-
DIDChain: Advancing Supply Chain Data Management with Decentralized Identifiers and Blockchain
Authors:
Patrick Herbke,
Sid Lamichhane,
Kaustabh Barman,
Sanjeet Raj Pandey,
Axel Küpper,
Andreas Abraham,
Markus Sabadello
Abstract:
Supply chain data management faces challenges in traceability, transparency, and trust. These issues stem from data silos and communication barriers. This research introduces DIDChain, a framework leveraging blockchain technology, Decentralized Identifiers, and the InterPlanetary File System. DIDChain improves supply chain data management. To address privacy concerns, DIDChain employs a hybrid blockchain architecture that combines public blockchain transparency with the control of private systems. Our hybrid approach preserves the authenticity and reliability of supply chain events. It also respects the data privacy requirements of the participants in the supply chain. Central to DIDChain is the cheqd infrastructure. The cheqd infrastructure enables digital tracing of asset events, such as an asset moving from the milk-producing dairy farm to the cheese manufacturer. In this research, assets are raw materials and products. The cheqd infrastructure ensures the traceability and reliability of assets in the management of supply chain data. Our contribution to blockchain-enabled supply chain systems demonstrates the robustness of DIDChain. Integrating blockchain technology through DIDChain offers a solution to data silos and communication barriers. With DIDChain, we propose a framework to transform the supply chain infrastructure across industries.
Submitted 17 June, 2024;
originally announced June 2024.
-
DID Link: Authentication in TLS with Decentralized Identifiers and Verifiable Credentials
Authors:
Sandro Rodriguez Garzon,
Dennis Natusch,
Artur Philipp,
Axel Küpper,
Hans Joachim Einsiedler,
Daniela Schneider
Abstract:
Authentication in TLS is predominantly carried out with X.509 digital certificates issued by certificate authorities (CA). The centralized nature of current public key infrastructures, however, comes along with severe risks, such as single points of failure and susceptibility to cyber-attacks, potentially undermining the security and trustworthiness of the entire system. With Decentralized Identifiers (DID) alongside distributed ledger technology, it becomes technically feasible to prove ownership of a unique identifier without requiring an attestation of the proof's public key by a centralized and therefore vulnerable CA. This article presents DID Link, a novel authentication scheme for TLS 1.3 that empowers entities to authenticate in a TLS-compliant way with self-issued X.509 certificates that are equipped with ledger-anchored DIDs instead of CA-issued identifiers. It facilitates the exchange of tamper-proof and 3rd-party attested claims in the form of DID-bound Verifiable Credentials after the TLS handshake to complete the authentication with a full identification of the communication partner. A prototypical implementation shows comparable TLS handshake durations of DID Link if verification material is cached and reasonable prolongations if it is obtained from a ledger. The significant speed improvement of the resulting TLS channel over a widely used, DID-based alternative transport protocol on the application layer demonstrates the potential of DID Link to become a viable solution for the establishment of secure and trustful end-to-end communication links with decentrally managed digital identities.
Submitted 14 May, 2024; v1 submitted 13 May, 2024;
originally announced May 2024.
-
Beyond Certificates: 6G-ready Access Control for the Service-Based Architecture with Decentralized Identifiers and Verifiable Credentials
Authors:
Sandro Rodriguez Garzon,
Hai Dinh Tuan,
Maria Mora Martinez,
Axel Küpper,
Hans Joachim Einsiedler,
Daniela Schneider
Abstract:
Next generation mobile networks are poised to transition from monolithic structures owned and operated by single mobile network operators into multi-stakeholder networks where various parties contribute with infrastructure, resources, and services. However, a federation of networks and services brings along a crucial challenge: Guaranteeing secure and trustworthy access control among network entities of different administrative domains. This paper introduces a novel technical concept and a prototype, outlining and implementing a 5G Service-Based Architecture that utilizes Decentralized Identifiers and Verifiable Credentials instead of traditional X.509 certificates and OAuth2.0 access tokens to authenticate and authorize network functions among each other across administrative domains. This decentralized approach to identity and permission management for network functions reduces the risk of single points of failure associated with centralized public key infrastructures. It unifies access control mechanisms and lays the groundwork for less complex and more trustful cross-domain key management for highly collaborative network functions in a multi-party Service-Based Architecture of 6G.
Submitted 23 February, 2024; v1 submitted 30 October, 2023;
originally announced October 2023.
-
DAXiot: A Decentralized Authentication and Authorization Scheme for Dynamic IoT Networks
Authors:
Artur Philipp,
Axel Küpper
Abstract:
Federated and decentralized networks supporting frequently changing system participants are a requirement for future Internet of Things (IoT) use cases. IoT devices and networks often lack adequate authentication and authorization mechanisms, resulting in insufficient privacy for entities in such systems. In this work we address both issues by designing a privacy-preserving challenge-response style authentication and authorization scheme based on Decentralized Identifiers and Verifiable Credentials. Our solution allows a decentralized permission management of frequently changing network participants and supports authenticated encryption for data confidentiality. We demonstrate our solution in an MQTT 5.0 scenario and evaluate its security, privacy guarantees, and performance.
Submitted 15 July, 2023; v1 submitted 13 July, 2023;
originally announced July 2023.
-
A Tutorial on the Interoperability of Self-sovereign Identities
Authors:
Hakan Yildiz,
Axel Küpper,
Dirk Thatmann,
Sebastian Göndör,
Patrick Herbke
Abstract:
Self-sovereign identity is the latest digital identity paradigm that allows users, organizations, and things to manage identity in a decentralized fashion without any central authority controlling the process of issuing identities and verifying assertions. Following this paradigm, implementations have emerged in recent years, with some having different underlying technologies. These technological differences often create interoperability problems between software from different implementations that interacts with each other. Although a common problem, there is no common understanding of self-sovereign identity interoperability. In the context of this tutorial, we create a definition of interoperability of self-sovereign identities to enable a common understanding. Moreover, due to the decentralized nature, interoperability of self-sovereign identities depends on multiple components, such as ones responsible for establishing trust or enabling secure communication between entities without centralized authorities. To understand those components and their dependencies, we also present a reference model that maps the required components and considerations that build up a self-sovereign identity implementation. The reference model helps address the question of how to achieve interoperability between different implementations.
Submitted 8 August, 2022;
originally announced August 2022.
-
Blade: A Blockchain-supported Architecture for Decentralized Services
Authors:
Sebastian Göndör,
Hakan Yildiz,
Martin Westerkamp,
Axel Küpper
Abstract:
Decentralized services and applications provide a multitude of advantages for their users, such as improved privacy, control, and independence from third parties. Anyhow, decentralization comes at the cost of certain disadvantages, such as increased application complexity or communication overhead. This aggravates the development and deployment of decentralized services and applications. In this paper we present Blade, a software platform that aims to ease the effort of development, deployment, and administration of decentralized services by implementing reusable solutions for recurring challenges developers are facing when designing decentralized service architectures. This includes functionality for e.g. identity management, access control, request handling, verification of authenticity and integrity, discovery, or routing. Blade implements all this functionality in a Blade server instance, which can be deployed on a lightweight device, such as a NAS, Raspberry Pi, or router at home. This allows users without expert knowledge to run a Blade instance with already existing hardware with little overhead. Blade supports polyglot Blade modules that implement extended functionality, such as interfaces, frontends, and business logic of decentralized applications, e.g. a decentralized instant messaging service or an online social network. Based on the Oracle GraalVM, Blade modules can be implemented in a variety of programming languages and utilize the functionality provided by the Blade server instance. Blade modules are published in an Ethereum-based decentralized marketplace from where they can be installed directly via the Blade instances...
Submitted 29 July, 2022;
originally announced July 2022.
-
Towards Decentralized Identity Management in Multi-stakeholder 6G Networks
Authors:
Sandro Rodriguez Garzon,
Hakan Yildiz,
Axel Küpper
Abstract:
Trust-building mechanisms among network entities of different administrative domains will gain significant importance in 6G because a future mobile network will be operated cooperatively by a variety of different stakeholders rather than by a single mobile network operator. The use of trusted third party issued certificates for initial trust establishment in multi-stakeholder 6G networks is only advisable to a limited extent, as trusted third parties not only represent single points of failure or attack, but they also cannot guarantee global independence due to national legislation and regulatory or political influence. This article proposes to decentralize identity management in 6G networks to enable secure mutual authentication between network entities of different trust domains without relying on a trusted third party and to empower network entities with the ability to shape and strengthen cross-domain trust relationships by the exchange of verifiable credentials. A reference model for decentralized identity management in 6G is given as an initial guide for the fundamental design of a common identity management system whose operation and governance are distributed equally across multiple trust domains of interconnected and multi-stakeholder 6G ecosystems.
Submitted 11 July, 2022; v1 submitted 1 March, 2022;
originally announced March 2022.
-
SmartSync: Cross-Blockchain Smart Contract Interaction and Synchronization
Authors:
Martin Westerkamp,
Axel Küpper
Abstract:
Cross-Blockchain communication has gained traction due to the increasing fragmentation of blockchain networks and scalability solutions such as side-chaining and sharding. With SmartSync, we propose a novel concept for cross-blockchain smart contract interactions that creates client contracts on arbitrary blockchain networks supporting the same execution environment. Client contracts mirror the logic and state of the original instance and enable seamless on-chain function executions providing recent states. Synchronized contracts supply instant read-only function calls to other applications hosted on the target blockchain. Hereby, current limitations in cross-chain communication are alleviated and new forms of contract interactions are enabled. State updates are transmitted in a verifiable manner using Merkle proofs and do not require trusted intermediaries. To permit lightweight synchronizations, we introduce transition confirmations that facilitate the application of verifiable state transitions without re-executing transactions of the source blockchain. We prove the concept's soundness by providing a prototypical implementation that enables smart contract forks, state synchronizations, and on-chain validation on EVM-compatible blockchains. Our evaluation demonstrates SmartSync's applicability for presented use cases providing access to recent states to third-party contracts on the target blockchain. Execution costs scale sub-linearly with the number of value updates and depend on the depth and index of corresponding Merkle proofs.
Submitted 21 January, 2022;
originally announced January 2022.
-
Decentralized Identifiers and Self-sovereign Identity in 6G
Authors:
Sandro Rodriguez Garzon,
Hakan Yildiz,
Axel Küpper
Abstract:
A key challenge for mobile network operators in 6G is to bring together and orchestrate a variety of new emerging players of today's mobile ecosystems in order to provide economically viable and seamless mobile connectivity in the form of a multi-stakeholder service. With each new player, be it a cloud, edge or hardware provider, the need for interfaces with secure authentication and authorization mechanisms increases, as does the complexity and operational costs of the public key infrastructures required for the identity and key management. While today's centralized public key infrastructures have proven to be technically feasible in confined and trusted spaces, they do not provide the required security for access control once centralized identity providers must be avoided because of limited cross-domain interoperability, national data protection legislation, or geopolitical-strategic reasons. Recent decentralized identity management concepts, such as the W3C recommendation of Decentralized Identifiers, provide a secure, tamper-proof, and cross-domain identity management alternative for future multi-stakeholder 6G networks without relying on centralized identity providers or certification authorities. This article introduces the concept of Decentralized Identifiers together with the principles of Self-sovereign Identity and discusses opportunities and potential benefits of their application and usage for cross-domain and privacy-preserving identity and key management in 6G networks.
Submitted 4 August, 2022; v1 submitted 17 December, 2021;
originally announced December 2021.
-
Anomaly Detection with HMM Gauge Likelihood Analysis
Authors:
Boris Lorbeer,
Tanja Deutsch,
Peter Ruppel,
Axel Küpper
Abstract:
This paper describes a new method, HMM gauge likelihood analysis, or GLA, of detecting anomalies in discrete time series using Hidden Markov Models and clustering. At the center of the method lies the comparison of subsequences. To achieve this, they first get assigned to their Hidden Markov Models using the Baum-Welch algorithm. Next, those models are described by an approximating representation of the probability distributions they define. Finally, this representation is then analyzed with the help of some clustering technique or other outlier detection tool and anomalies are detected. Clearly, HMMs could be substituted by some other appropriate model, e.g. some other dynamic Bayesian network. Our learning algorithm is unsupervised, so it does not require the labeling of large amounts of data. The usability of this method is demonstrated by applying it to synthetic and real-world syslog data.
Submitted 19 September, 2020; v1 submitted 14 June, 2019;
originally announced June 2019.
-
Blockchain-based Supply Chain Traceability: Token Recipes model Manufacturing Processes
Authors:
Martin Westerkamp,
Friedhelm Victor,
Axel Küpper
Abstract:
Growing consumer awareness as well as manufacturers' internal quality requirements lead to novel demands on supply chain traceability. Existing centralized solutions suffer from isolated data storage and lacking trust when multiple parties are involved. Decentralized blockchain-based approaches attempt to overcome these shortcomings by creating digital representations of physical goods to facilitate tracking across multiple entities. However, they currently do not capture the transformation of goods in manufacturing processes. Therefore, the relation between ingredients and product is lost, limiting the ability to trace a product's provenance. We propose a blockchain-based supply chain traceability system using smart contracts. In such contracts, manufacturers define the composition of products in the form of recipes. Each ingredient of the recipe is a non-fungible token that corresponds to a batch of physical goods. When the recipe is applied, its ingredients are consumed and a new token is produced. This mechanism preserves the traceability of product transformations. The system is implemented for the Ethereum Virtual Machine and is applicable to any blockchain configuration that supports it. Our evaluation reveals that the gas costs scale linearly with the number of products considered in the system. This leads to the conclusion that the solution can handle complex use cases.
Submitted 15 October, 2018;
originally announced October 2018.
-
Cross-Domain Discovery of Communication Peers. Identity Mapping and Discovery Services (IMaDS)
Authors:
Ingo Friese,
Rebecca Copeland,
Sebastian Göndör,
Felix Beierle,
Axel Küpper,
Ricardo Lopes Pereira,
Jean-Michel Crom
Abstract:
The upcoming WebRTC-based browser-to-browser communication services present new challenges for user discovery in peer-to-peer mode. Even more so, if we wish to enable different web communication services to interact. This paper presents Identity Mapping and Discovery Service (IMaDS), a global, scalable, service independent discovery service that enables users of web-based peer-to-peer applications to discover other users with whom to communicate. It also provides reachability and presence information. For that, user identities need to be mapped to any compatible service identity as well as to a globally unique, service-independent identity. This mapping and discovery process is suitable for multiple identifier formats and personal identifying properties, but it supports user-determined privacy options. IMaDS operates across different service domains dynamically, using context information. Users and devices have profiles containing context and other specific information that can be discovered by a search engine. The search results reveal the user's allocated globally unique identifier (GUID), which is then resolved to a list of the user's service domain identities, using a DHT-based directory service. Service-specific directories allow tracking of active endpoints, where users are currently logged on and can be contacted.
Submitted 17 November, 2017; v1 submitted 28 April, 2017;
originally announced April 2017.
-
Cloud Service Matchmaking Approaches: A Systematic Literature Survey
Authors:
Begüm İlke Zilci,
Mathias Slawik,
Axel Küpper
Abstract:
Service matching concerns finding suitable services according to the service requester's requirements, which is a complex task due to the increasing number and diversity of cloud services available. Service matching is discussed in web services composition and user-oriented service marketplaces contexts. The suggested approaches have different problem definitions and have to be examined closer in order to identify comparable results and to find out which approaches have built on the former ones. One of the most important use cases is service requesters with limited technical knowledge who need to compare services based on their QoS requirements in cloud service marketplaces. Our survey examines the service matching approaches in order to find out the relation between their context and their objectives. Moreover, it evaluates their applicability for the cloud service marketplaces context.
Submitted 22 July, 2016;
originally announced July 2016.
-
Cloud Service Matchmaking using Constraint Programming
Authors:
Begüm İlke Zilci,
Mathias Slawik,
Axel Küpper
Abstract:
Service requesters with limited technical knowledge should be able to compare services based on their quality of service (QoS) requirements in cloud service marketplaces. Existing service matching approaches focus on QoS requirements as discrete numeric values and intervals. The analysis of existing research on non-functional properties reveals two improvement opportunities: list-typed QoS properties as well as explicit handling of preferences for lower or higher property values. We develop a concept and constraint models for a service matcher which contributes to existing approaches by addressing these issues using constraint solvers. The prototype uses an API at the standardisation stage and discovers implementation challenges. This paper concludes that constraint solvers provide a valuable tool to solve the service matching problem with soft constraints and are capable of covering all QoS property types in our analysis. Our approach is to be further investigated in the application context of cloud federations.
Submitted 22 July, 2016;
originally announced July 2016.
-
The Open Service Compendium. Business-pertinent Cloud Service Discovery, Assessment, and Selection
Authors:
Mathias Slawik,
Begüm İlke Zilci,
Fabian Knaack,
Axel Küpper
Abstract:
When trying to discover, assess, and select cloud services, companies face many challenges, such as fast-moving markets, vast numbers of offerings, and highly ambiguous selection criteria. This publication presents the Open Service Compendium (OSC), an information system which supports businesses in their discovery, assessment and cloud service selection by offering a simple dynamic service description language, business-pertinent vocabularies, as well as matchmaking functionality. It contributes to the state of the art by offering a more practical, mature, simple, and usable approach than related works.
Submitted 25 August, 2015;
originally announced August 2015.