The Power of Many: Securing Organisational Identity Through Distributed Key Management

Varování

Publikace nespadá pod Pedagogickou fakultu, ale pod Fakultu informatiky. Oficiální stránka publikace je na webu muni.cz.
Autoři

BAKHTINA Mariia KVAPIL Jan ŠVENDA Petr MATULEVICIUS Raimundas

Rok publikování 2024
Druh Článek ve sborníku
Konference Advanced Information Systems Engineering (CAiSE 24)
Fakulta / Pracoviště MU

Fakulta informatiky

Citace
www https://link.springer.com/chapter/10.1007/978-3-031-61057-8_28
Doi http://dx.doi.org/10.1007/978-3-031-61057-8_28
Klíčová slova distributed control;key management; organisational digital identity; security; threshold signatures; zero trust
Popis Organisational Digital Identity (ODI) often relies on the credentials and keys being controlled by a single person-representative. Moreover, some Information Systems (IS) outsource the key management to a third-party controller. Both the centralisation and outsourcing of the keys threaten data integrity within the IS, allegedly provided by a trusted organisation. Also, outsourcing the control prevents an organisation from cryptographically enforcing custom policies, e.g. time-based, regarding the data originating from it. To address this, we propose a Distributed Key Management System (DKMS) that eliminates the risks associated with centralised control over an organisation's identity and allows organisation-enforceable policies. The DKMS employs threshold signatures to directly involve multiple organisation's representatives (e.g. employees, IS components, and external custodians) in data signing on its behalf. The threshold signature creation and, therefore, the custom signing policy inclusion, is fully backwards compatible with commonly used signing schemes, such as RSA or ECDSA. The feasibility of the proposed system is shown in an example data exchange system, X-Road. The implementation confirms the ability of the design to achieve distributed control over the ODI during the operational key phase. Excluding a network delay, the implementation introduces less than 200ms overhead compared to the built-in signing solution.
Související projekty:

Používáte starou verzi internetového prohlížeče. Doporučujeme aktualizovat Váš prohlížeč na nejnovější verzi.