PBCert: Privacy-Preserving Blockchain-Based Certificate Status Validation Toward Mass Storage Management

Yao, Shixiong; Chen, Jing; He, Kun; Du, Ruxu; Zhu, Tianqing; Chen, Xin

doi:10.1109/access.2018.2889898

Cited by 34 publications

(10 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Yao et al [25] developed a privacy-preserving blockchainbased certificate status validation scheme (PBCert). It stores certificate operations in a blockchain to support public audits and efficient revocation checking, which uses the online certificate status protocol.…”

Section: B Pki Enhanced By Dltmentioning

confidence: 99%

“…In these scenarios, the attack is successful if is not detected by the verifier via VAL-Tx because the purpose of the attacker is to make trust . Cecoin [17] BlockPGP [18] Bubbles of Trust [19] CTB [22] CertLedger [23] PBCert [25] Meta-PKI (this work) This section considers an attack in which the attacker takes over a Meta-CA and adds to the CA_CERT section of the ledger.…”

Section: A Attackermentioning

confidence: 99%

See 1 more Smart Citation

Cross-Certification Towards Distributed Authentication Infrastructure: A Case of Hyperledger Fabric

et al. 2020

View full text Add to dashboard Cite

In Internet of Things ecosystems, where various entities trade data and data analysis results, public key infrastructure plays an important role in establishing trust relationships between these entities to specify who trusts whose private keys. The owner of a private key is provided with a public key certificate issued by a certificate authority (CA) representing a trusted third party. Although this certificate ensures the reliability of the ecosystem by verifying the data source and preventing the denial of trading, it often causes an overconcentration of trust in a particular CA. Consequently, if that CA is infringed, all the related trust relationships become compromised. The paper proposes a distributed authentication infrastructure called Meta-PKI that decentralizes such overconcentration via a cross-certification procedure performed by multiple CAs. Although cross-certification is capable of establishing mutual trust relationships, it does not evaluate the trustworthiness of other CAs in a standardized manner. Therefore, this paper also proposes a new crosscertification method using a distributed ledger technology for building trust relationships based on unified criteria. It also describes the implementation of a Meta-PKI system for Hyperledger Fabric as a proof of concept. Once trust relationships have been established, it takes approximately 65.7 ms to validate them using the proposed system, which is secure against CA takeover and spoofing by outsider attackers.

show abstract

Section: B Pki Enhanced By Dltmentioning

confidence: 99%

Section: A Attackermentioning

confidence: 99%

Cross-Certification Towards Distributed Authentication Infrastructure: A Case of Hyperledger Fabric

et al. 2020

View full text Add to dashboard Cite

show abstract

“…CertChain adopted the Ouroboros [44] as a consensus algorithm, which relies on CA and bookkeeper's reputation for a leader selection. PBCert [45] identified shortcomings in CertChain and proposed enhancement to mitigate the issues. CertLegder [41] presented a PKI framework where all certificate-related operations and data are handled on a blockchain medium.…”

Section: Related Workmentioning

confidence: 99%

Attack-Resilient TLS Certificate Transparency

et al. 2020

View full text Add to dashboard Cite

The security of Public-Key Infrastructure (PKI) for Internet-based communications has lately attracted researchers' attention because of Certification Authorities (CAs) crashes and consequent attacks. Google Certificate Transparency and subsequent log-based PKI proposals (e.g., AKI and ARPKI) have succeeded in making certificate-management processes more transparent, accountable, and verifiable. However, those proposals failed to solve the root CA generous delegation of trust to intermediate CAs, non-conformant certificate-issuance by them, and lack of rigorous authentication of domain ownership during certificate-issuance problems. This study presents Attack-Resilient TLS Certificate Transparency (ARCT) based on log servers to address these problems. ARCT enables root CA to enforce intermediate CAs to follow community standards through leveraging a log server at each root level. It also introduces a collaborative domain ownership verification method that deters false certificate-issuance and ensures that a set of CAs validates every certificate before any client will accept it. A certificate collectively approved by a set of CAs assures users that the certificate has been seen, and not instantly detected malicious, by a group of CAs. Finally, formal security and performance evaluations prove the reliability and effectiveness of ARCT.

show abstract

“…Certchain uses Ouroboros 60 as consensus algorithms, which is based on the ranking of a bookkeeper or a CA for a leader selection. PBCert 61 identified and mitigated some privacy‐ and efficiency‐related issues through the separation of certificate revocation control and storage plane. However, PBCert uses data structure and consensus algorithm of Certchain, which is vulnerable to MitM attacks in case of a dishonest bookkeeper 18 …”

Section: Related Workmentioning

confidence: 99%

SCM: Secure and accountable TLS certificate management

Khan

Zhang

Zhu

et al. 2020

Int J Communication

View full text Add to dashboard Cite

Summary In classical public‐key infrastructure (PKI), the certificate authorities (CAs) are fully trusted, and the security of the PKI relies on the trustworthiness of the CAs. However, recent failures and compromises of CAs showed that if a CA is corrupted, fake certificates may be issued, and the security of clients will be at risk. As emerging solutions, blockchain‐ and log‐based PKI proposals potentially solved the shortcomings of the PKI, in particular, eliminating the weakest link security and providing a rapid remedy to CAs' problems. Nevertheless, log‐based PKIs are still exposed to split‐world attacks if the attacker is capable of presenting two distinct signed versions of the log to the targeted victim(s), while the blockchain‐based PKIs have scaling and high‐cost issues to be overcome. To address these problems, this paper presents a secure and accountable transport layer security (TLS) certificate management (SCM), which is a next‐generation PKI framework. It combines the two emerging architectures, introducing novel mechanisms, and makes CAs and log servers accountable to domain owners. In SCM, CA‐signed domain certificates are stored in log servers, while the management of CAs and log servers is handed over to a group of domain owners, which is conducted on the blockchain platform. Different from existing blockchain‐based PKI proposals, SCM decreases the storage cost of blockchain from several hundreds of GB to only hundreds of megabytes. Finally, we analyze the security and performance of SCM and compare SCM with previous blockchain‐ and log‐based PKI schemes.

show abstract

PBCert: Privacy-Preserving Blockchain-Based Certificate Status Validation Toward Mass Storage Management

Cited by 34 publications

References 21 publications

Cross-Certification Towards Distributed Authentication Infrastructure: A Case of Hyperledger Fabric

Cross-Certification Towards Distributed Authentication Infrastructure: A Case of Hyperledger Fabric

Attack-Resilient TLS Certificate Transparency

SCM: Secure and accountable TLS certificate management

Contact Info

Product

Resources

About