The Power of Many: Securing Organisational Identity Through
Distributed Key Management

D 2024

The Power of Many: Securing Organisational Identity Through Distributed Key Management

BAKHTINA, Mariia, Jan KVAPIL, Petr ŠVENDA a Raimundas MATULEVICIUS

Základní údaje

Originální název

The Power of Many: Securing Organisational Identity Through Distributed Key Management

Autoři

BAKHTINA, Mariia, Jan KVAPIL (203 Česká republika, garant, domácí), Petr ŠVENDA (203 Česká republika, domácí) a Raimundas MATULEVICIUS

Vydání

Cham (Switzerland), Advanced Information Systems Engineering (CAiSE 24), od s. 475-491, 17 s. 2024

Nakladatel

Springer Nature Switzerland

Další údaje

Jazyk

angličtina

Typ výsledku

Stať ve sborníku

Obor

10201 Computer sciences, information science, bioinformatics

Stát vydavatele

Švýcarsko

Utajení

není předmětem státního či obchodního tajemství

Forma vydání

elektronická verze "online"

Odkazy

URL

Organizační jednotka

Fakulta informatiky

ISBN

978-3-031-61056-1

DOI

http://dx.doi.org/10.1007/978-3-031-61057-8_28

Klíčová slova anglicky

distributed control;key management; organisational digital identity; security; threshold signatures; zero trust

Štítky

authentication, smart cards

Příznaky

Mezinárodní význam, Recenzováno

Změněno: 5. 9. 2024 15:41, RNDr. Pavel Šmerk, Ph.D.

Anotace

V originále

Organisational Digital Identity (ODI) often relies on the credentials and keys being controlled by a single person-representative. Moreover, some Information Systems (IS) outsource the key management to a third-party controller. Both the centralisation and outsourcing of the keys threaten data integrity within the IS, allegedly provided by a trusted organisation. Also, outsourcing the control prevents an organisation from cryptographically enforcing custom policies, e.g. time-based, regarding the data originating from it. To address this, we propose a Distributed Key Management System (DKMS) that eliminates the risks associated with centralised control over an organisation's identity and allows organisation-enforceable policies. The DKMS employs threshold signatures to directly involve multiple organisation's representatives (e.g. employees, IS components, and external custodians) in data signing on its behalf. The threshold signature creation and, therefore, the custom signing policy inclusion, is fully backwards compatible with commonly used signing schemes, such as RSA or ECDSA. The feasibility of the proposed system is shown in an example data exchange system, X-Road. The implementation confirms the ability of the design to achieve distributed control over the ODI during the operational key phase. Excluding a network delay, the implementation introduces less than 200ms overhead compared to the built-in signing solution.

Návaznosti

MUNI/A/1586/2023, interní kód MU

Název: Aplikovaný výzkum na FI: Forenzní aspekty kritických infrastruktur, aplikovaná kryptografie, kyberbezpečnostní cvičení, algoritmy plánování v logistice a pro zpracování dat z fyzikálních sensorů

Investor: Masarykova univerzita, Aplikovaný výzkum na FI: Forenzní aspekty kritických infrastruktur, aplikovaná kryptografie, kyberbezpečnostní cvičení, algoritmy plánování v logistice a pro zpracování dat z fyzikálních sensorů

101087529, interní kód MU

Název: Cyber-security Excellence Hub in Estonia and South Moravia (CHESS)

Investor: Evropská unie, Cyber-security Excellence Hub in Estonia and South Moravia (CHESS), Rozšiřování účasti a posílení ERA

Citovat

BAKHTINA, Mariia, Jan KVAPIL, Petr ŠVENDA a Raimundas MATULEVICIUS. The Power of Many: Securing Organisational Identity Through Distributed Key Management. Online. In Advanced Information Systems Engineering (CAiSE 24). Cham (Switzerland): Springer Nature Switzerland, 2024, s. 475-491. ISBN 978-3-031-61056-1. Dostupné z: https://dx.doi.org/10.1007/978-3-031-61057-8_28.

@inproceedings{2424077,
   author = {Bakhtina, Mariia and Kvapil, Jan and Švenda, Petr and Matulevicius, Raimundas},
   address = {Cham (Switzerland)},
   booktitle = {Advanced Information Systems Engineering (CAiSE 24)},
   doi = {http://dx.doi.org/10.1007/978-3-031-61057-8_28},
   keywords = {distributed control;key management; organisational digital identity; security; threshold signatures; zero trust},
   howpublished = {elektronická verze "online"},
   language = {eng},
   location = {Cham (Switzerland)},
   isbn = {978-3-031-61056-1},
   pages = {475-491},
   publisher = {Springer Nature Switzerland},
   title = {The Power of Many: Securing Organisational Identity Through Distributed Key Management},
   url = {https://link.springer.com/chapter/10.1007/978-3-031-61057-8_28},
   year = {2024}
}

TY  - JOUR
ID  - 2424077
AU  - Bakhtina, Mariia - Kvapil, Jan - Švenda, Petr - Matulevicius, Raimundas
PY  - 2024
TI  - The Power of Many: Securing Organisational Identity Through Distributed Key Management
PB  - Springer Nature Switzerland
CY  - Cham (Switzerland)
SN  - 9783031610561
KW  - distributed control;key management
KW  - organisational digital identity
KW  - security
KW  - threshold signatures
KW  - zero trust
UR  - https://link.springer.com/chapter/10.1007/978-3-031-61057-8_28
N2  - Organisational Digital Identity (ODI) often relies on the credentials and keys being controlled by a single person-representative. Moreover, some Information Systems (IS) outsource the key management to a third-party controller. Both the centralisation and outsourcing of the keys threaten data integrity within the IS, allegedly provided by a trusted organisation. Also, outsourcing the control prevents an organisation from cryptographically enforcing custom policies, e.g. time-based, regarding the data originating from it. To address this, we propose a Distributed Key Management System (DKMS) that eliminates the risks associated with centralised control over an organisation's identity and allows organisation-enforceable policies. The DKMS employs threshold signatures to directly involve multiple organisation's representatives (e.g. employees, IS components, and external custodians) in data signing on its behalf. The threshold signature creation and, therefore, the custom signing policy inclusion, is fully backwards compatible with commonly used signing schemes, such as RSA or ECDSA. The feasibility of the proposed system is shown in an example data exchange system, X-Road. The implementation confirms the ability of the design to achieve distributed control over the ODI during the operational key phase. Excluding a network delay, the implementation introduces less than 200ms overhead compared to the built-in signing solution.
ER  -

BAKHTINA, Mariia, Jan KVAPIL, Petr ŠVENDA a Raimundas MATULEVICIUS. The Power of Many: Securing Organisational Identity Through Distributed Key Management. Online. In \textit{Advanced Information Systems Engineering (CAiSE 24)}. Cham (Switzerland): Springer Nature Switzerland, 2024, s.~475-491. ISBN~978-3-031-61056-1. Dostupné z: https://dx.doi.org/10.1007/978-3-031-61057-8\_{}28.

Podrobný výpis o publikaci