Skip to main content
SpringerLink
Log in

DKS-PKI: A Distributed Key Server Architecture for Public Key Infrastructure

  • Conference paper
  • First Online:
Information Systems Security (ICISS 2022)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13784))

Included in the following conference series:

  • 424 Accesses

Abstract

Public key infrastructure (PKI) is the core of authentications performed in secure internet communications. The most popular PKI arrangement is the certificate authority (CA)-based PKI. The traditional security protocols use this CA-based PKI to provide server-side authentications. In this approach, the server-side uses its public key certificate that is the server’s public key signed by a trusted CA. This CA-based PKI is not able to properly address the challenges associated with the growing demand of secure internet communications. We identified two major problems with this CA-based PKI to be used in secure communications. First, the mis-issuance of certificates or the disclosure of any such CAs’ private keys can cause serious problems to the security of these internet communications. Second, revoking an issued public key certificate or any trusted CA’s certificate is not a trivial task. In this paper, we proposed a distributed key server architecture (DKS-PKI) that provides a PKI arrangement that can solve the above mentioned problems. The proposed architecture offers registration/issuance, storage, distribution, and revocation of certificates in an efficient manner. It ensures transparency and accountability of the certificate issuers. All the registered/issued certificates and their sensitive identity information are verified and stored into a permissioned distributed storage system. The key-server nodes are responsible to make these issued certificates publicly accessible by means of their associated 256-bit unique identifiers (UIDs). We presented a thorough security analysis of the proposed architecture.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 54.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 69.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Aberer, K., Datta, A., Hauswirth, M.: A decentralised public key infrastructure for customer-to-customer e-commerce. Int. J. Bus. Process Integr. Manag. 1, 26–33 (2005)

    Article  Google Scholar 

  2. Barker, E., Roginsky, A.: Transitioning the use of cryptographic algorithms and key lengths, March 2019. https://doi.org/10.6028/NIST.SP.800-131Ar2

  3. Barker, E.B., Dang, Q.H.: SP 800–57 Pt3 R1. Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance, January 2015. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf. Accessed 04 Dec 2021

  4. Boeyen, S., Santesson, S., Polk, T., Housley, R., Farrell, S., Cooper, D.: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. RFC 5280, May 2008. https://doi.org/10.17487/RFC5280. https://www.rfc-editor.org/info/rfc5280

  5. Charette, R.: DigiNotar Certificate Authority Breach Crashes e-Government in the Netherlands, September 2011. https://spectrum.ieee.org/riskfactor/telecom/security/diginotar-certificate-authority-breach-crashes-egovernment-in-the-netherlands. Accessed 25 July 2022

  6. ComputerWorld.com: To punish Symantec, Google may distrust a third of the web’s SSL certificates, March 2017. https://www.computerworld.com/article/3184573/to-punish-symantec-google-may-distrust-a-third-of-the-webs-ssl-certificates.html. Accessed 24 July 2022

  7. Constantin, L.: French intermediate certificate authority issues rogue certs for Google domains, December 2013. https://www.computerworld.com/article/2486614/french-intermediate-certificate-authority-issues-rogue-certs-for-google-domains.html. Accessed 25 July 2022

  8. Ellison, C.: SPKI Requirements. RFC 2692, September 1999. https://doi.org/10.17487/RFC2692. https://www.rfc-editor.org/info/rfc2692

  9. Faisal, A., Zulkernine, M.: Graphene: a secure cloud communication architecture. In: Zhou, J., Deng, R., Li, Z., Majumdar, S., Meng, W., Wang, L., Zhang, K. (eds.) ACNS 2019. LNCS, vol. 11605, pp. 51–69. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-29729-9_3

    Chapter  Google Scholar 

  10. Faisal, A., Zulkernine, M.: A secure architecture for TCP/UDP-based cloud communications. Int. J. Inf. Secur. 20(2), 161–179 (2020). https://doi.org/10.1007/s10207-020-00511-w

    Article  Google Scholar 

  11. Hoogstraaten, H.: Black tulip report of the investigation into the diginotar certificate authority breach. Technical report, Fox-IT BV, August 2012. https://doi.org/10.13140/2.1.2456.7364. Accessed 25 July 2022

  12. Laurie, B., Langley, A., Kasper, E.: Certificate Transparency. RFC 6962, June 2013. https://doi.org/10.17487/RFC6962. https://rfc-editor.org/rfc/rfc6962.txt

  13. Leyden, J.: 23,000 HTTPS certs will be axed in next 24 hours after private keys leak, March 2018. https://www.theregister.co.uk/2018/03/01/trustico_digicert_symantec_spat/. Accessed 25 July 2022

  14. Matsumoto, S., Reischuk, R.M.: IKP: turning a PKI around with blockchains. Cryptology ePrint Archive, Paper 2016/1018 (2016). https://eprint.iacr.org/2016/1018

  15. Matsumoto, S., Reischuk, R.M.: IKP: turning a PKI around with decentralized automated incentives. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 410–426 (2017). https://doi.org/10.1109/SP.2017.57

  16. Matsumoto, S., Szalachowski, P., Perrig, A.: Deployment challenges in log-based PKI enhancements. In: Proceedings of the Eighth European Workshop on System Security, EuroSec 2015. Association for Computing Machinery, New York (2015). https://doi.org/10.1145/2751323.2751324

  17. Mozilla.org: CA/Symantec Issues. https://wiki.mozilla.org/CA/Symantec_Issues. Accessed 24 July 2022

  18. Rivest, R., Lampson, B.: SDSI - a simple distributed security infrastructure, August 1996. https://people.csail.mit.edu/rivest/sdsi10.html. Accessed 24 July 2022

  19. Santesson, S., Myers, M., Ankney, R., Malpani, A., Galperin, S., Adams, D.C.: X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP. RFC 6960, June 2013. https://doi.org/10.17487/RFC6960. https://www.rfc-editor.org/info/rfc6960

  20. SecurityIntelligence.com: Symantec’s SSL Certificate May Get Cut Off by Chrome, March 2017. https://securityintelligence.com/news/symantecs-ssl-certificate-gets-cut-off-by-chrome/. Accessed 25 July 2022

  21. Symantec: Test Certificates Incident Final Report v3, October 2015. https://bug1214321.bmoattachments.org/attachment.cgi?id=8852862. Accessed 24 July 2022

  22. Szalachowski, P., Chuat, L., Perrig, A.: PKI safety net (PKISN): addressing the too-big-to-be-revoked problem of the TLS ecosystem. In: 2016 IEEE European Symposium on Security and Privacy (EuroS P), p. 407–422 (2016). https://doi.org/10.1109/EuroSP.2016.38

  23. Williams, O.: Google to drop China’s CNNIC Root Certificate Authority after trust breach, April 2015. https://thenextweb.com/insider/2015/04/02/google-to-drop-chinas-cnnic-root-certificate-authority-after-trust-breach/. Accessed 25 July 2022

  24. Yakubov, A., Shbair, W.M., Wallbom, A., Sanda, D., State, R.: A blockchain-based PKI management framework. In: NOMS 2018–2018 IEEE/IFIP Network Operations and Management Symposium, pp. 1–6, April 2018

    Google Scholar 

  25. Ylonen, T., Thomas, B., Lampson, B., Ellison, C., Rivest, R.L., Frantz, W.S.: SPKI Certificate Theory. RFC 2693, September 1999. https://doi.org/10.17487/RFC2693. https://www.rfc-editor.org/info/rfc2693

Download references

Author information

Authors and Affiliations

  1. School of Computing, Queen’s University, Kingston, ON, Canada

    Abu Faisal & Mohammad Zulkernine

Authors
  1. Abu Faisal
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Mohammad Zulkernine
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Abu Faisal .

Editor information

Editors and Affiliations

  1. Indian Institute of Technology Tirupati, Tirupati, India

    Venkata Ramana Badarla

  2. CSIRO Data61, Sydney, NSW, Australia

    Surya Nepal

  3. Indian Institute of Technology Bombay, Mumbai, Maharashtra, India

    Rudrapatna K. Shyamasundar

Rights and permissions

Reprints and permissions

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Faisal, A., Zulkernine, M. (2022). DKS-PKI: A Distributed Key Server Architecture for Public Key Infrastructure. In: Badarla, V.R., Nepal, S., Shyamasundar, R.K. (eds) Information Systems Security. ICISS 2022. Lecture Notes in Computer Science, vol 13784. Springer, Cham. https://doi.org/10.1007/978-3-031-23690-7_2

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-23690-7_2

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-23689-1

  • Online ISBN: 978-3-031-23690-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation