Security analysis of a blockchain-based protocol for the certification of academic credentials
Marco Baldi, Franco Chiaraluce, Migelan Kodra, Luca Spalazzi

TL;DR
This paper analyzes the security of the Blockcerts blockchain protocol for academic credential certification, revealing impersonation vulnerabilities and proposing countermeasures involving PKI or decentralized identity systems.
Contribution
It identifies specific impersonation vulnerabilities in Blockcerts and suggests integrating PKI or decentralized identity solutions to enhance security.
Findings
Vulnerable to impersonation attacks due to issuer profile retrieval method
Fabrication of fake issuer profiles enables impersonation of legitimate issuers
Countermeasures include using PKI or decentralized identity systems
Abstract
We consider a blockchain-based protocol for the certification of academic credentials named Blockcerts, which is currently used worldwide for validating digital certificates of competence compliant with the Open Badges standard. We study the certification steps that are performed by the Blockcerts protocol to validate a certificate, and find that they are vulnerable to a certain type of impersonation attack. In more detail, authentication of the issuing institution is performed by retrieving an unauthenticated issuer profile online, and comparing some data reported there with those included in the issued certificate. We show that, by fabricating a fake issuer profile and generating a suitably altered certificate, an attacker is able to impersonate a legitimate issuer and can produce certificates that cannot be distinguished from originals by the Blockcerts validation procedure. We also…
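The validation weakness described in the abstract, as an added illustration that is not taken from the paper or from the Blockcerts code base: a check that only compares a certificate with the profile it points to, next to one that also requires the issuer to be bound in a trust anchor the verifier holds (standing in for the PKI or decentralized identity countermeasure). The field names, URLs, key labels and the `TRUSTED_ISSUERS` registry are assumptions made for this sketch.

```python
# Simplified model; field names are hypothetical, not the Blockcerts schema.
# Constructed sample data: issuer profiles keyed by URL stand in for HTTP fetches.
PROFILES = {
    "https://university.example/issuer.json":
        {"name": "Example University", "keys": ["KEY-UNIVERSITY"]},
    "https://lookalike.example/issuer.json":
        {"name": "Example University", "keys": ["KEY-UNKNOWN"]},
}

# Trust anchor held by the verifier and populated out of band (assumption).
TRUSTED_ISSUERS = {"https://university.example/issuer.json": {"KEY-UNIVERSITY"}}

# Constructed certificates: each names its own issuer profile URL.
GENUINE_CERT = {"issuer_url": "https://university.example/issuer.json",
                "signing_key": "KEY-UNIVERSITY"}
UNANCHORED_CERT = {"issuer_url": "https://lookalike.example/issuer.json",
                   "signing_key": "KEY-UNKNOWN"}


def fetch_profile(url):
    """Return the unauthenticated profile published at url, or None."""
    return PROFILES.get(url)


def profile_matches(cert):
    """Profile-only check: the certificate agrees with the profile it points to."""
    profile = fetch_profile(cert["issuer_url"])
    return profile is not None and cert["signing_key"] in profile["keys"]


def issuer_is_anchored(cert):
    """The issuer URL and key are bound together in the verifier's own registry."""
    return cert["signing_key"] in TRUSTED_ISSUERS.get(cert["issuer_url"], set())


def validate(cert):
    """Require both consistency with the profile and an independent identity binding."""
    if not profile_matches(cert):
        return "reject: certificate does not match its issuer profile"
    if not issuer_is_anchored(cert):
        return "reject: issuer profile is self-asserted, not bound to a trusted identity"
    return "accept"


if __name__ == "__main__":
    for cert in (GENUINE_CERT, UNANCHORED_CERT):
        print(cert["issuer_url"], profile_matches(cert), validate(cert))
```

Both sample certificates pass `profile_matches`, because each is consistent with a profile chosen by the certificate itself; only the independent binding in `validate` tells them apart.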
Taxonomy
Topics: Cryptography and Data Security · Blockchain Technology Applications and Security · Security and Verification in Computing
