One of the areas I’d like to cover more often is the technology piece behind this space — too often important topics are glossed over because it’s already a pretty tech-heavy space and jargon-fatigue is a real thing.

So of course, when I mention decentralized public key infrastructure (DPKI), you might have just let out a big sigh.

But, as we’ll cover, this is one of blockchain’s brightest use cases and something that you should be loosely familiar with.

So let’s start by covering the obvious question you have right now: what is centralized public key infrastructure?

In today’s world, the most commonly employed approach to public key infrastructures (PKIs) is the Web PKI. It’s a Certificate Authority (CA) based system that adopts a centralized trust infrastructure. Communications over the internet are secured through the safe delivery of public keys and the corresponding private keys.

If my former job, this is part of what I did for banks. And let me tell you, it was as dry as it gets.

Essentially, what you need to know is that most web services are secured through the creation of the keys signed by CAs. It’s how websites stay secure for your secured information (banking info, personal info, health info, etc.).

So, here’s the problem

The centralized PKIs such as the CA-based system has its problems and limitations generally because it relies on a central trusted party.

This is a big problem because it leaves the door open for attackers to conduct MITM (Man-in-the-Middle) attacks.

There are different forms of MITM attacks — ARP spoofing, IP spoofing, DNS spoofing, HTTPS spoofing, and Man in the Browser (MITB), and more. Numerous incidents have already shown that you can increase the risk of MITM attacks when you place too much trust in CAs.

In practice, attackers can trick the CA into thinking they are someone else, or they can go so far as to compromise the CA to get it to issue a rogue certificate. For instance, the DigiNotar incident that happened in 2011 when fraudulent certificates from the Dutch certificate authority company were issued as a result of an attack.

Another incident happened in 2017 where hackers took control of Brazilian banks DNS server and tricked a CA into issuing a valid certificate to them.

The out-of-date PKI design poses high security risks because a single point of failure can be used to open any encrypted online communication. Centralized PKI systems are struggling to keep up with the evolving digital landscape; the modern world is desperate for a better designed, decentralized approach to PKIs.

The potential solution: Decentralized PKI (DPKI)

Decentralized Public Key Infrastructure, or DPKI, is an alternative approach to designing better PKI systems. Pretty Good Privacy (PGP), an encryption program developed by Phil Zimmermann, is a decentralized trust system that was created when blockchain didn’t exist.

It has issues with establishing trust relations between all parties. But today there is no need for the third-parties. Blockchain is a novel approach to build a more competent, secure PKI system.

But how blockchain is going to improve PKI? In decentralized PKI, blockchain acts as a decentralized key-value storage. It is capable of securing the data read to prevent MITM attacks, and to minimize the power of third parties. By bringing the power of blockchain technology to the systems, DPKI resolves the issues with traditional PKI systems.

The decentralized nature of the management framework can tackle the problems with the CA systems through certificate revocation, eliminating single points of failure, and reacting fast to misuses of CAs. Blockchain is able to make the process transparent, immutable, and prevent attackers from breaking in, thus effectively avoiding the MITM attacks.

In 2015, Allen et al. explored in a publication titled “Decentralized Public Key Infrastructure,” that unlike the traditional approach, DPKI ensures no single third-party can compromise the integrity and security of the system as a whole. In blockchain-powered DPKI, the new third parties become miners or validators.

The trust is established and maintained based on consensus protocols. Third-parties, the miners or validators, will have to follow the rules of the protocol, that would financially reward and punish these third-parties to effectively preventing misbehavior in the blockchain and limiting their roles.

“Trust is decentralized through the use of technologies that make it possible for geographically and politically disparate entities to reach consensus on the state of a shared database,” the authors wrote in the 2015 paper, “blockchains allow for the assignment of arbitrary data such as public keys to these identifiers and permit those values to be globally readable in a secure manner that is not vulnerable to the MITM attacks that are possible in PKIX.”

Furthermore, researchers argued that the logic of key management can be implemented on smart contract of blockchain, and “Privacy based decentralized Public Key Infrastructure (PKI) implementation using Smart contract in Blockchain,” a 2017 publication by Sivakumar P and Dr. Kunwar Singh had successfully implemented it.

Nevertheless, blockchain is not perfect yet because it requires a device to synchronize a full copy of consensus data. Today’s Geth (Go-Ethereum) client provides multiple types of sync mode: full sync, fast sync, light sync. Diode, a Taiwan-based and U.S.-based blockchain initiative, recently developed a light client protocol called BlockQuick that aims to establish decentralized trust at a low bandwidth.

The following table is a comparison of different types of sync mode, trust model, bandwidth, and duration for Geth, FlyClient, BlockQuick, traditional Web PKI client.

As the table shows, a standard sync of Geth client takes up to 400GB of your disk — that’s a huge user experience downgrade, compared to a traditional Web PKI client’s ~5kb size that is needed for a standard TLS certificate handshake. In addition, 400GB raises a bar too high for IoT devices that are generally resource-constrained with limited computing power.

The transformation of PKI is inevitable and it looks to be picking up speed. This is a good time to start increasing the efforts to create awareness of PKI, and to help more people to navigate the fast moving digital landscape.