
BlockVoke – Fast, Blockchain-Based Certificate Revocation for PKIs and the Web of Trust

  • Conference paper
  • Published in: Information Security (ISC 2020)

Abstract

A reliable certificate revocation mechanism is crucial, as illustrated by the recent revocation of 1.7 million certificates issued by the Let’s Encrypt certificate authority. It is just as essential to deliver revocation information to users efficiently and in a timely manner without impacting their privacy. Existing approaches such as Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) each fall short on at least one of these criteria, while approaches that try to address both, such as OCSP Stapling and Must-Staple, suffer from soft-failure modes and meager adoption rates. To address these issues, we propose the BlockVoke scheme, which decentralizes revocation, allowing certificate owners as well as CAs to revoke certificates, and distributes revocation information rapidly. Our approach furthermore allows the revocation of CA root certificates, which is not possible with traditional approaches. The use of a blockchain as an underlying layer ensures the continued availability and immutability of revocation information. BlockVoke interacts favorably with approaches such as CRLite and Certificate Revocation Vectors (CRVs), allowing organizations to update revocation filters with as little delay as their security policies require. We also demonstrate the cost-efficiency of our approach in comparison to other approaches such as CRLs, showing its high feasibility.
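The property the abstract hinges on is that a revocation is authoritative when it is signed by either of two parties, the certificate's own key (owner-initiated) or the issuer's key (CA-initiated), and that the same rule lets a self-signed root revoke itself. The following is an added example written for this page; it is not code from the paper or from the BlockVoke authors. It models a ledger entry as a constructed struct (certificate fingerprint, timestamp, a flag naming which party signed, and an ECDSA signature), builds a throwaway root CA and leaf with Go's standard `crypto/x509`, and checks four cases: owner revocation, CA revocation, a third party posing as the CA, and the root revoking itself. The entry layout, the names `Revoke`, `Verify` and `Demo`, and the certificates themselves are all assumptions for illustration; the blockchain that would carry the entries is left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Revocation is one ledger entry. The layout is a constructed illustration,
// not the BlockVoke transaction format.
type Revocation struct {
	Fingerprint [32]byte // SHA-256 over the certificate's DER encoding
	Timestamp   int64    // Unix seconds at which the revocation was issued
	ByIssuer    bool     // true: signed by the issuing CA; false: by the certificate's own key
	Signature   []byte   // ECDSA ASN.1 signature over body()
}

// body is the byte string that gets signed: fingerprint || timestamp || flag.
func (r *Revocation) body() []byte {
	b := append([]byte{}, r.Fingerprint[:]...)
	b = append(b, make([]byte, 8)...)
	binary.BigEndian.PutUint64(b[32:], uint64(r.Timestamp))
	if r.ByIssuer {
		return append(b, 1)
	}
	return append(b, 0)
}

func Fingerprint(cert *x509.Certificate) [32]byte { return sha256.Sum256(cert.Raw) }

// Revoke signs a revocation for cert with key; byIssuer states whether key is the
// issuer's (CA-initiated) or the certificate's own (owner-initiated).
func Revoke(cert *x509.Certificate, key *ecdsa.PrivateKey, byIssuer bool, now time.Time) (Revocation, error) {
	r := Revocation{Fingerprint: Fingerprint(cert), Timestamp: now.Unix(), ByIssuer: byIssuer}
	d := sha256.Sum256(r.body())
	sig, err := ecdsa.SignASN1(rand.Reader, key, d[:])
	r.Signature = sig
	return r, err
}

// Verify accepts a revocation only if it names cert and is signed by one of the two
// parties allowed to revoke it: the certificate's own key or its issuer's key.
// For a self-signed root, pass the root as both cert and issuer.
func Verify(r Revocation, cert, issuer *x509.Certificate) error {
	if r.Fingerprint != Fingerprint(cert) {
		return errors.New("revocation does not name this certificate")
	}
	signer := cert
	if r.ByIssuer {
		signer = issuer
	}
	pub, ok := signer.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unsupported key type")
	}
	d := sha256.Sum256(r.body())
	if !ecdsa.VerifyASN1(pub, d[:], r.Signature) {
		return errors.New("signature is from neither the certificate owner nor its issuer")
	}
	return nil
}

// newCert issues a certificate from tmpl signed by signer (self-signed when parent == tmpl).
func newCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// DemoResult records which revocations the verifier accepted in Demo.
type DemoResult struct{ OwnerOK, CAOK, RootOK, StrangerRejected bool }

// Demo builds a constructed root CA and leaf, then exercises the cases a verifier of
// owner-or-CA revocations must distinguish, plus a root revoking itself.
func Demo() (DemoResult, error) {
	var res DemoResult
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	strangerKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // unrelated key
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root CA"},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca, err := newCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return res, err
	}
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "leaf.example.test"},
		NotBefore: now, NotAfter: now.Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	leaf, err := newCert(leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return res, err
	}
	byOwner, _ := Revoke(leaf, leafKey, false, now)
	byCA, _ := Revoke(leaf, caKey, true, now)
	byStranger, _ := Revoke(leaf, strangerKey, true, now) // claims to be the CA
	rootSelf, _ := Revoke(ca, caKey, false, now)
	res.OwnerOK = Verify(byOwner, leaf, ca) == nil
	res.CAOK = Verify(byCA, leaf, ca) == nil
	res.StrangerRejected = Verify(byStranger, leaf, ca) != nil
	res.RootOK = Verify(rootSelf, ca, ca) == nil
	return res, nil
}

func main() {
	res, err := Demo()
	fmt.Printf("%+v err=%v\n", res, err)
}
```

The check in `Verify` is deliberately keyed on the public key already bound to the certificate (or its issuer), so a revocation cannot be forged by anyone who merely knows the fingerprint; a verifier that instead trusted a key carried inside the entry would accept the "stranger" case. The `ByIssuer` flag is part of the signed body so it cannot be flipped after signing.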



Corresponding author

Correspondence to Arne Bochem.


Copyright information

© 2020 Springer Nature Switzerland AG


Cite this paper

Garba, A., Bochem, A., Leiding, B. (2020). BlockVoke – Fast, Blockchain-Based Certificate Revocation for PKIs and the Web of Trust. In: Susilo, W., Deng, R.H., Guo, F., Li, Y., Intan, R. (eds) Information Security. ISC 2020. Lecture Notes in Computer Science(), vol 12472. Springer, Cham. https://doi.org/10.1007/978-3-030-62974-8_18


  • DOI: https://doi.org/10.1007/978-3-030-62974-8_18


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-62973-1

  • Online ISBN: 978-3-030-62974-8
