Armored Core of PKI: Remove Signing Keys for CA via Physically Unclonable Function
arXiv (2024)
Abstract
The protection of CA's signing keys is one of the most crucial security
concerns in PKI. However, these keys can still be exposed today by human errors
or various carefully designed attacks. Traditional protections like TEE and HSM
fail to eliminate this risk since they can be bypassed by skilled attackers.
This dilemma motivates us to consider removing CA's signing keys and propose
Armored Core, a PKI security extension applying the physically trusted binding
provided by Physically Unclonable Function (PUF) for CA.
CAs in Armored Core issue PUF-based X509v3 TLS certificates, where they use
PUF instead of signing algorithms to generate endorsements for domain public
keys. The new transparency logging mechanism, built upon CT, will record the
PUF calling behaviors of CA, ensuring the monitoring of PUF usage. We provide a
formal cryptographic proof of Armored Core's main functions. We also implement
it on the real-world PKI codebase. The results show that the incorporation of
Armored Core into original systems does not cause any extra overhead, but instead
improves computing efficiency by >4.9