【Author】
Wang, Ze; Lin, Jingqiang; Cai, Quanwei; Wang, Qiongxiao; Zha, Daren; Jing, Jiwu
【Source】IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING
【Abstract】Traditional X.509 public key infrastructures (PKIs) depend on trusted certification authorities (CAs) to sign certificates, used in SSL/TLS to authenticate web servers and establish secure channels. However, recent security incidents indicate that CAs may (be compromised to) sign fraudulent certificates. In this article, we propose blockchain-based certificate transparency (CT) and revocation transparency (RT) to balance the absolute authority of CAs. Our scheme is compatible with X.509 PKIs but significantly reinforces the security guarantees of a certificate. The CA-signed certificates and their revocation status information of an SSL/TLS web server are published by the subject (i.e., the web server) as a transaction in the global certificate blockchain. The certificate blockchain acts as append-only public logs to monitor CAs' certificate signing and revocation operations, and an SSL/TLS web server is granted with the cooperative control on its certificates. A browser compares the certificate received in SSL/TLS negotiations with the ones in the public certificate blockchain, and accepts it only if it is published and not revoked. We implement the prototype system with Firefox and Nginx, and the experimental results show that it introduces reasonable overheads.
【Keywords】Web servers; Blockchain; Browsers; Publishing; Public key; Blockchain; certificate transparency; certificate revocation; public key infrastructure; trust management
【摘要】传统的 X.509 公钥基础设施 (PKI) 依赖受信任的证书颁发机构 (CA) 来签署证书,在 SSL/TLS 中用于验证 Web 服务器并建立安全通道。然而,最近的安全事件表明证书颁发机构 可能(被破坏)签署欺诈性证书。在本文中,我们提出了基于区块链的证书透明度(CT)和撤销透明度(RT)来平衡 CA 的绝对权威。我们的方案与 X.509 PKI 兼容,但显着加强了证书的安全保证。 SSL/TLS Web 服务器的 CA 签名证书及其撤销状态信息由主体(即 Web 服务器)作为全局证书区块链中的事务发布。证书区块链充当仅附加的公共日志来监控 CA 的证书签名和撤销操作,并授予 SSL/TLS Web 服务器对其证书的协作控制。浏览器将在 SSL/TLS 协商中收到的证书与公共证书区块链中的证书进行比较,并仅在它已发布且未撤销时才接受它。我们用 Firefox 和 Nginx 实现了原型系统,实验结果表明它引入了合理的开销。
【关键词】网络服务器;区块链;浏览器;出版;公钥;区块链;证书透明度;证书吊销;公钥基础设施;信任管理
评论