CertLedger: A New PKI Model with Certi cate Transparency Based on Blockchain

Abstract

In conventional PKI, CAs are assumed to be fully trusted. However, in practice, CAs' absolute responsibility for providing trustworthiness caused major security and privacy issues. To prevent such issues, Google introduced the concept of Certi cate Transparency (CT) in 2013. Later, several new PKI models are proposed to reduce the level of trust to the CAs. However, all of these proposals are still vulnerable to split-world attacks if the adversary is capable of showing different views of the log to the targeted victims. In this paper, we propose a new PKI architecture with certi cate transparency based on blockchain, what we called CertLedger, to eliminate the split-world attacks and to provide certi cate/revocation transparency. All TLS certi cates' validation, storage, and entire revocation process is conducted in CertLedger as well as Trusted CA certi cate management. During a TLS connection, TLS clients get an efficient proof of existence of the certi cate directly from its domain owners. Hence, privacy is now perfectly preserved by eliminating the traceability issue via OCSP servers. It also provides a unique, efficient, and trustworthy certi cate validation process eliminating the conventional inadequate and incompatible certi cate validation processes implemented by different software vendors. TLS clients in CertLedger also do not require to make certi cate validation and store the trusted CA certi cates anymore. We analyze the security and performance of CertLedger and provide a comparison with the previous proposals. Finally, we implement its protoype on Ethereum to demonstrate experimental results. The results show that the performance of the TLS handshake and certi cate validation through CertLedger is signi cantly improved compared to the current TLS protocol.