Next Article in Journal
Know Your Customer (KYC) Implementation with Smart Contracts on a Privacy-Oriented Decentralized Architecture
Next Article in Special Issue
Consensus Crash Testing: Exploring Ripple’s Decentralization Degree in Adversarial Environments
Previous Article in Journal
Hierarchical Gated Recurrent Unit with Semantic Attention for Event Prediction
Previous Article in Special Issue
Blockchain: Current Challenges and Future Prospects/Applications
 
 
Search for Articles:
Title / Keyword
Author / Affiliation / Email
Journal
Article Type
 
 
Advanced Search
 
Section
Special Issue
Volume
Issue
Number
Page
 
Journals
Future Internet
Volume 12
Issue 2
10.3390/fi12020040
Review Report
futureinternet-logo
Submit to this Journal Review for this Journal Propose a Special Issue
Article Menu

Article Menu

share Share announcement Help format_quote Cite question_answer Discuss in SciProfiles
Article
Peer-Review Record

A Blockchain based PKI Validation System based on Rare Events Management

Future Internet 2020, 12(2), 40; https://doi.org/10.3390/fi12020040
by Maurizio Talamo 1, Franco Arcieri 1, Andrea Dimitri 1,* and Christian H. Schunck 1,2
Reviewer 1: Anonymous
Reviewer 2: Anonymous
Future Internet 2020, 12(2), 40; https://doi.org/10.3390/fi12020040
Submission received: 19 December 2019 / Revised: 4 February 2020 / Accepted: 11 February 2020 / Published: 14 February 2020
(This article belongs to the Special Issue Blockchain: Current Challenges and Future Prospects/Applications)

Round 1

Reviewer 1 Report

The paper A blockchain based PKI validation system based on rare events management  deals with detection of PKI attacks using a blockchain system based on rare events.

The topic is very hot and the approach is interesting; from my point of view, maybe it will be useful if a statistical approach will be used in modelling the distribution of past attacks, in order to derive some patterns.

Author Response

We thank the reviewer for the positive review and the interesting suggestion. However, while we discuss past attacks in some detail we feel that the paper should mainly focus on the opportunities and challenges of blockchain supported PKI systems. We now explain more clearly how our solution addresses the identified weaknesses of standard solutions.

 

 

Reviewer 2 Report

Summary:

The authors presented a blockchain-based PKI validation mechanism that claimed to be the bottleneck of a pki-based certificates. They designed a blockchain-based validation algorithm and implemented it in a simulated and controlled environment.

 

Pros:

The validation of X509 certificates is a major bottleneck in TLS communication channels; thus, the authors recognized a problem correctly and presented solutions for it to prevent potential man in the middle attacks that could happen.

 

Cons:

Although I like the tackled problem, I am not impressed by the solution and its implementation. I have two suggestions for improvement:

1) I believe this solution is not the first in the literature (as mentioned incompletely by the authors) and there are many other papers that have not been cited here. I would like to know why these solutions does not work good enough from the authors point of view as a separate section on discussion and comparison. I know they have mentioned it briefly but I am still not sure why these are not enough for the detection of a malicious validation ecosystem. A simple search reveals a few good proposals in top conferences such as: 

- (This one is cited but has not been discussed in spite of its importance) Matsumoto, S. and Reischuk, R.M., 2017, May. IKP: Turning a PKI around with decentralized automated incentives. In 2017 IEEE Symposium on Security and Privacy (SP) (pp. 410-426). IEEE.

- Al-Bassam, Mustafa. "SCPKI: a smart contract-based PKI and identity system." In Proceedings of the ACM Workshop on Blockchain, Cryptocurrencies and Contracts, pp. 35-40. ACM, 2017.

- Garay, J.A., Kiayias, A., Leonardos, N. and Panagiotakos, G., 2018, March. Bootstrapping the blockchain, with applications to consensus and fast PKI setup. In IACR International Workshop on Public Key Cryptography (pp. 465-495). Springer, Cham.

2) My major problem is with the experiment section. The authors correctly pointed out the time delay that may be caused by such validation (6 seconds on average) which is a lot comparing to the regular validation of x509 (a few milli seconds). This delay is still in a simulated situation where a lot of unpredicted scenarios in a TLS handshake communication are neglected. In short, I would like to see a comparison between the current platform of X509 validation (i.e. regular TLS handshake preferably with the latest TLS version) and the authors proposal.

Then, I would like to see a comparison between other blockchain-based PKI platforms and the authors' one.

 

Thanks

Author Response

We thank the reviewer for the review and the helpful suggestions.

We now discuss all three suggested references in our work.

Here we add a few comments.

 

 

1) I believe this solution is not the first in the literature (as mentioned incompletely by the authors) and there are many other papers that have not been cited here. I would like to know why these solutions does not work good enough from the authors point of view as a separate section on discussion and comparison. I know they have mentioned it briefly but I am still not sure why these are not enough for the detection of a malicious validation ecosystem. A simple search reveals a few good proposals in top conferences such as: 

1.(This one is cited but has not been discussed in spite of its importance) Matsumoto, S. and Reischuk, R.M., 2017, May. IKP: Turning a PKI around with decentralized automated incentives. In 2017 IEEE Symposium on Security and Privacy (SP) (pp. 410-426). IEEE.

This paper essentially proposes a socio-economic model based on smart contracts for incentivizing and automating the reporting of unauthorized certificates. A prototype solution has been implemented on Ethereum. However, it does not deal with full X,509 certificate parsing because this is prohibitively expensive. The paper does not address or measure processing speeds.

 

2. Al-Bassam, Mustafa. "SCPKI: a smart contract-based PKI and identity system." In Proceedings of the ACM Workshop on Blockchain, Cryptocurrencies and Contracts, pp. 35-40. ACM, 2017.

This paper uses a web-of-trust based PKI Model. This is interesting but in many ways already outdone by the developments around distributed and self-sovereign identity management solutions, which do not have the privacy limitations of this approach. This paper does not address X.509 certificates as well as processing times.

3. Garay, J.A., Kiayias, A., Leonardos, N. and Panagiotakos, G., 2018, March. Bootstrapping the blockchain, with applications to consensus and fast PKI setup. In IACR International Workshop on Public Key Cryptography (pp. 465-495). Springer, Cham.

This paper presents a mainly theoretical exercise demonstrating a bootstrapped Bitcoin-like blockchain protocol relying on proofs of work. Authors show theoretically how this could be used to bind public keys to identities “while guaranteeing that the majority of them is assigned to honest parties” (fast PKI setup). Overall, this paper is theoretically considering a bare-bone PKI that does not provide most features of X.509 based PKIs. No practical implementation was realized or estimates of processing speeds were provided.

We note that our paper is the only one proposing and implementing a system that can handle X.509 certificates as they are currently issued and used.

 

2) My major problem is with the experiment section. The authors correctly pointed out the time delay that may be caused by such validation (6 seconds on average) which is a lot comparing to the regular validation of x509 (a few milliseconds). This delay is still in a simulated situation where a lot of unpredicted scenarios in a TLS handshake communication are neglected. In short, I would like to see a comparison between the current platform of X509 validation (i.e. regular TLS handshake preferably with the latest TLS version) and the authors proposal.

Then, I would like to see a comparison between other blockchain-based PKI platforms and the authors' one.

The reviewer’s suggestion is very interesting, but unfortunately cannot be realized at this point:

1) The prototype presented in paper 1) cannot handle full X.509 certificates

2) The prototype presented in paper 2) is not designed for handling X.509 certificates.

3) The solution discussed in paper 3) has not been implemented and does not appear to be compatible with X.509 .

In fact our paper is the first one where the handling of actual actual X,509 certificates in a Blockchain based PKI validation system is demonstrated.

 

 

Round 2

Reviewer 2 Report

Thanks for your response. However, I do not believe my concerns have been addressed in the revised version. My decision is still unchanged.

 

Back to TopTop