Abstract: The design idea of emphasizing application and neglecting defense leads to the lack of endogenous security attributes at the beginning of the design of transmission control protocol/Internet protocol (TCP/IP) architecture. Public key infrastructure (PKI), as an authoritative security governance framework to realize the authenticity, integrity, confidentiality and non-repudiation of communication between different entities on the Internet, has attracted much attention since it was proposed, which has also become the focus of researchers in recent years because of single point of failure and single trust and other security threats caused by the centralized mechanism of PKI. With the gradual application of blockchain technology in the field of information security, it has become a research direction and focus to use the characteristics of decentralization, distributed ledger, tamper-proof, openness and transparency of blockchain to solve various security problems arising in the native PKI and its evolution. According to the application and development of PKI and blockchain, the methods to solve PKI security are divided into the solutions based on web of trust (WoT) technology and certificate transparency (CT) mechanism that do not rely on blockchain, the centralized PKI solutions integrated with blockchain technology that retains the core function of certificate authority (CA), and the decentralized PKI schemes based on blockchain that completely replaces the CA function with blockchain. Firstly, the security status of the original PKI is introduced, and the methods using WoT technology and CT mechanism to transform the security of the original PKI are discussed respectively. Then, the design ideas of centralized PKI integrated with blockchain technology and decentralized PKI based on blockchain are analyzed. Some typical application scenarios are selected to analyze their implementation methods and application characteristics. Finally, the application research of blockchain in PKI security is prospected.

Key words: blockchain, public key infrastructure, cybersecurity, certificate management, certificate authority

摘要： 重应用、轻防御的设计思想致使TCP/IP（transmission control protocol/Internet protocol，传输控制协议/网际协议）体系结构设计之初就缺乏内生安全属性，使得PKI（public key infrastructure，公钥基础设施）作为实现互联网不同实体之间通信真实性、完整性、机密性和不可抵赖性的安全治理权威架构自提出以来就备受关注，同时PKI自身因其中心化机制带来的单点故障和单一信任等安全威胁也成为近年来研究者关注的热点。随着区块链技术逐渐应用于信息安全领域，利用区块链的去中心化、分布式账本、防篡改、公开透明等特点来解决原生PKI及其演进过程中出现的各类安全问题成为一个研究方向和重点。根据PKI技术的发展及区块链技术的应用，将解决原生PKI安全的方法分为以WoT（Web of trust，信任网络）技术和CT（certificate transparency，证书透明度）机制为主的不依赖区块链的解决方案，保留CA（certificate authority，认证机构）核心功能的融入区块链技术的中心化PKI方案，以及用区块链完全替代CA功能的基于区块链的去中心化PKI方案。首先介绍了原生PKI的安全现状，然后讨论了分别利用WoT技术和CT机制对原生PKI的安全性进行改造的具体方法，随后重点分析了融入区块链技术的中心化PKI以及基于区块链的去中心化PKI的设计思想，并分别选择了部分典型应用场景就其实现方法和应用特点进行了有针对性的剖析，最后对区块链在PKI安全中的应用研究进行了展望。

关键词: 区块链, 公钥基础设施, 网络安全, 证书管理, 认证机构