well-known Public Key Infrastructure (PKI), represented by a trusted certificate authority (CA), to fulfill this assignment by signing the certificate for the public key after validating its owner. However, due to the centralized architecture, it raises the single-point failure problem with unpredictable threats. In this paper, we present a distributed certificate scheme, referred to as Cecoin which is inspired by the well-known Bitcoin by employing its irreversible unforgeability and public verifiability. In Cecoin, the certificates can be treated as currencies and recorded on block chain, which removes the single point failure problem. The miners can verify the validity of certificates following a set of rules to ensure ownership consistency, and allow an identity to bind multiple public-key certificates. For efficient retrieval and verification of certificates, and quick operations, we incorporate the modified Merkle Patricia tree and employ it to implement a distributed Certificate Library. To allow the owner to transfer the possession of identity, we design an online fair exchange protocol without a trusted third party. Security and efficiency analyses show that our Cecoin provides strong security with desirable efficiency.

Jason Chia,Swee-Huay Heng,Ji-Jian Chin,Syh-Yuan Tan,Wei-Chuen Yau

DOI: https://doi.org/10.3390/sym13081535

2021-08-20

Symmetry

Abstract:Public key infrastructure (PKI) plays a fundamental role in securing the infrastructure of the Internet through the certification of public keys used in asymmetric encryption. It is an industry standard used by both public and private entities that costs a lot of resources to maintain and secure. On the other hand, identity-based cryptography removes the need for certificates, which in turn lowers the cost. In this work, we present a practical implementation of a hybrid PKI that can issue new identity-based cryptographic keys for authentication purposes while bootstrapping trust with existing certificate authorities. We provide a set of utilities to generate and use such keys within the context of an identity-based environment as well as an external environment (i.e., without root trust to the private key generator). Key revocation is solved through our custom naming design which currently supports a few scenarios (e.g., expire by date, expire by year and valid for year). Our implementation offers a high degree of interoperability by incorporating X.509 standards into identity-based cryptography (IBC) compared to existing works on hybrid PKI–IBC systems. The utilities provided are minimalist and can be integrated with existing tools such as the Enterprise Java Bean Certified Authority (EJBCA).

Makan Rafiee,Lars Hupel

2024-12-05

Abstract:Central Bank Digital Currency (CBDC) is a new form of money, issued by a country's or region's central bank, that can be used for a variety of payment scenarios. Depending on its concrete implementation, there are many participants in a production CBDC ecosystem, including the central bank, commercial banks, merchants, individuals, and wallet providers. There is a need for robust and scalable Public Key Infrastructure (PKI) for CBDC to ensure the continued trust of all entities in the system. This paper discusses the criteria that should flow into the design of a PKI and proposes a certificate hierarchy, together with a rollover concept ensuring continuous operation of the system. We further consider several peculiarities, such as the circulation of offline-capable hardware wallets.

Cryptography and Security,Networking and Internet Architecture

Yuan Su,Yuheng Wang,Jiliang Li,Zhou Su,Witold Pedrycz,Qinnan Hu

DOI: https://doi.org/10.1109/tsusc.2024.3350343

2024-01-01

IEEE Transactions on Sustainable Computing

Abstract:The Public Key Infrastructure (PKI) system is the cornerstone of today's security communications. All users in the service domain covered by the same PKI system are able to authenticate each other before exchanging messages. However, there is identity isolation in different domains, making the identity of users in different domains cannot be recognized by PKI systems in other domains. To achieve cross-domain authentication, the consortium blockchain system is leveraged in the existing schemes. Unfortunately, the consortium blockchain-based authentication schemes have the following challenges: high cost, privacy concerns, scalability and economic unsustainability. To solve these challenges, we propose a scalable and privacy-preserving cross-domain authentication scheme called Bifrost-Auth. Firstly, Bifrost-Auth is designed to use a decentralized oracle to directly interact with blockchains in different domains instead of maintaining a consortium blockchain and enables mutual authentication for users lying in different domains. Secondly, users can succinctly authenticate their membership of the domain by the accumulator technique, where the membership proof is turned into zero knowledge to protect users' privacy. Finally, Bifrost-Auth is proven to be secure against various attacks, and thorough experiments are carried out and demonstrate the security and efficiency of Bifrost-Auth.

Haijian ZHOU,Ping LUO,Daoshun WANG,Yiqi DAI

DOI: https://doi.org/10.3321/j.issn:1000-0054.2008.07.025

2008-01-01

Abstract:Public key infrastructures (PKI) achieve authentication and key exchange by utilizing public key cryptography; however, the system's centralized models tend to be the bottleneck in the network. To improve PKI efficiency, a caching authentication model was developed. The model takes advantage of symmetric root key caching and public key certificates caching, with the caching authentication extended to among the certification authorities (CA) to increase re-usage of cached information. An improved certificate revocation list (CRL) look-up mechanism is introduced to enhance CRL look-up efficiency. Performance analyses show that, compared with the common X.509 protocol, the CA caching authentication effectively reduces the CRL look-up times and network communications in the authentication procedures. The authentication model eases bottlenecks for PKI frameworks, while guaranteeing authentication security and integrity.