-
DID Link: Authentication in TLS with Decentralized Identifiers and Verifiable Credentials
Authors:
Sandro Rodriguez Garzon,
Dennis Natusch,
Artur Philipp,
Axel Küpper,
Hans Joachim Einsiedler,
Daniela Schneider
Abstract:
Authentication in TLS is predominately carried out with X.509 digital certificates issued by certificate authorities (CA). The centralized nature of current public key infrastructures, however, comes along with severe risks, such as single points of failure and susceptibility to cyber-attacks, potentially undermining the security and trustworthiness of the entire system. With Decentralized Identifiers (DID) alongside distributed ledger technology, it becomes technically feasible to prove ownership of a unique identifier without requiring an attestation of the proof's public key by a centralized and therefore vulnerable CA. This article presents DID Link, a novel authentication scheme for TLS 1.3 that empowers entities to authenticate in a TLS-compliant way with self-issued X.509 certificates that are equipped with ledger-anchored DIDs instead of CA-issued identifiers. It facilitates the exchange of tamper-proof and 3rd-party attested claims in the form of DID-bound Verifiable Credentials after the TLS handshake to complete the authentication with a full identification of the communication partner. A prototypical implementation shows comparable TLS handshake durations of DID Link if verification material is cached and reasonable prolongations if it is obtained from a ledger. The significant speed improvement of the resulting TLS channel over a widely used, DID-based alternative transport protocol on the application layer demonstrates the potential of DID Link to become a viable solution for the establishment of secure and trustful end-to-end communication links with decentrally managed digital identities.
Submitted 14 May, 2024; v1 submitted 13 May, 2024;
originally announced May 2024.
-
Beyond Certificates: 6G-ready Access Control for the Service-Based Architecture with Decentralized Identifiers and Verifiable Credentials
Authors:
Sandro Rodriguez Garzon,
Hai Dinh Tuan,
Maria Mora Martinez,
Axel Küpper,
Hans Joachim Einsiedler,
Daniela Schneider
Abstract:
Next generation mobile networks are poised to transition from monolithic structures owned and operated by single mobile network operators into multi-stakeholder networks where various parties contribute with infrastructure, resources, and services. However, a federation of networks and services brings along a crucial challenge: Guaranteeing secure and trustworthy access control among network entities of different administrative domains. This paper introduces a novel technical concept and a prototype, outlining and implementing a 5G Service-Based Architecture that utilizes Decentralized Identifiers and Verifiable Credentials instead of traditional X.509 certificates and OAuth2.0 access tokens to authenticate and authorize network functions among each other across administrative domains. This decentralized approach to identity and permission management for network functions reduces the risk of single points of failure associated with centralized public key infrastructures. It unifies access control mechanisms and lays the groundwork for lesser complex and more trustful cross-domain key management for highly collaborative network functions in a multi-party Service-Based Architecture of 6G.
Submitted 23 February, 2024; v1 submitted 30 October, 2023;
originally announced October 2023.
-
Development Frameworks for Microservice-based Applications: Evaluation and Comparison
Authors:
Hai Dinh-Tuan,
Maria Mora-Martinez,
Felix Beierle,
Sandro Rodriguez Garzon
Abstract:
The microservice architectural style has gained much attention from both academia and industry recently as a novel way to design, develop, and deploy cloud-native applications. This concept encourages the decomposition of a monolith into multiple independently deployable units. A typical microservices-based application is formed of two service types: functional services, which provide the core business logic, and infrastructure services, which provide essential functionalities for a microservices ecosystem. To improve developers' productivity, many software frameworks have been developed to provide those reusable infrastructure services, allowing programmers to focus on implementing microservices in arbitrary ways. In this work, we made use of four open source frameworks to develop a cloud-based application in order to compare and evaluate their usability and practicability. While all selected frameworks promote asynchronous microservice design in general, there are differences in the ways each implements services. This leads to interoperability issues, such as message topic naming convention. Additionally, a key finding is the long startup times of JVM-based services that might reduce application's resiliency and portability. Some other advantages come directly from the programming language, such as the ability of Go to generate native binary executables, which results in very small and compact Docker images (up to 78% smaller compared to other languages).
Submitted 14 March, 2022;
originally announced March 2022.
-
Towards Decentralized Identity Management in Multi-stakeholder 6G Networks
Authors:
Sandro Rodriguez Garzon,
Hakan Yildiz,
Axel Küpper
Abstract:
Trust-building mechanisms among network entities of different administrative domains will gain significant importance in 6G because a future mobile network will be operated cooperatively by a variety of different stakeholders rather than by a single mobile network operator. The use of trusted third party issued certificates for initial trust establishment in multi-stakeholder 6G networks is only advisable to a limited extent, as trusted third parties not only represent single point of failures or attacks, but they also cannot guarantee global independence due to national legislation and regulatory or political influence. This article proposes to decentralize identity management in 6G networks to enable secure mutual authentication between network entities of different trust domains without relying on a trusted third party and to empower network entities with the ability to shape and strengthen cross-domain trust relationships by the exchange of verifiable credentials. A reference model for decentralized identity management in 6G is given as an initial guide for the fundamental design of a common identity management system whose operation and governance are distributed equally across multiple trust domains of interconnected and multi-stakeholder 6G ecosystems.
Submitted 11 July, 2022; v1 submitted 1 March, 2022;
originally announced March 2022.
-
Decentralized Identifiers and Self-sovereign Identity in 6G
Authors:
Sandro Rodriguez Garzon,
Hakan Yildiz,
Axel Küpper
Abstract:
A key challenge for mobile network operators in 6G is to bring together and orchestrate a variety of new emerging players of today's mobile ecosystems in order to provide economically viable and seamless mobile connectivity in form of a multi-stakeholder service. With each new player, be it a cloud, edge or hardware provider, the need for interfaces with secure authentication and authorization mechanisms increases, as does the complexity and operational costs of the public key infrastructures required for the identity and key management. While today's centralized public key infrastructures have proven to be technically feasible in confined and trusted spaces, they do not provide the required security for access control once centralized identity providers must be avoided because of limited cross-domain interoperability, national data protection legislation, or geopolitical-strategic reasons. Recent decentralized identity management concepts, such as the W3C recommendation of Decentralized Identifiers, provide a secure, tamper-proof, and cross-domain identity management alternative for future multi-stakeholder 6G networks without relying on centralized identity provider or certification authorities. This article introduces the concept of Decentralized Identifiers together with the principles of Self-sovereign Identity and discusses opportunities and potential benefits of their application and usage for cross-domain and privacy-preserving identity and key management in 6G networks.
Submitted 4 August, 2022; v1 submitted 17 December, 2021;
originally announced December 2021.
-
MAIA: A Microservices-based Architecture for Industrial Data Analytics
Authors:
Hai Dinh-Tuan,
Felix Beierle,
Sandro Rodriguez Garzon
Abstract:
In recent decades, it has become a significant tendency for industrial manufacturers to adopt decentralization as a new manufacturing paradigm. This enables more efficient operations and facilitates the shift from mass to customized production. At the same time, advances in data analytics give more insights into the production lines, thus improving its overall productivity. The primary objective of this paper is to apply a decentralized architecture to address new challenges in industrial analytics. The main contributions of this work are therefore two-fold: (1) an assessment of the microservices' feasibility in industrial environments, and (2) a microservices-based architecture for industrial data analytics. Also, a prototype has been developed, analyzed, and evaluated, to provide further practical insights. Initial evaluation results of this prototype underpin the adoption of microservices in industrial analytics with less than 20ms end-to-end processing latency for predicting movement paths for 100 autonomous robots on a commodity hardware server. However, it also identifies several drawbacks of the approach, which is, among others, the complexity in structure, leading to higher resource consumption.
Submitted 16 May, 2019;
originally announced May 2019.