The signing key protection of Certificate Authorities (CAs) had been a critical challenge in PKI. Traditional protections struggle to eliminate the risk of key exposure due to various unexpected human errors. This long-standing dilemma motivates us to propose Armored Core, a novel PKI security extension using the trusted binding of Physically Unclonable Function (PUF) for CAs. PUFs leverage manufacturing variations to generate unique and random responses. They physically bind CAs and thus can avoid using a digital private key. In Armored Core, we design a set of PUF-based X.509v3 certificate functions for CAs to generate physically trusted “signatures” without using a digital key. Moreover, we introduce a novel PUF transparency mechanism to effectively monitor the PUF operations in CAs. We integrate Armored Core into real PKI systems including Let’s Encrypt and Certbot. The evaluation results show that it achieves trusted certificate issuance while improving the computation performance by 4.9% \(\sim \) 73.7%. It only incurs small communication and storage overhead ( \(<4\) %).

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Now Let’s Make It Physical! Enabling Trusted Certificate Issuance in PKI via Physical Bindings

  • Xiaolin Zhang,
  • Chenghao Chen,
  • Kailun Qin,
  • Yuxuan Wang,
  • Shipei Qu,
  • Tengfei Wang,
  • Chi Zhang,
  • Dawu Gu

摘要

The signing key protection of Certificate Authorities (CAs) had been a critical challenge in PKI. Traditional protections struggle to eliminate the risk of key exposure due to various unexpected human errors. This long-standing dilemma motivates us to propose Armored Core, a novel PKI security extension using the trusted binding of Physically Unclonable Function (PUF) for CAs. PUFs leverage manufacturing variations to generate unique and random responses. They physically bind CAs and thus can avoid using a digital private key. In Armored Core, we design a set of PUF-based X.509v3 certificate functions for CAs to generate physically trusted “signatures” without using a digital key. Moreover, we introduce a novel PUF transparency mechanism to effectively monitor the PUF operations in CAs. We integrate Armored Core into real PKI systems including Let’s Encrypt and Certbot. The evaluation results show that it achieves trusted certificate issuance while improving the computation performance by 4.9% \(\sim \) 73.7%. It only incurs small communication and storage overhead ( \(<4\) %).