Security analysis of a blockchain-based protocol for the certification of academic credentials

Abstract: We consider a blockchain-based protocol for the certification of academic credentials named Blockcerts, which is currently used worldwide for validating digital certificates of competence compliant with the Open Badges standard. We study the certification steps that are performed by the Blockcerts protocol to validate a certificate, and find that they are vulnerable to a certain type of impersonation attacks. More in detail, authentication of the issuing institution is performed by retrieving an unauthenticated issuer profile online, and comparing some data reported there with those included in the issued certificate. We show that, by fabricating a fake issuer profile and generating a suitably altered certificate, an attacker is able to impersonate a legitimate issuer and can produce certificates that cannot be distinguished from originals by the Blockcerts validation procedure. We also propose some possible countermeasures against an attack of this type, which require the use of a classic public key infrastructure or a decentralized identity system integrated with the Blockcerts protocol.