Qiuyun Lyu,Shaopeng Cheng,Hao Li,Junliang Liu,Yanzhao Shen,Zhen Wang

DOI: https://doi.org/10.1155/2022/1607996

IF: 1.968

2022-09-07

Security and Communication Networks

Abstract:Self-sovereign identity (SSI) is a new distributed method for identity management, commonly used to address the problem that users are lack of control over their identities. However, the excessive pursuit of self-sovereignty in the most existing SSI schemes hinders sanctions against attackers. To deal with the malicious behavior, a few SSI schemes introduce accountability mechanisms, but they sacrifice users' privacy. In addition, the digital identities (static strings or updatable chains) in the existing SSI schemes are as inputs to a third-party executable program (mobile app, smart contract, etc.) to achieve identity reading, storing and proving, and users' self-sovereignty are weakened. To solve the above problems, we present a new self-sovereign identity scheme to strike a balance between privacy and accountability and get rid of the dependence on the third-party program. In our scheme, one and only individual-specific executable code is generated as a digital avatar-i for each human to interact with others in cyberspace without a third-party program, in which the embedding of biometrics enhances uniqueness and user control over their identity. In addition, a joint accountability mechanism, which is based on the shamir (t, n) threshold algorithm and a consortium blockchain, is designed to restrict the power of each regulatory authority and protect users' privacy. Finally, we analyze the security, SSI properties and conduct detailed experiments in terms of the cost of computation, storage, and blockchain gas. The analysis results indicate that our scheme resists the known attacks and fulfills all the six SSI properties. Compared with the state-of-the-art schemes, the extensive experiment results show that the cost is larger in server storage, blockchain storage, and blockchain gas, but is still low enough for practical situations.

computer science, information systems,telecommunications

Le Gao,Jiaxin Yu,Junzhe Zhang,Yin Tang,Quansi Wen

DOI: https://doi.org/10.1109/access.2024.3391423

IF: 3.9

2024-04-30

IEEE Access

Abstract:The concern and opposition to centralized management of user identities by third-party authorities have led to the emergence of Self-Sovereign Identity (SSI). With the help of blockchain, SSI effectively restore users' control over their own identities, but privacy concerns due to blockchain transparency, coupled with the absence of accountability like Know Your Customer (KYC) and Anti-Money Laundering (AML), have cast uncertainties upon the viability of SSI. In this paper, we bridge this gap by introducing AASSI, a pioneering SSI protocol meticulously designed to balance the twin imperatives of privacy and accountability. Specifically, AASSI extends support for anonymity, self-derivation, fine-grained tracing and selective revocation. In the realm of anonymity and self-derivation, AASSI introduces redactable signatures, which empowers users to autonomously derive distinctive credentials for each user-service-provider interaction, effectively improving privacy protection and self-management capabilities. Pertaining to fine-grained tracing, the protocol employs a dual-tag system that facilitates tracing users' real identities as well as a granular historical records of derived credentials. For selective revocation, AASSI leverages dynamic accumulators as a building block to enable the revocation of offending users. Ultimately, we provide functional comparison, which shows that AASSI has robust features, in particular, it supports novel self-derived features that further increase user control over their identity, and fine-grained tracking, which provides more flexibility for tracers. We demonstrate protocol efficiency through off-chain time-consuming comparison, which show that AASSI dramatically reduces the time overhead of credential verification. Moreover, We test the on-chain communication overhead and experimentally prove the feasibility of AASSI.

computer science, information systems,telecommunications,engineering, electrical & electronic

Rahma Mukta,Rue C. Teh,Hye-young Paik,Qinghua Lu,Salil S. Kanhere

2023-08-03

Abstract:Self Sovereign Identity (SSI) is an emerging identity system that facilitates secure credential issuance and verification without placing trust in any centralised authority. To bypass central trust, most SSI implementations place blockchain as a trusted mediator by placing credential transactions on-chain. Yet, existing SSI platforms face trust issues as all credential issuers in SSI are not supported with adequate trust. Current SSI solutions provide trust support to the officiated issuers (e.g., government agencies), who must follow a precise process to assess their credentials. However, there is no structured trust support for individuals of SSI who may attempt to issue a credential (e.g., letter of consent) in the context of business processes. Therefore, some risk-averse verifiers in the system may not accept the credentials from individual issuers to avoid carrying the cost of mishaps from potentially inadmissible credentials without reliance on a trusted agency. This paper proposes a trust propagation protocol that supports individual users to be trusted as verifiable issuers in the SSI platform by establishing a trust propagation credential template in the blockchain. Our approach utilises (i) the sanitizable signature scheme to propagate the required trust to an individual issuer, (ii) a voting mechanism to minimises the possibility of collusion. Our implementation demonstrates that the solution is both practical and performs well under varying system loads.

Cryptography and Security

Koichi Moriyama,Akira Otsuka

DOI: https://doi.org/10.1109/blockchain55522.2022.00012

2024-09-03

IEICE Transactions on Information and Systems

Abstract:Koichi MORIYAMA,Akira OTSUKA, Vol.E107-D, No.9, pp.1112-1122 This article describes the idea of utilizing Attested Execution Secure Processors (AESPs) that fit into building a secure Self-Sovereign Identity (SSI) system satisfying Sybil-resistance under permissionless blockchains. Today's circumstances requiring people to be more online have encouraged us to address digital identity preserving privacy. There is a momentum of research addressing SSI, and many researchers approach blockchain technology as a foundation. SSI brings natural persons various benefits such as owning controls; on the other side, digital identity systems in the real world require Sybil-resistance to comply with Anti-Money-Laundering (AML) and other needs. The main idea in our proposal is to utilize AESPs for three reasons: first is the use of attested execution capability along with tamper-resistance, which is a strong assumption; second is powerfulness and flexibility, allowing various open-source programs to be executed within a secure enclave, and the third is that equipping hardware-assisted security in mobile devices has become a norm. Rafael Pass et al.'s formal abstraction of AESPs and the ideal functionality enable us to formulate how hardware-assisted security works for secure digital identity systems preserving privacy under permissionless blockchains mathematically. Our proposal of the AESP-based SSI architecture and system protocols, , demonstrates the advantages of building a proper SSI system that satisfies the Sybil-resistant requirement. The protocols may eliminate the online distributed committee assumed in other research, such as CanDID, because of assuming AESPs; thus, allows not to rely on multi-party computation (MPC), bringing drastic flexibility and efficiency compared with the existing SSI systems. Publication Date: 2024/09/01

computer science, information systems, software engineering

Deepak Maram,Harjasleen Malvai,Fan Zhang,Nerla Jean-Louis,Alexander Frolov,Tyler Kell,Tyrone Lobban,Christine Moy,Ari Juels,Andrew Miller

DOI: https://doi.org/10.1109/SP40001.2021.00038

2021-01-01

Abstract:We present CanDID, a platform for practical, user-friendly realization of decentralized identity, the idea of empowering end users with management of their own credentials.While decentralized identity promises to give users greater control over their private data, it burdens users with management of private keys, creating a significant risk of key loss. Existing and proposed approaches also presum...

Haotian Cheng,Xiaofeng Li,He Zhao,Tong Zhou,Bin Yu,Nianzu Sheng

DOI: https://doi.org/10.1016/j.jisa.2024.103735

IF: 4.96

2024-03-09

Journal of Information Security and Applications

Abstract:The popularization of digital credentials brings convenience to people, but it also increases the risks of privacy leakage and capability abuse. Designing an accountable anonymous credential scheme offers a promising solution to this problem. However, most existing schemes of accountable anonymous credentials cannot effectively support both decentralized verification and flexible revocation. In this paper, we present S-Cred, an accountable anonymous credential scheme with decentralized verification and flexible revocation, to provide a delegation issuance method for credentials. The ownership of attributes will be transferred to users' temporary identities on the blockchain. In order to prevent credentials misuse, we also design several constraint mechanisms for tracing misbehaving users and revoking their credentials. We further construct a non-fungible obfuscation mechanism by introducing special roles called cloakers. In addition, this paper conducts analysis on security, functionality, efficiency and performance. The results show that S-Cred combines decentralized authentication and flexible revocation with a low computational cost in verification, which demonstrates the practicality of our solution.

computer science, information systems

Evan Krul,Hye-young Paik,Sushmita Ruj,Salil S. Kanhere

DOI: https://doi.org/10.56553/popets-2024-0079

2024-06-27

Abstract:Digital identity is evolving from centralized systems to a decentralized approach known as Self-Sovereign Identity (SSI). SSI empowers individuals to control their digital identities, eliminating reliance on third-party data custodians and reducing the risk of data breaches. However, the concept of trust in SSI remains complex and fragmented. This paper systematically analyzes trust in SSI in light of its components and threats posed by various actors in the system. As a result, we derive three distinct trust models that capture the threats and mitigations identified across SSI literature and implementations. Our work provides a foundational framework for future SSI research and development, including a comprehensive catalogue of SSI components and design requirements for trust, shortcomings in existing SSI systems and areas for further exploration.

Cryptography and Security

Ye Yang

DOI: https://doi.org/10.5539/cis.v15n2p68

2022-03-17

Computer and Information Science

Abstract:Attribute-based anonymous credential schemes allow users to obtain credentials from the issuer and prove the possession of their attributes interactively and anonymously with service providers. So far, most existing schemes only consider single-issuer, where some of them are extended to be traceable or revocable. In the reality, anonymous credential schemes under multi-issuer are more practical, since users could query for credentials from different issuers and use some of them simultaneously, which is more efficient than showing them individually. Although there are also multi-issuer schemes where users obtain credentials from different issuers and show an aggregated credential to service providers, however, these schemes lack practical properties, for example, revocation of invalid users. In this paper, we propose a multi-issuer attribute-based anonymous credential with traceability and revocation, which provides traceability of invalid users, and revocation of the specific users. Users receive credentials from multiple issuers and show an aggregated credential of selective disclosures of attributes. We provide the security model of our scheme of anonymity and unforgeability. Finally, we discuss the computational complexity, which shows the practicality and efficiency of our scheme.

Fan Zhang,Philip Daian,Iddo Bentov

2018-01-01

Abstract:Conventional (M,N )-threshold signature schemes leave users with a painful choice. SettingM = N offers maximum resistance to key compromise. With this choice, though, loss of a single key renders the signing capability unavailable, creating paralysis in systems that use signatures for access control. Lower M improves availability, but at the expense of security. For example, a (3, 3)-multisignature cryptocurrency wallet experiences access-control paralysis upon loss of a single key, but a (2, 3)-multisig allows any two players to collude and steal funds from the third. In this paper, we introduce techniques that address this impasse by making general cryptographic access structures dynamic. Our schemes permit, e.g., a (3, 3)-multisig, to be downgraded to a (2, 3)multisig if a player goes missing. This downgrading is secure in the sense that it occurs only if a player is provably unavailable. Our main tool is what we call a Paralysis Proof, evidence that players, i.e., key holders, are unavailable or incapacitated. Using Paralysis Proofs, we show how to construct a Dynamic Access Structure System, which can securely and flexibly update target access structures without a trusted third party such as a system administrator. We present DASS constructions that combine a trust anchor (a trusted execution environment or smart contract) with a censorshipresistant channel in the form of a blockchain. We offer a formal framework for specifying DASS policies, and define and show how to achieve critical security and usability properties (safety, liveness, and paralysis-freeness) in a DASS. Paralysis Proofs can help address pervasive key-management challenges in many different settings. We present DASS schemes for three important example use cases: recovery of cryptocurrency funds should players become unavailable, returning funds to users when cryptocurrency custodians fail, and remediating critical smartcontract failures such as frozen funds. We report on practical implementations for Bitcoin and Ethereum.

Rui Shi,Huamin Feng,Yang Yang,Feng Yuan,Yingjiu Li,Hwee Hwa Pang,Robert H. Deng

DOI: https://doi.org/10.1109/tsc.2023.3280914

IF: 11.019

2023-01-01

IEEE Transactions on Services Computing

Abstract:Threshold attribute-based credentials are suitable for decentralized systems such as blockchains as such systems generally assume that authenticity, confidentiality, and availability can still be guaranteed in the presence of a threshold number of dishonest or faulty nodes. Coconut (NDSS'19) was the first selective disclosure attribute-based credentials scheme supporting threshold issuance. However, it does not support threshold tracing of user identities and threshold revocation of user credentials, which is desired for internal governance such as identity management, data auditing, and accountability. The communication and computation complexities of Coconut for verifying credentials are linear in the number of each user's attributes and thus costly. Addressing these issues, we propose a novel efficient threshold attribute-based anonymous credential scheme. While retaining all the features of Coconut, our scheme supports threshold tracing of user identities and threshold revocation of user credentials, and it significantly reduces the computational and communication complexities of credential verification. In addition, we prove that our scheme enjoys strong security features, including anonymity, blindness, traceability, and non-frameability.

computer science, information systems, software engineering

Aboulfazl Dayyani,Maghsoud Abbaspour

DOI: https://doi.org/10.1002/cpe.8201

2024-08-06

Concurrency and Computation Practice and Experience

Abstract:Summary The Social Internet of Things (SIoT) allows for more efficient and intelligent communication between entities (humans and objects). Managing the digital identity of objects, protecting the owner's privacy, and resisting impersonation attacks are crucial challenges in SIoT. On the other hand, the classic centralized identity provider servers contain valuable information for hackers and malicious parties. Effective solutions can be presented using decentralized technologies such as blockchains. This paper proposes a decentralized identity management system for SIoT based on smart contract technology. This system drives object identity control; conversely, a zero‐knowledge‐based protocol and double‐spend prevention ideas are proposed for privacy preservation and Sybil attack resistance, respectively. The central idea is to implement self‐sovereign identity (SSI) so that even certifiers are not privy to object‐sensitive information. Additionally, it attempts to prevent the owner from creating Sybil objects using the web of trust method. The method's scalability and convergence can be proven by considering all acknowledgment nodes and different paths. This method was compared with the most novel available methods; the results from this comparison depict the scalability and effectiveness of the proposed method for large networks.

computer science, theory & methods, software engineering

Carlo Mazzocca,Abbas Acar,Selcuk Uluagac,Rebecca Montanari,Paolo Bellavista,Mauro Conti

2024-02-04

Abstract:Digital identity has always been considered the keystone for implementing secure and trustworthy communications among parties. The ever-evolving digital landscape has gone through many technological transformations that have also affected the way entities are digitally identified. During this digital evolution, identity management has shifted from centralized to decentralized approaches. The last era of this journey is represented by the emerging Self-Sovereign Identity (SSI), which gives users full control over their data. SSI leverages decentralized identifiers (DIDs) and verifiable credentials (VCs), which have been recently standardized by the World Wide Web Community (W3C). These technologies have the potential to build more secure and decentralized digital identity systems, remarkably contributing to strengthening the security of communications that typically involve many distributed participants. It is worth noting that the scope of DIDs and VCs extends beyond individuals, encompassing a broad range of entities including cloud, edge, and Internet of Things (IoT) resources. However, due to their novelty, existing literature lacks a comprehensive survey on how DIDs and VCs have been employed in different application domains, which go beyond SSI systems. This paper provides readers with a comprehensive overview of such technologies from different perspectives. Specifically, we first provide the background on DIDs and VCs. Then, we analyze available implementations and offer an in-depth review of how these technologies have been employed across different use-case scenarios. Furthermore, we examine recent regulations and initiatives that have been emerging worldwide. Finally, we present some challenges that hinder their adoption in real-world scenarios and future research directions.

Cryptography and Security,Computers and Society

Rowdy Chotkan,Jérémie Decouchant,Johan Pouwelse

DOI: https://doi.org/10.48550/arXiv.2208.05339

2022-08-10

Distributed, Parallel, and Cluster Computing

Abstract:Self-Sovereign Identity (SSI) aspires to create a standardised identity layer for the Internet by placing citizens at the centre of their data, thereby weakening the grip of big tech on current digital identities. However, as millions of both physical and digital identities are lost annually, it is also necessary for SSIs to possibly be revoked to prevent misuse. Previous attempts at designing a revocation mechanism typically violate the principles of SSI by relying on central trusted components. This lack of a distributed revocation mechanism hampers the development of SSI. In this paper, we address this limitation and present the first fully distributed SSI revocation mechanism that does not rely on specialised trusted nodes. Our novel gossip-based propagation algorithm disseminates revocations throughout the network and provides nodes with a proof of revocation that enables offline verification of revocations. We demonstrate through simulations that our protocol adequately scales to national levels.

Efat Samir,Hongyi Wu,Mohamed Azab,Chunsheng Xin,Qiao Zhang,Chun Sheng Xin

DOI: https://doi.org/10.1109/jiot.2021.3112537

IF: 10.6

2021-01-01

IEEE Internet of Things Journal

Abstract:In a ubiquitous environment enclosing cooperative Internet-of-Things (IoT) devices, individuals, and entities, digital identity management (DIM) becomes critical and challenging. DIM pertains to device identities authentication and verification to enable trustworthy service exchange, data collection, and decision making. DIM is the supporting pillar for all online services and the foundation for security and authentication mechanisms. Due to the extreme heterogeneity, scale, and configuration complexity of such environments, enabling trustworthy DIM is crucial and seriously challenging. In an IoT context, devices use local digital identities stored within a tamper-proof unit and verified by a centralized authority for authentication. The recent attacks on IoT systems showed how vulnerable such a design is. It is also an inherent problem that influences humans. From that, self-sovereign identity (SSI) has emerged as a decentralized DIM approach embracing the concept of portable self-possession identity. SSI was presented to couple the digital identity from the owner to enable large-scale cooperation. However, digital identity storage and verification still occur on the device and in a centralized manner. Utilizing a local single-point-of-failure storage memory for verifiable credentials is one of the considerable drawbacks in contemporary SSI. In this regard, this article introduces decentralized trustworthy-self-sovereign identity management (DT-SSIM), a novel decentralized trustworthy SSI management framework. DT-SSIM integrates the secret share scheme with the blockchain-based smart contracts technologies to provide transparent and trustworthy SSI-based DIM services for IoT. Storing IoT identity credentials outside the devices' local storage preserves the identity credentials from being tampered with or misused. Evaluations and discussions show the resiliency assessment of the system and the cost and estimated running times for verification pro-esses in DT-SSIM.

computer science, information systems,telecommunications,engineering, electrical & electronic

Engin Zeydan,Josep Mangues-Bafalluy,Suayb Arslan,Yekta Turk

DOI: https://doi.org/10.1016/j.vehcom.2024.100759

IF: 6.7

2024-03-03

Vehicular Communications

Abstract:Identity and access management frameworks address user access rights and data governance for organizations, vendors and users. In response to the problems associated with centralized authorities (e.g. single point of failure, limited scalability, lack of user control), new identity management models have emerged, such as Self-Sovereign Identity (SSI), which relies on verifiable data registers to validate Decentralized Identifier (DIDs) and can be achieved in many different ways, e.g. through Distributed Ledger Technology (DLT), distributed databases or other decentralized systems. The main goal of SSI is to enable users to take control of managing their data shared with different services. In this paper, we examine a possible application of the SSI concept to aerial base station (ABS)- integrated networks. The paper presents the effective use of DID implementation to provide a secure and decentralized way to create, associate and verify credentials and identities of ABSs, ensuring secure communication between Ground Base stations (GBSs) and other nodes in the network in a multi-operator scenario. In the numerical results, the average values of various metrics (namely, the average credential presentation time, the average credential offer time, the average DIDcomm connection creation time, the average DIDcomm signing time, and the average DIDcomm revoke credential time) related to credential operations in a DID management system are given for three different number of requests (50 K, 75 K, and 100 K). We have also provided the values of the different status codes that occurred in 100 K operations in the same DID management system. Towards the end of the paper, a comparison is made between SSI-based and Non-fungible token (NFT)-based blockchain solutions, also discussing the challenges and future directions of SSI solutions in the context of ABS-integrated networks.

telecommunications,transportation science & technology

Taehoon Kim,Daehee Seo,Su-Hyun Kim,Im-Yeong Lee

DOI: https://doi.org/10.3390/s24072215

IF: 3.9

2024-03-30

Sensors

Abstract:Decentralized Identifiers have recently expanded into Internet of Things devices and are crucial in securing users' digital identities and data. However, Decentralized Identifiers face challenges in scenarios necessitating authority delegation and anonymity, such as when dealing with legal guardianship for minors, device loss or damage, and specific medical contexts involving patient information. This paper aims to strengthen data sovereignty within the Decentralized Identifier system by implementing a secure authority delegation and anonymity scheme. It suggests optimizing verifiable presentations by utilizing a sequential aggregate signature, a Non-Interactive Zero-Knowledge Proof, and a Merkle tree to prevent against linkage and Sybil attacks while facilitating delegation. This strategy mitigates security risks related to delegation and anonymity, efficiently reduces the computational and verification efforts for signatures, and reduces the size of verifiable presentations by about 1.2 to 2 times.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Weichu Deng,Jin Li,Hongyang Yan,Arthur Sandor Voundi Koe,Teng huang,Jianfeng Wang,Cong Peng

DOI: https://doi.org/10.1016/j.jisa.2024.103885

IF: 4.96

2024-09-14

Journal of Information Security and Applications

Abstract:In the Internet of Things, access control and identity management rely on centralized platforms. However, centralized platforms will compromise user privacy with identity leakage. Self-sovereign identity (SSI) is a novel model for identity management that does not require third-party centralized authority. Thus, SSI is a potential solution to the identity management problem in IoT access control. This paper's motivation is to address the problems of lack of identity sovereignty, centralized authorization, and high computational overhead for IoT access control. We propose a novel access control scheme for IoT that decentralizes identity management and tackles single-point-of-failure issues. This scheme leverages ciphertext policy attribute-based encryption (CP-ABE) and SSI to achieve the overall goal. Specifically, Our scheme eliminates the central authority and empowers users to manage their identity, allowing users to decide what attributes they disclose. Regarding the distribution of roles in the architecture, this paper follows the generic SSI model (ISSUER–HOLDER—VERIFIER) that allows a user to access a service from a service provider. To enable real-world deployment of our scheme, we establish an attribute authorization authority(such as the government) as a trusted identity point of entry. Users generate decentralized identifiers to enjoy services of interest in a privacy-preserving manner. The analysis demonstrates the practicality and superiority of our scheme. Our scheme requires less computation and is suitable for resource-constrained IoT scenarios.

computer science, information systems

Alexander Mühle,Andreas Grüner,Tatiana Gayvoronskaya,Christoph Meinel

DOI: https://doi.org/10.48550/arXiv.1807.06346

2018-07-17

Cryptography and Security

Abstract:This paper provides an overview of the Self-Sovereign Identity (SSI) concept, focusing on four different components that we identified as essential to the architecture. Self-Sovereign Identity is enabled by the new development of blockchain technology. Through the trustless, decentralised database that is provided by a blockchain, classic Identity Management registration processes can be replaced. We start off by giving a simple overview of blockchain based SSI, introducing an architecture overview as well as relevant actors in such a system. We further distinguish two major approaches, namely the Identifier Registry Model and its extension the Claim Registry Model. Subsequently we discuss identifiers in such a system, presenting past research in the area and current approaches in SSI in the context of Zooko's Triangle. As the user of an SSI has to be linked with his digital identifier we also discuss authentication solutions. Most central to the concept of an SSI are the verifiable claims that are presented to relying parties. Resources in the field are only losely connected. We will provide a more coherent view of verifiable claims in regards to blockchain based SSI and clarify differences in the used terminology. Storage solutions for the verifiable claims, both on- and off-chain, are presented with their advantages and disadvantages.

Jinguang Han,Liqun Chen,Steve Schneider,Helen Treharne,Stephan Wesemeyer

DOI: https://doi.org/10.48550/arXiv.1804.07201

2018-04-19

Abstract:Anonymous Single-Sign-On authentication schemes have been proposed to allow users to access a service protected by a verifier without revealing their identity which has become more important due to the introduction of strong privacy regulations. In this paper we describe a new approach whereby anonymous authentication to different verifiers is achieved via authorisation tags and pseudonyms. The particular innovation of our scheme is authentication can only occur between a user and its designated verifier for a service, and the verification cannot be performed by any other verifier. The benefit of this authentication approach is that it prevents information leakage of a user's service access information, even if the verifiers for these services collude which each other. Our scheme also supports a trusted third party who is authorised to de-anonymise the user and reveal her whole services access information if required. Furthermore, our scheme is lightweight because it does not rely on attribute or policy-based signature schemes to enable access to multiple services. The scheme's security model is given together with a security proof, an implementation and a performance evaluation.

Cryptography and Security

Abylay Satybaldy,Md. Sadek Ferdous,Mariusz Nowostawski

DOI: https://doi.org/10.1109/access.2024.3357940

IF: 3.9

2024-02-07

IEEE Access

Abstract:Creating and utilizing digital identities are fundamental steps towards accessing online services. In order to facilitate the management of user identities, the concept of identity management has been introduced. Various systems and protocols have been developed to manage online identities. However, these systems are provider-centric, focusing on aiding providers in managing their user bases. As a result, users often have limited control over their identity data and remain unaware of how centralized identity providers use or potentially misuse their data. Self-Sovereign Identity (SSI) has emerged as a new paradigm in the digital identity management landscape, aiming to empower users by allowing them greater control over their identity data. Although SSI is a relatively new domain, there have been numerous efforts, primarily from the industry, to introduce SSI standards, protocols, and systems, with multiple options in each category. Researchers eager to contribute to the SSI domain might find it challenging to understand the interconnections among these components. Notably, the SSI domain faces several challenges, as highlighted in various research works. These challenges must be addressed before SSI can achieve widespread adoption. This article presents a comprehensive systematic literature review of SSI, offers a detailed taxonomy, and identifies and analyzes the open challenges in SSI.

computer science, information systems,telecommunications,engineering, electrical & electronic