D 2024

The Power of Many: Securing Organisational Identity Through Distributed Key Management

BAKHTINA, Mariia, Jan KVAPIL, Petr ŠVENDA and Raimundas MATULEVICIUS

Basic information

Original name

The Power of Many: Securing Organisational Identity Through Distributed Key Management

Authors

BAKHTINA, Mariia, Jan KVAPIL (203 Czech Republic, guarantor, belonging to the institution), Petr ŠVENDA (203 Czech Republic, belonging to the institution) and Raimundas MATULEVICIUS

Edition

Cham (Switzerland), Advanced Information Systems Engineering (CAiSE 24), p. 475-491, 17 pp. 2024

Publisher

Springer Nature Switzerland

Other information

Language

English

Type of outcome

Article in proceedings

Field of Study

10201 Computer sciences, information science, bioinformatics

Country of publisher

Switzerland

Confidentiality degree

is not subject to a state or trade secret

Publication form

electronic version available online

Organization unit

Faculty of Informatics

ISBN

978-3-031-61056-1

Keywords in English

distributed control; key management; organisational digital identity; security; threshold signatures; zero trust

Tags

International impact, Reviewed
Changed: 5/9/2024 15:41, RNDr. Pavel Šmerk, Ph.D.

Abstract

In the original

Organisational Digital Identity (ODI) often relies on the credentials and keys being controlled by a single person-representative. Moreover, some Information Systems (IS) outsource the key management to a third-party controller. Both the centralisation and outsourcing of the keys threaten data integrity within the IS, allegedly provided by a trusted organisation. Also, outsourcing the control prevents an organisation from cryptographically enforcing custom policies, e.g. time-based, regarding the data originating from it. To address this, we propose a Distributed Key Management System (DKMS) that eliminates the risks associated with centralised control over an organisation's identity and allows organisation-enforceable policies. The DKMS employs threshold signatures to directly involve multiple organisation's representatives (e.g. employees, IS components, and external custodians) in data signing on its behalf. The threshold signature creation and, therefore, the custom signing policy inclusion, is fully backwards compatible with commonly used signing schemes, such as RSA or ECDSA. The feasibility of the proposed system is shown in an example data exchange system, X-Road. The implementation confirms the ability of the design to achieve distributed control over the ODI during the operational key phase. Excluding a network delay, the implementation introduces less than 200ms overhead compared to the built-in signing solution.

Links

MUNI/A/1586/2023, internal MU code
Name: Aplikovaný výzkum na FI: Forenzní aspekty kritických infrastruktur, aplikovaná kryptografie, kyberbezpečnostní cvičení, algoritmy plánování v logistice a pro zpracování dat z fyzikálních sensorů
Investor: Masaryk University, Applied research at FI: Forensic aspects of critical infrastructures, applied cryptography, cybersecurity trainings, scheduling algorithms logistics and algorithms for physical sensors
101087529, internal MU code
Name: Cyber-security Excellence Hub in Estonia and South Moravia (CHESS)
Investor: European Union, Cyber-security Excellence Hub in Estonia and South Moravia (CHESS), Widening participation and strengthening the European Research Area