A decentralized dynamic PKI based on blockchain

The central role of the certificate authority (CA) in traditional public key infrastructure (PKI) makes it fragile and prone to compromises and operational failures. Maintaining CAs and revocation lists is demanding, especially in large and loosely connected systems. Log-based PKIs have been proposed as a remedy, but they do not solve the problem effectively. We provide a general model and a solution for a decentralized and dynamic PKI based on a blockchain and a web-of-trust model, in which the traditional CA and digital certificates are removed and everything is instead registered on the blockchain. Registration, revocation, and update of public keys are based on a consensus mechanism between a certain number of entities that are already part of the system. Any node that is part of the system can act as an auditor and initiate the revocation procedure once it detects malicious activity. Revocation lists are no longer required, as any node can efficiently verify the public keys through witnesses.
