Distributed PKI isn’t a new idea. There are plenty of articles and attempts to put the concept into practice. PKI (d) starts from the premise that the way CAs issue and manage certificates has critical weaknesses, so certificate authority should be decentralized and the process made more transparent and harder to compromise.
The imperfections of centralized PKI rise to the surface once in a while, causing significant financial and reputational damage. One of the most recent examples, from mid-2018, involves researchers who found a new malware campaign that used digital certificates stolen from several Taiwanese tech companies, D-Link among them, to sign its malware so that it looked like legitimate software. What is baffling is that D-Link revoked the certificates only after the researchers notified them. This kind of malware is hard to detect because antivirus programs fail to check a certificate’s validity, so the signatures keep being trusted even after the company revokes the certificates behind them. Sadly, this is not an isolated case of attackers stealing valid certificates to sign their malware.
What is PKI?
PKI encrypts and decrypts exchanged data using pairs of public and private keys: long, randomly generated numbers that are mathematically related through the algorithm that generates each pair.
PKI is widely used now, making the matter of safeguarding private keys critically important. Just consider these use cases:
- Server Identification: Every time anyone opens an HTTPS-secured connection to a web server, they are relying on a PKI server identity certificate in the SSL handshake.
- Authentication and Authorization for Web Applications: This authentication is usually done with usernames and passwords, but PKI offers an attractive alternative. SSL can optionally require a client-side certificate before establishing an encrypted connection, so the web server accepts an HTTPS connection only from a client that presents a valid certificate. This option is rarely used, though, because the existing tooling is unsuitable and managing client certificates becomes a nightmare.
- Electronic Document and Form Signing: A PKI-backed signature is produced by computing a hash value of the document’s contents and attaching a signature computed over that hash value.
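Here is what that hash-then-sign step looks like in code. This is an added example written for this article, not code from REMME or the PKI (d) project; it uses Go's standard library ECDSA over a P-256 key, and the SignedDocument envelope and its field names are this example's own invention, not part of any standard format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// SignedDocument bundles a document with the detached signature over its hash.
// The field names are this example's own, not part of any standard envelope.
type SignedDocument struct {
	Content   []byte
	Digest    string // hex SHA-256 of Content, carried only for inspection
	Signature []byte // ASN.1-encoded ECDSA signature over the raw digest bytes
}

// NewSigningKey generates a P-256 key pair. In a real deployment the private
// key would live in a key store or on a hardware token, never in plain memory.
func NewSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign hashes the document and signs the digest with the signer's private key.
// Only the short digest is signed, never the whole document.
func Sign(key *ecdsa.PrivateKey, content []byte) (*SignedDocument, error) {
	digest := sha256.Sum256(content)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return nil, err
	}
	return &SignedDocument{
		Content:   content,
		Digest:    hex.EncodeToString(digest[:]),
		Signature: sig,
	}, nil
}

// Verify recomputes the hash from the received content (the carried Digest is
// not trusted) and checks the signature against the signer's public key. Any
// change to the content, or a signature from a different key, fails here.
func Verify(pub *ecdsa.PublicKey, sd *SignedDocument) error {
	digest := sha256.Sum256(sd.Content)
	if hex.EncodeToString(digest[:]) != sd.Digest {
		return errors.New("carried digest does not match content")
	}
	if !ecdsa.VerifyASN1(pub, digest[:], sd.Signature) {
		return errors.New("signature does not verify: content altered or wrong signer")
	}
	return nil
}
```

Verify deliberately recomputes the digest instead of trusting the one in the envelope; the carried Digest exists only so that a human can compare it against a published value. Note also that a valid signature only proves who signed and that nothing changed since; whether the signing key was still trusted at the time is a separate question that the certificate's validity and revocation status have to answer.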
Besides the above-mentioned use cases, PKI can be applied for authentication of VPNs, S/MIME Email Signing and Encryption, Email List Server, Wireless Network Security, and Secure Instant Messaging, not to mention many other applications.
In the traditional PKI model, the CA issues and signs all certificates and acts as the top-level trust agent in a third-party trust model. Users trust each other because the CA vouches for the authenticity and integrity of the information.
But as recent incidents highlight, CAs get compromised.
Cryptography, the black box we believe can help
When the REMME team came up with the open source PKI (d) protocol concept to secure communications, we were sure that the primary use case would be human authentication. A passwordless world was our siren song. Recently we’ve joined global alliances and communities committed to the same direction. Together with FIDO, W3C, and DIF, we are tracking new specs that describe passwordless principles and solutions.
However, after a year of R&D, we’ve understood that the primary challenge for us as a technological cybersecurity company will be secure communication with a broader impact. For now, the most popular data-protection technology is Public Key Infrastructure (PKI). It is based on issuing and managing X.509 client certificates, which are widely used in many scenarios to authenticate a counterparty. We investigated this and incorporated the same functionality into our ideas. After all, there’s no point in re-inventing the wheel.
For example, in the case of web resources, the server authenticates its client with the help of the certificate and the associated private key. This scenario is pretty typical in banking, in governments and so on. It’s a technique appropriate to any scenario which calls for a high degree of security, and in which passwords are an unacceptable way to authenticate users (because they can easily be stolen via social engineering, or with malware and so on).
These certificates are also widely used in machine-to-machine interactions. This is a very intuitive way to authenticate one machine to another. For example, sensors could be sending data to a remote server; to authenticate the sensor, the server would request a client certificate from the sensor.
Another use case is security tokens. This is pretty similar to the first point, except that private keys are stored on particular hardware.
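The client-certificate scenario from the web, banking and sensor examples above, as an added example that is not part of REMME's code or the PKI (d) project: a Go HTTPS server configured to require a certificate issued by its own CA, with one connection that presents such a certificate and one that does not. The CA, the server certificate and the "sensor-0042" client certificate are generated in memory with the standard library, so every name and serial number here is constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// newTemplate returns a minimal certificate template; names and serials are constructed.
func newTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
}

// issueCert generates a fresh P-256 key and has parent sign a certificate for
// tmpl; with parent == nil the certificate is self-signed (the CA itself).
func issueCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// DemoResult records what each of the two connection attempts produced.
type DemoResult struct {
	Greeting  string // server response when the client presents a valid certificate
	NoCertErr error  // error the client sees when it presents no certificate
}

// RunDemo stands up an HTTPS server that requires a client certificate signed
// by its CA, then connects once with such a certificate and once without.
func RunDemo() (*DemoResult, error) {
	caTmpl := newTemplate("Example Device CA", 1)
	caTmpl.IsCA, caTmpl.BasicConstraintsValid = true, true
	caTmpl.KeyUsage |= x509.KeyUsageCertSign
	ca, caKey, err := issueCert(caTmpl, nil, nil)
	if err != nil {
		return nil, err
	}
	srvTmpl := newTemplate("api.example.test", 2)
	srvTmpl.IPAddresses = []net.IP{net.IPv4(127, 0, 0, 1)} // httptest listens on loopback
	srvTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	srvCert, srvKey, err := issueCert(srvTmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	cliTmpl := newTemplate("sensor-0042", 3) // a sensor authenticating to its collector
	cliTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	cliCert, cliKey, err := issueCert(cliTmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)

	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// By the time the handler runs, the client certificate has already been verified.
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no valid client certificate, no connection
		ClientCAs:    pool,
	}
	srv.StartTLS()
	defer srv.Close()

	get := func(certs []tls.Certificate) (string, error) {
		client := &http.Client{Transport: &http.Transport{
			TLSClientConfig: &tls.Config{RootCAs: pool, Certificates: certs},
		}}
		resp, err := client.Get(srv.URL)
		if err != nil {
			return "", err
		}
		defer resp.Body.Close()
		body, err := io.ReadAll(resp.Body)
		return string(body), err
	}
	res := &DemoResult{}
	if res.Greeting, err = get([]tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}}); err != nil {
		return nil, err
	}
	_, res.NoCertErr = get(nil)
	return res, nil
}
```

The handler never sees a password: the identity it acts on comes from r.TLS.PeerCertificates, which the TLS layer has already checked against the CA pool. The same configuration serves the machine-to-machine case, where the sensor holds the client key; in the security-token variant that key would sit on hardware and only the signing operation would leave it.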
Inside look into distributed PKI protocol
The team has reconsidered the foundations of PKI by adding a blockchain component to eliminate the single point of failure and the need for organizations to trust a CA. The result is an open source solution built on a custom blockchain for PKI: the public keys of certificates are stored on the blockchain together with their validity periods and revocation statuses. Currently, we’re building the system for distributed verification of user data.
In this picture, we see a couple of nodes interconnected into a small network and some client applications. Here we can easily see why a decentralized system is preferable to a centralized one. If one node fails, we switch to another node, and that’s okay. Each node has the same data, the same logic, and the same API. These nodes also replicate all the data, all the transaction history, and all the certificates’ statuses. This redundancy makes our system very robust.
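To make the replication and failover idea concrete, here is a small in-memory model written for this article. It is not REMME's protocol or code and has no blockchain, consensus or signatures; it only models what each node stores (a certificate fingerprint, its validity window and its revocation status), that every live node holds the same data, and that a verifier can get an answer from whichever node is up. All type and method names are this example's own.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"time"
)

// CertStatus is what every node stores per certificate. Field names are constructed.
type CertStatus struct {
	Fingerprint string // hex SHA-256 of the certificate's DER encoding
	NotBefore   time.Time
	NotAfter    time.Time
	Revoked     bool
}

// Node is one replica. Down simulates a node that has failed or is unreachable.
type Node struct {
	Name    string
	Down    bool
	records map[string]CertStatus
}

// Cluster is the small network of nodes; every live node receives every write.
type Cluster struct{ Nodes []*Node }

// Fingerprint identifies a certificate by the hash of its DER bytes.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

func NewCluster(names ...string) *Cluster {
	c := &Cluster{}
	for _, n := range names {
		c.Nodes = append(c.Nodes, &Node{Name: n, records: map[string]CertStatus{}})
	}
	return c
}

func (c *Cluster) live() []*Node {
	var out []*Node
	for _, n := range c.Nodes {
		if !n.Down {
			out = append(out, n)
		}
	}
	return out
}

// Register replicates a new certificate record to every live node.
func (c *Cluster) Register(cs CertStatus) {
	for _, n := range c.live() {
		n.records[cs.Fingerprint] = cs
	}
}

// Revoke marks the certificate revoked on every live node.
func (c *Cluster) Revoke(fp string) error {
	found := false
	for _, n := range c.live() {
		if cs, ok := n.records[fp]; ok {
			cs.Revoked = true
			n.records[fp] = cs
			found = true
		}
	}
	if !found {
		return errors.New("unknown certificate")
	}
	return nil
}

// Lookup asks the first live node (all live replicas hold the same data), so a
// verifier never depends on one particular node. It reports which node answered.
func (c *Cluster) Lookup(fp string) (CertStatus, string, error) {
	for _, n := range c.live() {
		if cs, ok := n.records[fp]; ok {
			return cs, n.Name, nil
		}
		return CertStatus{}, n.Name, errors.New("unknown certificate")
	}
	return CertStatus{}, "", errors.New("no live node")
}

// Check is the verifier's question: is this certificate valid at time now?
// Unknown, not-yet-valid, expired and revoked certificates all fail closed.
func (c *Cluster) Check(fp string, now time.Time) error {
	cs, _, err := c.Lookup(fp)
	if err != nil {
		return err
	}
	switch {
	case now.Before(cs.NotBefore):
		return errors.New("certificate not yet valid")
	case now.After(cs.NotAfter):
		return errors.New("certificate expired")
	case cs.Revoked:
		return errors.New("certificate revoked")
	}
	return nil
}

// Resync copies the full record set from a live peer; a node that was down
// while writes happened catches up this way before it serves lookups again.
func (n *Node) Resync(peer *Node) {
	n.records = make(map[string]CertStatus, len(peer.records))
	for k, v := range peer.records {
		n.records[k] = v
	}
	n.Down = false
}
```

Two properties of this toy are the ones that matter for the argument above: a lookup keeps working when a node fails because every node is a full replica, and a node that missed writes must resync before it answers, otherwise it could report a revoked certificate as valid. Check fails closed on unknown fingerprints, which is exactly the check that was missing in the stolen-certificate story at the top of the post.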
This is how we are solving centralization challenges with our solution.
Contribute to PKI (d) development
The digital future is coming fast. That’s why we also need to develop a common approach which can give the industry the secure space it needs to grow and innovate.
Join our open source project on GitHub to protect the community.