Now Let’s Make It Physical! Enabling Trusted Certificate Issuance in PKI via Physical Bindings
摘要
The signing key protection of Certificate Authorities (CAs) had been a critical challenge in PKI. Traditional protections struggle to eliminate the risk of key exposure due to various unexpected human errors. This long-standing dilemma motivates us to propose Armored Core, a novel PKI security extension using the trusted binding of Physically Unclonable Function (PUF) for CAs. PUFs leverage manufacturing variations to generate unique and random responses. They physically bind CAs and thus can avoid using a digital private key. In Armored Core, we design a set of PUF-based X.509v3 certificate functions for CAs to generate physically trusted “signatures” without using a digital key. Moreover, we introduce a novel PUF transparency mechanism to effectively monitor the PUF operations in CAs. We integrate Armored Core into real PKI systems including Let’s Encrypt and Certbot. The evaluation results show that it achieves trusted certificate issuance while improving the computation performance by 4.9% \(\sim \) 73.7%. It only incurs small communication and storage overhead ( \(<4\) %).