Visible to the public CertChain: Public and Efficient Certificate Audit Based on Blockchain for TLS Connections

TitleCertChain: Public and Efficient Certificate Audit Based on Blockchain for TLS Connections
Publication TypeConference Paper
Year of Publication2018
AuthorsChen, Jing, Yao, Shixiong, Yuan, Quan, He, Kun, Ji, Shouling, Du, Ruiying
Conference NameIEEE INFOCOM 2018 - IEEE Conference on Computer Communications
ISBN Number978-1-5386-4128-6
Keywordsauditing, blockchain system, blockchain-based public, Certchain, certificate audit service, certificate forward traceability, certificate revocation checking, certificate revocation mechanisms, certification, cryptographic protocols, data consistency, data privacy, data structure, data structures, DCBF, dependability-rank based consensus protocol, dual counting bloom filter, Electronic mail, Human Behavior, log servers, log-based schemes, Metrics, Monitoring, Protocols, pubcrawl, public key cryptography, query processing, resilience, Resiliency, revoked certificates checking, Scalability, security analysis, Servers, SSL connections, SSL Trust Models, system monitoring, telecommunication security, TLS connections

In recent years, real-world attacks against PKI take place frequently. For example, malicious domains' certificates issued by compromised CAs are widespread, and revoked certificates are still trusted by clients. In spite of a lot of research to improve the security of SSL/TLS connections, there are still some problems unsolved. On one hand, although log-based schemes provided certificate audit service to quickly detect CAs' misbehavior, the security and data consistency of log servers are ignored. On the other hand, revoked certificates checking is neglected due to the incomplete, insecure and inefficient certificate revocation mechanisms. Further, existing revoked certificates checking schemes are centralized which would bring safety bottlenecks. In this paper, we propose a blockchain-based public and efficient audit scheme for TLS connections, which is called Certchain. Specially, we propose a dependability-rank based consensus protocol in our blockchain system and a new data structure to support certificate forward traceability. Furthermore, we present a method that utilizes dual counting bloom filter (DCBF) with eliminating false positives to achieve economic space and efficient query for certificate revocation checking. The security analysis and experimental results demonstrate that CertChain is suitable in practice with moderate overhead.

Citation Keychen_certchain:_2018