KORGAN: An Efficient PKI Architecture Based on PBFT Through Dynamic Threshold Signatures

Bibliographic Details
Published in Computer journal Vol. 64; no. 4; pp. 564 - 574
Main Authors Yasin Kubilay, Murat, Sabir Kiraz, Mehmet, Ali Mantar, Haci
Format Journal Article
Language English
Published Oxford University Press 01.04.2021
ISSN 0010-4620, 1460-2067
DOI 10.1093/comjnl/bxaa081

Abstract During the past decade, several misbehaving certificate authorities (CAs) have issued fraudulent TLS certificates allowing man-in-the-middle (MITM) kinds of attacks that result in serious security incidents. In order to avoid such incidents, Yakubov et al. ((2018) A blockchain-based PKI management framework. NOMS 2018 - 2018 IEEE/IFIP Network Operations and Management Symposium, Taipei, Taiwan, April, pp. 16. IEEE) recently proposed a new public key infrastructure (PKI) architecture where CAs issue, revoke and validate X.509 certificates on a public blockchain. However, in their proposal TLS clients are subject to MITM kinds of attacks, and certificate transparency is not fully provided. In this paper, we eliminate the issues of the Yakubov et al.’s scheme and propose a new PKI architecture based on permissioned blockchain with PBFT consensus mechanism where the consensus nodes utilize a dynamic threshold signature scheme to generate signed blocks. In this way, the trust to the intermediary entities can be completely eliminated during certificate validation. Our scheme enjoys the dynamic property of the threshold signature because TLS clients do not have to change the verification key even if the validator set is dynamic. We implement our proposal on private Ethereum network to demonstrate the experimental results. The results show that our proposal has negligible overhead during TLS handshake. The certificate validation duration is less than the duration in the conventional PKI and Yakubov et al.’s scheme.
Authors and affiliations
Yasin Kubilay, Murat: Department of Computer Engineering, Gebze Technical University, 41400 Kocaeli, Turkey (e-mail: yasin.kubilay@gmail.com)
Sabir Kiraz, Mehmet: School of Computer Science and Informatics, De Montfort University, LE1 9BH Leicester, UK
Ali Mantar, Haci: Department of Computer Engineering, Gebze Technical University, 41400 Kocaeli, Turkey
ContentType Journal Article
Copyright The British Computer Society 2020. All rights reserved. For permissions, please e-mail: journals.permissions@oup.com 2020
Discipline Computer Science
EISSN 1460-2067
EndPage 574
IsDoiOpenAccess false
IsOpenAccess true
IsPeerReviewed true
IsScholarly true
Issue 4
Keywords dynamic threshold signatures
SSL/TLS
certificate transparency
PBFT
PKI
License This article is published and distributed under the terms of the Oxford University Press, Standard Journals Publication Model (https://academic.oup.com/journals/pages/open_access/funder_policies/chorus/standard_publication_model)
OpenAccessLink https://dora.dmu.ac.uk/handle/2086/19743
PageCount 11
PublicationDateYYYYMMDD 2021-04-01
PublicationTitle Computer journal
PublicationYear 2021
Publisher Oxford University Press
References
[1] Dierks (2018) The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446 (Proposed Standard).
[2] Conti (2016) A survey of man in the middle attacks. IEEE Commun. Surv. Tutor., 18, 2027. doi:10.1109/COMST.2016.2548426
[3] DigiNotar Public Report (2012) Black tulip report of the investigation into the DigiNotar certificate authority breach.
[4] Langley (2015)
[5] Kubilay (2019) CertLedger: a new PKI model with certificate transparency based on blockchain. Comput. Secur., 85, 333. doi:10.1016/j.cose.2019.05.013
[6] Laurie (2013) Certificate Transparency. RFC 6962 (Experimental).
[7] (2012) Information Technology–Open Systems Interconnection–the Directory: Public-Key and Attribute Certificate Frameworks.
[8] Santesson (2019) X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP. RFC 6960 (Standard).
[9] Hyun-Jin Kim (2013) Accountable Key Infrastructure (AKI): A Proposal for a Public-Key Validation Infrastructure. Proc. of the 22nd Int. Conf. on World Wide Web, p. 679.
[10] Yu (2016) DTKI: a new formalized PKI with verifiable trusted parties. Comput. J., 59, 1695. doi:10.1093/comjnl/bxw039
[11] Wang (2019) Blockchain-Based Certificate Transparency and Revocation Transparency. Financial Cryptography and Data Security, p. 144. doi:10.1007/978-3-662-58820-8_11
[12] Chen (2018) CertChain: Public and Efficient Certificate Audit Based on Blockchain for TLS Connections. IEEE INFOCOM 2018-IEEE Conference on Computer Communications, p. 2060. doi:10.1109/INFOCOM.2018.8486344
[13] Yakubov (2018) A blockchain-based PKI management framework. NOMS 2018 - 2018 IEEE/IFIP Network Operations and Management Symposium, p. 1. doi:10.1109/NOMS.2018.8406325
[14] Castro (2002) Practical Byzantine fault tolerance and proactive recovery. ACM Trans. Comput. Syst., 20, 398. doi:10.1145/571637.571640
[15] Noack (2009) Dynamic threshold cryptosystem without group manager. Netw. Protocols Algorithms, 1, 108.
[16] Nakamoto (2008) Bitcoin: a peer-to-peer electronic cash system.
[17] Wood (2014) Ethereum: a secure decentralised generalised transaction ledger.
[18] Kiayias (2017) Ouroboros: A Provably Secure Proof-of-Stake Blockchain Protocol. Advances in Cryptology – CRYPTO 2017, p. 357. doi:10.1007/978-3-319-63688-7_12
[19] Yao (2019) PBCert: privacy-preserving blockchain-based certificate status validation toward mass storage management. IEEE Access, 7, 6117. doi:10.1109/ACCESS.2018.2889898
[20] Szabo (1997)
[21] Wüst (2018) Do you Need a Blockchain? 2018 Crypto Valley Conf. on Blockchain Technology (CVCBT), p. 45.
[22] Yin (2019) HotStuff: BFT Consensus with Linearity and Responsiveness. Proc. of the 2019 ACM Symposium on Principles of Distributed Computing, p. 347. doi:10.1145/3293611.3331591
[23] Boneh (2001) Short Signatures from the Weil Pairing. Advances in Cryptology — ASIACRYPT 2001, p. 514. doi:10.1007/3-540-45682-1_30
[24] Cachin (2005) Random oracles in Constantinople: practical asynchronous Byzantine agreement using cryptography. J. Cryptol., 18, 219. doi:10.1007/s00145-005-0318-0
[25] Barnes (2019) Automatic Certificate Management Environment (ACME). RFC 8555 (Standard).
[26] Patricia Tree
[27] LibraBFT Consensus Performance
[28] Eth Proof 2.0.0
[29] Liu (2015) An End-to-End Measurement of Certificate Revocation in the Web’s PKI. Proc. of the 2015 Internet Measurement Conf., p. 183. doi:10.1145/2815675.2815685
[30] NetCraft. OCSP Server Performance in September 2019
[31] NetCraft. CRL Sites in September 2019
StartPage 564
Volume 64