research-article

CertLedger: A new PKI model with Certificate Transparency based on blockchain

Published: 01 August 2019

Abstract

In conventional PKI, CAs are assumed to be fully trusted. In practice, however, the CAs’ absolute responsibility for providing trustworthiness has caused major security and privacy issues. To prevent such issues, Google introduced the concept of Certificate Transparency (CT) in 2013. Later, several new PKI models were proposed to reduce the level of trust placed in CAs. However, all of these proposals remain vulnerable to split-world attacks if the adversary is capable of showing different views of the log to the targeted victims. In this paper, we propose a new PKI architecture with certificate transparency based on blockchain, which we call CertLedger, to eliminate split-world attacks and to provide certificate/revocation transparency. Validation and storage of all TLS certificates, the entire revocation process, and trusted CA certificate management are conducted in CertLedger. During a TLS connection, TLS clients get an efficient proof of existence of the certificate directly from its domain owners. Hence, privacy is now perfectly preserved by eliminating the traceability issue via OCSP servers. CertLedger also provides a unique, efficient, and trustworthy certificate validation process, eliminating the conventional inadequate and incompatible certificate validation processes implemented by different software vendors. TLS clients in CertLedger no longer need to perform certificate validation or store the trusted CA certificates. We analyze the security and performance of CertLedger and provide a comparison with the previous proposals. Finally, we implement its prototype on Ethereum to demonstrate experimental results. The results show that the performance of the TLS handshake and certificate validation through CertLedger is significantly improved compared to the current TLS protocol.



Published In

Computers and Security, Volume 85, Issue C
Aug 2019
453 pages

Publisher

Elsevier Advanced Technology Publications
United Kingdom

Publication History

Published: 01 August 2019

Author Tags

1. PKI
2. SSL/TLS
3. Certificate Transparency
4. Certificate validation
5. Privacy
6. Blockchain


Cited By

• (2024) Blockchain-Based Secure Authentication and Authorization Framework for Robust 5G Network Slicing. IEEE Transactions on Network and Service Management 21:4 (3988-4005). DOI: 10.1109/TNSM.2024.3416418. Online publication date: 19-Jun-2024
• (2024) Tethering Layer 2 solutions to the blockchain. Computer Communications 225:C (289-310). DOI: 10.1016/j.comcom.2024.07.017. Online publication date: 18-Nov-2024
• (2023) A Lightweight Cross-Domain Authentication Protocol for Trusted Access to Industrial Internet. International Journal on Semantic Web & Information Systems 19:1 (1-25). DOI: 10.4018/IJSWIS.333481. Online publication date: 8-Nov-2023
• (2023) Distributed Public Key Certificate-Issuing Infrastructure for Consortium Certificate Authority Using Distributed Ledger Technology. Security and Communication Networks 2023. DOI: 10.1155/2023/9559439. Online publication date: 1-Jan-2023
• (2023) Transparent Registration-Based Encryption through Blockchain. Distributed Ledger Technologies: Research and Practice 2:1 (1-14). DOI: 10.1145/3568315. Online publication date: 14-Mar-2023
• (2023) A New Scalable and Secure Access Control Scheme Using Blockchain Technology for IoT. IEEE Transactions on Network and Service Management 20:3 (2957-2974). DOI: 10.1109/TNSM.2023.3246120. Online publication date: 1-Sep-2023
• (2023) HCSC: A Hierarchical Certificate Service Chain Based on Reputation for VANETs. IEEE Transactions on Intelligent Transportation Systems 24:6 (6123-6145). DOI: 10.1109/TITS.2023.3250279. Online publication date: 6-Mar-2023
• (2023) A Survey on X.509 Public-Key Infrastructure, Certificate Revocation, and Their Modern Implementation on Blockchain and Ledger Technologies. IEEE Communications Surveys & Tutorials 25:4 (2529-2568). DOI: 10.1109/COMST.2023.3323640. Online publication date: 1-Oct-2023
• (2023) A survey on the efficiency, reliability, and security of data query in blockchain systems. Future Generation Computer Systems 145:C (303-320). DOI: 10.1016/j.future.2023.03.044. Online publication date: 1-Aug-2023
• (2023) LRS_PKI. Computer Networks: The International Journal of Computer and Telecommunications Networking 237:C. DOI: 10.1016/j.comnet.2023.110043. Online publication date: 1-Dec-2023
