1,142 research outputs found
Systematizing Decentralization and Privacy: Lessons from 15 Years of Research and Deployments
Decentralized systems are a subset of distributed systems where multiple
authorities control different components and no authority is fully trusted by
all. This implies that any component in a decentralized system is potentially
adversarial. We revise fifteen years of research on decentralization and
privacy, and provide an overview of key systems, as well as key insights for
designers of future systems. We show that decentralized designs can enhance
privacy, integrity, and availability but also require careful trade-offs in
terms of system complexity, properties provided, and degree of
decentralization. These trade-offs need to be understood and navigated by
designers. We argue that a combination of insights from cryptography,
distributed systems, and mechanism design, aligned with the development of
adequate incentives, are necessary to build scalable and successful
privacy-preserving decentralized systems
Beyond the Hype: On Using Blockchains in Trust Management for Authentication
Trust Management (TM) systems for authentication are vital to the security of
online interactions, which are ubiquitous in our everyday lives. Various
systems, like the Web PKI (X.509) and PGP's Web of Trust are used to manage
trust in this setting. In recent years, blockchain technology has been
introduced as a panacea to our security problems, including that of
authentication, without sufficient reasoning, as to its merits.In this work, we
investigate the merits of using open distributed ledgers (ODLs), such as the
one implemented by blockchain technology, for securing TM systems for
authentication. We formally model such systems, and explore how blockchain can
help mitigate attacks against them. After formal argumentation, we conclude
that in the context of Trust Management for authentication, blockchain
technology, and ODLs in general, can offer considerable advantages compared to
previous approaches. Our analysis is, to the best of our knowledge, the first
to formally model and argue about the security of TM systems for
authentication, based on blockchain technology. To achieve this result, we
first provide an abstract model for TM systems for authentication. Then, we
show how this model can be conceptually encoded in a blockchain, by expressing
it as a series of state transitions. As a next step, we examine five prevalent
attacks on TM systems, and provide evidence that blockchain-based solutions can
be beneficial to the security of such systems, by mitigating, or completely
negating such attacks.Comment: A version of this paper was published in IEEE Trustcom.
http://ieeexplore.ieee.org/document/8029486
Self-sovereign identity decentralized identifiers, claims and credentials using non decentralized ledger technology
Dissertação de mestrado integrado em Engenharia InformáticaCurrent identity management systems rely on centralized databases to store user’s personal data, which poses
a great risks for data security, as these infrastructure create a critical point of failure for the whole system. Beside
that service providers have to bear huge maintenance costs and comply with strict data protection regulations.
Self-sovereign identity (SSI) is a new identity management paradigm that tries to answer some of these
problems by providing a decentralized user-centric identity management system that gives users full control of
their personal data. Some of its underlying concepts include Decentralized Identifiers (DIDs), Verifiable Claims
and Credentials. This approach does not rely on any central authority to enforce trust as it often uses Blockchain
or other Decentralized Ledger Technologies (DLT) as the trust anchor of the system, although other decentralized
network or databases could also be used for the same purpose.
This thesis focuses on finding alternative solutions to DLT, in the context of SSI. Despite being the most used
solution some DLTs are known to lack scalability and performance, and since a global identity management
system heavily relies on these two requirements it might not be the best solution to the problem.
This document provides an overview of the state of the art and main standards of SSI, and then focuses on
a non-DLT approach to SSI, referencing non-DLT implementations and alternative decentralized infrastructures
that can be used to replace DLTs in SSI. It highlights some of the limitations associated with using DLTs for
identity management and presents a SSI framework based on decentralized names systems and networks. This
framework couples all the main functionalities needed to create different SSI agents, which were showcased in
a proof of concept application.Actualmente os sistemas de gestão de identidade digital estão dependentes de bases de dados centralizadas
para o armazenamento de dados pessoais dos seus utilizadores. Isto representa um elevado risco de segurança,
uma vez que estas infra-estruturas representam um ponto crÃtico de falha para todo o sistema. Para além disso
os service providers têm que suportam elevados custos de manutenção para armazenar toda esta informaçao
e ainda são obrigados a cumprir as normas de protecção de dados existentes.
Self-sovereign identity (SSI) é um novo paradigma de identidade digital que tenta dar resposta a alguns destes
problemas, criando um sistema focado no utilizador e totalmente descentralizado que oferece aos utilizadores
total controlo sobre os seus dados pessoais. Alguns dos conceitos subjacentes incluem Decentalized Identifiers
(DIDs), Verifiable Credentials e Presentations. Esta abordagem não depende de qualquer autoridade central
para estabelecer confiança, dado que utiliza Blockchains ou outras Decentralized Ledger Technilogies (DLT)
como âncora de confiança do sistema. No entanto outras redes ou bases de dados descentralizadas podem
também ser utilizadas para alcançar o mesmo objectivo.
Esta tese concentra-se em encontrar soluções alternativas para a DLT no âmbito da SSI. Apesar de esta ser
a solução mais utilizada, sabe-se que algumas DLTs carecem de escalabilidade e desempenho. Sendo que um
sistema de identidade digital com abrangência global dependerá bastante destes dois requisitos, esta pode não
ser a melhor solução.
Este documento fornece uma visão geral do estado da arte e principais standards da SSI, focando-se de
seguida numa abordagem não DLT, que inclui uma breve referência a implementações não-DLT e tecnologias
alternativas que poderão ser utilizadas para substituir as DLTs na SSI. Alem disso aborda algumas das principais
limitações associadas ao uso de DLTs na gestão de identidades digitais e apresenta uma framework baseada
em name systems e redes descentralizadas. Esta framework inclui as principais funcionalidades necessárias
para implementar os diferentes agentes SSI, que foram demonstradas através de algumas aplicações proof of
concept
ZKlaims: Privacy-preserving Attribute-based Credentials using Non-interactive Zero-knowledge Techniques
In this paper we present ZKlaims: a system that allows users to present
attribute-based credentials in a privacy-preserving way. We achieve a
zero-knowledge property on the basis of Succinct Non-interactive Arguments of
Knowledge (SNARKs). ZKlaims allow users to prove statements on credentials
issued by trusted third parties. The credential contents are never revealed to
the verifier as part of the proving process. Further, ZKlaims can be presented
non-interactively, mitigating the need for interactive proofs between the user
and the verifier. This allows ZKlaims to be exchanged via fully decentralized
services and storages such as traditional peer-to-peer networks based on
distributed hash tables (DHTs) or even blockchains. To show this, we include a
performance evaluation of ZKlaims and show how it can be integrated in
decentralized identity provider services.Comment: 8 pages, published at SECRYPT 201
reclaimID: Secure, Self-Sovereign Identities using Name Systems and Attribute-Based Encryption
In this paper we present reclaimID: An architecture that allows users to
reclaim their digital identities by securely sharing identity attributes
without the need for a centralised service provider. We propose a design where
user attributes are stored in and shared over a name system under user-owned
namespaces. Attributes are encrypted using attribute-based encryption (ABE),
allowing the user to selectively authorize and revoke access of requesting
parties to subsets of his attributes. We present an implementation based on the
decentralised GNU Name System (GNS) in combination with ciphertext-policy ABE
using type-1 pairings. To show the practicality of our implementation, we
carried out experimental evaluations of selected implementation aspects
including attribute resolution performance. Finally, we show that our design
can be used as a standard OpenID Connect Identity Provider allowing our
implementation to be integrated into standard-compliant services.Comment: 12 page
Peer-to-Peer System Design Trade-Offs: A Framework Exploring the Balance between Blockchain and IPFS
The current state of the Web, which is dominated by centralized cloud services, raises several concerns on different aspects such as governance, privacy, surveillance, and security. A way to address these issues is to decentralize the platforms by adopting new distributed technologies, such as IPFS and Blockchain, which follow a full peer-to-peer model. This work proposes a set of guidelines to design decentralized systems, taking into consideration the different trade-offs these technologies face with regard to their consistency requirements. These guidelines are then illustrated with the design of a decentralized questions and answers system. This system serves to illustrate a framework to create decentralized services and applications, that uses IPFS and Blockchain technologies and incorporates the discussion and guidelines of the paper, providing solutions for data access, data provenance and data discovery. Thus, this work proposes a framework for the design of decentralized systems and contributes a set of guidelines to decide in which cases Blockchain technology may be required, or when other technologies, such as IPFS, are sufficient
- …