Impact factor: 2.845 (2023, CJCR)

Indexed in:
  • Chinese Core Journals
  • EI
  • China Science and Technology Core Journals
  • Scopus
  • CSCD
  • Science Abstracts (UK)


A Blockchain-based DNSSEC Public Key Verification Scheme

Chen Wen-Yu, Li Xiao-Dong, Yang Xue, Xu Yan-Zhi

Citation (Chinese): 陈闻宇, 李晓东, 杨学, 徐彦之. 一种基于区块链的DNSSEC公钥验证机制. 自动化学报, 2023, 49(4): 731−743 doi: 10.16383/j.aas.c201082
Citation: Chen Wen-Yu, Li Xiao-Dong, Yang Xue, Xu Yan-Zhi. A blockchain-based DNSSEC public key verification scheme. Acta Automatica Sinica, 2023, 49(4): 731−743 doi: 10.16383/j.aas.c201082


Funds: Supported by National Key Research and Development Program of China (2019YFB1804500)
More Information
    Author Bio:

    CHEN Wen-Yu  Senior engineer, Ph.D. candidate at the Network Technology Research Center, Institute of Computing Technology, Chinese Academy of Sciences. His research interest covers internet fundamental resources management, network security, and blockchain technology. E-mail: chenwy2000@163.com

    LI Xiao-Dong  Professor at the Institute of Computing Technology, Chinese Academy of Sciences, and adjunct professor of the School of Public Policy and Management, Tsinghua University. His research interest covers internet fundamental resources management, big data analysis, network security, and internet governance. E-mail: xl@ict.ac.cn

    YANG Xue  Senior engineer at China Internet Network Information Center. His research interest covers internet fundamental resources management, big data, and blockchain technology. Corresponding author of this paper. E-mail: yangx@cnnic.cn

    XU Yan-Zhi  Senior engineer at Guangdong-Hong Kong-Macao Greater Bay Area (GBA) Research Innovation Institute for Nanotechnology. Her research interest covers artificial intelligence, big data, and blockchain technology. E-mail: xuyz@cannano.cn

Abstract: To address the trust-chain complexity and the unilateral control model caused by the centralized DNSSEC (Domain Name System Security Extensions) architecture, a decentralized DNSSEC public key verification mechanism is proposed. The mechanism combines a blockchain structure, a cryptographic accumulator and a consensus algorithm design, and implements key binding, key rollover and key verification operations on the blockchain, so that domain name records can be verified with trusted public keys without any centralized authoritative node. Further analysis and experiments show that the proposed mechanism improves the efficiency of key verification while preserving the security of key management.

    1) https://www.isi.edu/nsnam/ns/ns-topogen.html
    Fig. 1  Overall system structure
    Fig. 2  Block structure
    Fig. 3  Public key binding pair registration process based on smart contracts
    Fig. 4  Public key binding verification based on a cryptographic accumulator
    Fig. 5  Grouped PBFT consensus
    Fig. 6  Result of running the dig command to view the SOA record
    Fig. 7  Comparison of transaction processing speed of different PBFT algorithms
    Fig. 8  Public key verification time compared with an Ethereum implementation
    Fig. 9  Public key verification time compared with DNSSEC
    Fig. 10  Key registration time comparison
    Fig. 11  Schematic diagram of the blockchain-based KSK public key rollover response

    Table 1  Comparison of most recent related works

    | Work | Target system | Year proposed | Basic method | Problem addressed |
    | --- | --- | --- | --- | --- |
    | Hari et al. [9] | DNS | 2016 | First to propose verifying DNS records with a blockchain instead of a PKI | Functionality |
    | Namecoin [10] | DNS | 2011 | First open-source blockchain-based DNS system | Functionality |
    | Blockstack [11] | DNS | 2016 | Separates domain name data from control into layers and uses external storage to reduce the complexity of managing domain records on the blockchain | Functionality |
    | Liu et al. [12] | DNS | 2018 | Further proposes decentralized file management for storing DNS records outside the blockchain | Functionality |
    | Blockzone [13] | DNS | 2019 | Proposes an overall PBFT-based DNS record management mechanism | Security |
    | IKP [14] | PKI | 2017 | Uses a blockchain to improve how PKI/CA handles anomalous operations | Security |
    | CertLedger [15] | PKI | 2019 | Introduces a blockchain to improve PKI security | Security |
    | Wang et al. [16] | PKI | 2022 | Designs blockchain transactions to implement CA verification | Functionality |
    | Gourley et al. [17] | DNSSEC | 2018 | Proposes storing X.509-format DNSSEC certificates on a dedicated blockchain network | Security |
    | AuthLedger [18] | DNSSEC | 2019 | Proposes a design that uses a blockchain to perform PKI signature verification | Functionality |

    Table 2  Comparison of fault tolerance capability of different PBFT algorithms (%)

    | PBFT type (Note 1) | No grouping (Note 2) | Cluster grouping | Domain-name grouping |
    | --- | --- | --- | --- |
    | 2/0 | 2 | 1 | 2 |
    | 4/0 | 5 | 2 | 5 |
    | 10/0 | 100 | 17 | 32 |
    | 1/2 | 3 | 4 | 9 |
    | 4/4 | 13 | 100 | 23 |
    | 10/4 | 100 | 100 | 47 |

    Note 1: "number of malicious non-authoritative nodes / number of malicious authoritative nodes" in a 30-node committee.
    Note 2: Columns 2 to 4 give the percentage of transactions that failed to reach consensus.
    [1] Mockapetris P V. Domain names — Concepts and facilities, STD 13, RFC 1034 [Online], available: https://www.rfc-editor.org/info/rfc1034, November 1, 1987
    [2] Mockapetris P V. Domain names — Implementation and specification, STD 13, RFC 1035 [Online], available: https://www.rfc-editor.org/info/rfc1035, November 1, 1987
    [3] Shulman H, Waidner M. One key to sign them all considered vulnerable: Evaluation of DNSSEC in the internet. In: Proceedings of the 14th USENIX Symposium on Networked Systems Design and Implementation. Boston, USA: USENIX Association, 2017. 131−144
    [4] Arends R, Austein R, Larson M, Massey D, Rose S. Resource records for the DNS security extensions [Online], available: https://www.rfc-editor.org/info/rfc4034, March 1, 2005
    [5] Yang H, Osterweil E, Massey D, Lu S W, Zhang L X. Deploying cryptography in Internet-scale systems: A case study on DNSSEC. IEEE Transactions on Dependable and Secure Computing, 2011, 8(5): 656−669 doi: 10.1109/TDSC.2010.10
    [6] DNSSEC deployment report [Online], available: http://rick.eng.br/dnssecstat/, April 13, 2022
    [7] Chung T, Van Rijswijk-Deij R, Chandrasekaran B, Choffnes D, Levin D, Maggs B M, et al. A longitudinal, end-to-end view of the DNSSEC ecosystem. In: Proceedings of the 26th USENIX Conference on Security Symposium. Vancouver, Canada: USENIX Association, 2017. 1307−1322
    [8] Yuan Yong, Ni Xiao-Chun, Zeng Shuai, Wang Fei-Yue. Blockchain consensus algorithms: The state of the art and future trends. Acta Automatica Sinica, 2018, 44(11): 2011−2022 (in Chinese)
    [9] Hari A, Lakshman T V. The Internet blockchain: A distributed, tamper-resistant transaction framework for the Internet. In: Proceedings of the 15th ACM Workshop on Hot Topics in Networks. Atlanta, USA: ACM, 2016. 204−210
    [10] Namecoin [Online], available: https://namecoin.org/, April 13, 2022
    [11] Ali M, Nelson J, Shea R, Freedman M J. Blockstack: A global naming and storage system secured by blockchains. In: Proceedings of the USENIX Annual Technical Conference. Denver, USA: USENIX Association, 2016. 181−194
    [12] Liu J Q, Li B, Chen L Z, Hou M, Xiang F R, Wang P J. A data storage method based on blockchain for decentralization DNS. In: Proceedings of the 3rd IEEE International Conference on Data Science in Cyberspace (DSC). Guangzhou, China: IEEE, 2018. 189−196
    [13] Wang W T, Hu N, Liu X. BlockZone: A blockchain-based DNS storage and retrieval scheme. In: Proceedings of the International Conference on Artificial Intelligence and Security. New York, USA: Springer, 2019. 155−166
    [14] Matsumoto S, Reischuk R M. IKP: Turning a PKI around with decentralized automated incentives. In: Proceedings of the IEEE Symposium on Security and Privacy (SP). San Jose, USA: IEEE, 2017. 410−426
    [15] Kubilay M Y, Kiraz M S, Mantar H A. CertLedger: A new PKI model with Certificate Transparency based on blockchain. Computers & Security, 2019, 85: 333−352
    [16] Wang Z, Lin J Q, Cai Q W, Wang Q X, Zha D R, Jing J W. Blockchain-based certificate transparency and revocation transparency. IEEE Transactions on Dependable and Secure Computing, 2022, 19(1): 681−697 doi: 10.1109/TDSC.2020.2983022
    [17] Gourley S, Tewari H. Blockchain backed DNSSEC. In: Proceedings of the International Conference on Business Information Systems. Berlin, Germany: Springer, 2018. 173−184
    [18] Guan Z, Garba A, Li A R, Chen Z, Kaaniche N. AuthLedger: A novel blockchain-based domain name authentication scheme. In: Proceedings of the 5th International Conference on Information Systems Security and Privacy. Prague, Czech Republic: SciTePress, 2019. 345−352
    [19] Patsonakis C, Samari K, Roussopoulos M, Kiayias A. Towards a smart contract-based, decentralized, public-key infrastructure. In: Proceedings of the 16th International Conference on Cryptology and Network Security. Hong Kong, China: Springer, 2017. 299−321
    [20] Schaeffer Y, Overeinder B J, Mekking M. Flexible and robust key rollover in DNSSEC. In: Proceedings of the Workshop on Securing and Trusting Internet Names (SATIN 2012). 2012
    [21] Liu Yi-Zhong, Liu Jian-Wei, Zhang Zong-Yang, Xu Tong-Ge, Yu Hui. Overview on blockchain consensus mechanisms. Journal of Cryptologic Research, 2019, 6(4): 395−432 (in Chinese)
    [22] Zhang Chao, Li Qiang, Chen Zi-Hao, Li Zu-Rui, Zhang Zhen. Medical chain: Alliance medical blockchain system. Acta Automatica Sinica, 2019, 45(8): 1495−1510 (in Chinese)
    [23] Benaloh J, de Mare M. One-way accumulators: A decentralized alternative to digital signatures. In: Proceedings of the Workshop on the Theory and Application of Cryptographic Techniques. Lofthus, Norway: Springer, 1993. 274−285
    [24] Camacho P, Hevia A, Kiwi M, Opazo R. Strong accumulators from collision-resistant hashing. International Journal of Information Security, 2012, 11(5): 349−363 doi: 10.1007/s10207-012-0169-2
    [25] Sun Hai-Feng, Zhang Wen-Fang, Wang Xiao-Min, Ma Zheng, Huang Lu-Fei, Li Xuan. A robust Byzantine fault-tolerant consensus algorithm against adaptive attack based on ring signature and threshold signature. Acta Automatica Sinica, DOI: 10.16383/j.aas.c200694 (in Chinese)
Publication history
  • Received: 2020-12-29
  • Accepted: 2021-04-21
  • Published online: 2021-06-12
  • Issue date: 2023-04-20
