Public Key Infrastructure (PKI) can be traced back to the 1970s, when major encryption breakthroughs from a pair of British intelligence agency developers shaped the future of key distribution. The tech world has changed immensely since the 1970s, and yet PKI has scarcely evolved. While the underlying algorithms pioneered by James Ellis and Clifford Cocks of the UK Government Communications Headquarters remain as precious as ever, the way in which public keys are stored and accessed is no longer fit for purpose. In today’s hyper-connected, hyper-adversarial environment, enterprises face a barrage of web-borne threats from attackers intent on penetrating their systems and exfiltrating their data. Your Public Key Infrastructure holds the keys to your entire digital kingdom and as such must be protected at all costs. The exponential increases in computing power over the last 30 years have mandated a transition to more secure algorithms, such as the move from 160 to 512 bits, but they have not succeeded in invalidating encryption itself. Cryptography today is as robust as ever, and yet that hasn’t prevented PKI from being fundamentally undermined.
The greatest threat that PKI solutions face stems from an inherent flaw in the ecosystem that houses them. Certificate authorities (CAs) are responsible for digitally signing and publishing public keys, and the signing is generally performed using the CA’s own key. This presents a single, centralized point of attack. The security problems associated with CAs don’t end there. Other issues include:
- The need to trust multiple certification centers
- Certificate revocation is cumbersome and not instant
- Revocation lists are not immutable and can be recreated with different content
- Any CA may issue a certificate for a domain against the will of the owner
- Once a CA is compromised and its keys misused, there is a very limited scope of preventive actions that end users can perform to mitigate the consequences
PKI is in desperate need of an overhaul to eliminate the security holes that threaten an otherwise sound means of securing enterprise systems. Our proposal for achieving this is a dPKI solution, that is, a decentralized Public Key Infrastructure. Remme Protocol is a distributed and decentralized solution in which public keys are stored on a blockchain, eliminating the centralization problem that is inherent to certificate authorities. Blockchain refers to the distribution of data held and updated individually by each participating system or node in a network. The data is replicated, shared, and synchronized across these systems. Blockchain differs from a usual client-server system in that there is no centralized server or system to process and store the data.