Lin Yao,Lei Wang,Xiangwei Kong,Guowei Wu,Feng Xia

DOI: https://doi.org/10.1016/j.camwa.2010.01.010

IF: 3.218

2010-01-01

Computers & Mathematics with Applications

Abstract:In a pervasive computing environment, mobile users often roam into foreign domains. Consequently, mutual authentication between the user and the service provider in different domains becomes a critical issue. In this paper, a fast and secure inter-domain authentication and key establishment scheme, namely IDAS, is proposed. IDAS adopts Biometrics to guarantee the uniqueness and privacy of users and adopts signcryption to generate a secure session key. IDAS can not only reduce the burden of certificates management, but also protect the users and authentication servers against fraud. Compared with some other authentication methods, our approach is superior with faster key exchange and authentication, as well as more privacy. The correctness is verified with the Syverson and Van Oorschot (SVO) logic. Crown Copyright (C) 2010 Published by Elsevier Ltd. All rights reserved.

Carlo Mazzocca,Abbas Acar,Selcuk Uluagac,Rebecca Montanari,Paolo Bellavista,Mauro Conti

2024-02-04

Abstract:Digital identity has always been considered the keystone for implementing secure and trustworthy communications among parties. The ever-evolving digital landscape has gone through many technological transformations that have also affected the way entities are digitally identified. During this digital evolution, identity management has shifted from centralized to decentralized approaches. The last era of this journey is represented by the emerging Self-Sovereign Identity (SSI), which gives users full control over their data. SSI leverages decentralized identifiers (DIDs) and verifiable credentials (VCs), which have been recently standardized by the World Wide Web Community (W3C). These technologies have the potential to build more secure and decentralized digital identity systems, remarkably contributing to strengthening the security of communications that typically involve many distributed participants. It is worth noting that the scope of DIDs and VCs extends beyond individuals, encompassing a broad range of entities including cloud, edge, and Internet of Things (IoT) resources. However, due to their novelty, existing literature lacks a comprehensive survey on how DIDs and VCs have been employed in different application domains, which go beyond SSI systems. This paper provides readers with a comprehensive overview of such technologies from different perspectives. Specifically, we first provide the background on DIDs and VCs. Then, we analyze available implementations and offer an in-depth review of how these technologies have been employed across different use-case scenarios. Furthermore, we examine recent regulations and initiatives that have been emerging worldwide. Finally, we present some challenges that hinder their adoption in real-world scenarios and future research directions.

Cryptography and Security,Computers and Society

Zuoqi Jiang,Jiangtao Luo,Fei Zhang,Chen He,Mengnan Wang,Yanyong Zhang

DOI: https://doi.org/10.1109/hoticn48464.2019.9063215

2019-01-01

Abstract:The current data-centric security architecture for the Information Centric Network (ICN) does not provide efficient user authentication mechanisms, thus causing undesirable issues such as interest flooding a ttacks (IFA). I no rder to address them, this paper proposes a pseudonym authentication scheme on network layer based on the system of identity-based cryptography (IBC). In the proposed approach, each consumer needs to be authenticated before sending Interest packets into the network. After successful authentication, the consumer will be assigned a temporary nickname to be used in later data request. During the procedure, IBC is adopted to protect real names of consumers and verify the interest origin. As a result, this approach can complete user authentication and protect his real identity simultaneously. The proposed approach is case studied in IFA depression and expected results are achieved.

M. Anisetti,Filippo Berto,C. Ardagna,E. Damiani

DOI: https://doi.org/10.1109/TNSM.2022.3165144

2022-09-01

IEEE Transactions on Network and Service Management

Abstract:Information-Centric Networking is an emerging alternative to host-centric networking designed for large-scale content distribution and stricter privacy requirements. Recent research on Information-Centric Networking focused on the protection of the network from attacks targeting the content delivery protocols, while assuming genuine content can always be retrieved from trustworthy nodes. In this paper, we depart from the assumption of the trustworthiness of network nodes and propose a novel certification methodology for information-centric networks that supports continuous security verification of non-functional properties. Our methodology provides a complete and detailed view of the network security status, increasing the trustworthiness of the network and its services. The proposed approach builds on an enhanced certification model capturing the evolution of the system over time. It also defines certification services that fully integrate with existing networks to collect evidence on the target of certification and carry out the certification process. It finally proposes two certification processes, centralized and decentralized, balancing the impact on the network and the system performance. Efficiency, performance, and soundness of our approach are experimentally evaluated in a simulated Named Data Networking (NDN) network targeting property availability.

Computer Science

Deepak Maram,Harjasleen Malvai,Fan Zhang,Nerla Jean-Louis,Alexander Frolov,Tyler Kell,Tyrone Lobban,Christine Moy,Ari Juels,Andrew Miller

DOI: https://doi.org/10.1109/SP40001.2021.00038

2021-01-01

Abstract:We present CanDID, a platform for practical, user-friendly realization of decentralized identity, the idea of empowering end users with management of their own credentials.While decentralized identity promises to give users greater control over their private data, it burdens users with management of private keys, creating a significant risk of key loss. Existing and proposed approaches also presum...

Haotian Deng,Jinwen Liang,Chuan Zhang,Ximeng Liu,Liehuang Zhu,Song Guo

DOI: https://doi.org/10.1109/tc.2024.3398509

IF: 3.183

2024-01-01

IEEE Transactions on Computers

Abstract:Decentralized identity (DID) systems conforming to the World Wide Web Consortium (W3C) Decentralized Identifiers (DIDs) and Verifiable Credentials Data Model recommendations have recently attracted attention due to their better autonomy, interoperability, and openness design. However, those W3C recommendations lack a design for addressing the single point of failure (SPOF) and identity revocation, which could seriously compromise the robustness and practicality of DID systems. To remedy these limitations, we propose FutureDID, a DID system that enables multiple parties to jointly issue credentials and efficiently revoke DID identities, providing a robust and practical DID system. FutureDID is designed with a multi-party credential issuing mechanism based on distributed key generation technology, which transforms trust from a single entity to distributed committees and facilitates authentication between issuers, making it more resistant to SPOF. Moreover, the underlying blockchain system is built on a chameleon hash function to ensure tamper-proof and enable efficient identity revocation. We have implemented a prototype system using FISCO BCOS and conducted extensive evaluations to demonstrate the effectiveness and practicality of our system. Our evaluations have shown that FutureDID provides a significant improvement in efficiency, achieving at least a 60 × efficiency improvement in identity revocation compared to state-of-the-art systems.

Jing He,Xiaofeng MA,Dawei Zhang,Feng Peng

DOI: https://doi.org/10.1051/sands/2024013

2024-10-16

Security and Safety

Abstract:Decentralized identity represents an innovative approach based on blockchain to achieve effective identity management. This method utilizes decentralized identifiers and verifiable credential to enable trusted authentication, free circulation of identity information, and self-sovereign control over identity data functionalities. The current decentralized identity systems rely on entirely anonymous identifiers, lacking robust identity regulation. Furthermore, they face challenges such as identity attribute leakage during verifiable credential presentation and the issuers' struggle to reliably revoke credentials. To address these issues, efficient and practical schemes have been designed based on BBS signature, zero-knowledge proof, dynamic accumulator and blockchain technology: one for decentralized identifiers management and the other for verifiable credential privacy protection, both of which are supervised and revocable. The former ensures the privacy of subject identity while achieving regulatability and revocability of identity data by regulator. The latter facilitates selective disclosure of anonymous credentials and reliable revocation. A security analysis shows that the proposed scheme meets anonymity, non-forgeability, regulatory reliability, and revocability reliability, and offers comprehensive and effective privacy protection measures. The experimental results demonstrate that the algorithms designed operate at a millisecond level, which satisfies the demands of blockchain identity management scenarios.

Walid Elbreiki,Shivaleela Arlimatti,Suhaidi Hassan,Adib Habbal,Mohamed Elshaikh

DOI: https://doi.org/10.1063/1.4960878

2016-01-01

AIP Conference Proceedings

Abstract:Information Centric Networks (ICN) is the new paradigm that envisages to shift the Internet away from its existing Point-to-Point architecture to a data centric, where communication is based on named hosts rather than the information stored on these hosts. Name Resolution is the center of attraction for ICN, where Named Data Objects (NDO) are used for identifying the information and guiding for routing or forwarding inside ICN. Recently, several researches use distributed NRS to overcome the problem of interest flooding, congestion and overloading. Yet the distribution of NRS is based on random distribution. How to distribute the NRS is still an important and challenging problem. In this work, we address the problem of distribution of NRS by proposing a new mechanism called Distributed Name Resolution System (DNRS), by considering the time of publishing the NDOs in the NRS. This mechanism partitions the network to distribute the workload among NRSs by increasing storage capacity. In addition, partitioning the network increases flexibility and scalability of NRS. We evaluate the effectiveness of our proposed mechanism, which achieves lesser end-to-end delay with more average throughputs compared to random distribution of NRS without disturbing the underlying routing or forwarding strategies.

Asem Othman,John Callahan

DOI: https://doi.org/10.48550/arXiv.1711.07127

2017-11-20

Abstract:Most user authentication methods and identity proving systems rely on a centralized database. Such information storage presents a single point of compromise from a security perspective. If this system is compromised it poses a direct threat to users' digital identities. This paper proposes a decentralized authentication method, called the Horcrux protocol, in which there is no such single point of compromise. The protocol relies on decentralized identifiers (DIDs) under development by the W3C Verifiable Claims Community Group and the concept of self-sovereign identity. To accomplish this, we propose specification and implementation of a decentralized biometric credential storage option via blockchains using DIDs and DID documents within the IEEE 2410-2017 Biometric Open Protocol Standard (BOPS).

Cryptography and Security

Liu Huiling,Li Hui,Yu Chaoqi,Zhu Bing,Pan Kai

DOI: https://doi.org/10.1109/ICCChina.2015.7448622

2015-01-01

Abstract:Identity/locator separation and software defined networking (SDN) have emerged in recent years as two promising technologies within the Internet community. Identity/locator separation supports mobility and shows good performance in scaling problems. By separating the control and data plane, SDN achieves the software control of the networks evolving independently of the hardware. Constant attempts are made to integrate identity/locator separation and SDN dedicated to a new network architecture incorporating these two technologies so as to retain the advantages from both of them. In this paper, we propose a novel identity-based centralized control network architecture (ICCN) by mapping identity into locator to route and decoupling control strategy from packet forwarding. ICCN provides efficient communication and host mobility. We implement ICCN and conducts experiments on a SDN-based network with up to 10 nodes, and the results show that ICCN is feasible and scalable.

Yu Wang,Mingwei Xu,Zhen Feng,Qing Li,Qi Li

DOI: https://doi.org/10.1109/pccc.2014.7017094

2014-01-01

Abstract:Information-Centric Networking (ICN) has been proposed recently to improve the efficiency of content delivery in current IP networks. ICN employs data names, instead of host addresses, as routing and forwarding indicators. Content in the ICN carries only signature of the content provider but does not contain the identity of the content consumer by default. Such information is, however, essential for many of the web applications, such as email, online social networking, online game, e-commerce, and other session-based web services.In this paper, we propose a session-based access control (SAC) mechanism for ICN scenario to bridge the gap. Key distribution protocols are designed to protect the confidentiality of the content during information delivery. We also employ a dynamic naming scheme to enhance user privacy. According to security analysis, our access control mechanism can provide communication security and privacy protection for both sides of the session. Our design can be easily applied to session-based applications in ICN with negligible overhead.

Jiang Xiaoke,Bi Jun,Nan Guoshun,Li Zhaogeng

DOI: https://doi.org/10.1109/cc.2015.7188520

2015-01-01

Abstract:The basic function of the Internet is to delivery data（what） to serve the needs of all applications. IP names the attachment points（where） to facilitate ubiquitous interconnectivity as the current way to deliver data. The fundamental mismatch between data delivery and naming attachment points leads to a lot of challenges, e.g., mapping from data name to IP address, handling dynamics of underlying topology, scaling up the data distribution, and securing communication, etc. Informationcentric networking（ICN） is proposed to shift the focus of communication paradigm from where to what, by making the named data the first-class citizen in the network, The basic consensus of ICN is to name the data independent from its container（space dimension） and session（time dimension）, which breaks the limitation of point-to-point IP semantic. It scales up data distribution by utilizing available resources, and facilitates communication to fit diverse connectivity and heterogeneous networks. However, there are only a few consensuses on the detailed design of ICN, and quite a few different ICN architectures are proposed. This paper reveals the rationales of ICN from the perspective of the Internet evolution, surveys different design choices, and discusses on two debatable topics in ICN, i.e.,self-certifying versus hierarchical names, and edge versus pervasive caching. We hope this survey helps clarify some mis-understandings on ICN and achieve more consensuses.

Ruidong Li,Hitoshi Asaeda,Jie Li,Xiaoming Fu

DOI: https://doi.org/10.1016/j.dcan.2017.06.001

IF: 6.348

2017-01-01

Digital Communications and Networks

Abstract:Big data has a strong demand for a network infrastructure with the capability to support data sharing and retrieval efficiently. Information-centric networking (ICN) is an emerging approach to satisfy this demand, where big data is cached ubiquitously in the network and retrieved using data names. However, existing authentication and authorization schemes rely mostly on centralized servers to provide certification and mediation services for data retrieval. This causes considerable traffic overhead for the secure distributed sharing of data. To solve this problem, we employ identity-based cryptography (IBC) to propose a Distributed Authentication and Authorization Scheme (DAAS), where an identity-based signature (IBS) is used to achieve distributed verifications of the identities of publishers and users. Moreover, Ciphertext-Policy Attribute-based encryption (CP-ABE) is used to enable the distributed and fine-grained authorization. DAAS consists of three phases: initialization, secure data publication, and secure data retrieval, which seamlessly integrate authentication and authorization with the interest/data communication paradigm in ICN. In particular, we propose trustworthy registration and Network Operator and Authority Manifest (NOAM) dissemination to provide initial secure registration and enable efficient authentication for global data retrieval. Meanwhile, Attribute Manifest (AM) distribution coupled with automatic attribute update is proposed to reduce the cost of attribute retrieval. We examine the performance of the proposed DAAS, which shows that it can achieve a lower bandwidth cost than existing schemes.

Shrey Jain,Leon Erichsen,Glen Weyl

DOI: https://doi.org/10.48550/arXiv.2208.11443

2022-08-24

Abstract:In this article, we explore the tension between abstraction and composability in web3 today, specifically within identity solutions, and argue that the current standard DID v1.0 is sufficiently under specified, allowing for many methods and instantiations, including blockchain based certificates. We view experiments today in web3 identity as additive and complementary, and argue that often cited differences are of degree and more in form, less in substance. By way of illustration, we compare decentralized naming services and blockchain based identity certificates such as soulbound tokens (SBTs) to decentralized identifiers (DIDs) and verifiable credentials (VCs). Both paradigms, to the extent they can be meaningfully differentiated, share similar potential as well as challenges. Specifically, we refer to fears about non consensual verification (scarlet letters) and show DID method iterations are not immune by issuing an innocuous public scarlet letter to a DIDs associated public address for anyone to see. Moreover, we argue that because SBTs are unspecified, one could characterize SBTs as an iteration, or extension, of VCs that additionally aspire to achieve composability with web3 smart contracts for correct execution of code, privacy, coercion resistance, and censorship resistance. We offer research paths for how VCs can also achieve these properties. We do not comment on cost, scalability, transferability, or common knowledge as they have been previously reviewed.

Cryptography and Security

Cristian Nicolae Butincu,Adrian Alexandrescu

DOI: https://doi.org/10.1109/access.2024.3394537

IF: 3.9

2024-05-03

IEEE Access

Abstract:The increased digitalization of society raises concerns regarding data protection and user privacy, and criticism on how the companies handle user data without being transparent and without providing adequate mechanisms for users to control how their own data is being processed or shared. To address this problem and open the way for a secure and efficient society, where the privacy of citizens is paramount, the identity concept and proof of identity mechanisms need to be redesigned from the ground up. In this paper we discuss how the emerging Web3 technologies like distributed ledger technology (DLT), blockchain, smart contracts, decentralized storage systems, and crypto wallets can be leveraged to design and implement a decentralized digital identity system based on decentralized identifiers (DID) and self-sovereign identities (SSI). Such a system puts the users in full control over their own data while also providing a solid backbone for building interoperable systems that are secure, scalable, and efficient. We propose different architectures for the decentralized identity infrastructure and storage layer, and also discuss the mapping of these architectures on cloud platforms. The main goal is to provide an architectural blueprint for a scalable, secure, privacy-preserving and trusted system.

computer science, information systems,telecommunications,engineering, electrical & electronic

Sandro Rodriguez Garzon,Dennis Natusch,Artur Philipp,Axel Küpper,Hans Joachim Einsiedler,Daniela Schneider

2024-05-15

Abstract:Authentication in TLS is predominately carried out with X.509 digital certificates issued by certificate authorities (CA). The centralized nature of current public key infrastructures, however, comes along with severe risks, such as single points of failure and susceptibility to cyber-attacks, potentially undermining the security and trustworthiness of the entire system. With Decentralized Identifiers (DID) alongside distributed ledger technology, it becomes technically feasible to prove ownership of a unique identifier without requiring an attestation of the proof's public key by a centralized and therefore vulnerable CA. This article presents DID Link, a novel authentication scheme for TLS 1.3 that empowers entities to authenticate in a TLS-compliant way with self-issued X.509 certificates that are equipped with ledger-anchored DIDs instead of CA-issued identifiers. It facilitates the exchange of tamper-proof and 3rd-party attested claims in the form of DID-bound Verifiable Credentials after the TLS handshake to complete the authentication with a full identification of the communication partner. A prototypical implementation shows comparable TLS handshake durations of DID Link if verification material is cached and reasonable prolongations if it is obtained from a ledger. The significant speed improvement of the resulting TLS channel over a widely used, DID-based alternative transport protocol on the application layer demonstrates the potential of DID Link to become a viable solution for the establishment of secure and trustful end-to-end communication links with decentrally managed digital identities.

Cryptography and Security,Networking and Internet Architecture

Athanasios V. Vasilakos,Zhe Li,Gwendal Simon,Wei You

DOI: https://doi.org/10.1016/j.jnca.2015.02.001

IF: 7.574

2015-01-01

Journal of Network and Computer Applications

Abstract:For more than a decade, the inherent drawbacks of current Internet have been calling for its revolutionary designs. The end-to-end model, which was designed for special data transmission in the early age of Internet, is causing troubles everywhere in nowadays content based web services. Consequently, Information Centric Network (ICN) is proposed to solve these problems. As the most permanent clean-slate approach for next generation Internet, ICN has attracted much attention from network researchers in the passed few years. This survey focuses on the current progress of the research work in ICN. It investigates various key aspects such as naming and routing schemes, in-network caching policies, etc., and highlights the benefit of implementing ICN, open research issues and new interests in this domain.

Chunmei XIA,Mingwei XU

DOI: https://doi.org/10.3778/j.issn.1673-9418.1303025

2013-01-01

Abstract:Network requirements are evolved from data communications between two hosts to accessing a large amount of information through networks. The current Internet uses address-centric network communication model,which is suitable for the communications between hosts but not efficient in the communications between hosts and networks. Given this fact, information-centric networking(ICN) becomes the hot spot to meet the new requirements.Firstly, this paper presents the basic idea of ICN, analyzes the features of ICN, and classifies different ICN approaches,including the following aspects: naming, resolving, routing and caching. Secondly, this paper summarizes the five key technologies in ICN which are naming, resolving, routing, distribution and caching, and then analyzes and evaluates the existing ICN schemes. Finally, several key issues in ICN are discussed and future directions are pointed out.

Jing Ren,Kejie Lu,Sheng Wang,Xiong Wang,Shizhong Xu,Lemin Li,Shucheng Liu

DOI: https://doi.org/10.1109/mnet.2014.6843229

IF: 10.294

2014-01-01

IEEE Network

Abstract:Information-centric networking, ICN, is a promising technology for future Internet design, with which a user can directly obtain a content object by its name (or identification), without specifying the location of the content object. In recent years, various ICN architectures have been proposed, and they differ significantly in terms of naming, routing, etc. Consequently, it becomes a major challenge to convince network service providers to deploy ICN-enabled networks. In this article, we will address this challenging issue by proposing a novel deployment framework, versatile ICN, based on software-defined networking concepts, which can efficiently enable different ICN architectures and can facilitate interoperation among ICN instances. Specifically, we first review existing ICN architectures and abstract their core functions. We then elaborate on the main ideas of the VICN framework, including application scenarios, design criteria, and key hardware and software components. To illustrate how the framework can be applied, we develop a prototype that can enable two major ICN architectures, and also facilitate interoperation between them. Using the prototype, we conduct evaluations to show how a user of one ICN instance can obtain a content object from another ICN instance, where the two ICN instances adopt different ICN architectures and are deployed on two NSP networks. Evaluation results confirm that the proposed framework is viable and can lead to much better delay and throughput performance.

Kai Lei,Zhongjie Wang

DOI: https://doi.org/10.1109/iccse.2012.6295245

2012-01-01

Abstract:Content-Centric Networking (CCN) is a predominant substitute of the current TCP/IP networking and it is proposed to be the next generation Internet foundation. The evident characteristic of this network architecture is caching and indexing contents by the inner nodes - the routers, so as to reduce the redundant transmission and thereby shorten the distance between user and content. In this paper, we propose and implement a user authentication scheme over CCN. We adopt the trust model based on certificate authority (CA) to provide the service of binding certificate with user's identity, and help user determine the authenticity and reliability of the publisher of the network content. Also the specialized CA we designed for CCN takes advantage of the decentralization characteristic and cache mechanism of CCN to distribute the certificates and certificate revocation list (CRL) into the network, and it reduces the load of the CA central server when retrieving and verifying certificates. Besides, we propose a timeline-based method to segment the CRL with certificate issue date, thereby making the retrieval of CRL more effective.