Blockchain-Based Certificate Transparency and Revocation Transparency

Wang, Ze; Lin, Jingqiang; Cai, Quanwei; Wang, Qiongxiao; Jing, Jiwu; Zha, Daren

doi:10.1007/978-3-662-58820-8_11

Cited by 40 publications

(33 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Regarding blockchain implementation of PKI and Certificate Transparency, an important aspect of research was considered in [25]. Authors looked at the potential techniques to realize TLS handshake based on blockchain's local light node technically built-in to the browser.…”

Section: Related Workmentioning

confidence: 99%

BlockPGP: A Blockchain-based Framework for PGP Key Servers

Yakubov

Shbair

Khan

et al. 2020

IJNC

View full text Add to dashboard Cite

Pretty Good Privacy (PGP) is one of the most prominent cryptographic standards offering end-to-end encryption for email messages and other sensitive information exchange. PGP allows to verify the identity of the correspondent in information exchange as well as the information integrity. PGP implements asymmetric encryption with certificates shared through a network of PGP key servers. In this paper, we propose a new PGP management framework with the key servers infrastructure implemented using blockchain technology. Our approach offers fast propagation of certificate revocation among PGP key servers and elimination of man-in-the-middle risks. It also grants users the required access control to update their own PGP certificates, which is not the case with the current PGP key servers. A prototype has been implemented using Ethereum blockchain and an open source key server, named Hockeypuck. Finally, we evaluated the prototype with extensive experiments. Our results show that our solution is practical and it could be integrated with the existing public PGP key servers infrastructure.

show abstract

Section: Related Workmentioning

confidence: 99%

BlockPGP: A Blockchain-based Framework for PGP Key Servers

Yakubov

Shbair

Khan

et al. 2020

IJNC

View full text Add to dashboard Cite

show abstract

“…However, the authors in Blockstack [39] identified that a single miner in [34] holds over 51% of computation power and clients are exposed to 51% attacks. Wang et al [40] presented a PKI framework to manage TLS certificates and their revocation on a blockchain medium. In this blockchain-based PKI, each domain server has two key-pairs, namely, publishing key-pair and TLS key-pair.…”

Section: Related Workmentioning

confidence: 99%

Attack-Resilient TLS Certificate Transparency

et al. 2020

View full text Add to dashboard Cite

The security of Public-Key Infrastructure (PKI) for Internet-based communications has lately attracted researchers' attention because of Certification Authorities (CAs) crashes and consequent attacks. Google Certificate Transparency and subsequent log-based PKI proposals (e.g., AKI and ARPKI) have succeeded in making certificate-management processes more transparent, accountable, and verifiable. However, those proposals failed to solve the root CA generous delegation of trust to intermediate CAs, non-conformant certificate-issuance by them, and lack of rigorous authentication of domain ownership during certificate-issuance problems. This study presents Attack-Resilient TLS Certificate Transparency (ARCT) based on log servers to address these problems. ARCT enables root CA to enforce intermediate CAs to follow community standards through leveraging a log server at each root level. It also introduces a collaborative domain ownership verification method that deters false certificate-issuance and ensures that a set of CAs validates every certificate before any client will accept it. A certificate collectively approved by a set of CAs assures users that the certificate has been seen, and not instantly detected malicious, by a group of CAs. Finally, formal security and performance evaluations prove the reliability and effectiveness of ARCT.

show abstract

“…Blockchain‐based CT and revocation 20 is a new framework that stores certificates along with the revocation status (i.e., OCSP and CRL) in the blockchain transaction. In Wang et al, 20 web servers possess two public keys simultaneously: the publishing key endorsed by a set of web servers (used to approve transactions) and another public key endorsed by a trusted CA. The subject publishes the CA‐signed certificate using the publishing key to a global certificate blockchain.…”

Section: Related Workmentioning

confidence: 99%

“…The subject publishes the CA‐signed certificate using the publishing key to a global certificate blockchain. However, Wang et al 20 relies on the CA for revocation transparency. Moreover, a powerful adversary controlling some web servers can get a certificate from a dishonest CA to impersonate the server 18 …”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

SCM: Secure and accountable TLS certificate management

Khan

Zhang

Zhu

et al. 2020

Int J Communication

View full text Add to dashboard Cite

Summary In classical public‐key infrastructure (PKI), the certificate authorities (CAs) are fully trusted, and the security of the PKI relies on the trustworthiness of the CAs. However, recent failures and compromises of CAs showed that if a CA is corrupted, fake certificates may be issued, and the security of clients will be at risk. As emerging solutions, blockchain‐ and log‐based PKI proposals potentially solved the shortcomings of the PKI, in particular, eliminating the weakest link security and providing a rapid remedy to CAs' problems. Nevertheless, log‐based PKIs are still exposed to split‐world attacks if the attacker is capable of presenting two distinct signed versions of the log to the targeted victim(s), while the blockchain‐based PKIs have scaling and high‐cost issues to be overcome. To address these problems, this paper presents a secure and accountable transport layer security (TLS) certificate management (SCM), which is a next‐generation PKI framework. It combines the two emerging architectures, introducing novel mechanisms, and makes CAs and log servers accountable to domain owners. In SCM, CA‐signed domain certificates are stored in log servers, while the management of CAs and log servers is handed over to a group of domain owners, which is conducted on the blockchain platform. Different from existing blockchain‐based PKI proposals, SCM decreases the storage cost of blockchain from several hundreds of GB to only hundreds of megabytes. Finally, we analyze the security and performance of SCM and compare SCM with previous blockchain‐ and log‐based PKI schemes.

show abstract

Blockchain-Based Certificate Transparency and Revocation Transparency

Cited by 40 publications

References 24 publications

BlockPGP: A Blockchain-based Framework for PGP Key Servers

BlockPGP: A Blockchain-based Framework for PGP Key Servers

Attack-Resilient TLS Certificate Transparency

SCM: Secure and accountable TLS certificate management

Contact Info

Product

Resources

About