Research On Digital Certificate Management And Cross-domain Authentication Based On Blockchain

Posted on: 2022-09-23
Degree: Master
Type: Thesis
Country: China
Candidate: P P Gu
Full Text: PDF
GTID: 2518306740494564
Subject: Cyberspace security

Abstract/Summary:
As the basic component of public key infrastructure (PKI), the digital certificate is the direct credential for secure communication between entities on the Internet. Its issuing, updating and revocation operations are directly managed by the certification authority (CA). However, a centralized CA with too much power is a single point of failure when attacked. There are also problems in certificate management: certificate transparency (CT) depends on a centralized log server, the certificate revocation list is large and has high delay, the online certificate status protocol (OCSP) cannot resist replay attacks, and so on. In addition, under the existing trust model, cross-domain authentication of digital certificates suffers from the difficulty of building a certificate chain and from low authentication efficiency caused by long certificate paths. Blockchain technology has the characteristics of decentralization, transparency and tamper resistance, which offers an important approach to solving the above problems, namely, realizing safe and efficient management and cross-domain authentication of digital certificates.

In order to meet the efficiency requirements of digital certificate management and cross-domain authentication in practical applications after the introduction of blockchain technology, the phase-voted practical Byzantine fault tolerance (PV-PBFT) algorithm is proposed by improving practical Byzantine fault tolerance (PBFT). In the PV-PBFT consistency protocol, a threshold signature is introduced, and the phase-voted mechanism replaces the broadcast communication between all replicas with communication between the replicas and the primary node, which reduces the communication complexity to (). In the PV-PBFT view replacement protocol, to avoid the security problem of every node taking a turn as the primary node, a node weight is defined to control the election of the primary node and improve the security of the primary node. The experimental results show that, under the same conditions, the throughput of the PV-PBFT algorithm is about doubled compared with the PBFT algorithm, and the consensus delay is reduced by two thirds.

Secondly, in order to solve the problems of the single point of failure in a centralized CA, the low efficiency of certificate status queries, and certificate audit relying on a log server, a blockchain-based certificate management scheme (BCMS) is proposed. The structure of the blockchain certificate is redesigned: fields such as the signature algorithm are deleted, and fields such as the certificate hash, block height and historical block height are added. In addition, the block structure is redefined: the certificate information is stored in the block body and the certificate revocation information is stored in the block header, to achieve efficient certificate storage and query and transparent certificate audit. The whole process of certificate issuing, verifying, updating, revoking and auditing is then given. Security analysis shows that BCMS can effectively resist forged-certificate, revoked-certificate and DDoS attacks. The experimental results show that BCMS can meet the efficiency requirements of actual usage scenarios.

Finally, in view of the low efficiency of cross-domain authentication in the traditional trust model and the incompatibility of some blockchain-based improvements with the PKI systems in their respective trust domains, we propose a blockchain-based certificate cross-domain authentication scheme (BCCAS). In BCCAS, the CAs at all levels in each trust domain are added to the blockchain network as nodes, which makes the scheme compatible with BCMS. Then, the specific processes of first and second cross-domain authentication and of fast revocation of cross-domain certificates are given. Security analysis shows that BCCAS can resist replay, forged-certificate and DDoS attacks. Compared with related schemes, BCCAS has the best theoretical performance.
Keywords/Search Tags: Blockchain, Digital Certificate, Public Key Infrastructure, Cross-domain Authentication, Consensus Mechanism