A blockchain-based DNSSEC public key verification scheme

Chen Wen-Yu, Li Xiao-Dong, Yang Xue, Xu Yan-Zhi

Citation: Chen Wen-Yu, Li Xiao-Dong, Yang Xue, Xu Yan-Zhi. A blockchain-based DNSSEC public key verification scheme. Acta Automatica Sinica, 2021, x(x): 1−13. doi: 10.16383/j.aas.c201082

doi: 10.16383/j.aas.c201082
Funding: Supported by the National Key Research and Development Program of China (2019YFB1804500)
More information
    Author biographies:

    CHEN Wen-Yu: Ph.D. candidate at the Network Technology Research Center, Institute of Computing Technology, Chinese Academy of Sciences; Senior Engineer; CCF member (73109M). His research interests cover Internet fundamental resources, network security and blockchain technology. E-mail: chenwy2000@163.com

    LI Xiao-Dong (Xiaodong Lee): Founder and Director of the Fuxi Institution; Vice Chairman of the Internet Society of China; Professor and doctoral supervisor at the Institute of Computing Technology, Chinese Academy of Sciences; Director of the Center for Internet Governance and adjunct Professor of the School of Public Policy and Management, Tsinghua University. Recipient of the State Council special allowance and of the China Youth May Fourth Medal; member of the Global Future Council of the World Economic Forum and a WEF Young Global Leader; Commissioner of the Global Commission on the Stability of Cyberspace (GCSC) and of the Global Information Infrastructure Commission (GIIC); former Vice President of ICANN and former Director (CEO) of CNNIC. His research interests cover Internet fundamental resources, big data analysis, network security and Internet governance. E-mail: XL@ict.ac.cn

    YANG Xue: Senior Engineer at the China Internet Network Information Center (CNNIC). His research interests cover Internet fundamental resources, big data and blockchain technology. Corresponding author of this paper. E-mail: yangx@cnnic.cn

    XU Yan-Zhi: GBA Research Innovation Institute for Nanotechnology. Her research interests cover artificial intelligence, big data and blockchain technology. E-mail: xuyz@cannano.cn


Abstract: To address the trust-chain complexity and the unilateral-control model that follow from the centralized DNSSEC architecture, this paper proposes a decentralized DNSSEC public key verification mechanism. The mechanism combines a blockchain structure, a cryptographic accumulator and a consensus-algorithm design so that key binding, key rollover and key verification are carried out on the blockchain, and domain name records can be validated with a trusted public key without any centralized authority node. Analysis and experiments show that the mechanism improves the efficiency of key verification while preserving the security of key management.
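The three operations the abstract names, binding a zone's key, rolling it over and verifying it against a committed state, can be illustrated with a hash-based accumulator of the kind in [24]. The Python below is an added example written for this page and is not the authors' implementation: it models the on-chain state as a Merkle tree over (zone, key tag, DNSKEY) bindings whose root a block would commit to, produces a membership proof for one binding, and lets a verifier that holds only the root accept the genuine key, reject a substituted key, and reject a pre-rollover proof after the key has been rolled. The tree layout, the domain-separation bytes, the `rollover` semantics and all key tags and key bytes are constructed assumptions, not details taken from the paper.

```python
"""Added illustration: a Merkle-tree accumulator over DNSSEC key bindings.

Not the paper's implementation. Assumptions: the chain state is a set of
(zone, key_tag, dnskey_bytes) bindings; a block commits to the Merkle root of
that set; a verifier holding only the root checks a membership proof for a
zone's key before using it. Key tags and key bytes are constructed dummies.
"""
import hashlib
from typing import Dict, List, Tuple

Binding = Tuple[str, int]              # (zone, key_tag)
ProofPath = List[Tuple[bytes, bool]]   # (sibling_hash, sibling_is_left)


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(zone: str, key_tag: int, dnskey: bytes) -> bytes:
    # Domain-separated leaf: 0x00 || zone || key_tag (2 bytes) || DNSKEY RDATA
    return _h(b"\x00" + zone.lower().encode() + key_tag.to_bytes(2, "big") + dnskey)


def node_hash(left: bytes, right: bytes) -> bytes:
    # 0x01 prefix keeps inner nodes from colliding with leaves
    return _h(b"\x01" + left + right)


def _next_level(level: List[bytes]) -> List[bytes]:
    if len(level) % 2:
        level = level + [level[-1]]   # duplicate the last node on odd levels
    return [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]


class KeyBindingAccumulator:
    """Holds the current bindings; commit() yields the root a block would carry."""

    def __init__(self) -> None:
        self.bindings: Dict[Binding, bytes] = {}

    def bind(self, zone: str, key_tag: int, dnskey: bytes) -> None:
        self.bindings[(zone.lower(), key_tag)] = dnskey

    def rollover(self, zone: str, old_tag: int, new_tag: int, new_key: bytes) -> None:
        # KSK rollover as modelled here: retire the old binding, publish the new one
        del self.bindings[(zone.lower(), old_tag)]
        self.bind(zone, new_tag, new_key)

    def _leaves(self) -> List[Tuple[Binding, bytes]]:
        # Sorted so the root does not depend on insertion order
        return [(k, leaf_hash(k[0], k[1], v)) for k, v in sorted(self.bindings.items())]

    def commit(self) -> bytes:
        level = [h for _, h in self._leaves()]
        if not level:
            return _h(b"")
        while len(level) > 1:
            level = _next_level(level)
        return level[0]

    def prove(self, zone: str, key_tag: int) -> Tuple[bytes, ProofPath]:
        """Return the bound key and its Merkle path up to the current root."""
        leaves = self._leaves()
        idx = [k for k, _ in leaves].index((zone.lower(), key_tag))
        level = [h for _, h in leaves]
        path: ProofPath = []
        while len(level) > 1:
            if len(level) % 2:
                level = level + [level[-1]]
            path.append((level[idx ^ 1], idx % 2 == 1))
            level = _next_level(level)
            idx //= 2
        return self.bindings[(zone.lower(), key_tag)], path


def verify_binding(root: bytes, zone: str, key_tag: int, dnskey: bytes, path: ProofPath) -> bool:
    """Recompute the root from the leaf and the path; True iff it matches."""
    h = leaf_hash(zone, key_tag, dnskey)
    for sibling, sibling_is_left in path:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return h == root


def demo() -> Dict[str, bool]:
    """Bind, verify, reject a forged key, roll the key over, re-verify."""
    acc = KeyBindingAccumulator()
    ksk_v1 = b"\x01\x01\x03\x08" + b"\x11" * 32   # constructed dummy DNSKEY RDATA
    ksk_v2 = b"\x01\x01\x03\x08" + b"\x22" * 32
    acc.bind("example.", 12345, ksk_v1)
    acc.bind("example.net.", 4242, b"\x33" * 36)
    acc.bind("test.", 7, b"\x44" * 36)
    root1 = acc.commit()

    key, path = acc.prove("example.", 12345)
    ok_before = verify_binding(root1, "example.", 12345, key, path)
    # an attacker substitutes a different key for the same zone and tag
    forged = verify_binding(root1, "example.", 12345, b"\x55" * 36, path)

    acc.rollover("example.", 12345, 54321, ksk_v2)
    root2 = acc.commit()
    # the pre-rollover proof must not verify against the new root
    stale = verify_binding(root2, "example.", 12345, ksk_v1, path)
    key2, path2 = acc.prove("example.", 54321)
    ok_after = verify_binding(root2, "example.", 54321, key2, path2)
    return {"ok_before": ok_before, "forged": forged, "stale": stale,
            "ok_after": ok_after, "root_changed": root1 != root2}


if __name__ == "__main__":
    print(demo())
```

A resolver that holds only the most recently committed root can check a zone's key binding before using that key to validate RRSIGs, which is the role the DS chain from the root plays in standard DNSSEC. Two caveats a practitioner would want: a proof is only as fresh as the root it was built against, so the verifier must track the current root rather than cache an old one, and membership in the set says nothing about later revocation unless the set is updated and re-committed.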
    Fig. 1  Overall system structure

    Fig. 2  Block structure

    Fig. 3  Public key binding pair registration based on a smart contract

    Fig. 4  Public key binding verification based on a cryptographic accumulator

    Fig. 5  PBFT consensus with node grouping

    Fig. 6  Comparison of transaction processing speed of the PBFT variants

    Fig. 7  Public key verification time compared with an Ethereum implementation

    Fig. 8  Public key verification time compared with DNSSEC

    Fig. 9  Key registration time comparison

    Fig. 10  Schematic of a blockchain-based KSK rollover response

    Table 1  Comparison of recent related work

    Work              | Target | Year | Approach                                                                                                          | Concern
    Hari et al. [9]   | DNS    | 2016 | First proposed using a blockchain instead of a PKI to verify DNS records                                          | Functionality
    Namecoin [10]     | DNS    | 2011 | First open-source blockchain-based DNS system                                                                     | Functionality
    Blockstack [11]   | DNS    | 2016 | Separates name data from control; off-chain storage reduces the complexity of managing name records on the chain | Functionality
    Liu et al. [12]   | DNS    | 2018 | Further uses decentralized file management as the off-chain store for DNS records                                 | Functionality
    Blockzone [13]    | DNS    | 2019 | A PBFT-based DNS record management mechanism                                                                      | Security
    IKP [14]          | PKI    | 2017 | Uses a blockchain to improve how PKI/CAs handle misbehaviour                                                      | Security
    CertLedger [18]   | PKI    | 2019 | Introduces a blockchain to improve PKI security                                                                   | Security
    Wang et al. [16]  | PKI    | 2020 | Designs blockchain transactions that implement CA verification                                                    | Functionality
    Gourley et al. [17] | DNSSEC | 2018 | Stores X.509-format DNSSEC certificates on a dedicated blockchain network                                     | Security
    AuthLedger [15]   | DNSSEC | 2019 | A design that uses a blockchain to perform PKI signature verification                                             | Functionality

    Table 2  Comparison of fault tolerance of the PBFT variants

    Faulty nodes (note 1) | No grouping (note 2) | Clustering-based grouping | Domain-name-based grouping
    2/0                   | 2%                   | 1%                        | 2%
    4/0                   | 5%                   | 2%                        | 5%
    10/0                  | 100%                 | 17%                       | 32%
    1/2                   | 3%                   | 4%                        | 9%
    4/4                   | 13%                  | 100%                      | 23%
    10/4                  | 100%                 | 100%                      | 47%
    Note 1: "number of malicious non-authoritative nodes / number of malicious authoritative nodes" in a 30-node committee.
    Note 2: columns 2 to 4 give the percentage of transactions on which consensus was not reached.
    [1] Mockapetris P. Domain names - concepts and facilities. STD 13, RFC 1034, November 1987. doi: 10.17487/RFC1034. [Online]. Available: https://www.rfc-editor.org/info/rfc1034
    [2] Mockapetris P. Domain names - implementation and specification. STD 13, RFC 1035, November 1987. doi: 10.17487/RFC1035. [Online]. Available: https://www.rfc-editor.org/info/rfc1035
    [3] Shulman H, Waidner M. One key to sign them all considered vulnerable: evaluation of DNSSEC in the Internet. In: Proceedings of the 14th USENIX Symposium on Networked Systems Design and Implementation (NSDI), Boston, USA. 2017: 131−144
    [4] Arends R, Austein R, Larson M, Massey D, et al. Resource Records for the DNS Security Extensions. RFC 4034, March 2005. doi: 10.17487/RFC4034. [Online]. Available: https://www.rfc-editor.org/info/rfc4034
    [5] Yang H, Osterweil E, Massey D, et al. Deploying cryptography in Internet-scale systems: a case study on DNSSEC. IEEE Transactions on Dependable and Secure Computing, 2010, 8(5): 656−669
    [6] DNSSEC deployment report. [Online]. Available: http://rick.eng.br/dnssecstat/
    [7] Chung T, van Rijswijk-Deij R, et al. A longitudinal, end-to-end view of the DNSSEC ecosystem. In: Proceedings of the 26th USENIX Security Symposium, Vancouver, Canada. 2017: 1307−1322
    [8] Yuan Y, Ni X C, Zeng S, Wang F Y. Blockchain consensus algorithms: the state of the art and future trends. Acta Automatica Sinica, 2018, 44(11): 2011−2022. doi: 10.16383/j.aas.2018.c180268
    [9] Hari A, Lakshman T V. The Internet blockchain: a distributed, tamper-resistant transaction framework for the Internet. In: Proceedings of the 15th ACM Workshop on Hot Topics in Networks (HotNets), New York, USA. 2016: 204−210
    [10] Namecoin. [Online]. Available: https://namecoin.org/
    [11] Ali M, Nelson J, Shea R, Freedman M J. Blockstack: a global naming and storage system secured by blockchains. In: Proceedings of the 2016 USENIX Annual Technical Conference, Denver, USA. 2016: 181−194
    [12] Liu J, Li B, et al. A data storage method based on blockchain for decentralization DNS. In: Proceedings of the 2018 IEEE Third International Conference on Data Science in Cyberspace (DSC), Guangzhou, China. 2018: 189−196
    [13] Wang W, Hu N, Liu X. Blockzone: a blockchain-based DNS storage and retrieval scheme. In: Proceedings of the 2019 International Conference on Artificial Intelligence and Security (ICAIS). Springer, Cham, 2019: 155−166
    [14] Matsumoto S, Reischuk R M. IKP: turning a PKI around with decentralized automated incentives. In: Proceedings of the 2017 IEEE Symposium on Security and Privacy (S&P). 2017: 410−426
    [15] Guan Z, Garba A, Li A, Chen Z, Kaaniche N. AuthLedger: a novel blockchain-based domain name authentication scheme. In: Proceedings of the 5th International Conference on Information Systems Security and Privacy (ICISSP), Prague, Czech Republic. 2019: 345−352
    [16] Wang Z, Lin J, Cai Q, Wang Q, et al. Blockchain-based certificate transparency and revocation transparency. IEEE Transactions on Dependable and Secure Computing (early access), 2020
    [17] Gourley S, Tewari H. Blockchain backed DNSSEC. In: Proceedings of the International Conference on Business Information Systems (BIS), Berlin, Germany. 2018: 173−184
    [18] Kubilay M Y, Kiraz M S, Mantar H A. CertLedger: a new PKI model with certificate transparency based on blockchain. Computers & Security, 2019, 85: 333−352
    [19] Patsonakis C, et al. Towards a smart contract-based, decentralized, public-key infrastructure. In: Proceedings of the 2017 International Conference on Cryptology and Network Security (CANS), Fuzhou, China. 2017: 299−321
    [20] Schaeffer Y, Overeinder B, Mekking M. Flexible and robust key rollover in DNSSEC. In: Proceedings of the Workshop on Securing and Trusting Internet Names (SATIN). 2012
    [21] Liu Y Z, Liu J W, Zhang Z Y, Xu T G, Yu H. Overview on blockchain consensus mechanisms. Journal of Cryptologic Research, 2019, 6(4): 395−432
    [22] Zhang C, Li Q, Chen Z H, Li Z R, Zhang Z. Medical Chain: alliance medical blockchain system. Acta Automatica Sinica, 2019, 45(8): 1495−1510. doi: 10.16383/j.aas.c180131
    [23] Benaloh J, de Mare M. One-way accumulators: a decentralized alternative to digital signatures (extended abstract). In: Proceedings of EUROCRYPT '93 (Workshop on the Theory and Application of Cryptographic Techniques), Lofthus, Norway. 1993: 274−285
    [24] Camacho P, Hevia A, Kiwi M, Opazo R. Strong accumulators from collision-resistant hashing. International Journal of Information Security, 2012, 11: 349−363
    [25] Sun H F, Zhang W F, Wang X M, Ma Z, Huang L F, Li X. A robust Byzantine fault-tolerant consensus algorithm against adaptive attack based on ring signature and threshold signature. Acta Automatica Sinica, 2021, x(x): 1−12. doi: 10.16383/j.aas.c200694
Publication history
  • Received: 2020-12-29
  • Accepted: 2021-04-21
  • Published online: 2021-06-12
