DID Link: Authentication in TLS with Decentralized Identifiers and Verifiable Credentials (2405.07533v3)
Abstract: Authentication in TLS is predominantly carried out with X.509 digital certificates issued by certificate authorities (CAs). The centralized nature of current public key infrastructures, however, carries severe risks, such as single points of failure and susceptibility to cyber-attacks, potentially undermining the security and trustworthiness of the entire system. With Decentralized Identifiers (DIDs) alongside distributed ledger technology, it becomes technically feasible to prove ownership of a unique identifier without requiring an attestation of the proof's public key by a centralized and therefore vulnerable CA. This article presents DID Link, a novel authentication scheme for TLS 1.3 that empowers entities to authenticate in a TLS-compliant way with self-issued X.509 certificates that are equipped with ledger-anchored DIDs instead of CA-issued identifiers. It facilitates the exchange of tamper-proof and third-party-attested claims in the form of DID-bound Verifiable Credentials after the TLS handshake to complete the authentication with a full identification of the communication partner. A prototypical implementation shows comparable TLS handshake durations for DID Link if verification material is cached and reasonable prolongations if it is obtained from a ledger. The significant speed improvement of the resulting TLS channel over a widely used, DID-based alternative transport protocol on the application layer demonstrates the potential of DID Link to become a viable solution for the establishment of secure and trustful end-to-end communication links with decentrally managed digital identities.