TwinPeaks: An Approach for Certificateless Public Key Distribution for the Internet and Internet of Things

Abstract The current public key infrastructure (PKI) has thorny issues like the overhead of certificate revocations and the consequence of fraudulent certificates. To address such issues, we propose TwinPeaks, which is an infrastructure to distribute public keys of named entities on the Internet and the Internet of Things (IoT). TwinPeaks leverages certificateless public key cryptography (CL-PKC), where a key generation center (KGC) cannot know the private key of its member, and hence its compromise will not result in member key leakage. By extending CL-PKC, the public key of an entity becomes dependent on any combination of its networking parameters; thus TwinPeaks can thwart spoofing attacks systematically. With TwinPeaks, the public key of every named entity is distributed online while addressing the PKI’s vulnerabilities. TwinPeaks has public key servers, which constitute the domain name system (DNS)-like hierarchical tree structure. For each parent-child link in the tree, the parent node serves as a key generation center (KGC), and its child nodes set up their own public/secret key pairs by interacting with the KGC as proposed in CL-PKC. In this way, every named entity (e.g., a domain name) has its own public/secret key pair. Thus, a public key of an entity will be provided to a user by its key server as the DNS response is returned to the user by its DNS server. TwinPeaks removes certificates and hence has no revocation overhead. Instead, each named entity should keep/update its networking parameters and public key up-to-date in its DNS server and key server, respectively. By making its public key depend on both its Internet protocol (IP) address and domain name, the compromise of a single entity (e.g., a DNS or key server) cannot lead to successful impersonation. TwinPeaks achieves scalable distribution of public keys since public keys can be cached long term. We also show that TwinPeaks can be applied to the IoT environments by extending the naming scheme.