A Blockchain-Based Decentralized Public Key Infrastructure Using the Web of Trust-Reference-Cited by-同舟云学术

A Blockchain-Based Decentralized Public Key Infrastructure Using the Web of Trust

Published:2024-03-31 Issue:2 Volume:4 Page:196-222
ISSN:2624-800X
Container-title:Journal of Cybersecurity and Privacy
language:en
Short-container-title:JCP

Author:

Halder Ratna¹,Das Roy Dipanjan¹,Shin Dongwan¹

Affiliation:

1. Department of Computer Science & Engineering, New Mexico Tech, Socorro, NM 87801, USA

Abstract

Internet applications rely on Secure Socket Layer (SSL)/Transport Security Layer (TSL) certifications to establish secure communication. However, the centralized nature of certificate authorities (CAs) poses a risk, as malicious third parties could exploit the CA to issue fake certificates to malicious web servers, potentially compromising the privacy and integrity of user data. In this paper, we demonstrate how the utilization of decentralized certificate verification with blockchain technology can effectively address and mitigate such attacks. We present a decentralized public key infrastructure (PKI) based on a distributed trust model, e.g., Web of Trust (WoT) and blockchain technologies, to overcome vulnerabilities like single points of failure and to prevent tampering with existing certificates. In addition, our infrastructure establishes a trusted key-ring network that decouples the authentication process from CAs in order to enhance secure certificate issuance and accelerate the revocation process. Furthermore, as a proof of concept, we present the implementation of our proposed system in the Ethereum blockchain, confirming that the proposed framework meets the five identified requirements. Our experimental results demonstrate the effectiveness of our proposed system in practice, albeit with additional overhead compared to conventional PKIs.

Publisher

MDPI AG

Link

https://www.mdpi.com/2624-800X/4/2/10/pdf

Reference49 articles.

1. Berkovits, S., Chokhani, S., Furlong, J.A., Geiter, J.A., and Guild, J.C. (1994). Public Key Infrastructure Study, National Institute of Standards and Technology. Final Report.

2. Boeyen, S., Santesson, S., Polk, T., Housley, R., Farrell, S., and Cooper, D. (2024, March 29). RFC 5280; Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. Internet Engineering Task Force, May 2008. Available online: https://doi.org/10.17487/RFC5280.

3. Securing the wireless internet;Gupta;IEEE Commun. Mag.,2001

4. International Telecommunication Union (2012). ITU-T Recommendation X. 509| ISO/IEC 9594-8: “Information Technology-Open Systems Interconnection-The Directory: Public-Key and Attribute Certificate Frameworks”, ITU. Tecnical Report.

5. Ayer, A. (2024, March 29). Misissued/Suspicious Symantec Certificates. Available online: https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg05455.html.