A Security Analysis of Blockchain-Based Did Services

Decentralized identifiers (DID) has shown great potential for sharing user identities across different domains and services without compromising user privacy. DID is designed to enable the minimum disclosure of the proof from a user’s credentials on a need-to-know basis with a contextualized delegation. At first glance, DID appears to be well-suited for this purpose. However, the overall security of DID has not been thoroughly examined. In this paper, we systemically explore key components of DID systems and analyze their possible vulnerabilities when deployed. First, we analyze the data flow between DID system components and analyze possible security threats. Next, we carefully identify potential security threats over seven different DID functional domains, ranging from user wallet to universal resolver. Lastly, we discuss the possible countermeasures against the security threats we identified.

[1]  Qing Li,et al.  Data Flow Diagram , 2009 .

[2]  Marc Eisenstadt,et al.  COVID-19 Antibody Test/Vaccination Certification: There's an App for That , 2020, IEEE Open Journal of Engineering in Medicine and Biology.

[3]  Huaqun Wang,et al.  Cryptanalysis of a Generalized Ring Signature Scheme , 2009, IEEE Transactions on Dependable and Secure Computing.

[4]  Laurent Vanbever,et al.  Hijacking Bitcoin: Routing Attacks on Cryptocurrencies , 2016, 2017 IEEE Symposium on Security and Privacy (SP).

[5]  Harry Halpin,et al.  Vision: A Critique of Immunity Passports and W3C Decentralized Identifiers , 2020, SSR.

[6]  Manel Guerrero Zapata,et al.  An ANFIS-based cache replacement method for mitigating cache pollution attacks in Named Data Networking , 2015, Comput. Networks.

[7]  Morris J. Dworkin,et al.  SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions , 2015 .

[8]  Aziz Mohaisen,et al.  Exploring the Attack Surface of Blockchain: A Systematic Overview , 2019, ArXiv.

[9]  Mauro Conti,et al.  A Survey of Man In The Middle Attacks , 2016, IEEE Communications Surveys & Tutorials.

[10]  Anne V. D. M. Kayem,et al.  A Cyber Risk Based Moving Target Defense Mechanism for Microservice Architectures , 2018, 2018 IEEE Intl Conf on Parallel & Distributed Processing with Applications, Ubiquitous Computing & Communications, Big Data & Cloud Computing, Social Computing & Networking, Sustainable Computing & Communications (ISPA/IUCC/BDCloud/SocialCom/SustainCom).

[11]  Laurent Vanbever,et al.  SABRE: Protecting Bitcoin against Routing Attacks , 2018, NDSS.

[12]  Mengjun Xie,et al.  Enhancing cache robustness for content-centric networking , 2012, 2012 Proceedings IEEE INFOCOM.

[13]  Xiaohong Yuan,et al.  Evaluating the effectiveness of Microsoft threat modeling tool , 2015, InfoSecCD.

[14]  Sachin Shetty,et al.  Air Gapped Wallet Schemes and Private Key Leakage in Permissioned Blockchain Platforms , 2019, 2019 IEEE International Conference on Blockchain (Blockchain).

[15]  A. S. Omar Decentralized Identity and Access Management Framework for Internet of Things Devices , 2020 .

[16]  Hugo Krawczyk,et al.  Cryptographic Extraction and Key Derivation: The HKDF Scheme , 2010, IACR Cryptol. ePrint Arch..

[17]  Martin Tompa,et al.  How to share a secret with cheaters , 1988, Journal of Cryptology.

[18]  Aziz Mohaisen,et al.  RouteChain: Towards Blockchain-based Secure and Efficient BGP Routing , 2019, 2019 IEEE International Conference on Blockchain and Cryptocurrency (ICBC).

[19]  David Chaum,et al.  Minimum Disclosure Proofs of Knowledge , 1988, J. Comput. Syst. Sci..

[20]  Cas J. F. Cremers,et al.  The Provable Security of Ed25519: Theory and Practice , 2021, 2021 IEEE Symposium on Security and Privacy (SP).

[21]  Giuseppe Ateniese,et al.  Redactable Blockchain – or – Rewriting History in Bitcoin and Friends , 2017, 2017 IEEE European Symposium on Security and Privacy (EuroS&P).

[22]  Mike Amundsen,et al.  Microservice Architecture: Aligning Principles, Practices, and Culture , 2016 .

[23]  Jerome H. Saltzer,et al.  Kerberos authentication and authorization system , 1987 .

[24]  David Blacka,et al.  Clarifications and Implementation Notes for DNS Security (DNSSEC) , 2013, RFC.

[25]  Caterina Urban,et al.  Formal analysis of Facebook Connect Single Sign-On authentication protocol , 2010 .

[26]  Seda F. Gürses,et al.  A critical review of 10 years of Privacy Technology , 2010 .

[27]  Andrea Vitaletti,et al.  Efficient Certification of Endpoint Control on Blockchain , 2020, IEEE Access.

[28]  Jan De Clercq,et al.  Single Sign-On Architectures , 2002, InfraSec.

[29]  Hugo Krawczyk,et al.  Chameleon Hashing and Signatures , 1998, IACR Cryptol. ePrint Arch..

[30]  Takayuki Sasaki,et al.  Alcatraz: Data Exfiltration-Resilient Corporate Network Architecture , 2018, 2018 IEEE 4th International Conference on Collaboration and Internet Computing (CIC).

[31]  Adi Shamir,et al.  How to share a secret , 1979, CACM.

[32]  Satyajayant Misra,et al.  Security, Privacy, and Access Control in Information-Centric Networking: A Survey , 2016, IEEE Communications Surveys & Tutorials.

[33]  Kim-Kwang Raymond Choo,et al.  Exfiltrating data from Android devices , 2015, Comput. Secur..

[34]  Adam Doupé,et al.  Inside a phisher's mind: Understanding the anti-phishing ecosystem through phishing kit analysis , 2018, 2018 APWG Symposium on Electronic Crime Research (eCrime).

[35]  K. Cameron,et al.  The Laws of Identity , 2005 .

[36]  Jim Groom,et al.  The Path to Self-Sovereign Identity , 2017 .

[37]  Yanick Fratantonio,et al.  ClickShield: Are You Hiding Something? Towards Eradicating Clickjacking on Android , 2018, CCS.

[38]  Robert K. Abercrombie,et al.  Towards Reducing the Data Exfiltration Surface for the Insider Threat , 2016, 2016 49th Hawaii International Conference on System Sciences (HICSS).

[39]  Yong Jin,et al.  A Detection Method Against DNS Cache Poisoning Attacks Using Machine Learning Techniques: Work in Progress , 2019, 2019 IEEE 18th International Symposium on Network Computing and Applications (NCA).

[40]  Daniel Slamanig,et al.  Fine-Grained and Controlled Rewriting in Blockchains: Chameleon-Hashing Gone Attribute-Based , 2019, NDSS.

[41]  Makoto Takemiya,et al.  Sora Identity: Secure, Digital Identity on the Blockchain , 2018, 2018 IEEE 42nd Annual Computer Software and Applications Conference (COMPSAC).

[42]  Simon S. Woo,et al.  Can We Create a Cross-Domain Federated Identity for the Industrial Internet of Things without Google? , 2020, IEEE Internet of Things Magazine.

[43]  Aziz Mohaisen,et al.  Partitioning Attacks on Bitcoin: Colliding Space, Time, and Logic , 2019, 2019 IEEE 39th International Conference on Distributed Computing Systems (ICDCS).

[44]  Li Fan,et al.  Web caching and Zipf-like distributions: evidence and implications , 1999, IEEE INFOCOM '99. Conference on Computer Communications. Proceedings. Eighteenth Annual Joint Conference of the IEEE Computer and Communications Societies. The Future is Now (Cat. No.99CH36320).