BPKI: A secure and scalable blockchain-based public key infrastructure system for web services

Frequent attacks on the certificate authority (CA) have exposed the trust problem of the traditional public key infrastructure (PKI) for the web service. For example, malicious certificates issued by compromised CAs are used to impersonate the existing domain, and revoked certificate are still trusted by clients. Blockchain is considered as one of the most potential technologies to enable a more secure and trustworthy PKI. Although a lot of blockchain-based solutions have been proposed to improve or even replace the traditional PKI, there are still some critical issues unsolved. On the one hand, all of existing blockchain-based solutions are still vulnerable to the domain name preemption attack if a malicious or compromised CA registers a certificate for a domain before the rightful domain owner applies for a certificate for the domain. On the other hand, almost all blockchain-based solutions ignore the scalability problem and can hardly satisfy the current requirement (46 tX/s) of only certificate registrations for global web services. In this paper, we propose a secure and scalable blockchain-based PKI solution, which is called BPKI. In BPKI, we introduce new entities called auditors to supervise CA’s certificate registration operations to eliminate the domain name preemption attack. Furthermore, we design a new delegated PBFT (DPBFT) consensus using the verifiable pseudo-random functions (VRFs) and a double blockchain structure to solve the scalability problem. It is theoretically proved that BPKI is secure. The simulation and experiment demonstrate that BPKI is superior to the existing blockchain-based PKI solutions in scalability. •This is the first blockchain-based PKI solution that can resist the domain name preemption attack. New entities called auditors are introduced to disperse the right of a single CA.•To solve the scalability problem when introducing the blockchain to the PKI, we design a new delegated PBFT consensus protocol using the verifiable pseudo-random functions (VRFs) and a double blockchain structure in the extension layer.•BPKI is theoretically proved secure, and the simulation and experiment demonstrate that BPKI is superior to the existing blockchain-based PKI work in scalability.