Abstract
A reliable certificate revocation mechanism is crucial, as illustrated by the recent revocation of 1.7 million certificates issued by the Let’s Encrypt certificate authority. It is just as essential to get revocation information to users in an efficient and timely manner without impacting their privacy. Existing approaches such as Certificate Revocation Lists (CRLs) or the Online Certificate Status Protocol (OCSP) fail with respect to either of those metrics, while approaches that try to mitigate both, such as OCSP-Staple and Must-Staple suffer from soft-failure modes and meager adoption rates. To address these issues, we propose the BlockVoke scheme, which decentralizes revocations, allowing certificate owners as well as CAs to revoke certificates, and distribute revocation information rapidly. Our approach furthermore allows the revocation of CA root certificates, which is not possible with traditional approaches. The use of a blockchain as an underlying layer ensures the continued availability and immutability of revocation information. BlockVoke interacts favorably with approaches such as CRLite and Certificate Revocation Vectors (CRV), allowing organizations to update revocation filters with as little delay as required by their security policies. We also demonstrate the cost-efficiency of our approach in comparison to other approaches such as CRLs, showing its high feasibility.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Bitcoin Wiki - Multisignature (2019). https://en.bitcoin.it/w/index.php?title=Multisignature&oldid=67043. Accessed 1 Sept 2020
Baldi, M., Chiaraluce, F., Frontoni, E., Gottardi, G., Sciarroni, D., Spalazzi, L.: Certificate validation through public ledgers and blockchains. In: Proceedings of the First Italian Conference on Cybersecurity, ITASEC 2017, pp. 156–165 (2017)
Basin, D.A., Cremers, C., Kim, T.H., Perrig, A., Sasse, R., Szalachowski, P.: Design, analysis, and implementation of ARPKI: an attack-resilient public-key infrastructure. IEEE Trans. Depend. Secure Comput. 15(3), 393–408 (2018)
Berkowsky, J.A., Hayajneh, T.: Security issues with certificate authorities. In: 2017 IEEE 8th Annual Ubiquitous Computing, Electronics and Mobile Communication Conference (UEMCON), pp. 449–455. IEEE (2017)
Blockchain Explorer - Blockchain.com: Bitcoin - Average Block Size (MB) (2020). https://www.blockchain.com/charts/avg-block-size. Accessed 1 Apr 2020
Blockchain Explorer - Blockchain.com: Bitcoin - Average Transactions per Block (2020). https://www.blockchain.com/charts/n-transactions-per-block. Accessed 1 Apr 2020
Blockchain Explorer - Blockchain.com: Bitcoin - Fees per Transaction (USD) (2020). https://www.blockchain.com/charts/fees-usd-per-transaction. Accessed 1 Apr 2020
Blockchain Explorer - Blockchain.com: Bitcoin - Median Confirmation Time (2020). https://www.blockchain.com/charts/median-confirmation-time. Accessed 1 Apr 2020
Bugzilla: Bugzilla #1311713 - Comodo: CA Comodo used broken OCR and issued certificates to the wrong people (2016). https://bugzilla.mozilla.org/show_bug.cgi?id=1311713. Accessed 19 Mar 2020
Bugzilla: Bugzilla #1619179 - Let’s Encrypt: Incomplete revocation for CAA rechecking bug (2020). https://bugzilla.mozilla.org/show_bug.cgi?id=1619179#c7. Accessed 18 Mar 2020
Callas, J. and PGP Corporation and Donnerhacke, L. and IKS GmbH and Finney, H. and PGP Corporation and Shaw, D. and Thayer, R.: OpenPGP Message Format. IETF RFC4880, November 2007. Accessed 24 Mar 2020
Chen, J., Yao, S., Yuan, Q., He, K., Ji, S., Du, R.: CertChain: public and efficient certificate audit based on blockchain for TLS connections. In: IEEE INFOCOM - IEEE Conference on Computer Communications, pp. 2060–2068. IEEE (2018)
Chung, T., et al.: Is the web ready for OCSP must-staple? In: Proceedings of the Internet Measurement Conference 2018, pp. 105–118 (2018)
Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., Polk, W.: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. IETF RFC5280, May 2008. Accessed 18 Mar 2020
Eastlake, D.: Transport Layer Security (TLS) Extensions: Extension Definitions. IETF RFC6066, January 2011. Accessed 18 March 2020
Etherscan.io: Ether Daily Price (USD) Chart (2020). https://etherscan.io/chart/etherprice. Accessed 31 Mar 2020
Etherscan.io: Ethereum Average Gas Price Chart (2020). https://etherscan.io/chart/gasprice. Accessed 31 Mar 2020
Fromknecht, C., Velicanu, D., Yakoubov, S.: A Decentralized Public Key Infrastructure with Identity Retention. IACR Cryptology ePrint Archive, p. 803 (2014)
Hallam-Baker, P.: X.509v3 Extension: OCSP Stapling Required - Draft-hallambaker-muststaple-00 (2012). https://tools.ietf.org/html/draft-hallambaker-muststaple-00. Accessed 18 Mar 2020
Hansen, R.J.: SKS Keyserver Network Under Attack (2019). https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f. Accessed 25 Mar 2020
Horst, H.A., Miller, D.: Digital Anthropology. A&C Black, London (2013)
Hu, Q., Asghar, M.R., Brownlee, N.: Checking certificate revocation efficiently using certificate revocation guard. J. Inf. Secur. Appl. 48, 102356 (2019)
ImperialViolet: Revocation Checking and Chrome’s CRL (2012). https://www.imperialviolet.org/2012/02/05/crlsets.html. Accessed 26 Mar 2020
Hoffman-Andrews, J.: Let’s Encrypt - 2020.02.29 CAA Rechecking Bug (2020). https://community.letsencrypt.org/t/2020-02-29-caa-rechecking-bug/114591. Accessed 18 Mar 2020
JamesLE: Let’s Encrypt - Revoking Certain Certificates on March 4 (2020). https://community.letsencrypt.org/t/revoking-certain-certificates-on-march-4/114864. Accessed 18 Mar 2020
J.C. Jones: CRLite: Speeding Up Secure Browsing (2020). https://blog.mozilla.org/security/2020/01/21/crlite-part-3-speeding-up-secure-browsing/. Accessed 19 Mar 2020
Khare, R., Rifkin, A.: Weaving a web of trust. World Wide Web J. 2(3), 77–112 (1997)
Klafter, R., Swanson, E.: Evil 32: Check Your GPG Fingerprints (2014). https://evil32.com/. Accessed 25 Mar 2020
Kocher, P.C.: On certificate revocation and validation. In: Hirchfeld, R. (ed.) FC 1998. LNCS, vol. 1465, pp. 172–177. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055481
Kubilay, M.Y., Kiraz, M.S., Mantar, H.A.: CertLedger: a new PKI model with certificate transparency based on blockchain. Comput. Secur. 85, 333–352 (2019)
Larisch, J., Choffnes, D., Levin, D., Maggs, B.M., Mislove, A., Wilson, C.: CRLite: a scalable system for pushing all TLS revocations to all browsers. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 539–556. IEEE (2017)
Leiding, B.: Link topological analysis of the PGP web of trust. Bachelor’s Thesis, University of Rostock, Rostock, Germany (2015)
Leiding, B., Cap, C.H., Mundt, T., Rashidibajgan, S.: Authcoin: validation and authentication in decentralized networks. In: The 10th Mediterranean Conference on Information Systems - MCIS 2016, Paphos, Cyprus, September 2016
Let’s Encrypt: Let’s Encrypt - Statistics (2020). https://letsencrypt.org/de/stats/. Accessed 06 Apr 2020
Song, L.: Signing an Ethereum Transaction the Hard Way (2018). https://lsongnotes.wordpress.com/2018/01/14/signing-an-ethereum-transaction-the-hard-way/. Accessed 06 Apr 2020
Liu, Y., et al.: An end-to-end measurement of certificate revocation in the web’s PKI. In: Proceedings of the 2015 Internet Measurement Conference, pp. 183–196. ACM (2015)
Nakamoto, S.: Bitcoin: A Peer-to-Peer Electronic Cash System (2008). https://bitcoin.org/bitcoin.pdf. Accessed 15 Mar 2020
Naor, M., Nissim, K.: Certificate revocation and certificate update. IEEE J. Sel. Areas Commun. 18(4), 561–570 (2000)
Perlman, R.: An overview of PKI trust models. IEEE Network 13(6), 38–43 (1999)
Pettersen, Y.: The Transport Layer Security (TLS) Multiple Certificate Status Request Extension. IETF RFC6961, June 2013. Accessed 22 March 2020
Prince, M.: The Hidden Costs of Heartbleed (2014). https://blog.cloudflare.com/the-hard-costs-of-heartbleed/. Accessed 1 Sept 2020
Ron, D., Shamir, A.: Quantitative analysis of the full bitcoin transaction graph. In: Sadeghi, A.R. (ed.) FC 2013. LNCS, vol. 7859, pp. 6–24. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39884-1_2
Santesson, S., Myers, M., Malpani, A., Galperin, S., Adams, C.: X. 509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP. IETF RFC6960, June 2013. Accessed 18 Mar 2020
Singh, H.J., Hafid, A.S.: Prediction of transaction confirmation time in Ethereum blockchain using machine learning. In: Prieto, J., Das, A., Ferretti, S., Pinto, A., Corchado, J. (eds.) BLOCKCHAIN 2019. AISC, vol. 1010, pp. 126–133. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-23813-1_16
Smith, T., Dickinson, L., Seamons, K.: Let’s revoke: scalable global certificate revocation. In: 27th Annual Network and Distributed System Security Symposium, NDSS 2020. The Internet Society (2020)
Su, K., Li, J., Fu, H.: Smart city and the applications. In: International Conference on Electronics, Communications and Control (ICECC), pp. 1028–1031. IEEE (2011)
Wood, G.: Ethereum Yellow Paper: A Secure Decentralized Generalised Transaction Ledger - BYZANTIUM VERSION 7e819ec - 2019–10-20 (2019). https://ethereum.github.io/yellowpaper/paper.pdf. Accessed 06 Apr 2020
Yakubov, A., Shbair, W., Wallbom, A., Sanda, D., et al.: A blockchain-based PKI management framework. In: The First IEEE/IFIP International Workshop on Managing and Managed by Blockchain (Man2Block) Colocated with IEEE/IFIP NOMS 2018, Tapei, Tawain 23–27 April 2018 (2018)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Garba, A., Bochem, A., Leiding, B. (2020). BlockVoke – Fast, Blockchain-Based Certificate Revocation for PKIs and the Web of Trust. In: Susilo, W., Deng, R.H., Guo, F., Li, Y., Intan, R. (eds) Information Security. ISC 2020. Lecture Notes in Computer Science(), vol 12472. Springer, Cham. https://doi.org/10.1007/978-3-030-62974-8_18
Download citation
DOI: https://doi.org/10.1007/978-3-030-62974-8_18
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-62973-1
Online ISBN: 978-3-030-62974-8
eBook Packages: Computer ScienceComputer Science (R0)