Armored Core of PKI: Remove Signing Keys for CA via Physically Unclonable Function

Publication
arXiv

Abstract

Protecting the signing keys of certificate authorities (CAs) is crucial in PKI. However, these keys can be exposed even in today’s infrastructure. Traditional protections fail to eliminate this risk, since attackers can always capture digital leakage of the keys through various carefully designed attacks or accidental human errors. This dilemma motivates us to consider removing the CA’s signing keys and to propose Armored Core, a PKI security enhancement that uses the trusted binding of a physically unclonable function (PUF) for the CA.

In Armored Core, CAs issue PUF-based X.509v3 TLS certificates, in which they use a PUF to generate physically trusted “signatures” for domain public keys. The PUF transparency mechanism, deployed with certificate transparency (CT), ensures that the CA’s PUF-calling behavior is monitored. We formally prove the existential unforgeability of PUF endorsements in the certificates. Armored Core is integrated into real-world PKI codebases such as Let’s Encrypt Pebble and Certbot. The results show that it can remove the signing key for the CA without adding any extra overhead to the original systems; instead, it improves computing efficiency by >4.9% and saves >11% of storage. It can be the first effective solution that makes key exposure impossible for CAs in PKI.

Chenghao Chen
M.E. student in Electronic Information (Cyberspace Security)

A Cryptography Learner