PKI Decentralization: Proposed Approaches to Security Improvement

In this article, we will once again dive deeper into the problems of the current system and consider the solutions being developed that can overcome existing shortcomings.

Current Challenges of Public Key Infrastructure

The most commonly employed approach to public key infrastructure (PKI) is the Web PKI, a certificate-authority-based system that adopts a centralized trust infrastructure. The task that a PKI solves is to secure the binding between a subject's identifier and its public key. That binding must be checked to verify the authenticity of the party with whom a secure connection is being established, so the most important task is to establish the correspondence between the identity (identification data) and the user's public key. This problem is solved using a public key certificate: an electronic document used to prove ownership of a public key. The certificate contains the public key and user credentials, as well as the electronic signature of the trusted party that verifies the user. To ensure the integrity and authenticity of the certificate, it is signed by a trusted party, a certification authority.

Centralized Web PKI solutions have a number of acute problems:

  1. There are some challenges associated with quick notification of key compromise, since the formation and distribution of the list of revoked certificates can take from several minutes to an hour. As a result, there is no 100% guarantee that this key belongs to a specific user at the current time.

  2. If the certificate is verified online (by request to the certification authority), then the user’s privacy is violated, since the certification authority will know the entire history of user interaction.

  3. It is difficult to detect the presence of certificates of unwanted root certification authorities. Where such a certificate is present, hardware can be installed on the path of encrypted traffic between the client and the server, which decrypts all the data unnoticed by the client and server.

  4. Several certificates can be issued for the same name, i.e. the same identifier can be certified at different root centers.

  5. The certificate renewal process is complicated, because you need to contact the registration center once again, change data, regenerate the certificate and certify it with a certification authority.

  6. There are different standards for electronic signatures; as a result, algorithms have to be selected and users suffer from compatibility problems.

  7. The center of the system is always an attack point, and compromising the root certificate will expose the entire system to a bunch of vulnerabilities.

  8. Identifier management is in the hands of a centralized organization, and does not belong to the identifier owner himself.

As we can see, public key infrastructure is in desperate need of an overhaul to eliminate the security holes that threaten an otherwise sound means of securing enterprise systems. The Internet Engineering Task Force (IETF), which is responsible for the Web PKI, has itself created a memo describing current PKI issues and agreeing that the current implementation of the Web PKI has problems that shouldn’t be ignored. The out-of-date PKI design poses high security risks because a single point of failure can be used to open any encrypted online communication. Centralized PKI systems are struggling to keep up with the evolving digital landscape, and there is a need for a better-designed, decentralized approach to PKI.

Decentralization Comes to the Rescue

In decentralized PKI, blockchain acts as a decentralized key-value storage. It is capable of securing the data read to prevent MITM (Man-In-The-Middle) attacks, and to minimize the power of third parties. By bringing the power of blockchain technology to the systems, DPKI resolves the issues with traditional PKI systems. The decentralized nature of the management framework can tackle the problems with the CA systems through certificate revocation, eliminating single points of failure, and reacting fast to misuses of CAs. Blockchain is able to make the process transparent, immutable, and prevent attackers from breaking in, thus effectively avoiding the MITM attacks.

Blockchain-based solutions do not require any specialized standards to operate with data on the blockchain – they only require software that allows them to interact with the chain. This enables IT systems to verify certificates with APIs for interaction with the blockchain and ensures interoperability with all platforms (server, desktop or mobile). Further advantages of blockchain in the context of PKI include the following:

  • Transparency.

    All participants on the blockchain will have access to the logic of the smart contract, providing transparency as to what is being agreed in the digital contract. Transactions are also recorded to provide a clear audit trail.

  • Resource reduction.

    With blockchain and smart contracts acting as middlemen or agents, resources and time taken for transactions can be reduced. This is especially so in the case of smart contracts in which predefined conditions are agreed upon, and a self-executing process takes place once these conditions are met.

  • Eliminating errors.

    With all nodes on the network processing transactions individually, updating and reconciling the records, errors in calculations can be avoided.

  • Integrity.

    Records are reconciled against each other to ensure that no unauthorized changes are being made.

  • Durability.

    As records are not controlled by particular nodes alone, there is no single point of failure in the entire blockchain network. This makes a blockchain network more durable and robust.

  • Improved fault-tolerance and DDoS resistance.

    One of the features blockchain offers is mitigation of the risk of distributed denial-of-service (DDoS) attacks. This is done by spreading the throughput pressure among all the nodes in the network. An app developer who uses the blockchain approach is able to host an independent node to serve their users or, depending on the case, just use any publicly available node.

Approaches to Blockchain-Based PKI

At the moment, there are several approaches to solving the problems outlined above, as follows:

  • Decentralized Public Key Infrastructure (DPKI) Based on Transaction Binding Technology, by Andrey Chmora, Technology and Innovations Director at ENCRY.

    Andrey Chmora suggested a new approach to building a PKI that eliminates the existing disadvantages by using distributed ledger (blockchain) technology. The patented technology described in one of our previous articles proposes a way to verify that particular sets of public keys really belong to particular owners without the need for certification centers or the concept of a certificate as a whole. It is proposed to create a null transaction in order to store the information about the owner and his e-wallet (from which a commission fee for adding a transaction to the ledger is debited). A null transaction serves as an "anchor" for hooking up the next transactions along with the data about public keys. Each transaction of this type contains a specialized data structure called a "notification": a structured data set of functional fields that stores information about the owner's public key and guarantees persistence of this key by adding it to one of the related records in the distributed ledger.

  • IKP (Instant Karma PKI): Turning a PKI Around with Blockchain, by Stephanos Matsumoto of Carnegie Mellon University and Raphael Reischuk of ETH Zurich.

    The researchers argue that log-based PKI enhancements such as Certificate Transparency do not offer sufficient incentives to logs and monitors, and do not offer any actions that domains can take in response to CA misbehavior. To address this problem, they propose IKP, a blockchain-based PKI enhancement that offers automatic responses to CA misbehavior and incentives for those who help detect misbehavior. Through their research they demonstrate that IKP's decentralized nature and smart contract system allows open participation, offers incentives for vigilance over CAs, enables financial recourse against misbehavior, and that the incentives and increased deterrence offered by IKP are technically and economically viable.

  • Decentralized Public Key Infrastructure (DPKI), sponsored by Respect Network, PWC, Open Identity Exchange, and Alacrity Software.

    The research group argues that the security and usability problems of PKI can be addressed through the use of decentralized key-value datastores to create a specification for a Decentralized Public Key Infrastructure (DPKI). The foundational precept of DPKI is that identities belong to the entities they represent. That requires designing a decentralized infrastructure where every identity is controlled not by a trusted third party, but by its principal owner. The research has demonstrated that DPKI works even on resource-constrained mobile devices, and that it is able to preserve the integrity of identifiers by protecting organizations from private key loss or compromise. DPKI has advantages at each stage of the PKI life cycle. It makes permission-less bootstrapping of online identities possible and provides for the simple creation of stronger SSL certificates.

  • Backing Rich Credentials with a Blockchain PKI, by Karen Lewison and Francisco Corella.

    The investigators are addressing the problem of remote identity proofing. While their approach of implementing PKI on a blockchain with on-chain storage requires the presence of an issuing CA, it comes with many advantages. Revocation checking is performed on the verifier’s local copy of the blockchain without requiring CRLs or OCSP. This proposal solves a longstanding problem of traditional PKIs by not requiring the use of a service that issues certificate revocation lists (CRLs) or responds to online certificate status protocol (OCSP) queries.

  • PB-PKI: a Privacy-Aware Blockchain-Based PKI, by Louise Axon and Michael Goldsmith, University of Oxford.

    The researchers argue that existing proposals do not provide the privacy awareness that is required of PKI in certain present and emerging applications. Their research aimed to demonstrate how a blockchain-based PKI can be constructed to provide varying levels of privacy awareness. Although the proposal achieves total anonymity, this comes at some security cost: network members may tamper in the short term with the public keys of others. The security of PB-PKI can be improved by achieving a slightly lower level of privacy through attestation by neighbor groups, who verify key changes at updates.

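The local revocation check described in the Lewison and Corella item above, sketched as an added example (not code from the article or from any of the cited projects). It assumes a simplified hash-chained ledger of issue/revoke records; the record fields, `ExampleCA` and the `trusted_head` value obtained from consensus are hypothetical, and authenticating who may write records is left to the chain.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed placeholder for the first block's predecessor

def fingerprint(cert_bytes):
    return hashlib.sha256(cert_bytes).hexdigest()

def block_hash(prev, record):
    body = prev + json.dumps(record, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def append(chain, record):
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "record": record, "hash": block_hash(prev, record)})

def chain_is_intact(chain, trusted_head):
    """Recompute every link, then compare the tip with the head known from consensus."""
    prev = GENESIS
    for block in chain:
        if block["prev"] != prev or block["hash"] != block_hash(prev, block["record"]):
            return False
        prev = block["hash"]
    return prev == trusted_head  # a truncated (stale) copy fails here

def cert_status(chain, trusted_head, cert_bytes):
    """Return 'valid', 'revoked', 'unknown' or 'untrusted-ledger' from local data only."""
    if not chain_is_intact(chain, trusted_head):
        return "untrusted-ledger"
    fp, issuer, status = fingerprint(cert_bytes), None, "unknown"
    for rec in (b["record"] for b in chain if b["record"]["fp"] == fp):
        if rec["op"] == "issue" and issuer is None:
            issuer, status = rec["ca"], "valid"
        elif rec["op"] == "revoke" and rec["ca"] == issuer:
            status = "revoked"  # only the issuing CA's revocation counts
    return status

def demo():
    # Constructed sample data: two certificates and three ledger records.
    cert_a, cert_b = b"constructed-cert-A", b"constructed-cert-B"
    chain = []
    for op, cert in (("issue", cert_a), ("issue", cert_b), ("revoke", cert_a)):
        append(chain, {"op": op, "ca": "ExampleCA", "fp": fingerprint(cert)})
    head = chain[-1]["hash"]
    stale = chain[:2]  # a local copy that has not yet seen the revocation
    return [cert_status(c, head, x) for c, x in
            ((chain, cert_a), (chain, cert_b), (stale, cert_a), (chain, b"never-issued"))]
```

The stale-copy case shows the limit of the approach: no CRL or OCSP query is needed, but the answer is only as current as the verifier's copy of the chain.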

Conclusion

The age of PKI controlled by certificate authorities is coming to an end. The evolving needs of enterprises, their increased connectivity, and the enhanced capabilities of ever more sophisticated attackers have necessitated a transition to a more resilient alternative. That alternative resides on the blockchain, where many of the fundamental weaknesses of traditional PKI do not apply. Blockchain is not a security panacea, but in the context of PKI, there are compelling benefits to be had from utilizing a decentralized environment.

Translated from: https://habr.com/en/company/encry/blog/473548/
