Tuesday, May 17, 2016

Public Key Infrastructure and Blockchain

When two hosts want to transfer sensitive data between them, they use encrypted communication. The hosts first connect to each other and authenticate themselves. After that, an encrypted connection is established, over which the sensitive data is transferred.

If a host wants to authenticate itself to the other host, it needs to prove its identity. Normally, public key cryptography is used for that purpose. Each host possesses a private-public key pair, and to establish an encrypted connection, the hosts share their public keys with each other.

However, one has to confirm that the shared public key indeed belongs to the sender. Public Key Infrastructure, or PKI, is an arrangement used for that purpose. It binds public keys to their corresponding identities through the registration and issuance of certificates by a centralized authority called a Certificate Authority, or CA. PKI consists of a set of roles, policies and procedures to create, manage, distribute or revoke digital certificates.

Certification using Public Key Infrastructure

PKI consists of the following components:

  • Certificate Authority
  • Registration Authority
  • Central Directory
  • Certificate Management System
  • Certificate Policy

Certificate Authority

A Certificate Authority issues a digital certificate to an entity. The issued digital certificate is signed with the private key of the CA, so that it cannot be tampered with undetected. When a host gets a digital certificate of another host, it checks with the corresponding CA to make sure it is an authentic one.

Registration Authority

When an entity requests a digital certificate, the Registration Authority verifies the identity of the entity to make sure the digital certificate is not misissued.

Central Directory

A Central Directory is a central location where public keys are stored and indexed, so that they can be retrieved at the time of verification of digital certificates.

Certificate Management System

A Certificate Management System manages access to stored certificates and the delivery of the certificates to be issued.

Certificate Policy

A Certificate Policy consists of the policies that apply to digital certificates.

Blockchain in Decentralized Public Key Infrastructure

There are several disadvantages of relying on a centralized authority in a PKI. A digital certificate can be misissued by a CA for a number of reasons, and when that happens, security is heavily compromised.

To counter the disadvantages of using a centralized authority, a Decentralized Public Key Infrastructure can be used with Blockchain.

What is a Blockchain?

A blockchain is a distributed database that maintains a continuously growing list of data records that cannot be tampered with.

The blockchain was the main technical innovation behind Bitcoin. There, a blockchain is used as a public ledger of all transactions made with Bitcoins.

A blockchain consists of a number of blocks, each linked to the block before it. Each block consists of a batch of timestamped transactions and a hash of the previous block. The linked blocks form a chain, hence the name of the database.

When new transactions are broadcast to all nodes, each node collects the transactions into a block. All the nodes verify the transactions present in the block and notify one another about their acceptance. When the majority of the nodes agree, the next block is created and linked to the previous one.
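The block structure described above, as an added example that is not part of the original post: each block carries a timestamp, a batch of transactions and the hash of its predecessor, and rewriting an old transaction breaks the link that follows it. The type and function names and the sample transactions are constructed for this illustration.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// Block holds a batch of timestamped transactions and the hash of its predecessor.
type Block struct {
	Time int64
	Txs  []string
	Prev [32]byte
}

// Hash commits to every field; %q quotes each transaction so the encoding is unambiguous.
func (b Block) Hash() [32]byte {
	return sha256.Sum256([]byte(fmt.Sprintf("%d|%x|%q", b.Time, b.Prev, b.Txs)))
}

// Append links a new block to the current tip of the chain.
func Append(chain []Block, ts int64, txs ...string) []Block {
	var prev [32]byte // all zeros for the first block
	if n := len(chain); n > 0 {
		prev = chain[n-1].Hash()
	}
	return append(chain, Block{ts, txs, prev})
}

// FirstBroken returns the index of the first block whose Prev link no longer
// matches its predecessor, or -1 if every link is intact.
func FirstBroken(chain []Block) int {
	for i := 1; i < len(chain); i++ {
		if chain[i].Prev != chain[i-1].Hash() {
			return i
		}
	}
	return -1
}

func main() {
	c := Append(nil, 1463443200, "register alice key=aa11") // constructed sample data
	c = Append(c, 1463443260, "register bob key=bb22")
	c = Append(c, 1463443320, "update alice key=cc33")
	fmt.Println("intact:", FirstBroken(c))
	c[0].Txs[0] = "register alice key=ee99" // rewrite history in block 0
	fmt.Println("after tampering:", FirstBroken(c))
}
```

The links only protect blocks that have a successor; the newest block depends on the nodes agreeing on its hash.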

How can a Blockchain be used in a Decentralized Public Key Infrastructure?


Blockchain can be used in a Decentralized PKI where each block may contain a number of digitally signed transactions. When an entity registers a public key, it can sign the key with its secret key and submit it to the blockchain. All the nodes in the blockchain can participate in the registration, issuance and validation of an entity's public key. When most of the nodes in the blockchain approve a transaction, it can be added to the next block created.

Registration of a Public Key

When an entity wants to register its public key, it signs the key with its secret key and submits it to the blockchain. All the nodes of the blockchain are notified. Each of them then iterates through the blockchain and verifies that the key has not been registered previously and that the transaction is valid. When a majority of the nodes verify the transaction successfully, it is approved and a block miner can then add it to the next block created.

Verification of a Public Key

When a user wants to verify whether a public key belongs to an identity, the user traverses the blockchain and looks up the id and public key pair of each transaction. Because each transaction is digitally signed and registered only after successful verification, it is very difficult to tamper with an entity's public key, and this ensures security.

Update of a Public Key

When an entity wants to update its public key, it submits its id, the old key and the new key to the blockchain. All the nodes of the blockchain verify that the old public key corresponds to the entity and notify their approval. When the majority of the nodes approve, a new block is created with the updated value of the public key.
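The registration, lookup and update checks described above, as an added example that is not part of the original post: `Validate` models the check a single node runs before voting, while majority voting and mining are left out. The names `Tx`, `Ledger` and `signTx`, the `id|key` message format, the choice of Ed25519 and the rule that an update must be signed with the currently registered key are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Tx binds ID to Key; Sig covers "id|key". signTx builds a signed binding.
type Tx struct {
	ID  string
	Key ed25519.PublicKey
	Sig []byte
}
type Ledger []Tx // transactions already accepted on the chain, oldest first

func signTx(id string, key ed25519.PublicKey, priv ed25519.PrivateKey) Tx {
	return Tx{id, key, ed25519.Sign(priv, []byte(id+"|"+string(key)))}
}

// Lookup traverses the ledger; the last key recorded for id is the current one.
func (l Ledger) Lookup(id string) (cur ed25519.PublicKey) {
	for _, t := range l {
		if t.ID == id {
			cur = t.Key
		}
	}
	return cur
}

// Validate is the check a node runs before voting to approve t.
func (l Ledger) Validate(t Tx) error {
	signer := t.Key // registration: the new key signs itself (proof of possession)
	for _, p := range l {
		if p.Key.Equal(t.Key) {
			return fmt.Errorf("key already registered to %q", p.ID)
		}
		if p.ID == t.ID {
			signer = p.Key // update: the id's current key must sign (assumption)
		}
	}
	if len(t.Key) != ed25519.PublicKeySize || !ed25519.Verify(signer, []byte(t.ID+"|"+string(t.Key)), t.Sig) {
		return fmt.Errorf("malformed key or signature not valid for %q", t.ID)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // freshly generated sample identity
	fmt.Println("registration error:", Ledger{}.Validate(signTx("alice", pub, priv)))
}
```

The self-signature shows only that the submitter holds the private key for the key being registered; whether the chosen id belongs to that submitter is not something these checks establish.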


  1. How can we validate that I did not register a key in the name of another person?

  2. Regarding "Registration of a Public Key", does not the 'entity' have to be authenticated as a prerequisite for the registration to work? How? It is related to Rafael's question.

  3. If I understand the question right, then the question is whether I can sign someone else's public key with my secret key and submit it to the blockchain. Please note that a public key and a corresponding private key form a key pair. So, if I sign someone else's public key with my secret key, then the encrypted key cannot be decrypted with someone else's public key. It would need my public key only. And, if someone decrypts it with my public key, he would know that the public key that he has used in the decryption and the decrypted public key that he has got do not match.