基于区块链的高透明度PKI认证协议

doi:10.11959/j.issn.2096-109x.2022052

摘要/Abstract

摘要：

公钥基础设施（PKI）作为互联网空间安全基础设施的重要组成部分，为互联网的信息传输提供必要的真实性、完整性、机密性和不可否认性。现有的公钥基础设施存在证书颁发机构权力过大、吊销查询困难等问题。随着区块链技术的发展，可以利用区块链技术去中心化、透明度高、结构扁平等优点来解决上述公钥基础设施存在的问题，提高整个互联网建立信任关系的能力和效率。因此，提出基于区块链的高透明度PKI认证协议。该协议通过加入门限签名技术提出了改进的实用拜占庭容错共识算法（TS-PBFT）。TS-PBFT算法降低了原有实用拜占庭容错（PBFT，practical Byzantine fault tolerance）共识算法的通信复杂度，减少了通信开销；TS-PBFT 算法在视图切换协议的主节点选举引入了外界监督机制，增加了可监管性；TS-PBFT 算法在快速一致性协议中引入了批处理机制，提升了共识过程的性能。该协议一方面在提出的PBFT 算法的基础上引入了区块链技术，提升了证书吊销查询的安全性，并引入了计数布隆过滤器，提升了证书查询的效率；另一方面，该协议在证书的生命周期管理中增加了证书审计流程，对证书颁发机构的行为做出监管，促使其提高安全标准，达到限制其权力的目的。安全性分析和效率实验分析表明，所提协议系统具有抵抗伪装申请证书攻击等安全属性，与已有PKI协议相比在TLS/SSL握手耗时上具有优势。

关键词: 区块链, 拜占庭容错, 公钥基础设施, 认证协议

Abstract:

The public key infrastructure (PKI), as an significant component of the current Internet security infrastructure, guarantees the information transmission with the necessary authenticity, integrity, confidentiality and non-repudiation.However, the existing PKI also has shortcomings of excessive power of certification authority and difficulties in revoking and querying.Blockchain can be used to solve those problems by leveraging its advantages, such as decentralization, high transparency and flat structure.Furthermore, the ability and efficiency of the entire Internet to establish trust relationships may be improved.The transparent public key infrastructure (PKI) certification protocol based on the blockchain was proposed.The TS-PBFT algorithm was designed in the proposed protocol by adopting the threshold signature technology to the Practical Byzantine fault tolerance (PBFT) algorithm.The TS-PBFT algorithm reduced the communication overhead via reducing the communication complexity, strengthened the supervision via introducing external monitoring mechanism in the master node election of the view change protocol, and also improved the performance of the consensus mechanism via adding a batch processing mechanism.Moreover, a transparent blockchain-based PKI certification protocol was designed.The proposed protocol increased the security of certificate revocation and query, it also improved the efficiency of the certificate query by the introduction of counting bloom filters.Besides, the proposed protocol added audit function into the certificate lifecycle management.Accordingly, it can supervise the behavior of the certificate authority (CA), prompt it to improve security standards, and then achieve the purpose of limiting its authority.According to the security analysis and efficiency experiments, the proposed protocol was equipped with security properties, such as the resistance to spoofing certificate application attacks, and it achieved the best performance on TLS/SSL handshake time compared with existing PKI protocols.

Key words: blockchain, Byzantine fault tolerant, public key infrastructure, authentication protocol

中图分类号:

TP393

陈立全, 李潇, 杨哲懿, 钱思杰. 基于区块链的高透明度PKI认证协议[J]. 网络与信息安全学报, 2022, 8(4): 1-11.

Liquan CHEN, Xiao LI, Zheyi YANG, Sijie QIAN. Blockchain-based high transparent PKI authentication protocol[J]. Chinese Journal of Network and Information Security, 2022, 8(4): 1-11.

图/表 9

图1

图2

图3

表1

图4

表2

表3

表4

图5

参考文献 20

[1]	MATHUR S , ARORA A . Internet of things (IoT) and PKI-based Security Architecture[M]// Industrial Internet of Things and Cyber-Physical Systems:Transforming the Conventional to Digital. 2020: 25-46.
[2]	SERRANO N , HADAN H , CAMP L J . A complete study of PKI (PKI’s Known Incidents)[J]. SSRN Electronic Journal, 2019(47).
[3]	KAMINSKY D , PATTERSON M L , SASSAMAN L . PKI layer cake:new collision attacks against the global X.509 infrastructure[C]// International Conference on Financial Cryptography and Data Security. 2010: 289-303.
[4]	PRINS J R , CYBERCRIME B U . DigiNotar certificate authority breach “operation black tulip”[J]. Fox-IT, 2011,(11): 18.
[5]	DAVIDSON S , DE FILIPPI P , POTTS J . Blockchains and the economic institutions of capitalism[J]. Journal of Institutional Economics, 2018,14(4): 639-658.
[6]	FROMKNECHT C , VELICANU D , YAKOUBOV S . Certcoin:a namecoin based decentralized authentication system6.857 class project[J]. Unpublished Class Project, 2014.
[7]	AXON L , GOLDSMITH M . PB-PKI:a privacy-aware blockchain-based PKI[C]// SECRYPT. 2017: 311-318.
[8]	MATSUMOTO S , REISCHUK R M . IKP:turning a PKI around with decentralized automated incentives[C]// 2017 IEEE Symposium on Security and Privacy (SP). 2017: 410-426.
[9]	CHEN J , YAO S , YUAN Q ,et al. Certchain:public and efficient certificate audit based on blockchain for tls connections[C]// IEEE INFOCOM 2018-IEEE Conference on Computer Communications. 2018: 2060-2068.
[10]	KUBILAY M Y , KIRAZ M S , MANTAR H A . CertLedger:a new PKI model with certificate transparency based on blockchain[J]. Computers ＆ Security, 2019,85: 333-352.
[11]	马晓婷, 马文平, 刘小雪 . 基于区块链技术的跨域认证方案[J]. 电子学报, 2018,46(11): 2571-2579.
	MA X T , MA W P , LIU X X . A cross domain authentication scheme based on blockchain technology[J]. Acta Electronica Sinica, 2018,46(11): 2571-2579.
[12]	王昊, 吴天昊, 朱孔林 ,等. 交叉口场景下基于区块链技术的匿名车辆身份认证方案[J]. 网络与信息安全学报, 2020,6(5): 27-35.
	WANG H , WU T H , ZHU K L ,et al. Anonymous vehicle authentication scheme based on blockchain technology in the intersection scenario[J]. Chinese Journal of Network and Information Security, 2020,6(5): 27-35.
[13]	张勖, 马欣 . 基于区块链的轻量化移动自组网认证方案[J]. 网络与信息安全学报, 2020,6(4): 14-22.
	ZHANG X , MA X . Lightweight mobile Ad Hoc network authentication scheme based on blockchain[J]. Chinese Journal of Network and Information Security, 2020,6(4): 14-22.
[14]	LAMPORT L , FISCHER M . Byzantine generals and transaction commit protocols[R]. Technical Report 6. 1982.
[15]	CASTRO M , LISKOV B . Practical byzantine fault tolerance[C]// OSDI. 1999: 173-186.
[16]	HAO X , YU L , ZHIQIANG L ,et al. Dynamic practical byzantine fault tolerance[C]// 2018 IEEE Conference on Communications and Network Security (CNS). 2018: 1-8.
[17]	LI F , LIU K , LIU J ,et al. DHBFT:Dynamic hierarchical byzantine fault-tolerant consensus mechanism based on credit[C]// Asia-Pacific Web (APWeb) and Web-Age Information Management (WAIM) Joint International Conference on Web and Big Data. 2020: 3-17.
[18]	CHARITON A A , DEGKLERI E , PAPADOPOULOS P ,et al. CCSP:a compressed certificate status protocol[C]// IEEE INFOCOM 2017-IEEE Conference on Computer Communications. 2017: 1-9.
[19]	BASIN D , CREMERS C , KIM T H J ,et al. ARPKI:Attack resilient public-key infrastructure[C]// Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. 2014: 382-393.
[20]	CHEN J , YAO S , YUAN Q ,et al. Checks and balances:a tripartite public key infrastructure for secure Web-based connections[C]// IEEE INFOCOM 2017-IEEE Conference on Computer Communications. 2017: 1-9.

区块结构	可信度列表	双计数布隆过滤器	BcCert证书
TB-PKI协议	具备	具备	具备
比特币	不具备	不具备	不具备

阶段	耗时	起始时刻	终止时刻
证书申请	8 103	0	8 103
共识阶段	5 001	44	5 045
查询阶段	90	8 013	8 103

阶段	耗时	起始时刻	终止时刻
证书更新	8 379	0	8 379
共识阶段	5 970	163	6 133
查询阶段	99	8 280	8 379

阶段	耗时	起始时刻	终止时刻
证书吊销	7 562	0	7 562
共识阶段	5 020	103	5 123
查询阶段	23	7 539	7 562