Conifer: Centrally-Managed PKI with Blockchain-Rooted Trust

Title: Conifer: Centrally-Managed PKI with Blockchain-Rooted Trust
Publication Type: Conference Paper
Year of Publication: 2018
Authors: Dong, Yuhao; Kim, Woojung; Boutaba, Raouf
Conference Name: 2018 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData)
Keywords: active attackers, bitcoin, blockchain, blockchain-agnostic way, blockchain-rooted trust, blockchains, central trusted parties, centralized transparency, centrally-managed PKI, Conifer, CONIKS, cryptographic identities, data structures, domain names, Flexibility, highly decentralized trust, Human Behavior, insecure networks, Internet, Metrics, Monitoring, PKI Trust Models, pubcrawl, Public key, public key cryptography, public keys, Resiliency, Scalability, secure communications, secure distributed ledger, secure naming systems, security guarantees, traditional centralized PKIs, traditional centralized-trust systems, trustworthy binding, user-facing names
Abstract: Secure naming systems, or more narrowly public key infrastructures (PKIs), form the basis of secure communications over insecure networks. All security guarantees against active attackers come from a trustworthy binding between user-facing names, such as domain names, and cryptographic identities, such as public keys. By offering a secure, distributed ledger with highly decentralized trust, blockchains such as Bitcoin show promise as the root of trust for naming systems with no central trusted parties. PKIs based upon blockchains, such as Namecoin and Blockstack, have greatly improved security and resilience compared to traditional centralized PKIs. Yet blockchain PKIs tend to significantly sacrifice scalability and flexibility in pursuit of decentralization, hindering large-scale deployability on the Internet. We propose Conifer, a novel PKI with an architecture based upon CONIKS, a centralized transparency-based PKI, and Catena, a blockchain-agnostic way of embedding a permissioned log, but with a different lookup strategy. In doing so, Conifer achieves decentralized trust with security at least as strong as existing blockchain-based naming systems, yet without sacrificing the flexibility and performance typically found in centralized PKIs. We also present our reference implementation of Conifer, demonstrating how it can easily be integrated into applications. Finally, we use experiments to evaluate the performance of Conifer compared with other naming systems, both centralized and blockchain-based, demonstrating that it incurs only a modest overhead compared to traditional centralized-trust systems while being far more scalable and performant than purely blockchain-based solutions.
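The abstract combines two ideas: a centrally operated, CONIKS-style transparency log that maps names to public keys and answers lookups with Merkle inclusion proofs, and a Catena-style embedding of that log's roots in a blockchain so the operator cannot show different clients different trees. The following Python is an added illustration of that combination, not Conifer's reference implementation and not code from the paper or its authors. It assumes, as simplifications the page does not state, a sorted-leaf Merkle tree instead of CONIKS's Merkle prefix tree, a local hash chain (`Ledger`) standing in for the blockchain, and constructed names and keys; Conifer's own lookup strategy, which the abstract mentions but does not describe, is not reproduced.

```python
"""Transparency-log PKI with ledger-anchored roots (added example, not Conifer's code).
Assumptions not from the paper: sorted-leaf Merkle tree (not CONIKS's prefix tree),
a local hash chain in place of a blockchain, constructed names and keys."""
import hashlib
from typing import Dict, List, Tuple

Proof = List[Tuple[bytes, bool]]            # (sibling hash, sibling is on the left)
Response = Tuple[bytes, Proof, int, bytes]  # (pubkey, proof, ledger seq, claimed root)

def sha256(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def leaf_hash(name: str, pubkey: bytes) -> bytes:
    # Domain-separated and length-prefixed so ("ab", "c") and ("a", "bc") differ.
    n = name.encode()
    return sha256(b"\x00", len(n).to_bytes(2, "big"), n,
                  len(pubkey).to_bytes(2, "big"), pubkey)

def node_hash(left: bytes, right: bytes) -> bytes:
    return sha256(b"\x01", left, right)

class Directory:
    """Name-to-key directory published as a Merkle tree over name-sorted leaves."""
    def __init__(self) -> None:
        self.entries: Dict[str, bytes] = {}

    def register(self, name: str, pubkey: bytes) -> None:
        self.entries[name] = pubkey

    def _levels(self) -> List[List[bytes]]:
        level = [leaf_hash(n, self.entries[n]) for n in sorted(self.entries)]
        levels = [level]
        while len(level) > 1:
            if len(level) % 2:                  # odd level: duplicate the last node
                level = level + [level[-1]]
            level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
            levels.append(level)
        return levels

    def root(self) -> bytes:
        return self._levels()[-1][0]

    def proof(self, name: str) -> Proof:
        """Inclusion proof for `name`: sibling hashes from the leaf up to the root."""
        idx = sorted(self.entries).index(name)
        path: Proof = []
        for level in self._levels()[:-1]:
            if len(level) % 2:
                level = level + [level[-1]]
            sib = idx ^ 1
            path.append((level[sib], sib < idx))
            idx //= 2
        return path

def verify_inclusion(name: str, pubkey: bytes, proof: Proof, root: bytes) -> bool:
    node = leaf_hash(name, pubkey)
    for sibling, sibling_is_left in proof:
        node = node_hash(sibling, node) if sibling_is_left else node_hash(node, sibling)
    return node == root

class Ledger:
    """Stand-in for the blockchain: an append-only hash chain of committed roots."""
    GENESIS = b"\x00" * 32

    def __init__(self) -> None:
        self.blocks: List[Tuple[int, bytes, bytes]] = []  # (seq, prev block hash, root)

    def block_hash(self, seq: int) -> bytes:
        s, prev, root = self.blocks[seq]
        return sha256(s.to_bytes(8, "big"), prev, root)

    def commit(self, root: bytes) -> int:
        prev = self.block_hash(len(self.blocks) - 1) if self.blocks else self.GENESIS
        self.blocks.append((len(self.blocks), prev, root))
        return len(self.blocks) - 1

    def root_at(self, seq: int) -> bytes:
        return self.blocks[seq][2]

    def is_consistent(self) -> bool:
        expected_prev = self.GENESIS
        for seq, prev, _ in self.blocks:
            if prev != expected_prev:
                return False
            expected_prev = self.block_hash(seq)
        return True

def client_lookup(name: str, response: Response, ledger: Ledger) -> bool:
    """Accept a key only if its proof verifies against a root the ledger committed."""
    pubkey, proof, seq, claimed_root = response
    if not ledger.is_consistent() or seq >= len(ledger.blocks):
        return False
    if ledger.root_at(seq) != claimed_root:     # operator showed this client another tree
        return False
    return verify_inclusion(name, pubkey, proof, claimed_root)

def demo() -> Dict[str, bool]:
    """Constructed scenario: one honest answer and two forged answers for bob.example."""
    directory, ledger = Directory(), Ledger()
    for name, key in [("alice.example", b"pk-alice"), ("bob.example", b"pk-bob"),
                      ("carol.example", b"pk-carol")]:
        directory.register(name, key)
    seq = ledger.commit(directory.root())
    honest: Response = (b"pk-bob", directory.proof("bob.example"), seq, directory.root())
    # Equivocation: a shadow tree with a swapped key has a valid proof but an uncommitted root.
    shadow = Directory()
    shadow.entries = {**directory.entries, "bob.example": b"pk-mallory"}
    equivocated: Response = (b"pk-mallory", shadow.proof("bob.example"), seq, shadow.root())
    # Forged key under the real root: the proof no longer recomputes to that root.
    forged: Response = (b"pk-mallory", directory.proof("bob.example"), seq, directory.root())
    return {"honest": client_lookup("bob.example", honest, ledger),
            "equivocated": client_lookup("bob.example", equivocated, ledger),
            "forged": client_lookup("bob.example", forged, ledger)}
```

The three cases in `demo()` separate the two trust roles the abstract describes: the inclusion proof binds a key to a root (the transparency-log part), and the ledger check binds that root to a single published history (the blockchain-rooted part). Without the second check, an operator could serve each client a different, internally consistent tree; without the first, the ledger would commit to nothing a client can verify.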
DOI: 10.1109/Cybermatics_2018.2018.00200
Citation Key: dong_conifer:_2018