TY - JOUR
T1 - SCM
T2 - Secure and accountable TLS certificate management
AU - Khan, Salabat
AU - Zhang, Zijian
AU - Zhu, Liehuang
AU - Rahim, Mussadiq Abdul
AU - Ahmad, Sadique
AU - Chen, Ruoyu
N1 - Publisher Copyright:
© 2020 John Wiley & Sons, Ltd.
PY - 2020/10/1
Y1 - 2020/10/1
N2 - In classical public-key infrastructure (PKI), the certificate authorities (CAs) are fully trusted, and the security of the PKI relies on the trustworthiness of the CAs. However, recent failures and compromises of CAs showed that if a CA is corrupted, fake certificates may be issued, and the security of clients will be at risk. As emerging solutions, blockchain- and log-based PKI proposals potentially solved the shortcomings of the PKI, in particular, eliminating the weakest link security and providing a rapid remedy to CAs' problems. Nevertheless, log-based PKIs are still exposed to split-world attacks if the attacker is capable of presenting two distinct signed versions of the log to the targeted victim(s), while the blockchain-based PKIs have scaling and high-cost issues to be overcome. To address these problems, this paper presents a secure and accountable transport layer security (TLS) certificate management (SCM), which is a next-generation PKI framework. It combines the two emerging architectures, introducing novel mechanisms, and makes CAs and log servers accountable to domain owners. In SCM, CA-signed domain certificates are stored in log servers, while the management of CAs and log servers is handed over to a group of domain owners, which is conducted on the blockchain platform. Different from existing blockchain-based PKI proposals, SCM decreases the storage cost of blockchain from several hundreds of GB to only hundreds of megabytes. Finally, we analyze the security and performance of SCM and compare SCM with previous blockchain- and log-based PKI schemes.
AB - In classical public-key infrastructure (PKI), the certificate authorities (CAs) are fully trusted, and the security of the PKI relies on the trustworthiness of the CAs. However, recent failures and compromises of CAs showed that if a CA is corrupted, fake certificates may be issued, and the security of clients will be at risk. As emerging solutions, blockchain- and log-based PKI proposals potentially solved the shortcomings of the PKI, in particular, eliminating the weakest link security and providing a rapid remedy to CAs' problems. Nevertheless, log-based PKIs are still exposed to split-world attacks if the attacker is capable of presenting two distinct signed versions of the log to the targeted victim(s), while the blockchain-based PKIs have scaling and high-cost issues to be overcome. To address these problems, this paper presents a secure and accountable transport layer security (TLS) certificate management (SCM), which is a next-generation PKI framework. It combines the two emerging architectures, introducing novel mechanisms, and makes CAs and log servers accountable to domain owners. In SCM, CA-signed domain certificates are stored in log servers, while the management of CAs and log servers is handed over to a group of domain owners, which is conducted on the blockchain platform. Different from existing blockchain-based PKI proposals, SCM decreases the storage cost of blockchain from several hundreds of GB to only hundreds of megabytes. Finally, we analyze the security and performance of SCM and compare SCM with previous blockchain- and log-based PKI schemes.
KW - blockchain
KW - log server (LS)
KW - public-key infrastructure (PKI)
KW - split-world attack
KW - transparency
KW - transport layer security (TLS)
UR - http://www.scopus.com/inward/record.url?scp=85088788316&partnerID=8YFLogxK
U2 - 10.1002/dac.4503
DO - 10.1002/dac.4503
M3 - Article
AN - SCOPUS:85088788316
SN - 1074-5351
VL - 33
JO - International Journal of Communication Systems
JF - International Journal of Communication Systems
IS - 15
M1 - e4503
ER -