1.
Grüner, A., Mühle, A., Meinel, C.: ATIB: Design and Evaluation of an Architecture for Brokered Self-Sovereign Identity Integration and Trust-Enhancing Attribute Aggregation for Service Provider. IEEE Access. 9, 138553–138570 (2021).
Abstract: Identity management is a principal component of securing online services. In the advancement of traditional identity management patterns, the identity provider remained a Trusted Third Party (TTP). The service provider and the user need to trust a particular identity provider for correct attributes, amongst other demands. This paradigm changed with the invention of blockchain-based Self-Sovereign Identity (SSI) solutions that primarily focus on the users. SSI reduces the functional scope of the identity provider to an attribute provider while enabling attribute aggregation. Besides that, the development of new protocols, the disregard of established protocols and a significantly fragmented landscape of SSI solutions pose considerable challenges for adoption by service providers. We propose an Attribute Trust-enhancing Identity Broker (ATIB) to leverage the potential of SSI for trust-enhancing attribute aggregation. Furthermore, ATIB abstracts from a dedicated SSI solution and offers standard protocols. Therefore, it facilitates adoption by service providers. Despite the brokered integration approach, we show that ATIB provides a high security posture. Additionally, ATIB does not compromise the ten foundational SSI principles for the users.
2.
Grüner, A., Mühle, A., Meinel, C.: Analyzing Interoperability and Portability Concepts for Self-Sovereign Identity. Proceedings of the 2021 IEEE International Conference on Trust, Security and Privacy in Computing and Communications (accepted). IEEE, Shenyang, China (2021).
Abstract: The Self-Sovereign Identity (SSI) paradigm postulates globally unique identities that are controlled by the user. To achieve widespread applicability, the emphasized interoperability principle supports the proclaimed ambition. Furthermore, identity portability enables the transfer of the identity to another SSI solution. These axioms gain additional momentum due to the development of numerous implementations. In this paper, we examine interoperability and portability concepts for SSI. Initially, we define these principles regarding the blockchain-based SSI model. Subsequently, we outline assessment criteria considering functional scope, governance/trust, scalability and further characteristics. For interoperability, we evaluate the concepts of protocol and standard, broker, hub and pairing. Besides that, we assess the transformer and auxiliary solutions for portability. We can conclude that all interoperability schemes theoretically provide the maximum functional level. In contrast, portability patterns are fragmented in this regard. Nonetheless, protocols and standards can only be applied in the design phase, whereas broker, hub, pairing, transformer and auxiliary solutions enable interoperability or, respectively, portability after deployment of the SSI system.
3.
Grüner, A., Mühle, A., Meinel, C.: On the Structure and Assessment of Trust Models in Attribute Assurance. Proceedings of the 35th International Conference on Advanced Information Networking and Applications. Springer, Toronto, Canada (2021).
Abstract: Online services fundamentally rely on identity management to secure and personalize their presence. Within identity management, attribute assurance techniques target correctness and validity of attributes. These properties are an essential foundation for service provisioning in digital businesses. A myriad of attribute assurance trust models has been published. However, a superior trust model among the various proposals has not been identified. Additionally, a profound assessment is challenging due to a missing general notation and approach. In this paper, we work towards the structural characteristics of a secure trust model. To achieve this, we analyze common elements of attribute assurance trust models and outline differentiating factors compared to other domains. Based on the key components, we propose a formal meta-framework to depict existing trust models. Using the framework, characteristics and security attacks of these trust schemes are elaborated. As an outcome, we can conclude that a secure trust model depends on an attack-resistant trust function that considers high trust values and several attestation issuers.
4.
Grüner, A., Mühle, A., Meinel, C.: A Taxonomy of Trust Models for Attribute Assurance in Identity Management. Proceedings of the Workshops of the International 34th Conference on Advanced Information Networking and Applications. Springer, Caserta, Italy (2020).
Abstract: Attribute providers are trusted third parties in decentralized and federated identity management patterns. Service providers evaluate trust in delivered attributes with attribute assurance techniques because user properties are highly important for service provisioning. Levels of assurance define verification measures forming common ground for trust in attributes delivered by a particular provider. Beyond that, trust models that are tailored to attribute assurance in identity management enable flexible trust decisions that consider multiple attribute providers. Over time, various trust schemes for attribute assurance that address different characteristics have been proposed. We present existing models in this domain and analyze them with regard to trust scale, trust applicability, attribute aggregation, trust composition and centralization of trust. Based on the results, we create a taxonomy to arrange the trust models. Supported by this classification scheme, we identify gaps in the model coverage and propose associated future research directions.
5.
Grüner, A., Mühle, A., Meinel, C.: Using Probabilistic Attribute Aggregation for Increasing Trust in Attribute Assurance. Proceedings of the 2019 IEEE Symposium Series on Computational Intelligence in Cyber Security. IEEE, Xiamen, China (2019).
Abstract: Identity management is an essential cornerstone of securing online services. Service provisioning relies on correct and valid attributes of a digital identity. Therefore, the identity provider is a trusted third party with a specific trust requirement towards a verified attribute supply. This trust demand implies a significant dependency for users and service providers. We propose a novel attribute aggregation method to reduce the reliance on one identity provider. Trust in an attribute is modelled as a combined assurance of several identity providers based on probability distributions. We formally describe the proposed aggregation model. The resulting trust model is implemented in a gateway that is used for authentication with self-sovereign identity solutions. Thereby, we devise a service-provider-specific web of trust that constitutes an intermediate approach bridging a global hierarchical model and a locally decentralized peer-to-peer scheme.
6.
Grüner, A., Mühle, A., Meinel, C.: An Integration Architecture to Enable Service Providers for Self-sovereign Identity. Proceedings of the 18th International Symposium on Network Computing and Applications. IEEE, Boston, MA (2019).
Abstract: The self-sovereign identity management model emerged with the rise of blockchain technology. This paradigm focuses on user-centricity and strives to place the user in full control of the digital identity. Numerous implementations embrace the self-sovereign identity concept, leading to a fragmented landscape of solutions. At the same time, traditional identity and access management protocols are largely disregarded and facilities to issue verifiable claims as attributes are not available. Therefore, service providers barely adopt these solutions. We propose a component-based architecture for integrating self-sovereign identity solutions into web applications to foster their adoption by service providers. Furthermore, we outline a sample implementation as a gateway that enables uPort and Jolocom for authentication via the OpenID Connect protocol, as well as the retrieval of email address attestations for these solutions.
7.
Grüner, A., Mühle, A., Gayvoronskaya, T., Meinel, C.: A Comparative Analysis of Trust Requirements in Decentralized Identity Management. Proceedings of the 33rd International Conference on Advanced Information Networking and Applications. Springer, Matsue, Japan (2019).
Abstract: Identity management is a fundamental component in securing online services. Isolated and centralized identity models have been applied within organizations. Moreover, identity federations connect digital identities across trust domain boundaries. These traditional models have been thoroughly studied with regard to trust requirements. The recently emerging blockchain technology enables a novel decentralized identity management model that targets user-centricity and eliminates the identity provider as a trusted third party. The result is a substantially different set of entities with mutual trust requirements. In this paper, we analyze decentralized identity management based on blockchain by defining topology patterns. These patterns schematically depict the decentralized setting and its main actors. We study trust requirements for the devised patterns and, finally, compare the result to traditional models. Our contribution enables a clear view of the differences in trust requirements within the various models.
8.
Mühle, A., Grüner, A., Gayvoronskaya, T., Meinel, C.: A Survey on Essential Components of a Self-Sovereign Identity. Computer Science Review. 80–86 (2018).
Abstract: This paper provides an overview of the Self-Sovereign Identity (SSI) concept, focusing on four different components that we identified as essential to the architecture. Self-Sovereign Identity is enabled by the new development of blockchain technology. Through the trustless, decentralised database that is provided by a blockchain, classic Identity Management registration processes can be replaced. We start off by giving a simple overview of blockchain-based SSI, introducing an architecture overview as well as relevant actors in such a system. We further distinguish two major approaches, namely the Identifier Registry Model and its extension, the Claim Registry Model. Subsequently, we discuss identifiers in such a system, presenting past research in the area and current approaches in SSI in the context of Zooko's Triangle. As the user of an SSI has to be linked with his digital identifier, we also discuss authentication solutions. Most central to the concept of an SSI are the verifiable claims that are presented to relying parties. Resources in the field are only loosely connected. We will provide a more coherent view of verifiable claims in regard to blockchain-based SSI and clarify differences in the used terminology. Storage solutions for the verifiable claims, both on- and off-chain, are presented with their advantages and disadvantages.
9.
Grüner, A., Mühle, A., Gayvoronskaya, T., Meinel, C.: Towards a Blockchain-based Identity Provider. Proceedings of the 12th International Conference on Emerging Security Information, Systems and Technologies. IARIA, Venice, Italy (2018).
Abstract: The emerging blockchain technology is under way to revolutionize various fields. One significant domain to apply blockchain is identity management. In traditional identity management, a centralized identity provider, representing a trusted third party, supplies digital identities and their attributes. The identity provider controls and owns digital identities instead of the associated subjects and therefore constitutes a single point of failure and compromise. To overcome the need for this trusted third party, blockchain enables the creation of a decentralized identity provider serving digital identities that are under full control of the associated subject. In this paper, we outline the design and implementation of a decentralized identity provider using an unpermissioned blockchain. Digital identities are partially stored on the blockchain and their attributes are modelled as verifiable claims, consisting of claims and attestations. In addition to that, the identity provider implements the OpenID Connect protocol to promote seamless integration into existing application landscapes. We provide a sample authentication workflow for a user at an online shop to show practical feasibility.
10.
Grüner, A., Mühle, A., Gayvoronskaya, T., Meinel, C.: A Quantifiable Trust Model for Blockchain-Based Identity Management. Proceedings of the 2018 International Conference on Blockchain. IEEE, Halifax, Canada (2018).
Abstract: Removing the need for a trusted third party, blockchain technology revolutionizes the field of identity management. Service providers rely on digital identities to securely identify, authenticate and authorize users to their services. Traditionally, these digital identities are offered by a central identity provider belonging to a specific organisation. Trust in the digital identity mainly originates from the identity provider's reputation, organizational functioning and contractual obligations. Blockchain technology enables the creation of decentralized identity management without a central identity provider as trusted third party. Therefore, the derivation of trust in digital identities within this paradigm requires a distinct approach. In this paper, we propose a novel general quantifiable trust model and a specific implementation variant for blockchain-based identity management. Applying the model, trust is deduced in a decentralized manner from attestations of claims and applied to the associated digital identity. This concept replaces trust in a central identity provider by aggregated trust in attestation issuers. Thus, it promotes self-sovereign identities to be fit for purpose. The calculated numerical trust metric serves as an independent basis for the definition of assurance levels to simplify and automate reasoning about trust by service providers without requiring a dedicated evaluation of a trusted third party.