| 一种基于区块链的DNSSEC公钥验证机制 |
| |
| 引用本文: | 陈闻宇, 李晓东, 杨学, 徐彦之. 一种基于区块链的DNSSEC公钥验证机制. 自动化学报, 2023, 49(4): 731−743 doi: 10.16383/j.aas.c201082 |
| |
| 作者姓名: | 陈闻宇 李晓东 杨学 徐彦之 |
| |
| 作者单位: | 1.中国科学院计算技术研究所 北京 100190;;2.中国科学院大学 北京 100049;;3.中国互联网络信息中心 北京 100190;;4.广东粤港澳大湾区国家纳米科技创新研究院 广州 510770 |
| |
| 基金项目: | 国家重点研发计划专项基金(2019YFB1804500)资助 |
| |
| 摘 要: | 针对中心化域名安全扩展(Domain name system security extensions, DNSSEC)架构所导致的信任链复杂性和单边控制模式, 提出了一种去中心化的DNSSEC公钥验证机制. 该机制结合区块链结构、密码学累加器和共识算法设计, 创新性地实现使用区块链技术的密钥绑定、轮转和验证操作, 无需中心化权威节点即可使用可信公钥验证域名记录. 进一步分析和实验表明, 所提出的机制在保证密钥管理安全性的同时, 提高了密钥验证的效率.
|
| 关 键 词: | 域名安全扩展 公钥基础设施 区块链 密码学累加器 |
| 收稿时间: | 2020-12-29 |
A Blockchain-based DNSSEC Public Key Verification Scheme |
| |
| Chen Wen-Yu, Li Xiao-Dong, Yang Xue, Xu Yan-Zhi. A blockchain-based DNSSEC public key verification scheme. Acta Automatica Sinica, 2023, 49(4): 731−743 doi: 10.16383/j.aas.c201082 |
| |
| Authors: | CHEN Wen-Yu LI Xiao-Dong YANG Xue XU Yan-Zhi |
| |
| Affiliation: | 1. Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100190;;2. University of Chinese Academy of Sciences, Beijing 100049;;3. China Internet Network Information Center, Beijing 100190;;4. Guangdong-Hong Kong-Macao Greater Bay Area (GBA) Research Innovation Institute for Nanotechnology, Guangzhou 510770 |
| |
| Abstract: | To solve the problem of the complexity of chain-of-trust and the unilateral governance caused by the centralized domain name system security extensions (DNSSEC) architecture, a decentralized DNSSEC public key verification mechanism is proposed. By introducing blockchain structure design, cryptographic accumulator, and consensus algorithm, the proposed mechanism gives radical new key binding, rotation, and verification operations leveraging blockchain technologies enables the use of trustful public key verification without any centralized authorities. Further analysis and experiments show that the proposed mechanism consistently perform the order of magnitude better key verification performance, as well as achieve a good trade-off between key management complexity and security. |
| |
| Keywords: | Domain name system security extensions (DNSSEC) public key infrastructure (PKI) blockchain cryptographic accumulator |
|
| 点击此处可从《自动化学报》浏览原始摘要信息 |
|
点击此处可从《自动化学报》下载全文 |
|
