Abstract
Public key infrastructure (PKI) is the core of authentications performed in secure internet communications. The most popular PKI arrangement is the certificate authority (CA)-based PKI. The traditional security protocols use this CA-based PKI to provide server-side authentications. In this approach, the server-side uses its public key certificate that is the server’s public key signed by a trusted CA. This CA-based PKI is not able to properly address the challenges associated with the growing demand of secure internet communications. We identified two major problems with this CA-based PKI to be used in secure communications. First, the mis-issuance of certificates or the disclosure of any such CAs’ private keys can cause serious problems to the security of these internet communications. Second, revoking an issued public key certificate or any trusted CA’s certificate is not a trivial task. In this paper, we proposed a distributed key server architecture (DKS-PKI) that provides a PKI arrangement that can solve the above mentioned problems. The proposed architecture offers registration/issuance, storage, distribution, and revocation of certificates in an efficient manner. It ensures transparency and accountability of the certificate issuers. All the registered/issued certificates and their sensitive identity information are verified and stored into a permissioned distributed storage system. The key-server nodes are responsible to make these issued certificates publicly accessible by means of their associated 256-bit unique identifiers (UIDs). We presented a thorough security analysis of the proposed architecture.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Aberer, K., Datta, A., Hauswirth, M.: A decentralised public key infrastructure for customer-to-customer e-commerce. Int. J. Bus. Process Integr. Manag. 1, 26–33 (2005)
Barker, E., Roginsky, A.: Transitioning the use of cryptographic algorithms and key lengths, March 2019. https://doi.org/10.6028/NIST.SP.800-131Ar2
Barker, E.B., Dang, Q.H.: SP 800–57 Pt3 R1. Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance, January 2015. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf. Accessed 04 Dec 2021
Boeyen, S., Santesson, S., Polk, T., Housley, R., Farrell, S., Cooper, D.: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. RFC 5280, May 2008. https://doi.org/10.17487/RFC5280. https://www.rfc-editor.org/info/rfc5280
Charette, R.: DigiNotar Certificate Authority Breach Crashes e-Government in the Netherlands, September 2011. https://spectrum.ieee.org/riskfactor/telecom/security/diginotar-certificate-authority-breach-crashes-egovernment-in-the-netherlands. Accessed 25 July 2022
ComputerWorld.com: To punish Symantec, Google may distrust a third of the web’s SSL certificates, March 2017. https://www.computerworld.com/article/3184573/to-punish-symantec-google-may-distrust-a-third-of-the-webs-ssl-certificates.html. Accessed 24 July 2022
Constantin, L.: French intermediate certificate authority issues rogue certs for Google domains, December 2013. https://www.computerworld.com/article/2486614/french-intermediate-certificate-authority-issues-rogue-certs-for-google-domains.html. Accessed 25 July 2022
Ellison, C.: SPKI Requirements. RFC 2692, September 1999. https://doi.org/10.17487/RFC2692. https://www.rfc-editor.org/info/rfc2692
Faisal, A., Zulkernine, M.: Graphene: a secure cloud communication architecture. In: Zhou, J., Deng, R., Li, Z., Majumdar, S., Meng, W., Wang, L., Zhang, K. (eds.) ACNS 2019. LNCS, vol. 11605, pp. 51–69. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-29729-9_3
Faisal, A., Zulkernine, M.: A secure architecture for TCP/UDP-based cloud communications. Int. J. Inf. Secur. 20(2), 161–179 (2020). https://doi.org/10.1007/s10207-020-00511-w
Hoogstraaten, H.: Black tulip report of the investigation into the diginotar certificate authority breach. Technical report, Fox-IT BV, August 2012. https://doi.org/10.13140/2.1.2456.7364. Accessed 25 July 2022
Laurie, B., Langley, A., Kasper, E.: Certificate Transparency. RFC 6962, June 2013. https://doi.org/10.17487/RFC6962. https://rfc-editor.org/rfc/rfc6962.txt
Leyden, J.: 23,000 HTTPS certs will be axed in next 24 hours after private keys leak, March 2018. https://www.theregister.co.uk/2018/03/01/trustico_digicert_symantec_spat/. Accessed 25 July 2022
Matsumoto, S., Reischuk, R.M.: IKP: turning a PKI around with blockchains. Cryptology ePrint Archive, Paper 2016/1018 (2016). https://eprint.iacr.org/2016/1018
Matsumoto, S., Reischuk, R.M.: IKP: turning a PKI around with decentralized automated incentives. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 410–426 (2017). https://doi.org/10.1109/SP.2017.57
Matsumoto, S., Szalachowski, P., Perrig, A.: Deployment challenges in log-based PKI enhancements. In: Proceedings of the Eighth European Workshop on System Security, EuroSec 2015. Association for Computing Machinery, New York (2015). https://doi.org/10.1145/2751323.2751324
Mozilla.org: CA/Symantec Issues. https://wiki.mozilla.org/CA/Symantec_Issues. Accessed 24 July 2022
Rivest, R., Lampson, B.: SDSI - a simple distributed security infrastructure, August 1996. https://people.csail.mit.edu/rivest/sdsi10.html. Accessed 24 July 2022
Santesson, S., Myers, M., Ankney, R., Malpani, A., Galperin, S., Adams, D.C.: X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP. RFC 6960, June 2013. https://doi.org/10.17487/RFC6960. https://www.rfc-editor.org/info/rfc6960
SecurityIntelligence.com: Symantec’s SSL Certificate May Get Cut Off by Chrome, March 2017. https://securityintelligence.com/news/symantecs-ssl-certificate-gets-cut-off-by-chrome/. Accessed 25 July 2022
Symantec: Test Certificates Incident Final Report v3, October 2015. https://bug1214321.bmoattachments.org/attachment.cgi?id=8852862. Accessed 24 July 2022
Szalachowski, P., Chuat, L., Perrig, A.: PKI safety net (PKISN): addressing the too-big-to-be-revoked problem of the TLS ecosystem. In: 2016 IEEE European Symposium on Security and Privacy (EuroS P), p. 407–422 (2016). https://doi.org/10.1109/EuroSP.2016.38
Williams, O.: Google to drop China’s CNNIC Root Certificate Authority after trust breach, April 2015. https://thenextweb.com/insider/2015/04/02/google-to-drop-chinas-cnnic-root-certificate-authority-after-trust-breach/. Accessed 25 July 2022
Yakubov, A., Shbair, W.M., Wallbom, A., Sanda, D., State, R.: A blockchain-based PKI management framework. In: NOMS 2018–2018 IEEE/IFIP Network Operations and Management Symposium, pp. 1–6, April 2018
Ylonen, T., Thomas, B., Lampson, B., Ellison, C., Rivest, R.L., Frantz, W.S.: SPKI Certificate Theory. RFC 2693, September 1999. https://doi.org/10.17487/RFC2693. https://www.rfc-editor.org/info/rfc2693
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Faisal, A., Zulkernine, M. (2022). DKS-PKI: A Distributed Key Server Architecture for Public Key Infrastructure. In: Badarla, V.R., Nepal, S., Shyamasundar, R.K. (eds) Information Systems Security. ICISS 2022. Lecture Notes in Computer Science, vol 13784. Springer, Cham. https://doi.org/10.1007/978-3-031-23690-7_2
Download citation
DOI: https://doi.org/10.1007/978-3-031-23690-7_2
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-23689-1
Online ISBN: 978-3-031-23690-7
eBook Packages: Computer ScienceComputer Science (R0)