Skip to main content
SpringerLink
Log in

RAIAP: renewable authentication on isolated anonymous profiles

A GDPR compliant self-sovereign architecture for distributed systems

  • Published:
Peer-to-Peer Networking and Applications Aims and scope Submit manuscript

Abstract

Implementing pseudonymity, key-management, non-repudiation and data minimisation features in isolated procedures is trivial. However, integrating all of them in one consistent architecture has several challenges to tackle. This work proposes data structures to represent Self-Sovereign Identities and to handle those features in a consolidated architecture. Key-management is constructed using secret sharing principles, capable of recovering from a lost or compromised key to a new one without losing track of the original account. Pseudonymity and data minimisation is established using anonymous profiles, showing different views of the same identity. Non-repudiation is contemplated in the profile disclosure process. Profiles are protected against tampering with the use of digital signatures and blockchain cryptographic constructions. All profiles and registries are controlled with a single asymmetric key pair that can be provided by a smart card. Flexible structures are defined that can be used to register claims, attestations, authorisation grants, user consents, or any other activities. All definitions take into consideration the rules of the General Data Protection Regulation (GDPR).

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10
Fig. 11
Fig. 12

Similar content being viewed by others

Notes

  1. https://www.eugdpr.org/key-changes.html

  2. http://www.lifewithalacrity.com/2016/04/the-path-to-self-soverereign-identity.html

  3. https://www.bitcoin.com

  4. https://vergecurrency.com

  5. https://medium.freecodecamp.org/a-hacker-stole-31m-of-ether-how-it-happened-and-what-it-means-for-ethereum-9e5dc29e33ce

  6. https://safecurves.cr.yp.to

  7. http://nearfieldcommunication.org

  8. https://www.yubico.com/solutions/fido-u2f

  9. https://www.techopedia.com/definition/29532/out-of-band-authentication-ooba

  10. https://blog.ethereum.org/2015/06/26/state-tree-pruning

  11. https://w3c-ccg.github.io/did-spec

  12. https://www.w3.org/TR/verifiable-claims-data-model

  13. https://www.cnet.com/news/google-confronts-more-site-certificate-problemshttps://www.cnet.com/news/google-confronts-more-site-certificate-problems

  14. http://identity.foundation

  15. https://sovrin.org

  16. https://www.civic.com

  17. https://www.uport.me

  18. https://www.ethereum.org

  19. https://github.com/ethereum/EIPs/issues/780

  20. https://www.rust-lang.org

  21. https://github.com/shumy-tools/raiap-test

References

  1. Kermi A, Marniche-Kermi S, Laskri MT (2010) 3D-computerized facial reconstructions from 3d-mri of human heads using deformable model approach. In: 2010 International Conference on Machine and Web Intelligence (ICMWI). IEEE, pp 276–282

  2. Silva JM, Pinho E, Monteiro E, Silva JF, Costa C (2018) Controlled searching in reversibly de-identified medical imaging archives. J Biomed Inform 77:81–90

    Article  Google Scholar 

  3. Sweeney L, Abu A, Winn J (2013) Identifying participants in the personal genome project by name (a re-identification experiment). arXiv:https://arxiv.org/abs/1304.7605

  4. Narayanan A, Shmatikov V (2008) Robust de-anonymization of large sparse datasets. In: 2008 IEEE Symposium on Security and Privacy (SP). IEEE, pp 111–125

  5. Han W, Li Z, Ni M, Gu G, Xu W (2018) Shadow attacks based on password reuses: a quantitative empirical analysis. IEEE Trans Dependable Secure Comput 15(2):309–320

    Article  Google Scholar 

  6. Morse E, Theofanos M, Choong Y-Y, Paul C, Zhang A, Wald H (2012) Usability of piv smartcards for logical access, US Department Commerce, NIST, Gaithersburg, MD, USA, Tech. Rep NIST-IR-7867

  7. Liu J, Yu Y, Standaert FX, Guo Z, Gu D, Sun W, Ge Y, Xie X (2015) Small tweaks do not help: differential power analysis of milenage implementations in 3g/4g usim cards. In: European Symposium on Research in Computer Security. Springer, pp 468–480

  8. Mesbah A, Lanet J-L, Mezghiche M (2018) Reverse engineering java card and vulnerability exploitation: a shortcut to rom. International Journal of Information Security, 1–16

  9. Dacosta I, Ahamad M, Traynor P (2012) Trust no one else: Detecting mitm attacks against ssl/tls without third-parties. In: European Symposium on Research in Computer Security. Springer, pp 199–216

  10. Kim T. H-J, Huang L-S, Perrig A, Jackson C, Gligor V (2013) Accountable key infrastructure (aki): a proposal for a public-key validation infrastructure. In: Proceedings of the 22nd international conference on World Wide Web. ACM, pp 679–690

  11. Basin D, Cremers C, Kim TH-J, Perrig A, Sasse R, Szalachowski P (2018) Design, analysis, and implementation of arpki: an attack-resilient public-key infrastructure. IEEE Trans Dependable Secure Comput 15 (3):393–408

    Article  Google Scholar 

  12. Ren Y, Wang S, Zhang X, Qian Z (2010) Fully secure anonymous identity-based encryption under simple assumptions. In: 2010 IEEE International Conference on Multimedia Information Networking and Security (MINES), pp 428–432

  13. Baars D (2016) Towards self-sovereign identity using blockchain technology. Master’s thesis, University of Twente

  14. Abbasi AG, Khan Z (2017) Veidblock: verifiable identity using blockchain and ledger in a software defined network. In: Companion Proceedings of the 10th International Conference on Utility and Cloud Computing. ACM, pp 173–179

  15. Moyano JP, Ross O (2017) Kyc optimization using distributed ledger technology. Business Inform Syst Eng 59(6):411–423

    Article  Google Scholar 

  16. Kontaxis G, Polychronakis M, Markatos EP (2012) Minimizing information disclosure to third parties in social login platforms. Int J Inform Secur 11(5):321–332

    Article  Google Scholar 

  17. Gulyás GG, Imre S (2018) Hiding information against structural re-identification, International Journal of Information Security, 1–15

  18. Casassa-Mont M, Matteucci I, Petrocchi M, Sbodio ML (2015) Towards safer information sharing in the cloud. Int J Inform Secur 14(4):319–334

    Article  Google Scholar 

  19. Lamport L et al (2001) Paxos made simple. ACM Sigact News 32(4):18–25

    Google Scholar 

  20. Ongaro D, Ousterhout JK (2014) In search of an understandable consensus algorithm. In: USENIX Annual Technical Conference, pp 305–319

  21. Temkow B, Bosneag A-M, Li X, Brockmeyer M (2006) Paxondht: Achieving consensus in distributed hash tables. In: 2006 International Symposium on Applications and the Internet. SAINT. IEEE, pp 9–pp

  22. Chandra TD, Griesemer R, Redstone J (2007) Paxos made live: an engineering perspective. In: Proceedings of the twenty-sixth annual ACM symposium on Principles of distributed computing. ACM, pp 398–407

  23. Lamport L, Shostak R, Pease M (1982) The byzantine generals problem. ACM Trans Program Languages Syst (TOPLAS) 4(3):382–401

    Article  Google Scholar 

  24. Fischer MJ, Lynch NA, Paterson MS (1985) Impossibility of distributed consensus with one faulty process. J ACM (JACM) 32(2):374–382

    Article  MathSciNet  Google Scholar 

  25. Douceur JR (2002) The sybil attack. In: International workshop on peer-to-peer systems. Springer, pp 251–260

  26. Shamir A (1979) How to share a secret. Communications of the ACM 22(11):612–613

    Article  MathSciNet  Google Scholar 

  27. Maymounkov P, Mazieres D (2002) Kademlia: A peer-to-peer information system based on the xor metric. In: International Workshop on Peer-to-Peer Systems. Springer, pp 53–65

  28. McCoy D, Bauer K, Grunwald D, Kohno T, Sicker D (2008) Shining light in dark places: Understanding the tor network. In: International Symposium on Privacy Enhancing Technologies Symposium. Springer, pp 63–76

  29. Luu L, Velner Y, Teutsch J, Saxena P (2017) Smart pool: practical decentralized pooled mining. IACR Cryptology ePrint Archive 2017:19

    Google Scholar 

  30. Swanson T (2015) Consensus-as-a-service: a brief report on the emergence of permissioned, distributed ledger systems, Report, available online

  31. Dwork C, Smith A, Steinke T, Ullman J (2017) Exposed! a survey of attacks on private data. Annual Rev Stat Appl 4:61–84

    Article  Google Scholar 

  32. Bernstein DJ, Duif N, Lange T, Schwabe P, Yang B-Y (2012) High-speed high-security signatures. J Cryptographic Eng 2(2):77–89

    Article  Google Scholar 

  33. Percival C, Josefsson S (2016) The scrypt password-based key derivation function, Tech Rep.

  34. Chong F, Carraro G, Wolter R (2006) Multi-tenant data architecture, MSDN Library, Microsoft Corporation, 14–30

  35. Mislove A, Viswanath B, Gummadi KP, Druschel P (2010) You are who you know: inferring user profiles in online social networks. In: Proceedings of the third ACM international conference on Web search and data mining, pp 251–260

  36. Cai Z, He Z, Guan X, Li Y (2018) Collective data-sanitization for preventing sensitive information inference attacks in social networks. IEEE Trans Dependable Secure Comput 15(4):577–590

    Google Scholar 

  37. Kainda R, Flechais I, Roscoe A (2009) Usability and security of out-of-band channels in secure device pairing protocols. In: Proceedings of the 5th Symposium on Usable Privacy and Security. ACM, p 11

  38. Huang C-T, Zhang Y-H, Lin L-C, Wang W-J, Wang S-J (2017) Mutual authentications to parties with qr-code applications in mobile systems. Int J Inform Secur 16(5):525–540

    Article  Google Scholar 

  39. Damgård I. (1998) Commitment schemes and zero-knowledge protocols. In: School organized by the European Educational Forum. Springer, pp 63–86

  40. Liao K-C, Lee W-H (2010) A novel user authentication scheme based on qr-code. J Netw 5(8):937

    Google Scholar 

  41. Proos J, Zalka C (2003) Shor’s discrete logarithm quantum algorithm for elliptic curves. arXiv:https://arxiv.org/quant-ph/0301141

  42. Amy M, Di Matteo O, Gheorghiu V, Mosca M, Parent A, Schanck J (2016) Estimating the cost of generic quantum pre-image attacks on sha-2 and sha-3. In: International Conference on Selected Areas in Cryptography. Springer, pp 317–337

  43. Bernstein DJ, Hopwood D, Hülsing A., Lange T, Niederhagen R, Papachristodoulou L, Schneider M, Schwabe P, Wilcox-O’Hearn Z (2015) Sphincs: practical stateless hash-based signatures. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer, pp 368–397

  44. Back A (2002) Others Hashcash-a denial of service counter-measure

  45. Laurie B, Clayton R (2004) Proof-of-work proves not to work; version 0.2. In: Workshop on Economics and Information Security

  46. Liu D, Camp LJ (2006) Proof of work can work in WEIS

  47. Van De Zande P (2001) The day des died SANS Institute

  48. Abelson H, Anderson RJ, Bellovin SM, Benaloh J, Blaze M, Diffie W, Gilmore J, Neumann PG, Rivest RL, Schiller JI et al (1997) The risks of key recovery, key escrow, and trusted third-party encryption. World Wide Web J 2(3):241–257

    Google Scholar 

  49. Chang Y-J, Zhang W, Chen T (2004) Biometrics-based cryptographic key generation. In: IEEE International Conference on Multimedia and Expo, 2004. ICME’04, vol 3. IEEE, pp 2203–2206

  50. Ruiz-Albacete V, Tome-Gonzalez P, Alonso-Fernandez F, Galbally J, Fierrez J, Ortega-Garcia J (2008) Direct attacks using fake images in iris verification. In: European Workshop on Biometrics and Identity Management. Springer, pp 181–190

  51. Hadid A (2014) Face biometrics under spoofing attacks: Vulnerabilities, countermeasures, open issues, and research directions. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition Workshops, pp 113–118

  52. Anjos A, Marcel S (2011) Counter-measures to photo attacks in face recognition: a public database and a baseline. In: 2011 international joint conference on Biometrics (IJCB). IEEE, pp 1–7

  53. Wang D, He D, Wang P, Chu C-H (2015) Anonymous two-factor authentication in distributed systems: certain goals are beyond attainment. IEEE Trans Dependable Secure Comput 1:1–1

    Google Scholar 

  54. Maurer U (1996) Modelling a public-key infrastructure. In: European Symposium on Research in Computer Security. Springer, pp 325–350

  55. Ruoti S, Andersen J, Zappala D, Seamons K (2015) Why johnny still, still can’t encrypt:, Evaluating the usability of a modern pgp client. arXiv:https://arxiv.org/1510.08555

  56. Zeng K (2006) Pseudonymous pki for ubiquitous computing. In: European Public Key Infrastructure Workshop. Springer, pp 207–222

  57. Axon L, Goldsmith M (2016) Pb-pki: a privacy-aware blockchain-based pki

  58. Nuñez D., Agudo I (2014) Blindidm: a privacy-preserving approach for identity management as a service. Int J Inform Secur 13(2):199–215

    Article  Google Scholar 

  59. Caronni G (2000) Walking the web of trust, in Enabling Technologies: Infrastructure for Collaborative Enterprises. In: 2000 Proceedings IEEE 9th International Workshops on (WET ICE). IEEE, pp 153–158

  60. Morselli R, Bhattacharjee B, Katz J, Marsh M (2006) Keychains: A decentralized public-key infrastructure, University of Maryland, College Park College Park United States, Tech. Rep.

  61. Stinson DR (1992) An explication of secret sharing schemes. Designs, Codes Cryptography 2(4):357–390

    Article  MathSciNet  Google Scholar 

  62. Rivest RL, Shamir A, Tauman Y (2001) How to leak a secret. In: International Conference on the Theory and Application of Cryptology and Information Security. Springer, pp 552–565

  63. Ren J, Harn L (2008) Generalized ring signatures. IEEE Trans Dependable Secure Comput 5(3):155–163

    Article  Google Scholar 

  64. Sánchez-Guerrero R, Mendoza FA, Díaz-Sánchez D, Cabarcos PA, López A. M. (2017) Collaborative ehealth meets security: Privacy-enhancing patient profile management. IEEE J Biomed Health Inform 21(6):1741–1749

    Article  Google Scholar 

  65. Technologies C (2017) Civic white paper. [Online]. Available: https://tokensale.civic.com/CivicTokenSaleWhitePaper.pdf

  66. He Y, Li H, Cheng X, Liu Y, Yang C, Sun L (2018) A blockchain based truthful incentive mechanism for distributed p2p applications. IEEE Access 6:27324–27335

    Article  Google Scholar 

  67. Baird L (2016) The swirlds hashgraph consensus algorithm: Fair, fast, byzantine fault tolerance, Swirlds, Inc, Technical Report SWIRLDS-TR-2016, vol. 1

Download references

Acknowledgements

This work is financed by the ERDF - European Regional Development Fund through the Operational Programme for Competitiveness and Internationalization - COMPETE 2020 Programme, and by National Funds through the FCT - Fundação para a Ciência e a Tecnologia (Portuguese Foundation for Science and Technology) within project CMUP-ERI/TIC/0028/2014.

Funding

This study was funded by the ERDF - European Regional Development Fund through the Operational Programme for Competitiveness and Internationalization - COMPETE 2020 Programme, and by National Funds through the FCT - Fundação para a Ciência e a Tecnologia (Portuguese Foundation for Science and Technology) within project CMUP-ERI/TIC/0028/2014 and individual grant ref. BI/UI62/4091/2016.

Author information

Authors and Affiliations

  1. DETI/IEETA, University of Aveiro, Aveiro, Portugal

    Micael Pedrosa, André Zúquete & Carlos Costa

  2. UDC, University of A Coruña, A Coruña, Spain

    Micael Pedrosa

Authors
  1. Micael Pedrosa
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. André Zúquete
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Carlos Costa
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Micael Pedrosa.

Ethics declarations

Conflict of interests

The authors declare that they have no conflict of interest.

Ethical approval

This article does not contain any studies with human participants or animals performed by any of the authors.

Additional information

Publisher’s note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Pedrosa, M., Zúquete, A. & Costa, C. RAIAP: renewable authentication on isolated anonymous profiles. Peer-to-Peer Netw. Appl. 13, 1577–1599 (2020). https://doi.org/10.1007/s12083-020-00914-5

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s12083-020-00914-5

Keywords

Search

Navigation