Inspiration

We wanted to use blockchain technology as a way to remove unnecessary third parties. After a member learned about TLS and certificate authorities in a cyber security class, the connection was made.

What it does


CertChain holds companies' certificate information and provides an interface for the browser to verify the certificate. This cuts out the need for a certificate authority's signature, as the blockchain technology provides a man-in-the-middle-proof way to verify a certificate.

How we built it

Our implementation is split into three parts:

Blockchain Interface

This provides a key/value store type layer of abstraction on top of the blockchain. This allows us to insert and get values as if the blockchain was just a database.

Certificate Generation

This is a tool that generates the required certificates, places what is needed on the blockchain, and downloads a certificate for the user to place on their server.

Blockchain-Browser Sync

Due to the limitations of current browser security (discussed more below), we were forced to work within the certificate authority system. This piece periodically syncs the certificates with the trusted certificates in the browser (currently Firefox). This is the part that, in a full implementation, we would like to see swapped out for a simple key check.
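The "simple key check" mentioned above could look like the following sketch, which is an added example and not CertChain's own code. It assumes the ledger maps a domain to the SHA-256 fingerprint of the site's DER-encoded certificate; the `Ledger` class is a hypothetical in-memory stand-in for the blockchain key/value layer, and the certificate bytes are constructed placeholders.

```python
import hashlib
import hmac
import ssl


class Ledger:
    """Hypothetical in-memory stand-in for the blockchain key/value layer."""

    def __init__(self):
        self._store = {}

    def put(self, key, value):
        self._store[key] = value

    def get(self, key):
        return self._store.get(key)


def normalize_host(host):
    # One canonical form for lookups: lowercase, no trailing dot, IDNA-encoded.
    return host.strip().rstrip(".").lower().encode("idna").decode("ascii")


def fingerprint(cert):
    # Accept PEM text or DER bytes; always hash the DER encoding so both agree.
    der = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert
    return hashlib.sha256(der).hexdigest()


def publish(ledger, host, cert):
    # Assumption: the value stored per domain is the certificate fingerprint.
    ledger.put(normalize_host(host), fingerprint(cert))


def check(ledger, host, presented_cert):
    """Return 'match', 'mismatch' or 'unknown'; only 'match' is trusted."""
    expected = ledger.get(normalize_host(host))
    if expected is None:
        return "unknown"  # fail closed: no ledger entry means no trust
    actual = fingerprint(presented_cert)
    return "match" if hmac.compare_digest(expected, actual) else "mismatch"


# Constructed sample data: placeholder bytes standing in for DER certificates.
SITE_DER = b"constructed-der-bytes-for-example.test"
OTHER_DER = b"constructed-der-bytes-for-a-different-certificate"
SITE_PEM = ssl.DER_cert_to_PEM_cert(SITE_DER)

ledger = Ledger()
publish(ledger, "Example.TEST.", SITE_PEM)
```

A client would treat both `mismatch` and `unknown` as a failed check, so a domain missing from the ledger is never silently trusted.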

Challenges we ran into

  1. NEO

NEO has sparse documentation, and we encountered challenges in accessing the API. Their custom build of Python (neo-python) lacked functionality common to regular Python (e.g., appending to lists). We also did not have any experience deploying to or working with blockchains.

  2. Existing Browser Security

In modern browsers, there is not a lot of flexibility with SSL certificates. For example, front-end JavaScript is unable to access details about the site's SSL certificate. This blocked an idea we had to use a Chrome extension to act as an extra layer of security. In addition, we were unable to get a modern browser to trust a self-signed certificate, even if the signing certificate was in the browser's trusted certificates. As a result, our implementation involves generating a temporary CA, signing a certificate, and throwing away the private key in order to prevent the kind of security vulnerabilities certificate authorities themselves present.

  3. Updating Firefox's Local Certificate Authority Database

Firefox stores its local certificate authority database in a user's local app data in a database file. The most supported way of reading from and writing to this database file is to use certutil. However, Firefox 58's certificate settings did not seem to match up with the database file; we were able to manually use Firefox's UI to add certificates, but updating the database file seemed to have no effect. In order to get something working, we used Firefox 48 instead, which did not seem to have this bug.

Accomplishments that we're proud of

- We managed to set up and interface with a private blockchain.
- We managed to create a user-friendly interface to generate and deploy keys.
- We managed to work with the security constraints that modern browsers impose on us.
- We managed to deploy and integrate this group of applications efficiently.

What we learned

- We learned more about how blockchain operates.
- We learned a lot about how certificates are distributed as well as how to generate and sign our own with OpenSSL.

What's next for CertChain

As CertChain is meant as a proof of concept, we would like to see an open source community take over and provide a more thorough analysis of using blockchain as a
