Research On Digital Certificate Auditing Technology Based On Blockchain

With the popularity of the Internet,Secure Sockets Layer(SSL)and Transport Layer Security(TLS)are increasingly used in various Internet security scenarios.A major security risk for SSL/TLS services is that the Certificate Authority(CA)may be attacked or malicious.If a CA is trusted by the client that relies on the certificate issues a digital certificate with false information which can be successfully verified,the attacker can easily conduct a man_in-the-middle attack.Currently,some security incidents is caused by the attack of the CAs,so it is necessary to audit the CA's actions of operating digital certificates.In order to solve this problem,researchers proposed a certificate transparency(CT)-based digital certificate solution,but there is still a risk that a single point server will be attacked or do evil.Some decentralized solutions still fail to solve the Byzantine error caused by malicious nodes,which leads to the attack of audit process.Blockchain is a distributed database that can build an ever-increasing record in a decentralized network environment.It is characterized by decentralization,trans-parency,and tampering.Based on blockchain technology,this dissertation constructs a solution of decentralized security authentication,which solves the security hidden dan-ger of digital certificate distribution scheme for centralized services.The main work carried out is as follows:1.In order to solve the security risk caused by over-reliance on centralized server in the process of digital certificate distribution,this dissertation designs a blockchain-based digital certificate auditing system architecture.The blockchain in the ar-chitecture is used to store the record of the CA operation digital certificate,and is maintained by the CA through the consensus mechanism.Each node in the PKI system can perform security audit on the record,which can better solve the decentralization problem and effectively protect against malicious attacks.2.In order to ensure the untouchable modification,traceability and query efficiency of the digital certificate audit data,a double-chain storage structure based on Merkel tree is proposed in this dissertation.The record of the CA operation digital certificate is verified by the Merkel tree.The record of the CA operation digital certificate is verified by the Merkel tree,and the traceability is ensured by the chain structure of the blockchain;The structure of separating certificate distribu-tion chain and certificate revocation chain is designed,and Merkel tree structure is optimized based on compressed prefix tree,which improves the query efficiency of the digital certificate audit data.3.In order to ensure the security of digital certificate auditing in CA network with malicious nodes,a Byzantine fault tolerant consensus mechanism based on node contribution is proposed.In order to solve the problem that the consensus mech-anism adopted by digital currencies such as Bitcoin consumes energy and its low time efficiency which is not suitable for digital certificate auditing scenar-ios,this dissertation adopts a consensus mechanism based on practical Byzan-tine fault-tolerant algorithm(PBFT),and optimizes its consistency algorithm and view changing protocol,which reduces the communication time complexity.At the same time,the PBFT's master node election mechanism and message authen-tication mechanism optimization algorithm based on node contribution degree are proposed,which improves the security of the consensus mechanism.4.Based on the design scheme,a prototype system is implemented.The experi-mental results show that the system time consumption can reach the standards available in the real scene;The increase of storage space is acceptable,and com-pared with the existing schemes,the efficiency of query blockchain is improved;The PBFT algorithm can support Byzantine fault tolerance for more abnormal nodes and has higher system throughput with the same abnormal nodes.