JIANG Peipei,WANG Qian,CHEN Yanjiao,LI Qi,SHEN Chao

DOI: https://doi.org/10.11959/j.issn.1000-436x.2021035

2021-01-01

Abstract:While the security of blockchain has been the central concern of both academia and industry since the very start, new security threats continue to emerge, which poses great risks to the blockchain ecosystem.A systematic study was conducted on the most state-of-the-art research on potential security issues of blockchain.Specifically, a taxonomy was developed by considering the blockchain framework as a four-layer system, and the analysis on the most recent attacks against security loopholes in each layer was provided.Countermeasures that can strengthen the blockchain were also discussed by highlighting their fundamental ideas and comparing different solutions.Finally, the forefront of research and potential directions of blockchain security were put forward to encourage further studies on the security of blockchain.

Abba Garba,Qinwen Hu,Zhong Chen,Muhammad Rizwan Asghar

DOI: https://doi.org/10.1109/hpcc-smartcity-dss50907.2020.00108

2020-01-01

Abstract:Recently, real-world attacks against the web Public Key Infrastructure (PKI) have arisen more frequently. The current PKI that use Registration Authorities/Certificate Authorities (RAs/CAs) model suffer from notorious security vulnerabilities. Most of these vulnerabilities are due to compromises of RAs, which lead to impersonation attacks resulting in CAs misbehaving to issue bogus certificates. To counter this problem, many approaches, such as Certificate Transparency (CT), ARPKI, and PoliCert, have been proposed. Nonetheless, no solution has yet gained widespread acceptance as a result of complexity and deployability issues. Moreover, existing approaches still require to satisfy complicated interactions and synchronisation among the entities that are involved during certificate issuance, updates, and revocations. In this paper, we propose a new Blockchain-Based PKI (BB-PKI) to address these vulnerabilities of CA misbehaviour caused by impersonation attacks against RAs. Certificate Issuance Request (CIR) should be vouched by manifold RAs. Multiple CAs shall sign and issue the certificate using an out-of-band secure communication channel. Any RA that contributes to the verification process of a user's request can publish the certificate in the blockchain by creating a smart contract certificate transaction. BB-PKI offers strong security guarantees, compromising $n - 1$ of the RAs or CAs is not enough to launch impersonation attacks, meaning that attackers cannot compromise more than the threshold of the latter signatures to launch an attack.

Ratna Halder,Dipanjan Das Roy,Dongwan Shin

DOI: https://doi.org/10.3390/jcp4020010

2024-03-31

Journal of Cybersecurity and Privacy

Abstract:Internet applications rely on Secure Socket Layer (SSL)/Transport Security Layer (TSL) certifications to establish secure communication. However, the centralized nature of certificate authorities (CAs) poses a risk, as malicious third parties could exploit the CA to issue fake certificates to malicious web servers, potentially compromising the privacy and integrity of user data. In this paper, we demonstrate how the utilization of decentralized certificate verification with blockchain technology can effectively address and mitigate such attacks. We present a decentralized public key infrastructure (PKI) based on a distributed trust model, e.g., Web of Trust (WoT) and blockchain technologies, to overcome vulnerabilities like single points of failure and to prevent tampering with existing certificates. In addition, our infrastructure establishes a trusted key-ring network that decouples the authentication process from CAs in order to enhance secure certificate issuance and accelerate the revocation process. Furthermore, as a proof of concept, we present the implementation of our proposed system in the Ethereum blockchain, confirming that the proposed framework meets the five identified requirements. Our experimental results demonstrate the effectiveness of our proposed system in practice, albeit with additional overhead compared to conventional PKIs.

computer science, information systems, interdisciplinary applications, software engineering

Chengyuan Zhang,Changqing An,Tao Yu,Zhiyan Zheng,Jilong Wang

DOI: https://doi.org/10.1109/noms59830.2024.10575605

2024-01-01

Abstract:The validity and efficiency of certificate revocation in today's web Public Key Infrastructure (PKI) are consistently overlooked. In this paper, we analyse current certificate revocation schemes from the perspective of Certificate Authorities (CAs) and browsers. We find that the average size of CRL files collected from popular CAs can be as large as 2MB and the average response time of OCSP is around 430ms, which means that the time overhead brought by current certificate revocation schemes is not negligible. Moreover, browsers often fail to perform the revocation check correctly and allow websites to use revoked certificates, which can help attackers to launch man-in-the-middle attacks using fraudulent certificates.We also summarise existing problems and propose a novel certificate revocation scheme utilizing DNS resource records for efficient and privacy-preserving distribution. We have implemented a prototype to evaluate the performance of our scheme, and test results show that our scheme is time-efficient and able to withstand realistic workloads. We hope that our work can stimulate further discussion of the problems in Web PKI.

Jing Chen,Shixiong Yao,Quan Yuan,Kun He,Shouling Ji,Ruiying Du

DOI: https://doi.org/10.1109/infocom.2018.8486344

2018-01-01

Abstract:In recent years, real-world attacks against PKI take place frequently. For example, malicious domains' certificates issued by compromised CAs are widespread, and revoked certificates are still trusted by clients. In spite of a lot of research to improve the security of SSL/TLS connections, there are still some problems unsolved. On one hand, although log-based schemes provided certificate audit service to quickly detect CAs' misbehavior, the security and data consistency of log servers are ignored. On the other hand, revoked certificates checking is neglected due to the incomplete, insecure and inefficient certificate revocation mechanisms. Further, existing revoked certificates checking schemes are centralized which would bring safety bottlenecks. In this paper, we propose a blockchain-based public and efficient audit scheme for TLS connections, which is called Certchain. Specially, we propose a dependability-rank based consensus protocol in our blockchain system and a new data structure to support certificate forward traceability. Furthermore, we present a method that utilizes dual counting bloom filter (DCBF) with eliminating false positives to achieve economic space and efficient query for certificate revocation checking. The security analysis and experimental results demonstrate that CertChain is suitable in practice with moderate overhead.

Murat Yasin Kubilay,Mehmet Sabir Kiraz,Haci Ali Mantar

DOI: https://doi.org/10.48550/arXiv.1806.03914

2018-10-01

Abstract:In conventional PKI, CAs are assumed to be fully trusted. However, in practice, CAs' absolute responsibility for providing trustworthiness caused major security and privacy issues. To prevent such issues, Google introduced the concept of Certificate Transparency (CT) in 2013. Later, several new PKI models (e.g., AKI, ARPKI, and DTKI) are proposed to reduce the level of trust to the CAs. However, all of these proposals are still vulnerable to split-world attacks if the adversary is capable of showing different views of the log to the targeted victims. In this paper, we propose a new PKI architecture with certificate transparency based on blockchain, what we called CertLedger, to eliminate the split-world attacks and to provide an ideal certificate/revocation transparency. All TLS certificates, their revocation status, entire revocation process, and trusted CA management are conducted in the CertLedger. CertLedger provides a unique, efficient, and trustworthy certificate validation process eliminating the conventional inadequate and incompatible certificate validation processes implemented by different software vendors. TLS clients in the CertLedger also do not require to make certificate validation and store the trusted CA certificates anymore. We analyze the security and performance of the CertLedger and provide a comparison with the previous proposals.

Cryptography and Security

Xinyi Luo,Zhuo Xu,Kaiping Xue,Qiantong Jiang,Ruidong Li,David Wei

DOI: https://doi.org/10.1109/icdcs54860.2022.00121

2022-01-01

Abstract:As the voucher for identity, digital certificates and the public key infrastructure (PKI) system have always played a vital role to provide the authentication services. In recent years, with the increase in attacks on traditional centralized PKIs and the extensive deployment of blockchains, researchers have tried to establish blockchain-based secure decentralized PKIs and have made significant progress. Although blockchain enhances security, it brings new problems in scalability due to the inherent limitations of blockchain’s data structure and consensus mechanism, which become much severe for the massive access in the era of 5G and B5G. In this paper, we propose ScalaCert to mitigate the scalability problems of blockchain-based PKIs by utilizing redactable blockchain for "on-cert" revocation. Specifically, we utilize the redactable blockchain to record revocation information directly on the original certificate ("on-cert") and remove additional data structures such as CRL, significantly reducing storage overhead. Moreover, the combination of redactable and consortium blockchains brings a new kind of attack called deception of versions (DoV) attack. To defend against it, we design a random-block-node-check (RBNC) based freshness check mechanism. Security and performance analyses show that ScalaCert has sufficient security and effectively solves the scalability problem of the blockchain-based PKI system.

Christos Patsonakis,Katerina Samari,Aggelos Kiayias,Mema Roussopoulos

DOI: https://doi.org/10.1109/DAPPCON.2019.00022

2019-02-03

Abstract:Public key infrastructures (PKIs) are one of the main building blocks for securing communications over the Internet. Currently, PKIs are under the control of centralized authorities, which is problematic as evidenced by numerous incidents where they have been compromised. The distributed, fault tolerant log of transactions provided by blockchains and more recently, smart contract platforms, constitutes a powerful tool for the decentralization of PKIs. To verify the validity of identity records, blockchain-based identity systems store on chain either all identity records, or, a small (or even constant) sized amount of data to verify identity records stored off chain. However, as most of these systems have never been implemented, there is little information regarding the practical implications of each design's tradeoffs. In this work, we first implement and evaluate the only provably secure, smart contract based PKI of [1] on top of Ethereum. This construction incurs constant-sized storage at the expense of computational complexity. To explore this tradeoff, we propose and implement a second construction which, eliminates the need for trusted setup, preserves the security properties of [1] and, as illustrated through our evaluation, is the only version with constant-sized state that can be deployed on the live chain of Ethereum. Furthermore, we compare these two systems with the simple approach of most prior works, e.g., the Ethereum Name Service, where all identity records are stored on the smart contract's state, to illustrate several shortcomings of Ethereum and its cost model. We propose several modifications for fine tuning the model, which would be useful to be considered for any smart contract platform like Ethereum so that it reaches its full potential to support arbitrary distributed applications.

Distributed, Parallel, and Cluster Computing

Erhan Turan,Sevil Sen,Tamer Ergun

DOI: https://doi.org/10.1109/access.2024.3394657

IF: 3.9

2024-05-03

IEEE Access

Abstract:The conventional Public Key Infrastructure (PKI) has long been plagued by security issues stemming from its centralized and non-transparent design. In recent years, blockchain-based PKI architectures have emerged as promising solutions to overcome such issues. However, existing research has predominantly focused on SSL certificates, overlooking other certificate types used for purposes such as facilitating electronic signatures/seals, code signing, and S/MIME- all reliant on the foundational PKI infrastructure. In this study, we present a novel blockchain-based PKI architecture designed to accommodate diverse certificate types. Combining the principles of the Web of Trust with a centralized model, our SemiDec-PKI establishes a resilient, distributed infrastructure. This unique synergy minimizes reliance on a single central authority, mitigating the vulnerabilities associated with traditional PKI systems' single points of failure. With a cross-check mechanism and collective consensus of trusted entities, SemiDec-PKI provides higher fault tolerance, preventing disruptions from certificate misissuance or compromised certificate authorities. Furthermore, it introduces a stake-based reward-punishment mechanism which incentives honest behavior and penalizes malicious actions, serving as a potent deterrent against impersonation attacks.

computer science, information systems,telecommunications,engineering, electrical & electronic

Qi Feng,Debiao He,Sherali Zeadally,Muhammad Khurram Khan,Neeraj Kumar

DOI: https://doi.org/10.1016/j.jnca.2018.10.020

IF: 7.574

2019-01-01

Journal of Network and Computer Applications

Abstract:Blockchain, as a decentralized and distributed public ledger technology in peer-to-peer network, has received considerable attention recently. It applies a linked block structure to verify and store data, and applies the trusted consensus mechanism to synchronize changes in data, which makes it possible to create a tamper-proof digital platform for storing and sharing data. It is believed that blockchain can be utilized in diverse Internet interactive systems (e.g., Internet of Things, supply chain systems, identity management, and so on). However, there are some privacy challenges that may hinder the applications of blockchain. The goal of this survey is to provide some insights into the privacy issues associated with blockchain. We analyze the privacy threats in blockchain and discuss existing cryptographic defense mechanisms, i.e., anonymity and transaction privacy preservation. Furthermore, we summarize some typical implementations of privacy preservation mechanisms in blockchain and explore future research challenges that still need to be addressed in order to preserve privacy when blockchain is used.

computer science, interdisciplinary applications, software engineering, hardware & architecture

Xiaoqi Li,Peng Jiang,Ting Chen,Xiapu Luo,Qiaoyan Wen

DOI: https://doi.org/10.48550/arXiv.1802.06993

2020-11-05

Abstract:Since its inception, the blockchain technology has shown promising application prospects. From the initial cryptocurrency to the current smart contract, blockchain has been applied to many fields. Although there are some studies on the security and privacy issues of blockchain, there lacks a systematic examination on the security of blockchain systems. In this paper, we conduct a systematic study on the security threats to blockchain and survey the corresponding real attacks by examining popular blockchain systems. We also review the security enhancement solutions for blockchain, which could be used in the development of various blockchain systems, and suggest some future directions to stir research efforts into this area.

Cryptography and Security

Adrian-Tudor Dumitrescu,Johan Pouwelse

2024-01-11

Abstract:The Public Key Infrastructure existed in critical infrastructure systems since the expansion of the World Wide Web, but to this day its limitations have not been completely solved. With the rise of government-driven digital identity in Europe, it is more important than ever to understand how PKI can be an efficient frame for eID and to learn from mistakes encountered by other countries in such critical systems. This survey aims to analyze the literature on the problems and risks that PKI exhibits, establish a brief timeline of its evolution in the last decades and study how it was implemented in digital identity projects.

Distributed, Parallel, and Cluster Computing,Cryptography and Security

Rim Gasmi,Sarra Hammoudi,Manal Lamri,Saad Harous

DOI: https://doi.org/10.1007/s11277-023-10664-1

IF: 2.017

2023-08-04

Wireless Personal Communications

Abstract:Users' security is one of the most important issues in Internet of Things (IoT) due to the high number of IoT devices involved in different applications. Security threats are evolving at a rapid pace that make the current security and privacy measures unsuitable. Therefore, several researchers have been attracted by this domain with the aim of proposing either new or improved solutions to address the problem of security in IoT. Blockchain technology is a relatively new invention in modern IoT applications to solve the security issue. It is based on the use of a public immutable ledger called a blockchain. After conducting a verification process, several parts on a network encode transactions into this ledger. Moreover, Machine learning (ML) algorithms have been used as emerging solutions to improve IoT security. Reinforcement learning (RL) is the most popular machine learning technique proposed to secure IoT systems. Unlike other ML methods, RL can observe, learn and interact with the environment even if it has minimum information about the considered parameters. Various researches have been proposed to treat security problem in IoT based on either RL technique or Blockchain technology or a combination of both techniques. Therefore, we believe there is a need for a comprehensive survey on works proposed in recent years that address security issues using these techniques. In this paper, we provide a summary of research efforts made in the past few years, from 2018 to 2021, addressing security issues using RL and blockchain techniques in the IoT domain.

telecommunications

Ali Shahidinejad,Jemal Abawajy

DOI: https://doi.org/10.1145/3645087

IF: 16.6

2024-02-10

ACM Computing Surveys

Abstract:Authentication and Session Key Generation Protocols (SKGPs) play an essential role in securing the communication channels of connected Internet of Things (IoT) devices. Recently, through blockchain integration, scholars have tried to enhance the security and applicability of SKGPs. In brief, blockchain is a distributed ledger technology that can provide interesting features such as immutability, transparency, and accountability without any need for the active participation of trusted parties. This survey presents a comprehensive critical review of blockchain-assisted authentication and SKGPs, suggested for different IoT domains, including Internet of Vehicles (IoV), Internet of Drones (IoD), and Industrial IoT (IIoT). Our survey categorizes existing schemes based on several criteria, including IoT application domains, security aspects, and blockchain components. By presenting an unbiased critical review and taxonomy of protocols, we aim to clarify the key challenges. Our review will specifically indicate what properties authors gained or lost through the integration of blockchain. This survey is the only one that offers all prerequisites for interested readers in blockchain-integrated SKGPs, such as security features and attacks, attack models, verification tools, blockchain types, blockchain platforms, consensus mechanisms, and etc. Further, our survey elaborates existing research gaps in blockchain-assisted SKGPs. Doing so, we aim to guide future research in this field and provide researchers with the essential information they require.

computer science, theory & methods

Oleksandr Dulia,Dmytro Minochkin

DOI: https://doi.org/10.20535/2411-1031.2023.11.2.293496

2023-12-28

Abstract:This article delves into the vital role of Public Key Infrastructure (PKI) in securing and authenticating communications across a multitude of fields. PKI has evolved from a mere technical concept into a cornerstone of secure digital communications, playing a central role in various domains such as web security, healthcare, finance, the Internet of Things (IoT), and government services. PKI employs cryptographic techniques and digital certificates to establish trust, ensure data integrity, and enable secure communications, thus acting as the backbone of digital security. In the wake of the digital revolution, the demand for reliable and robust security solutions has skyrocketed. The diversity and scale of modern digital platforms necessitate adaptable security solutions, a challenge which PKI tackles through its flexible implementation. Despite sharing core principles, the implementation of PKI demonstrates divergences influenced by factors such as scale, complexity, resource constraints, regulatory environments, and trust models. This article offers an extensive comparison of PKI's utilization across various domains, highlighting the commonalities and divergences. It explores how PKI is tailored to meet the unique requirements and challenges of each sector and discusses the certificate lifecycle management in varying contexts. Moreover, it provides an analysis of the current state of PKI applications and challenges, offering insights into the evolving landscape of threats and technologies. Not only does the article address the current state of PKI, but it also presents a forward-looking perspective on its potential future developments. As the digital landscape continues to evolve and expand, it is crucial to anticipate the emerging challenges and devise strategies for proactive adaptation. This article thus serves as a comprehensive resource for understanding the role and impact of PKI in the contemporary digital infrastructure. Ultimately, the article seeks to underline the importance of PKI and highlight the need for continued research and development in this area. As our reliance on digital communications and transactions continues to grow, the role of PKI in safeguarding these interactions becomes increasingly significant. This comprehensive review serves as a valuable resource for researchers, practitioners, and policymakers in understanding the diverse applications of PKI and its critical role in securing the digital world.

Pawel Szalachowski

DOI: https://doi.org/10.48550/arXiv.1804.00875

2018-04-03

Abstract:The Transport Layer Security (TLS) protocol is a de facto standard of secure client-server communication on the Internet. Its security can be diminished by a variety of attacks that leverage on weaknesses in its design and implementations. An example of a major weakness is the public-key infrastructure (PKI) that TLS deploys, which is a weakest-link system and introduces hundreds of links (i.e., trusted entities). Consequently, an adversary compromising a single trusted entity can impersonate any website. Notary systems, based on multi-path probing, were early and promising proposals to detect and prevent such attacks. Unfortunately, despite their benefits, they are not widely deployed, mainly due to their long-standing unresolved problems. In this paper, we present Persistent and Accountable Domain Validation (PADVA), which is a next-generation TLS notary service. PADVA combines the advantages of previous proposals, enhancing them, introducing novel mechanisms, and leveraging a blockchain platform which provides new features. PADVA keeps notaries auditable and accountable, introduces service-level agreements and mechanisms to enforce them, relaxes availability requirements for notaries, and works with the legacy TLS ecosystem. We implemented and evaluated PADVA, and our experiments indicate its efficiency and deployability.

Cryptography and Security

Kaustubh Dwivedi,Ankit Agrawal,Ashutosh Bhatia,Kamlesh Tiwari

2024-04-28

Abstract:The widespread adoption of blockchain technology has amplified the spectrum of potential threats to its integrity and security. The ongoing quest to exploit vulnerabilities emphasizes how critical it is to expand on current research initiatives. Thus, using a methodology based on discrete blockchain layers, our survey study aims to broaden the existing body of knowledge by thoroughly discussing both new and known attack vectors inside the blockchain ecosystem. This survey proposes a novel classification of blockchain attacks and an in-depth investigation of blockchain data security. In particular, the paper provides a thorough discussion of the attack techniques and vulnerabilities that are specific to each tier, along with a detailed look at mitigating techniques. We reveal the deep dynamics of these security concerns by closely investigating the fundamental causes of attacks at various blockchain tiers. We clarify mitigation methods for known vulnerabilities and offer new information on recently developed attack vectors. We also discuss the implications of quantum computing in blockchain and the weaknesses in the current technology that can be exploited in the future. Our study advances the field of blockchain security and privacy research while also contributing to our understanding of blockchain vulnerabilities and attacks. This survey paper is a useful tool for readers who want to learn more about the intricacies of blockchain security. It also invites researchers to help strengthen blockchain privacy and security, paving the way for further developments in this dynamic and ever-evolving field.

Cryptography and Security

Stefan Kambiz Behfar,Jon Crowcroft

2023-11-03

Abstract:This study addresses the security challenges associated with the current internet transformations, specifically focusing on emerging technologies such as blockchain and decentralized storage. It also investigates the role of Web3 applications in shaping the future of the internet. The primary objective is to propose a novel design for 'smart certificates,' which are digital certificates that can be programmatically enforced. Utilizing such certificates, an enterprise can better protect itself from cyberattacks and ensure the security of its data and systems. Web3 recent security solutions by companies and projects like Certik, Forta, Slither, and Securify are the equivalent of code scanning tool that were originally developed for Web1 and Web2 applications, and definitely not like certificates to help enterprises feel safe against cyberthreats. We aim to improve the resilience of enterprises' digital infrastructure by building on top of Web3 application and put methodologies in place for vulnerability analysis and attack correlation, focusing on architecture of different layers, Wallet/Client, Application and Smart Contract, where specific components are provided to identify and predict threats and risks. Furthermore, Certificate Transparency is used for enhancing the security, trustworthiness and decentralized management of the certificates, and detecting misuses, compromises, and malfeasances.

Cryptography and Security,Artificial Intelligence

Abel C. H. Chen

DOI: https://doi.org/10.1109/ICSSES62373.2024.10561274

2024-08-05

Abstract:In recent years, with the advancement of quantum computing, mainstream asymmetric cryptographic methods in the current Public Key Infrastructure (PKI) systems are gradually being threatened. Therefore, this study explores X.509 security certificates based on Post-Quantum Cryptography (PQC) and discusses implemented solutions. This study compares mainstream asymmetric cryptographic methods (including RSA and Elliptic Curve Digital Signature Algorithm (ECDSA)) with standard PQC methods (including Falcon, Dilithium, SPHINCS+), comparing the efficiency of certificate generation, signature generation, and signature verification. Finally, recommendations for a solution based on PQC for X.509 security certificates are proposed.

Cryptography and Security,Software Engineering

Rajesh Kumar

DOI: https://doi.org/10.55041/ijsrem11514

2022-01-24

INTERANTIONAL JOURNAL OF SCIENTIFIC RESEARCH IN ENGINEERING AND MANAGEMENT

Abstract:Since when bitcoin make an entry in cryptocurrency which is based on blockchain technology gets so much popularity just from initial phase itself, now most of the cryptocurrency are moving towards blockchain framework and using different hashing function. In this advancement most of the works are now using blockchain technology from cryptocurrency to smart online retails platforms which has been used by Walmart. since its going to be most used term and popular technology most of the attackers are targeting and just by using some loopholes and any other technical glitches or any other way they are attacking over this technology. since its going to be future and everyone is concerned for its security and privacy, here we did a good comparison of many attacks already did on this blockchain frameworks and we summarize this attacks and we tried to give our own opinion to make it more reliable and flexible. Key Words: Consensus, PoW, PoS, PoL, PoI, Bloch Chain,