Armored Core of PKI: Remove Signing Keys for CA via Efficient and Trusted Physical Certification
- URL: http://arxiv.org/abs/2404.15582v5
- Date: Sat, 26 Oct 2024 02:43:09 GMT
- Title: Armored Core of PKI: Remove Signing Keys for CA via Efficient and Trusted Physical Certification
- Authors: Xiaolin Zhang, Chenghao Chen, Kailun Qin, Yuxuan Wang, Shipei Qu, Tengfei Wang, Chi Zhang, Dawu Gu
- Abstract summary: We propose Armored Core, the first PKI security extension using the trusted binding of Physically Unclonable Function (PUF) for certificate operations.
It makes key exposure impossible by eliminating the digital signing keys in CA.
We integrate Armored Core into real-world PKI systems including Let's Encrypt Pebble and Certbot.
- Score: 15.929562674471821
- License: http://creativecommons.org/licenses/by-nc-sa/4.0/
- Abstract: The signing key exposure of Certificate Authorities (CAs) remains a critical concern in PKI. These keys can still be exposed by carefully designed attacks or by operational errors. Traditional protections fail to eliminate such risk, and one leaked key is enough to compromise the CA. This long-standing dilemma motivates us to consider removing CAs' signing keys altogether and to propose Armored Core, the first PKI security extension that uses the trusted binding of a Physically Unclonable Function (PUF) for certificate operations. It makes key exposure impossible by eliminating the digital signing keys in the CA. To achieve this, we design a set of PUF-based X.509v3 certificate functions that let CAs generate physically trusted "signatures" without using a digital key. Moreover, we introduce a novel PUF transparency mechanism to effectively monitor the PUF operations in CAs. We integrate Armored Core into real-world PKI systems including Let's Encrypt Pebble and Certbot, and we provide a PUF-embedded RISC-V CPU prototype. The evaluation results show that Armored Core offers stronger security guarantees through signing key removal without adding overhead; it improves overall performance by 11% on storage and by 4.9%-73.7% on computation.
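The abstract's PUF transparency mechanism is described only at a high level. The following is an added example, written for this page and not code from the paper or its prototype, showing the generic mechanism such monitoring rests on: an append-only Merkle log of per-issuance PUF operations, from which a monitor can check that an operation for a given certificate body was logged and detect any later alteration of a record. The record fields (serial, TBS hash, challenge, hash of the PUF response), the RFC 6962-style leaf/node hashing and all sample data are assumptions of this example, not the paper's formats.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Tuple


def sha256_bytes(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# RFC 6962-style domain separation so a leaf can never be confused with an inner node.
def leaf_hash(entry: bytes) -> bytes:
    return sha256_bytes(b"\x00" + entry)


def node_hash(left: bytes, right: bytes) -> bytes:
    return sha256_bytes(b"\x01" + left + right)


@dataclass(frozen=True)
class PufOperationRecord:
    """One CA-side PUF operation as a monitor would want to see it.
    The fields are an assumption for this example, not the paper's record format."""
    serial: int
    tbs_hash: bytes         # SHA-256 of the to-be-signed certificate body
    challenge: bytes        # challenge presented to the PUF for this issuance
    response_commit: bytes  # SHA-256 of the PUF response; the raw response stays on the CA

    def encode(self) -> bytes:
        return self.serial.to_bytes(8, "big") + self.tbs_hash + self.challenge + self.response_commit


class MerkleLog:
    """Append-only log: the root commits to every recorded PUF operation."""

    def __init__(self) -> None:
        self.leaves: List[bytes] = []

    def append(self, entry: bytes) -> int:
        self.leaves.append(leaf_hash(entry))
        return len(self.leaves) - 1

    @staticmethod
    def next_level(level: List[bytes]) -> List[bytes]:
        # Pair neighbours; an unpaired last node is promoted unchanged.
        return [node_hash(level[i], level[i + 1]) if i + 1 < len(level) else level[i]
                for i in range(0, len(level), 2)]

    def root(self) -> bytes:
        if not self.leaves:
            return sha256_bytes(b"")
        level = list(self.leaves)
        while len(level) > 1:
            level = self.next_level(level)
        return level[0]

    def inclusion_proof(self, index: int) -> List[Tuple[bytes, bool]]:
        """Sibling hashes from leaf to root; the flag says whether the sibling sits on the left."""
        proof: List[Tuple[bytes, bool]] = []
        level = list(self.leaves)
        idx = index
        while len(level) > 1:
            sibling = idx ^ 1
            if sibling < len(level):
                proof.append((level[sibling], sibling < idx))
            level = self.next_level(level)
            idx //= 2
        return proof


def verify_inclusion(entry: bytes, proof: List[Tuple[bytes, bool]], root: bytes) -> bool:
    """Recompute the path from the entry; any change to the entry or the log breaks it."""
    h = leaf_hash(entry)
    for sibling, sibling_is_left in proof:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return h == root


def build_log(records: List[PufOperationRecord]) -> Tuple[MerkleLog, bytes]:
    log = MerkleLog()
    for rec in records:
        log.append(rec.encode())
    return log, log.root()


def monitor_check(records: List[PufOperationRecord], log: MerkleLog, root: bytes,
                  observed_tbs_hash: bytes) -> bool:
    """A monitor's question: was a PUF operation for this certificate body logged under this root?"""
    for i, rec in enumerate(records):
        if rec.tbs_hash == observed_tbs_hash:
            return verify_inclusion(rec.encode(), log.inclusion_proof(i), root)
    return False


def constructed_records(n: int = 5) -> List[PufOperationRecord]:
    # Constructed sample data: nothing here comes from a real CA or a real PUF.
    return [PufOperationRecord(
        serial=i,
        tbs_hash=sha256_bytes(b"tbs-certificate-%d" % i),
        challenge=sha256_bytes(b"challenge-%d" % i),
        response_commit=sha256_bytes(b"puf-response-%d" % i),
    ) for i in range(n)]


if __name__ == "__main__":
    recs = constructed_records()
    log, root = build_log(recs)
    print("root:", root.hex())
    print("entry 1 included:", monitor_check(recs, log, root, recs[1].tbs_hash))
    print("unlogged body included:", monitor_check(recs, log, root, sha256_bytes(b"never-issued")))
```

The log stores only a hash of each PUF response, so publishing it to monitors does not leak the challenge-response pairs that make the device the CA's root of trust; what a monitor gains is the ability to spot a certificate body for which no PUF operation was ever logged, and to prove that a logged record was not rewritten afterwards.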
Related papers
- Secure authentication via Quantum Physical Unclonable Functions: a review [34.60544883743689]
Quantum Physical Unclonable Functions (QPUFs) offer a physically grounded approach to secure authentication.
This review covers their theoretical foundations and key implementation challenges.
arXiv Detail & Related papers (2025-08-12T19:16:40Z)
- Performance and Storage Analysis of CRYSTALS Kyber as a Post Quantum Replacement for RSA and ECC [49.1574468325115]
CRYSTALS-Kyber is a post-quantum cryptographic solution selected by NIST for standardization in 2022.
This study evaluates Kyber's practical viability through performance testing across various implementation schemes.
arXiv Detail & Related papers (2025-08-03T09:53:45Z)
- A Scalable Framework for Post-Quantum Authentication in Public Key Infrastructures [0.0]
This work explores the performance and scalability of a hierarchical certificate authority framework with automated certificate issuance.
The system is designed for compatibility with both classical and PQC algorithms, promoting crypto-agility while ensuring robust security against quantum-based threats.
arXiv Detail & Related papers (2025-04-16T13:18:11Z)
- Quantum digital signature based on single-qubit without a trusted third-party [45.41082277680607]
We propose a novel quantum digital signature protocol without a trusted third party.
We prove that the protocol has information-theoretic unforgeability.
arXiv Detail & Related papers (2024-10-17T09:49:29Z)
- A Simple Framework for Secure Key Leasing [10.04587045407742]
Key-revocable cryptography enables us to lease a cryptographic key as a quantum state in such a way that the key can later be revoked in a verifiable manner.
We propose a simple framework for constructing cryptographic primitives with secure key leasing via the certified deletion property of BB84 states.
arXiv Detail & Related papers (2024-10-04T13:24:03Z)
- Decentralized PKI Framework for Data Integrity in Spatial Crowdsourcing Drone Services [0.6284464997330884]
The paper presents D2XChain, a blockchain-based PKI framework designed for the Internet of Drone Things (IoDT).
By decentralizing the CA infrastructure, D2XChain eliminates the single point of failure that a centralized CA represents, thereby enhancing the security and reliability of drone communications.
This approach not only strengthens the defense of drone services against various security threats but also demonstrates its practical application through deployment on a private testbed.
arXiv Detail & Related papers (2024-07-01T00:55:07Z)
- Towards Credential-based Device Registration in DApps for DePINs with ZKPs [46.08150780379237]
We propose a credential-based device registration (CDR) mechanism that verifies device credentials on the blockchain.
We present a general system model and technically evaluate CDR using zkSNARKs with Groth16 and Marlin.
arXiv Detail & Related papers (2024-06-27T09:50:10Z)
- Tamper-Evident Pairing [55.2480439325792]
Tamper-Evident Pairing (TEP) is an improvement of the Push-Button Configuration (PBC) standard.
TEP relies on the Tamper-Evident Announcement (TEA), which guarantees that an adversary can neither tamper with a transmitted message without being detected, nor hide the fact that the message has been sent.
This paper provides a comprehensive overview of the TEP protocol, including all information needed to understand how it works.
arXiv Detail & Related papers (2023-11-24T18:54:00Z)
- Establishing Dynamic Secure Sessions for ECQV Implicit Certificates in Embedded Systems [0.0]
We present a design that utilizes the Station-to-Station (STS) protocol with implicit certificates.
We show that with a slight computational increase of 20% compared to a static ECDSA key derivation, we are able to mitigate many session-related security vulnerabilities.
arXiv Detail & Related papers (2023-11-19T22:40:21Z)
- Putting a Padlock on Lambda -- Integrating vTPMs into AWS Firecracker [49.1574468325115]
Software services place implicit trust in the cloud provider, without an explicit trust relationship.
There is currently no cloud provider that exposes Trusted Platform Module capabilities.
We improve trust by integrating a virtual TPM device into Firecracker, the microVM monitor originally developed by Amazon Web Services.
arXiv Detail & Related papers (2023-10-05T13:13:55Z)
- SyzTrust: State-aware Fuzzing on Trusted OS Designed for IoT Devices [67.65883495888258]
We present SyzTrust, the first state-aware fuzzing framework for vetting the security of resource-limited Trusted OSes.
SyzTrust adopts a hardware-assisted framework to enable fuzzing Trusted OSes directly on IoT devices.
We evaluate SyzTrust on Trusted OSes from three major vendors: Samsung, Tsinglink Cloud, and Ali Cloud.
arXiv Detail & Related papers (2023-09-26T08:11:38Z)
- FedSOV: Federated Model Secure Ownership Verification with Unforgeable Signature [60.99054146321459]
Federated learning allows multiple parties to collaborate in learning a global model without revealing private data.
We propose a cryptographic signature-based federated learning model ownership verification scheme named FedSOV.
arXiv Detail & Related papers (2023-05-10T12:10:02Z)
- PointCert: Point Cloud Classification with Deterministic Certified Robustness Guarantees [63.85677512968049]
Point cloud classification is an essential component in many security-critical applications such as autonomous driving and augmented reality.
Existing certified defenses against adversarial point clouds suffer from a key limitation: their certified robustness guarantees are probabilistic.
We propose a general framework, namely PointCert, that can transform an arbitrary point cloud classifier to be certifiably robust against adversarial point clouds.
arXiv Detail & Related papers (2023-03-03T14:32:48Z)
- Certified Everlasting Functional Encryption [10.973034520723957]
Computational security in cryptography carries the risk that the computational assumptions underlying the security are broken in the future.
A nice compromise, intrinsic to the quantum setting, is certified everlasting security.
Although several cryptographic primitives, such as commitments and zero-knowledge, have been made certified everlasting secure, there are many other important primitives that are not known to be certified everlasting secure.
arXiv Detail & Related papers (2022-07-28T04:15:26Z)
- Quantum Lock: A Provable Quantum Communication Advantage [2.9562795446317964]
This paper proposes a generic design of provably secure PUFs, called hybrid locked PUFs (HLPUFs).
An HLPUF uses a classical PUF and encodes the output into non-orthogonal quantum states to hide the outcomes of the underlying CPUF from any adversary.
We show that by exploiting non-classical properties of quantum states, the HLPUF allows the server to reuse the challenge-response pairs for further client authentication.
arXiv Detail & Related papers (2021-10-18T17:01:46Z)
- Experimental Authentication of Quantum Key Distribution with Post-quantum Cryptography [3.627592297350721]
We experimentally verified the feasibility, efficiency and stability of the PQC algorithm in QKD authentication.
Using PQC authentication we only need to trust that the CA is secure, rather than all trusted relays.
arXiv Detail & Related papers (2020-09-10T04:12:07Z)
- Backflash Light as a Security Vulnerability in Quantum Key Distribution Systems [77.34726150561087]
We review the security vulnerabilities of quantum key distribution (QKD) systems.
We mainly focus on a particular effect known as backflash light, which can be a source of eavesdropping attacks.
arXiv Detail & Related papers (2020-03-23T18:23:12Z)
- (De)Randomized Smoothing for Certifiable Defense against Patch Attacks [136.79415677706612]
We introduce a certifiable defense against patch attacks that provides guarantees for a given image and patch attack size.
Our method is related to the broad class of randomized smoothing robustness schemes.
Our results effectively establish a new state of the art in certifiable defense against patch attacks on CIFAR-10 and ImageNet.
arXiv Detail & Related papers (2020-02-25T08:39:46Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of its content (including all information) and is not responsible for any consequences.