Self-C2AD: Enhancing CA Auditing in IoT with Self-Enforcement Based on an SM2 Signature Algorithm

Abstract

Malicious certificate authorities (CAs) pose a significant threat to the security of the Internet of Things (IoT). Existing CA auditing schemes primarily rely on passive detection and public data collection, lacking real-time and comprehensive monitoring. In this paper, we propose a novel double-authentication preventing signature scheme based on an SM2 algorithm, referred to as Dap-SM2. We further enhance its functionality by introducing Self-C2AD, a CA auditing mechanism with self-enforcement. In our proposed mechanism, any malicious CA that generates two certificates with different descriptions (such as public key and basic information) for the same IoT device will immediately lose its private key. To ensure the security of our proposed scheme, we provide a detailed security analysis of Dap-SM2. The analysis demonstrates that our Self-C2AD mechanism meets the necessary security requirements, offering robust protection against malicious CAs. Additionally, we conduct an efficiency evaluation and present experimental data to illustrate the promising potential of our construction for future IoT applications. By introducing the Dap-SM2 scheme and the Self-C2AD mechanism, we address the critical issue of malicious CAs in the IoT domain. Our approach provides real-time and comprehensive auditing capabilities, surpassing the limitations of existing schemes. The security analysis confirms the effectiveness of Dap-SM2, while the efficiency evaluation and experimental data demonstrate its suitability for practical IoT applications. In summary, our work presents a novel solution to combat the threat of malicious CAs in the IoT context. The Dap-SM2 scheme, coupled with the Self-C2AD mechanism, offers enhanced security and real-time auditing capabilities. The security analysis validates the robustness of our approach, while the efficiency evaluation and experimental data showcase its potential for future IoT deployments.