Boosting Or Even Replacing PKI
We encounter encryption in numerous guises when we go online, most commonly in messaging apps and whilst using online banking. But these are just two examples of data exchanges that are encrypted. And yet both use encryption in different ways. On the one hand, messaging apps encrypt content (using symmetric cryptography), effectively hiding it from third-parties, whereas online banking uses encryption for user authentication (asymmetric cryptography).
This is where PKI (Public Key Infrastructure) comes in.
What is PKI?
‘PKI supports the distribution and identification of public encryption keys, enabling users and computers to both securely exchange data over networks such as the Internet and verify the identity of the other party.’ TechTarget
Via Public Key Infrastructure, ‘data is encrypted using a single key that is negotiated by the two communicating entities, after a pair of keys is used to establish a secure channel of communication.’
‘In any properly designed and implemented PKI system, identity key pairs are generated on the user’s device, that is, the phone, smart card, computer, tablet, etc. The certification authority NEVER has access to the private key. It’s impossible for the certification authority to intrude on the asymmetric process; it does not have the means to do so. The certification authority merely signs the certificate, that is, the public key.’ Steph Authenticity
Where Are the Flaws in the PKI System?
The major flaws are that it’s relatively easy for criminals to access these systems and spoof digital certificates, supposedly the markers that a person and transaction are legitimate.
PKI creates what’s known as a chain of trust, or trust infrastructure. This is the system that allows secure communication and exchange of data over an otherwise insecure public network. Users trust that the encryption will hold and protect their information, whenever it is moved back or forth. The predominant way of doing this is through digital certificates signed with public encryption keys. However, like any chain, PKI is only as strong as its weakest link.
Encrypting and decrypting our data is reliant on a Certificate Authority (CA), where the information is all stored centrally. Similar to how we hand over personal data to Facebook or Google, it means relinquishing control and ownership of that data to an external company.
‘Although a CA is often referred to as a “trusted third party,” shortcomings in the security procedures of various CAs in recent years has jeopardized trust in the entire PKI on which the Internet depends. If one CA is compromised, the security of the entire PKI is at risk. For example, in 2011, Web browser vendors were forced to blacklist all certificates issued by the Dutch CA DigiNotar after more than 500 fake certificates were discovered.’ TechTarget
We’ve previously explored the weaknesses in the current centralised systems, such as CAs. In essence, this makes them a target for hacks, leaving the data being exchanged exposed and vulnerable.
How Does Blockchain Boost PKI?
Firstly, it’s all about that distributed ledger technology again. This basis of the blockchain creates an environment of transparency.
The data used to issue public keys is spread over a decentralised ledger housed across a number of nodes, rather than in one centralised location. This removes the easy target for hackers. It also makes it much harder to spoof digital certificates — control over the issuing of these certificates can’t be gained from one data location. This means no one can impersonate the owner of a particular identity.
Overall, the blockchain also improves the integrity of data and guarantees confidentiality in ways that PKI alone no longer can. It allows the user to access every transaction in the data’s history, and be sure of who made those transactions without spoofs or hacks.
Democracy Of Blockchain
It follows then, that with no one third-party issuing the certificates, users regain control of their own data and decide how and when it is used. Every transaction is recorded on the blockchain, giving complete transparency.
It’s not just theory either, CertCoin is already using blockchain technology to store and distribute public keys. There’s no authority issuing certificates, and customers control their own certificates and identities.
Or, working closer to the existing PKI system, REMME uses dApps to secure digital identities. Pomcor uses blockchain to issue certificates and store hashes, but still have a third-party certificate authority to issue certificates. That third-party is less likely to be targeted for hacks, when the data they’re using is still distributed across the ledger.
Can Blockchain Replace PKI?
It’s certainly being attempted. Take Estonia for instance, where much of their trust infrastructure, from voting to banking, is backed by blockchain. Then there’s data security company Guardtime, currently the world’s biggest blockchain company, based on revenue.
This, however, is based on KSI rather than PKI — Keyless Signature Infrastructure.
That doesn’t mean there are no keys involved — they are still used to verify identity and secure transactions with encryption. This allows for every party to a transaction to execute their own part of the data exchange independently. Everyone can then also verify the process has been executed correctly, without needing to have the data itself sent to them. It’s far more secure and confidential than existing models. Mostly because those digital signatures are not vulnerable to the keys being compromised or stolen.
Each party keeps hold of their own keys and uses them independently when called to interact with the smart contract. This means that digital signatures and certificates can now have a long-term shelf life, instead of continually having to be generated and regenerated. Your private key should always be secure within your wallet, with no other party ever having possession of it. We can reliably assume then that the keys aren’t corrupted and that the identity they verify is legitimate.
In Estonia, Guardtime are now responsible for blockchain encryption and storage of over 1 million health records using this KSI technology. Verizon and other companies are now adopting it.
Strong Options With Blockchain
Whether outright replacing with KSI, or boosting the existing methods of PKI to make them more secure and transparent, blockchain underpins a better and more reliable method of digital identity and encryption.
Expect more companies to adopt this method, and soon.
Addendum — 06 August 2018
The article above has been edited and updated in response to feedback received from a community member. We have taken the information shared on board and revised this article so that it is more reflective of the nature and workings of PKI technology. We thank Steph Authenticity for their contribution to this piece.
For more information regarding MEDIA Protocol find us on our social channels below:
Website: www.mediaprotocol.org
Facebook: https://www.facebook.com/MEDIAProtocol
Twitter: https://twitter.com/MEDIA_Protocol
LinkedIn: https://www.linkedin.com/company/media-protocol/
Telegram: https://t.me/Media_Protocol_Community and https://t.me/MP_Announcements
Medium: https://medium.com/@mediaprotocolsm
YouTube: https://www.youtube.com/c/MEDIAProtocol
