CertChain: Public And Efficient Certificate Audit Based On Blockchain For TLS Connections

Jing Chen Wuhan University, P.R. China
Shixiong Yao Wuhan University, P.R. China
Quan Yuan University of Texas-Permian Basin, USA
Kun He Wuhan University, P.R. China
Shouling Ji Zhejiang University, P.R. China & Georgia Institute of Technology, USA
Ruiying Du Wuhan University, P.R. China


In recent years, real-world attacks against PKI take place frequently. For example, malicious domains' certificates issued by compromised CAs are widespread, and revoked certificates are still trusted by clients. In spite of a lot of research to improve the security of SSL/TLS connections, there are still some problems unsolved. On one hand, although log-based schemes provided certificate audit service to quickly detect CAs' misbehavior, the security and data consistency of log servers are ignored. On the other hand, revoked certificates checking is neglected due to the incomplete, insecure and inefficient certificate revocation mechanisms. Further, existing revoked certificates checking schemes are centralized which would bring safety bottlenecks. In this paper, we propose a blockchain-based public and efficient audit scheme for TLS connections, which is called Certchain. Specially, we propose a dependability-rank based consensus protocol in our blockchain system and a new data structure to support certificate forward traceability. Furthermore , we present a method that utilizes dual counting bloom filter (DCBF) with eliminating false positives to achieve economic space and efficient query for certificate revocation checking. The security analysis and experimental results demonstrate that CertChain is suitable in practice with moderate overhead.

You may want to know: