DOI: 10.1145/3664476.3669930
Research article

DistIN: Analysis and Validation of a Concept and Protocol for Distributed Identity Information Networks

Published: 30 July 2024

Abstract

Identity management enables users to access services around the globe; the user information is managed in some form of identity management system. With the proposed shift to self-sovereign identities, control is shifted to the individual user. However, this shift also transfers responsibilities to the user, for example for handling incidents, even though individual users typically do not have the capability to do so. In order to give users more control with fewer responsibilities, we unite identity management systems with public key infrastructures. This consolidation allows more flexible and customized trust relationships to be created and validated. This paper explains, analyzes, and validates our novel design for a Distributed Identity Information Network (DistIN), which allows a high degree of decentralization while aiming for high security, privacy, usability, scalability, and sovereignty. The primary advantage of the system lies in its flexibility and ease of use, which also enables smaller organizations or even private individuals to participate in the network with a service. This work compiles categorized requirements from the literature and analyzes the verification and authentication data flows. On this basis, the security analysis and validation follow. This work is an essential step towards the goal of the final web-based DistIN protocol and application.


        Published In

        ARES '24: Proceedings of the 19th International Conference on Availability, Reliability and Security
        July 2024
        2032 pages
        ISBN: 9798400717185
        DOI: 10.1145/3664476

        Publisher

        Association for Computing Machinery

        New York, NY, United States


        Author Tags

        1. blockchain
        2. cryptography
        3. decentralized
        4. digital sovereignty
        5. identity management
        6. public key infrastructure

        Qualifiers

        • Research-article
        • Research
        • Refereed limited

        Funding Sources

        • dtec.bw

        Conference

        ARES 2024

        Acceptance Rates

        Overall Acceptance Rate 228 of 451 submissions, 51%
