Pistis: Issuing Trusted and Authorized Certificates with Distributed Ledger and TEE

Zecheng Li, Haotian Wu, Lap Hou Lao, Songtao Guo, Yuanyuan Yang, Bin Xiao

Research output: Journal article publicationJournal articleAcademic researchpeer-review

1 Citation (Scopus)

Abstract

The security of HTTPS fundamentally relies on SSL/TLS certificates issued by Certificate Authorities (CAs), which, however, are vulnerable to be compromised to issue unauthorized certificates (i.e., certificates issued without domains' permission). Current countermeasures such as Certificate Transparency (CT) can only detect unauthorized certificates rather than preventing them. In this article, we present Pistis, a framework for issuing authorized and trusted certificates with the distributed ledger and Trusted Execution Environment (TEE) technology. In Pistis, TEE nodes validate whether the domain in a requested certificate passes the domain ownership validation (i.e., under corresponding applicants' control) and submit attested results to a smart contract in the distributed ledger. The smart contract issues a certificate to the applicant when an attested result shows a pass. Therefore, Pistis can ensure its issued certificates are authorized due to the domain ownership validation mechanism in the TEE. Furthermore, as the issued certificates are stored in a Merkle Patricia Tree (MPT) in Pistis, they are trusted and can be verified by a normal user easily. The security of Pistis is formally proved in the Universally Composable (UC) framework. Compared with state-of-the-art, Pistis avoids potential damages by preventing unauthorized certificates from issuing.

Original languageEnglish
Pages (from-to)1636-1649
Number of pages14
JournalIEEE Transactions on Parallel and Distributed Systems
Volume33
Issue number7
DOIs
Publication statusPublished - 1 Jul 2022

Keywords

  • blockchain
  • certificate issuance
  • Distributed ledger
  • smart contract
  • trusted execution environment (TEE)

ASJC Scopus subject areas

  • Signal Processing
  • Hardware and Architecture
  • Computational Theory and Mathematics

Cite this