Decentralized Public Key Infrastructure

How do I know that I’m writing this article on actual Medium.com?

Because I can see the green-colored padlock next to the URL on my browser. The browser only shows the green padlock if the URL has a valid certificate. A digital certificate is a digital document issued by a trusted party to certify the identity of someone or something.

OK. Then the real question,

How does my browser know that the certificate is valid?

Because the certificate is issued by someone who can be trusted.

Let’s go to the story.

Medium.com needs a secure way to communicate with its users. Therefore, they generate an encryption key (public key) and a decryption key (private key). They keep the decryption key securely and publish the encryption key for the users. The strategy behind the encryption key and the decryption key is that the users can encrypt the communication with Medium.com using the encryption key. But only Medium.com can decrypt the communication since only they own the decryption key. But now we have a big problem.

How do we know the published public key can be trusted?

That’s where Central Authorities (CA) and Registration Authority (RA) come. First, Medium.com requests RA to issue a certificate that shows proof of the ownership of the public key. Then RA verifies the identity of Medium.com (This can be an automated or human verification). Then the request is sent to a CA. Once the certificate is issued with the public key, the users can verify the ownership of the public key with the CA or a third party called validation authority (VA) that subordinated with the CA. When you open Medium.com on your browser, the browser does the verification of the certification on behalf of you through the CA or VA.

Here CA, RA and VA are trusted third parties.

This is called Public Key Infrastructure or PKI.

Public Key Infrastructure

What if CA is not actually trustworthy?

If someone can forge a certificate for trusted applications like PayPal, whole communication is visible to that person, including passwords, bank accounts, and credit/debit card numbers.

Do you know that in 2011, a 21-year-old student hacked into 4 CAs and forged certificates? That incident was called Comodo attack because Comodo was one of the vulnerable CA which had 40% of market shares at that time.

Also, there are plausible incidents of government agencies forced CAs to forge certificates.

There can be two situations where CA is not secure,

1. CA is not trustworthy
2. Someone has unauthorized access to CA

Either way, we had to blindly trust the CAs.

However, the story has changed with the advent of the Blockchain technology.

Decentralized Public key infrastructure

The blockchain is a distributed decentralized data store. The followings are the properties of blockchain that are useful for Decentralized Public Key Infrastructure (DPKI),

1. Data written into the blockchain cannot be deleted, modified. Also, the order of data written into the blockchain cannot be changed. The updates to the existing data are included as new data.
2. Anyone can keep a copy of blockchain whether the keeper is honest or malicious. Unless more than 50% of the keepers are honest, the actual blockchain exits.
3. Anyone can write to the blockchain. (This may cost money)
4. The identifiers of the writers in the blockchain are public key/verification key of digital signatures. A digital signature has 2 key called signing key (private key) and verification key (public key). The owner of the digital signature keeps the signing key to himself and publishes the public key to the world. the writer includes a signature created by signing data using the signing key. Then others can verify data using the verification key. Read more.

Source: Link

In DPKI, there are CAs and RAs. But they are not black-boxes anymore.

When Medium.com asked for the certificate, the CA insert the certificate into the Blockchain. The users or VAs read certificates from the Blockchain.

Decentralized Public Key Infrastructure

What are the advantages of DPKI?

1. The certificate cannot be deleted or modified by anyone once its is written into the Blockchain.
2. The users or VA can validate the certificate because it is signed by the CA’s signing key.
3. The certificate can be found from any copy of the Blockchain.
4. The CA does not control the storage of your certificate. The Blockchain does. Therefore no single point of failure.
5. The CA can not forge the certificate and pretend to be Medium.com because Medium.com is watching.
6. Users can see the updates immediately when the certificate is revoked or expired.
7. Blockchain holds the history of CAs. The history shows the reputation of a CA.

What are the disadvantages of DPKI?

1. Still, external forces are cable of forcing CAs to forge certificates. However, if the actual party is watching, they can warn the users. Also, this may affect the reputation of the CA.
2. Current Blockchain implementations are slow and still at the research stage.

The public key infrastructure depends on the trust of third parties. The decentralized public key infrastructure reduces the dependence on the third parties by decentralizing the storage of digital certificates. This new era will create a trustworthy environment on the Internet where we don’t have to trust PKI blindly.

References

[1] https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust/blob/master/final-documents/dpki.pdf