A blockchain-based certificate revocation management and status verification system

From LRDE

Abstract

Revocation management is one of the main tasks of the Public Key Infrastructure (PKI). It is also critical to the security of any PKI. As a result of the increase in the number and sizes of networks, as well as the adoption of novel paradigms such as the Internet of Things and their usage of the web, current revocation mechanisms are vulnerable to single points of failure as network loads increase. To address this challenge, we take advantage of the blockchain's power and resiliency in order to propose an efficient decentralized certificate revocation management and status verification system. We use the extension field of the X509 certificate's structure to introduce a field that describes to which distribution point the certificate will belong if revoked. Each distribution point is represented by a Bloom filter filled with revoked certificates. Bloom filters and revocation information are stored in a public blockchain. We developed a real implementation of our proposed mechanism in Python and the Namecoin blockchain. Then, we conducted an extensive evaluation of our scheme using performance metrics such as execution time and data consumption to demonstrate that it can meet the required needs with high efficiency and low cost. Moreover, we compare the performance of our approach with two of the most well-known and widely used revocation techniques, the Online Certificate Status Protocol (OCSP) and the Certificate Revocation List (CRL). The results obtained show that our proposed approach outperforms these current schemes.
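The abstract's mechanism (a per-certificate distribution point recorded at issuance, one Bloom filter of revoked serials per distribution point, and a verifier that only consults the filter its certificate names) as an added Python example that is not the paper's implementation: the assignment rule, the filter parameters and the serial numbers are constructed assumptions, and the blockchain storage is stood in for by in-memory structures.

```python
import hashlib

class BloomFilter:
    """Bit-array Bloom filter: a miss is definitive, a hit may be a false positive."""
    def __init__(self, m_bits: int, k_hashes: int):
        self.m, self.k = m_bits, k_hashes
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, item: str):
        # Kirsch-Mitzenmacher double hashing derived from one SHA-256 digest
        d = hashlib.sha256(item.encode()).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: str) -> None:
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, item: str) -> bool:
        return all((self.bits[p // 8] >> (p % 8)) & 1 for p in self._positions(item))

def distribution_point_for(serial_hex: str, n_points: int) -> int:
    """Assumed rule for the value the CA writes into the certificate extension."""
    return int(hashlib.sha256(serial_hex.encode()).hexdigest(), 16) % n_points

def check_status(serial_hex: str, dp_id: int, filters, revoked_records) -> str:
    """Verifier: fetch only the filter named by the certificate's extension.
    A miss needs no further lookup; a hit is confirmed against the revocation
    record so that a Bloom false positive is never reported as a revocation."""
    if serial_hex not in filters[dp_id]:
        return "good"
    return "revoked" if serial_hex in revoked_records else "good (filter false positive)"

def build_demo(n_points: int = 4):
    """Constructed sample data standing in for CA records and on-chain content."""
    issued = [f"{s:016x}" for s in range(1, 41)]            # 40 constructed serials
    revoked = {issued[3], issued[17], issued[29]}            # three of them revoked
    filters = {dp: BloomFilter(m_bits=256, k_hashes=4) for dp in range(n_points)}
    for s in revoked:                                       # publish revocations
        filters[distribution_point_for(s, n_points)].add(s)
    return issued, revoked, filters

if __name__ == "__main__":
    issued, revoked, filters = build_demo()
    for s in issued[:6] + sorted(revoked):
        print(s, check_status(s, distribution_point_for(s, 4), filters, revoked))
```

A verifier downloads one filter instead of a whole CRL, and the confirming lookup is only paid on a filter hit, which is the cost trade-off the abstract's evaluation measures.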


Bibtex (lrde.bib)

@Article{	  christian.21.cs,
  title		= {A blockchain-based certificate revocation management and
		  status verification system},
  journal	= {Computers \& Security},
  volume	= {104},
  pages		= {102209},
  year		= {2021},
  issn		= {0167-4048},
  doi		= {https://doi.org/10.1016/j.cose.2021.102209},
  url		= {https://www.sciencedirect.com/science/article/pii/S016740482100033X},
  author	= {Yves Christian {Elloh Adja} and Badis Hammi and Ahmed
		  Serhrouchni and Sherali Zeadally},
  keywords	= {Authentication, Blockchain, Bloom filter, Certificate,
		  Revocation, Decentralization, PKI, Security, X509},
  abstract	= {Revocation management is one of the main tasks of the
		  Public Key Infrastructure (PKI). It is also critical to the
		  security of any PKI. As a result of the increase in the
		  number and sizes of networks as well as the adoption of
		  novel paradigms such as the Internet of Things and their
		  usage of the web, current revocation mechanisms are
		  vulnerable to single point of failures as the network loads
		  increase. To address this challenge, we take advantage of
		  blockchains power and resiliency in order to propose an
		  efficient decentralized certificates revocation management
		  and status verification system. We use the extension field
		  of the X509 certificate's structure to introduce a field
		  that describes to which distribution point the certificate
		  will belong to if revoked. Each distribution point is
		  represented by a Bloom filter filled with revoked
		  certificates. Bloom filters and revocation information are
		  stored in a public blockchain. We developed a real
		  implementation of our proposed mechanism in Python and the
		  Namecoin blockchain. Then, we conducted an extensive
		  evaluation of our scheme using performance metrics such as
		  execution time and data consumption to demonstrate that it
		  can meet the needed requirements with high efficiency and
		  low cost. Moreover, we compare the performance of our
		  approach with two of the most well-known/used revocation
		  techniques which are Online Certificate Status Protocol
		  (OCSP) and Certificate Revocation List (CRL). The results
		  obtained show that our proposed approach outperforms these
		  current schemes.}
}