A blockchain-based certificate revocation management and status verification system
From LRDE
- Authors: Yves Christian Elloh Adja, Badis Hammi, Ahmed Serhrouchni, Sherali Zeadally
- Journal: Computers & Security
- Type: article
- Date: 2021-01-01
Abstract
Revocation management is one of the main tasks of the Public Key Infrastructure (PKI). It is also critical to the security of any PKI. As a result of the increase in the number and sizes of networks, as well as the adoption of novel paradigms such as the Internet of Things and their usage of the web, current revocation mechanisms are vulnerable to single points of failure as network loads increase. To address this challenge, we take advantage of the power and resiliency of blockchains in order to propose an efficient decentralized certificate revocation management and status verification system. We use the extension field of the X509 certificate structure to introduce a field that describes which distribution point the certificate will belong to if revoked. Each distribution point is represented by a Bloom filter filled with revoked certificates. Bloom filters and revocation information are stored in a public blockchain. We developed a real implementation of our proposed mechanism in Python and the Namecoin blockchain. Then, we conducted an extensive evaluation of our scheme using performance metrics such as execution time and data consumption to demonstrate that it can meet the needed requirements with high efficiency and low cost. Moreover, we compare the performance of our approach with two of the most well-known/used revocation techniques, which are Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL). The results obtained show that our proposed approach outperforms these current schemes.
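The mechanism sketched in the abstract (a per-distribution-point Bloom filter of revoked certificates, backed by the full revocation records) can be illustrated with the following added example. It is not the authors' Python/Namecoin implementation: the class names `BloomFilter`, `Certificate` and `RevocationLedger` are assumptions, the ledger is an in-memory stand-in for the on-chain store, and the sizing formulas are the standard ones for a Bloom filter with n items and target false-positive rate p. The check order matters for correctness: a filter miss is definitive (no false negatives), while a filter hit is only "maybe revoked" and is confirmed against the revocation records before a certificate is treated as revoked.

```python
import hashlib
import math
from dataclasses import dataclass


class BloomFilter:
    """m-bit array with k salted SHA-256 positions; no false negatives,
    but a membership hit can be a false positive."""

    def __init__(self, capacity: int, fp_rate: float) -> None:
        # Standard sizing: m = -n ln p / (ln 2)^2 bits, k = (m/n) ln 2 hashes.
        self.m = math.ceil(-capacity * math.log(fp_rate) / (math.log(2) ** 2))
        self.k = math.ceil(self.m / capacity * math.log(2))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: str):
        # k deterministic positions: hash index i is mixed into the input as a salt.
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item: str) -> None:
        for pos in self._positions(item):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def might_contain(self, item: str) -> bool:
        return all(self.bits[pos // 8] & (1 << (pos % 8)) for pos in self._positions(item))


@dataclass(frozen=True)
class Certificate:
    serial: str
    # Hypothetical stand-in for the X.509 extension naming the certificate's
    # distribution point (the field the abstract describes).
    distribution_point: str


class RevocationLedger:
    """In-memory stand-in (assumption) for the public-blockchain store: one
    Bloom filter per distribution point plus the authoritative records."""

    def __init__(self, capacity: int = 1000, fp_rate: float = 0.01) -> None:
        self.capacity = capacity
        self.fp_rate = fp_rate
        self.filters: dict[str, BloomFilter] = {}
        self.records: dict[tuple[str, str], str] = {}  # (dp, serial) -> reason

    def revoke(self, cert: Certificate, reason: str) -> None:
        bf = self.filters.setdefault(
            cert.distribution_point, BloomFilter(self.capacity, self.fp_rate)
        )
        bf.add(cert.serial)
        self.records[(cert.distribution_point, cert.serial)] = reason

    def filter_hit(self, cert: Certificate) -> bool:
        # The cheap check a relying party can do with only the small filter.
        bf = self.filters.get(cert.distribution_point)
        return bf is not None and bf.might_contain(cert.serial)

    def status(self, cert: Certificate) -> str:
        if not self.filter_hit(cert):
            return "good"  # miss is definitive: Bloom filters have no false negatives
        if (cert.distribution_point, cert.serial) in self.records:
            return "revoked"
        return "good"  # filter false positive, disproved by the revocation records


if __name__ == "__main__":
    # Constructed sample data: two distribution points, one revoked serial.
    ledger = RevocationLedger()
    revoked = Certificate("0A1B2C", "dp-eu-2021")
    ledger.revoke(revoked, "keyCompromise")
    for cert in (revoked, Certificate("0A1B2D", "dp-eu-2021"), Certificate("FFFF01", "dp-us-2021")):
        print(cert.serial, cert.distribution_point, ledger.status(cert))
```

The value of the split is bandwidth: a relying party only needs the filter for the distribution point named in the certificate it is validating, and only consults the larger revocation records when that filter reports a hit; how much that saves against OCSP and CRL is exactly what the paper measures.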
Bibtex (lrde.bib)
@Article{christian.21.cs,
  title    = {A blockchain-based certificate revocation management and status verification system},
  journal  = {Computers \& Security},
  volume   = {104},
  pages    = {102209},
  year     = {2021},
  issn     = {0167-4048},
  doi      = {https://doi.org/10.1016/j.cose.2021.102209},
  url      = {https://www.sciencedirect.com/science/article/pii/S016740482100033X},
  author   = {Yves Christian {Elloh Adja} and Badis Hammi and Ahmed Serhrouchni and Sherali Zeadally},
  keywords = {Authentication, Blockchain, Bloom filter, Certificate, Revocation, Decentralization, PKI, Security, X509},
  abstract = {Revocation management is one of the main tasks of the Public Key Infrastructure (PKI). It is also critical to the security of any PKI. As a result of the increase in the number and sizes of networks, as well as the adoption of novel paradigms such as the Internet of Things and their usage of the web, current revocation mechanisms are vulnerable to single points of failure as network loads increase. To address this challenge, we take advantage of the power and resiliency of blockchains in order to propose an efficient decentralized certificate revocation management and status verification system. We use the extension field of the X509 certificate structure to introduce a field that describes which distribution point the certificate will belong to if revoked. Each distribution point is represented by a Bloom filter filled with revoked certificates. Bloom filters and revocation information are stored in a public blockchain. We developed a real implementation of our proposed mechanism in Python and the Namecoin blockchain. Then, we conducted an extensive evaluation of our scheme using performance metrics such as execution time and data consumption to demonstrate that it can meet the needed requirements with high efficiency and low cost. Moreover, we compare the performance of our approach with two of the most well-known/used revocation techniques, which are Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL). The results obtained show that our proposed approach outperforms these current schemes.}
}