SCM: Secure and accountable TLS certificate management
【Author】 Khan, Salabat; Zhang, Zijian; Zhu, Liehuang; Rahim, Mussadiq Abdul; Ahmad, Sadique; Chen, Ruoyu
【Source】INTERNATIONAL JOURNAL OF COMMUNICATION SYSTEMS
【Impact Factor】1.882
【Abstract】In classical public-key infrastructure (PKI), the certificate authorities (CAs) are fully trusted, and the security of the PKI relies on the trustworthiness of the CAs. However, recent failures and compromises of CAs showed that if a CA is corrupted, fake certificates may be issued, and the security of clients will be at risk. As emerging solutions, blockchain- and log-based PKI proposals potentially solved the shortcomings of the PKI, in particular, eliminating the weakest link security and providing a rapid remedy to CAs' problems. Nevertheless, log-based PKIs are still exposed to split-world attacks if the attacker is capable of presenting two distinct signed versions of the log to the targeted victim(s), while the blockchain-based PKIs have scaling and high-cost issues to be overcome. To address these problems, this paper presents a secure and accountable transport layer security (TLS) certificate management (SCM), which is a next-generation PKI framework. It combines the two emerging architectures, introducing novel mechanisms, and makes CAs and log servers accountable to domain owners. In SCM, CA-signed domain certificates are stored in log servers, while the management of CAs and log servers is handed over to a group of domain owners, which is conducted on the blockchain platform. Different from existing blockchain-based PKI proposals, SCM decreases the storage cost of blockchain from several hundreds of GB to only hundreds of megabytes. Finally, we analyze the security and performance of SCM and compare SCM with previous blockchain- and log-based PKI schemes.
【Keywords】blockchain; log server (LS); public-key infrastructure (PKI); split-world attack; transparency; transport layer security (TLS)
【Publication Date】2020 OCT
【Indexed Date】2022-01-02
【DOI】 10.1002/dac.4503