基于区块链的隐私保护和数字认证研究

doi:10.3969/j.issn.1671-1122.2025.04.012

摘要/Abstract

摘要：

公钥基础设施-证书颁发机构（PKI-CA）是一种用于管理数字证书和公私钥对的技术框架，传统PKI-CA系统由于集中化管理的特性，存在单点故障和安全风险。为解决这些问题，文章设计了一种基于区块链智能合约的去中心化PKI-CA系统，通过智能合约实现证书的增删改查，各节点扮演证书颁发机构或注册机构的角色。为提高效率，系统采用了基于星际文件系统的数字证书索引算法，使用内容标识符（CID）快速检索证书。考虑到区块链的透明性问题，系统结合国密算法和全同态加密算法，加密敏感数据，确保证书持有者的身份和隐私安全。实验结果表明，系统每秒可处理50次操作，颁发100张证书仅需2.39 s，相较于传统PKI-CA系统具有更高的性能和安全性。安全性分析结果表明，系统采用的国密算法和全同态加密技术有效实现了对系统关键数据和敏感数据的保护，区块链的去中心化与共识机制增强了系统的抗攻击能力，有效防止了恶意生成和伪造证书。

关键词: 区块链, 智能合约, 证书权威, 星际文件系统

Abstract:

Public Key Infrastructure Certificate Authority (PKI-CA) is a framework used to manage digital certificates and public-private key pairs. Traditional PKI-CA systems, due to their centralized management nature, faced risks of single points of failure and security vulnerabilities. To address these issues, this paper designed a decentralized PKI-CA system based on blockchain smart contracts, where certificate addition, deletion, modification and querying were achieved through smart contracts. Each node assumed the role of a Certificate Authority (CA) or Registration Authority (RA). To improve efficiency, the system adopted a certificate indexing algorithm based on IPFS, using Content Identifiers (CID) for fast certificate retrieval. Considering the transparency of blockchain, the system incorporated China’s cryptographic algorithm and fully homomorphic encryption to encrypt sensitive data, ensuring the identity and privacy of certificate holders. Testing results showed that the system could handle 50 operations per second, with the issuance of 100 certificates taking only 2.39 seconds, demonstrating better performance and security compared to traditional PKI-CA systems. Security analysis results showed that the China commercial cryptographic algorithm and full homomorphic encryption technology adopted by the system effectively protect the system’s key data and sensitive information. The decentralization and consensus mechanism in the blockchain enhance the system’s anti-attack capability and effectively prevent the malicious generation and forgery of certificates.

Key words: blockchain, smart contracts, certificate authority, IPFS

中图分类号:

TP309

杨亚涛, 丁渝诚, 刘培鹤, 桑鹏. 基于区块链的隐私保护和数字认证研究[J]. 信息网络安全, 2025, 25(4): 640-653.

YANG Yatao, DING Yucheng, LIU Peihe, SANG Peng. Research on Blockchain-Based Privacy Preservation and Digital Authentication[J]. Netinfo Security, 2025, 25(4): 640-653.

图/表 11

图1

图2

表1

图3

图4

图5

图6

图7

表2

表3

表4

参考文献 35

[1]	NAKAMOTO S. Bitcoin: A Peer-To-Peer Electronic Cash System[EB/OL]. (2008-10-31)[2024-09-06]. https://bitcoin.org/bitcoin.pdf.
[2]	TEWARI H. Blockchain Research Beyond Cryptocurrencies[J]. IEEE Communications Standards Magazine, 2019, 3(4): 21-25.
[3]	XIAO Ling, LI Zhitang. Public Key Infrastructure (PKI) Architecture[J]. Computer Engineering and Applications, 2002, 38(10): 137-139.
	肖凌, 李之棠. 公开密钥基础设施(PKI)结构[J]. 计算机工程与应用, 2002, 38(10):137-139.
[4]	LIN Jingqiang, JIN Jiwu, ZHANG Qionglu, et al. Recent Research on PKI Technology: A Review[J]. Journal of Cryptography, 2015, 2(6): 487-496.
	林璟锵, 荆继武, 张琼露, 等. PKI技术的近年研究综述[J]. 密码学报, 2015, 2(6):487-496. doi: 10.13868/j.cnki.jcr.000095
[5]	YANG Yatao, LIU Deli, LIU Peihe, et al. BFV-Blockchainvoting: A Blockchain-Based Electronic Voting System Supporting BFV Fully Homomorphic Encryption[J]. Journal on Communications, 2022, 43(9): 100-111. doi: 10.11959/j.issn.1000-436x.2022172
	杨亚涛, 刘德莉, 刘培鹤, 等. BFV-Blockchainvoting:支持BFV全同态加密的区块链电子投票系统[J]. 通信学报, 2022, 43(9):100-111. doi: 10.11959/j.issn.1000-436x.2022172
[6]	YANG Yatao, LIN Tianxiang, CHENG Jianyuan. Design of Fully Homomorphic Encryption Smart Contracts Under Edge Computing Model[J]. Journal of Information Security, 2022, 7(2): 150-162.
	杨亚涛, 林天祥, 陈剑源. 边缘计算模式下全同态加密智能合约设计[J]. 信息安全学报, 2022, 7(2):150-162.
[7]	NASRULIN B, DE V M, ISHMAEV G, et al. Gromit: Benchmarking the Performance and Scalability of Blockchain Systems[C]// IEEE. 2022 IEEE International Conference on Decentralized Applications and Infrastructures (DAPPS). New York: IEEE, 2022: 56-63.
[8]	CHIU W Y, MENG Weizhi, JENSEN C D. ChainPKI-Towards Ethash-Based Decentralized PKI with Privacy Enhancement[C]// IEEE. 2021 IEEE Conference on Dependable and Secure Computing(DSC). New York: IEEE, 2021: 1-8.
[9]	BERBECARU D G, LIOY A. An Evaluation of X. 509 Certificate Revocation and Related Privacy Issues in the Web PKI Ecosystem[J]. IEEE Access, 2023, 11: 79156-79175.
[10]	FROMKNECHT C, VELICANU D, YAKOUBOV S. Certcoin: A Namecoin Based Decentralized Authentication System[EB/OL]. (2014-05-14)[2024-09-06]. https://courses.csail.mit.edu/6.857/2014/files/19-fromknecht-velicann-yakoubov-certcoin.pdf?source=post_page.
[11]	ZOU Bangqi, ZHAO Gansen, TANG Hua, et al. Archiveschain: Distributed PKI Archives System[C]// IEEE. 2021 4th International Conference on Advanced Electronic Materials, Computers and Software Engineering (AEMCSE). New York: IEEE, 2021: 1009-1013.
[12]	FAN Wenjun, CHANG S, KUMAR S, et al. Blockchain-Based Secure Coordination for Distributed SDN Control Plane[C]// IEEE. 2021 IEEE 7th International Conference on Network Softwarization (NetSoft). New York: IEEE, 2021: 253-257.
[13]	OBIRI I A, YANG Jian, GAO Jun, et al. A Sovereign PKI for IoT Devices Based on the Blockchain Technology[C]// IEEE. 2021 18th International Computer Conference on Wavelet Active Media Technology and Information Processing (ICCWAMTIP). New York: IEEE, 2021: 110-115.
[14]	SUZUKI N, YOSHIOKA T, HASEGAWA A, et al. Implementation and Evaluation of Spectrum Sharing Technology Using Smart Contracts[C]// IEEE. 2022 IEEE 12th Annual Computing and Communication Workshop and Conference (CCWC). New York: IEEE, 2022: 922-928.
[15]	GUPTA N, NEGI S, RAWAT K, et al. Decentralized and Permission-Aware Blockchain for Certificate Security: An Exploratory Analysis[C]// IEEE. 2024 2nd International Conference on Sustainable Computing and Smart Systems (ICSCSS). New York: IEEE, 2024: 558-562.
[16]	DASH S P, JENA A K. An Efficient Approach for Optimizing the CA Selection Search Space in a Blockchain Network[C]// IEEE. 2024 International Conference on Emerging Systems and Intelligent Computing (ESIC). New York: IEEE, 2024: 685-690.
[17]	WANG Miaomiao, RUI Lanlan, YANG Yang, et al. A Blockchain-Based Multi-CA Cross-Domain Authentication Scheme in Decentralized Autonomous Network[J]. IEEE Transactions on Network and Service Management, 2022, 19(3): 2664-2676.
[18]	MOUSSAOUI D, KADRI B, FEHAM M, et al. A Distributed Blockchain Based PKI (BCPKI)Architecture to Enhance Privacy in VANET[C]// IEEE. 2020 2nd International Workshop on Human-Centric Smart Environments for Health and Well-Being (IHSH). New York: IEEE, 2021: 75-79.
[19]	AGURU A D, ERUKALA S B, KAVATI I. Smart Contract Based Next-Generation Public KeyInfrastructure (PKI) Using Permissionless Blockchain[C]// Springer. Hybrid Intelligent Systems (HIS). International Conference on Hybrid Intelligent Systems(HIS). Heidelberg: Springer, 2022: 625-635.
[20]	TRAN E, SEN S, ERGUN T. A Semi-Decentralized PKI Based on Blockchain with a Stake-Based Reward-Punishment Mechanism[J]. IEEE Access, 2024, 12: 60705-60721.
[21]	GARBA A, HU Qinwen, CHEN Zhong, et al. BB-PKI: Blockchain-Based Public Key Infrastructure Certificate Management[C]// IEEE. 2020 IEEE 22nd International Conference on High Performance Computing and Communications; IEEE 18th International Conference on Smart City(HPCC/SmartCity/DSS). New York: IEEE, 2020: 824-829.
[22]	GARBA A, CHEN Zhong, GUAN Zhi, et al. Lightledger: A Novel Blockchain-Based Domain Certificate Authentication and Validation Scheme[J]. IEEE Transactions on Network Science and Engineering, 2021, 8(2): 1698-1710.
[23]	RASHID A, MASOOD A, ABBAS H, et al. Blockchain-Based Public Key Infrastructure: A Transparent Digital Certification Mechanism for Secure Communication[J]. IEEE Network, 2021, 35(5): 220-225.
[24]	WANG Ze, LIN Jinqiang, CAI Quanwei, et al. Blockchain-Based Certificate Transparency and Revocation Transparency[J]. IEEE Transactions on Dependable and Secure Computing, 2020, 19(1): 681-697.
[25]	PENNINO D, PIZZONIA M, VITALETTI A, et al. Efficient Certification of Endpoint Control on Blockchain[J]. IEEE Access, 2021, 9(1): 133309-133334.
[26]	KUBILAY M, KIRAZ M S, MANTAR H. CERTLEDGER: A New PKI Model With Certificate Transparency Based on Blockchain[J]. Computers & Security, 2019, 85(1): 333-352.
[27]	CHEN Jing, YAO Shixiong, YUAN Quan, et al. CertChain: Public and Efficient Certificate Audit Based on Blockchain for TLS Connections[C]// IEEE. IEEE INFOCOM 2018 - IEEE Conference on Computer Communications(IEEE INFOCOM 2018). New York: IEEE, 2018: 2060-2068.
[28]	KHAN S, ZHANG Zijian J, ZHU Liehuang, et al. SCM: Secure and Accountable TLS Certificate Management[EB/OL]. (2020-07-31)[2024-09-24]. https://onlinelibrary.wiley.com/doi/full/10.1002/dac.4503.
[29]	YE H, PARK S. Reliable Vehicle Data Storage Using Blockchain and IPFS[J]. Electronics, 2021, 10(10): 1130-1145.
[30]	CHEN Yongle, LI Hui, LI Kejiao, et al. An Improved P2P File System Scheme Based on IPFS and Blockchain[C]// IEEE. 2017 IEEE International Conference on Big Data (Big Data). New York: IEEE, 2017: 2652-2657.
[31]	FAN Junfeng, VERCAUTEREN F. Somewhat Practical Fully Homomorphic Encryption[EB/OL]. (2012-03-22) [2024-09-24]. https://eprint.iacr.org/2012/144.
[32]	BRAKERSKI Z, VAIKUNTANATHAN V. Efficient Fully Homomorphic Encryption from (Standard) LWE[EB/OL]. (2011-08-04) [2024-09-24]. https://eprint.iacr.org/2011/344.
[33]	QIN Bo, HUANG Jikun, WANG Qin, et al. Cecoin: A Decentralized PKI Mitigating MitM Attacks[J]. Future Generation Computer Systems, 2017,107:805-815.
[34]	DYKCIK L, CHUAT L, SZALACHOWSKI P, et al. BlockPKI:An Automated, Resilient, and Transparent Public-Key Infrastructure[C]// IEEE. 2018 IEEE International Conference on Data Mining Workshops (ICDMW). New York: IEEE, 2018:105-114.
[35]	WANG Rong, HE Juan, LIU Can, et al. A Privacy-Aware PKI System Based on Permissioned Blockchains[C]// IEEE. 2018 IEEE 9th International Conference on Software Engineering and Service Science (ICSESS). New York: IEEE, 2018: 928-931.

区块链类型	应用	节能	智能合约执行环境	编程语言	货币	共识算法
比特币	加密货币	否	比特币虚拟机（BVM）	脚本语言	BTC	POW
以太坊	应用平台	否	比特币虚拟机（BVM）	Solidity	Ether	POW
超级账本	应用平台	是	Docker	Golang	无	Raft

PKI-CA系统	交易吞吐量/tps	是否消耗数字货币
基于比特币^[33]的PKI-CA	7	是
基于以太坊^[34]的PKI-CA	20	是
本文提出的PKI-CA	50	否

测试功能	测试次数/次	消耗时间/s	是否出现异常
证书创建	100	2.39	否
证书查询	100	1.27	否
证书延期	100	1.55	否
证书撤销	100	219.00	否

系统类型	功能
系统类型	证书注册	证书更新	证书延期	证书撤销	单点故障	证书透明
传统PKI-CA	√	√	√	√	×	×
Authcoin	√	×	√	×	×	√
IKP	√	×	√	×	√	√
本文方案	√	√	√	√	√	√