BlockPGP: A Blockchain-based Framework for PGP Key Servers

Alexander Yakubov, Wazen Shbair, Nida Khan, Radu State, Christophe Medinger, Jean Hilger
2020 International Journal of Networking and Computing  
Pretty Good Privacy (PGP) is one of the most prominent cryptographic standards offering end-to-end encryption for email messages and other sensitive information exchange. PGP allows to verify the identity of the correspondent in information exchange as well as the information integrity. PGP implements asymmetric encryption with certificates shared through a network of PGP key servers. In this paper, we propose a new PGP management framework with the key servers infrastructure implemented using
more » ... lockchain technology. Our approach offers fast propagation of certificate revocation among PGP key servers and elimination of man-in-the-middle risks. It also grants users the required access control to update their own PGP certificates, which is not the case with the current PGP key servers. A prototype has been implemented using Ethereum blockchain and an open source key server, named Hockeypuck. Finally, we evaluated the prototype with extensive experiments. Our results show that our solution is practical and it could be integrated with the existing public PGP key servers infrastructure. BlockPGP: A Blockchain-based Framework for PGP Key Servers certificate identity confirmation known as "Web of Trust". In PGP there is no central authority which everybody trusts, but instead, participants sign each other's keys and progressively build a web of individual public keys interconnected by links formed by these signatures. Despite popularity of SSL/TLS certificates we believe PGP is likely to benefit from the growth of its market share in coming years due to extensive introduction of private blockchains. Indeed, presently user identification is often supported by SSL-based PKI solutions like certificate authority membership services 1 at HyperLedger Fabric due to simplicity of traditional PKI. However, SSL-based PKI with its centralized client-server architecture contradicts distributed concept of blockchain. With the launch of private blockchain applications, identification services shall be provided based on decentralized solutions, and we do not see an alternative here to Web of Trust framework implemented in PGP. Hence, in our view PGP key infrastructure is overlooked by research community which presently focuses on more popular SSL-based PKI. Although PGP benefits from the absence of centralized CAs being the points of failure in PKI due to PGP's distributed architecture, the validity assessment of certification paths can become expensive with the growth of participant amount (graph vertices) [9] . As one of solutions to handle this issue extensive key management infrastructure was built based on PGP key servers supported by the community. Until recently PGP key infrastructure boasted some advantages compared to PKI suffering from its centralization and inefficient revocations. However, following the implementation of PKI log-based infrastructure solutions like Google's Certificate Transparency, the security challenges of PGP key servers became apparent, including MITM risks and delays with certificate revocation. According to description of OpenPGP HTTP Keyserver Protocol (HKP) 2 , PGP key servers presently are not considered as a secure means of public key distribution. In this paper we will discuss how to solve security challenges of PGP key servers using blockchain technology. The contribution and novelty of this paper is threefold: 1. We designed a blockchain-based framework (BlockPGP) providing reliable management for PGP certificates and key server infrastructure. Based on implementation of this framework, PGP key server security challenges, including MITM risks and insufficient revocation efficiency, can be solved. 2. We proposed a technique of blockchain-related data incorporation into PGP certificate in line with the current OpenPGP standard. Integration of blockchain-related information into PGP certificate is crucial for arrangement of user access control in certificate management infrastructure. 3. We developed a prototype that demonstrates the practical applicability of the proposed approach. The prototype is available at https://github.com/alyakubov/blockpgp as an open source project. It includes a stand-alone Unix application, providing the access to blockchainbased key infrastructure, as well as traditional PGP key server, based on open source Hockeypuck software 3 for synchronization of blockchain key storage with existing PGP key management infrastructure.
doi:10.15803/ijnc.10.1_1 fatcat:mfk4zeb5wzcfjeptquxevzrvnu