CR Oct 10, 2019

Security analysis of a blockchain-based protocol for the certification of academic credentials

arXiv:1910.04622v1 (24 citations)
AI Analysis

This paper identifies a security flaw in a widely used system for validating digital academic credentials, posing risks to institutions and individuals that rely on its integrity.

The paper analyzed the Blockcerts protocol for academic credential certification and found it vulnerable to impersonation attacks: because the issuer profile is fetched without any authentication, an attacker can host a fake profile and forge certificates that pass the Blockcerts validation procedure.

We consider a blockchain-based protocol for the certification of academic credentials named Blockcerts, which is currently used worldwide for validating digital certificates of competence compliant with the Open Badges standard. We study the certification steps that are performed by the Blockcerts protocol to validate a certificate, and find that they are vulnerable to a certain type of impersonation attack. In more detail, authentication of the issuing institution is performed by retrieving an unauthenticated issuer profile online, and comparing some data reported there with those included in the issued certificate. We show that, by fabricating a fake issuer profile and generating a suitably altered certificate, an attacker is able to impersonate a legitimate issuer and can produce certificates that cannot be distinguished from originals by the Blockcerts validation procedure. We also propose some possible countermeasures against an attack of this type, which require the use of a classic public key infrastructure or a decentralized identity system integrated with the Blockcerts protocol.
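The following is an added worked example, not code from the paper or from the Blockcerts project. It models the issuer-authentication step the abstract describes (fetch the issuer profile named in the certificate, check that the key that signed the anchoring transaction is listed there), shows why a profile hosted at an attacker-controlled URL passes that check, and then adds the PKI-style countermeasure the authors suggest: the (profile id, public key) binding must carry a signature from a trusted CA. The field names only approximate Blockcerts v2 (`badge.issuer.id`, `publicKey`, `signature.anchors[].sourceId`, `targetHash`); the "web", the "blockchain", the URLs, the key identifiers and the CA are all constructed in memory, and the CA signature is textbook RSA with small fixed primes, a toy stand-in for a real signature scheme and not secure.

```python
"""Toy model of Blockcerts issuer authentication, the impersonation attack,
and a PKI-bound countermeasure.  Constructed example; not Blockcerts code."""
import hashlib
import json

# ---- constructed stand-ins for the network and the blockchain --------------
LEGIT_KEY = "ecdsa-koblitz-pubkey:1LegitUniversityAddr"      # made-up key ids
ATTACKER_KEY = "ecdsa-koblitz-pubkey:1AttackerAddr"
LEGIT_URL = "https://university.example/issuer.json"
FAKE_URL = "https://university-example.attacker.test/issuer.json"

WEB = {   # URL -> JSON document returned by a plain, unauthenticated fetch
    LEGIT_URL: {"id": LEGIT_URL, "name": "Example University",
                "publicKey": [{"id": LEGIT_KEY}]},
    # Attacker-hosted profile: same display name, attacker's own key.
    FAKE_URL: {"id": FAKE_URL, "name": "Example University",
               "publicKey": [{"id": ATTACKER_KEY}],
               "attestation": {"ca": "AttackerCA", "sig": 12345}},
}
CHAIN = {}   # txid -> {"signer": key id, "data": anchored hash}


def cert_hash(cert):
    """Hash of the certificate body, i.e. everything except the anchoring data."""
    body = {k: v for k, v in cert.items() if k != "signature"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def make_cert(issuer_url, recipient):
    return {"badge": {"name": "M.Sc. Computer Science",
                      "issuer": {"id": issuer_url, "name": "Example University"}},
            "recipient": {"identity": recipient}}


def anchor(cert, signer_key, txid):
    """Whoever controls signer_key writes the certificate hash into a transaction."""
    CHAIN[txid] = {"signer": signer_key, "data": cert_hash(cert)}
    cert["signature"] = {"anchors": [{"sourceId": txid}], "targetHash": cert_hash(cert)}
    return cert


def blockcerts_verify(cert):
    """Simplified form of the validation flow analysed in the paper."""
    tx = CHAIN[cert["signature"]["anchors"][0]["sourceId"]]
    if tx["data"] != cert_hash(cert):
        return False                                   # body altered after anchoring
    profile = WEB[cert["badge"]["issuer"]["id"]]      # unauthenticated fetch
    listed = {k["id"] for k in profile["publicKey"]}
    # Only checks that the signer is consistent with whatever profile the
    # certificate itself pointed at -- nothing ties that profile to a real issuer.
    return tx["signer"] in listed


# ---- countermeasure: bind the profile to a classic PKI ---------------------
# Toy textbook RSA with small fixed primes: NOT secure, illustration only.
_P, _Q, CA_E = 999983, 1000003, 65537
CA_N = _P * _Q
_CA_D = pow(CA_E, -1, (_P - 1) * (_Q - 1))
TRUSTED_CAS = {"ExampleCA": (CA_N, CA_E)}            # verifier's trust anchors


def _binding_digest(profile, n):
    """What the CA signs: the issuer id together with its listed keys."""
    binding = json.dumps({"id": profile["id"], "publicKey": profile["publicKey"]},
                         sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(binding).digest(), "big") % n


def ca_attest(profile, ca="ExampleCA"):
    """The CA vets the institution out of band, then signs its binding."""
    profile["attestation"] = {"ca": ca, "sig": pow(_binding_digest(profile, CA_N), _CA_D, CA_N)}
    return profile


def hardened_verify(cert):
    """Original checks plus: the profile binding must be signed by a trusted CA."""
    if not blockcerts_verify(cert):
        return False
    profile = WEB[cert["badge"]["issuer"]["id"]]
    att = profile.get("attestation")
    if not att or att["ca"] not in TRUSTED_CAS:
        return False                                   # unknown or missing CA
    n, e = TRUSTED_CAS[att["ca"]]
    return pow(att["sig"], e, n) == _binding_digest(profile, n)


# ---- set up the scenario ----------------------------------------------------
ca_attest(WEB[LEGIT_URL])                              # only the real issuer is vetted
LEGIT_CERT = anchor(make_cert(LEGIT_URL, "alice@example"), LEGIT_KEY, "tx-legit")
FORGED_CERT = anchor(make_cert(FAKE_URL, "mallory@example"), ATTACKER_KEY, "tx-forged")

if __name__ == "__main__":
    for name, cert in (("legit", LEGIT_CERT), ("forged", FORGED_CERT)):
        print(name, "blockcerts:", blockcerts_verify(cert), "hardened:", hardened_verify(cert))
```

Run as a script, both certificates pass `blockcerts_verify`: the forged one is internally consistent, it just points at a profile the attacker wrote. `hardened_verify` rejects it because the attacker cannot produce an attestation from a CA in the verifier's trust store. The same shape of check works with a decentralized identity system in place of the CA: replace the trust-store lookup with resolution of the issuer's DID document and verify the binding against the key published there.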
