Professional Documents
Culture Documents
A New Approach To Constructing Decentralized Identifier For Secure and Flexible Key Rotation
A New Approach To Constructing Decentralized Identifier For Secure and Flexible Key Rotation
Abstract—Owing to the introduction of blockchain (BC) tech- model [3]–[7], including device management systems in IoT
nology, a decentralized identity (DID) model has been proposed to applications [8]–[10]. Each entity (person, thing, or collective)
replace conventional identity models based on centralized author- generates its own DID comprising a decentralized identi-
ities. The BC platform operated by various participants provides
a new root-of-trust functionality for entity identification and fier (dID) and the associated attributes without relying on
access control. Each entity generates and registers its own iden- any trusted third parties (TTPs), such as certificate author-
tifier and credential (public key) to the BC such that any entity ities (CAs) or service/identity providers. The attributes of
can obtain the other entity’s public key. When the corresponding the DID include security credentials (sCRs) based on the
private key is compromised, the key rotation to generate and reg- public- and private-key pairs for entity identification and
ister a new key pair should be performed. However, the current
approach for cryptographically binding a decentralized identi- access control, as well as the entity description for mapping
fier with a public key induces a serious security problem that it to a real-world entity [e.g., a user’s e-mail address or the
results in both identity-stealing attacks and multiple identifiers medium access control (MAC) address of an IoT device]. Self-
for a single entity. A new DID to address the security problem sovereignty over identity is achieved when each entity can
above is proposed herein, which is based on a newly proposed control its identity, as well as when central authorities (TTPs)
cryptographic primitive (infinite one-way hash chain), as well as
its security analysis and performance evaluation on Hyperledger have no authority over them [11].
Fabric and Contiki Cooja simulator. To demonstrate the appli- As the BC is a framework for DID management, four oper-
cability of the proposed DID to various security protocols, an ations are applied to the DID—creation, registration, update,
authenticated key exchange protocol is also designed. and deletion of the DID—all of which should be initiated
Index Terms—Blockchain (BC), decentralized identity (DID), entirely by the entity (DID owner) and validated using the
hyperledger fabric, identity-stealing attack, infinite one-way hash chaincode (or smart contract) of the BC. Three security-related
chain, key rotation, root-of-trust. issues are associated with DID management–key recovery, ID
squatting, and key rotation.
A key recovery mechanism should be provided when
I. I NTRODUCTION the private key of the entity is lost. Without the key
DENTITY management models, such as the silo, feder-
I ated identity, and user-centric identity models, have evolved
over the last three decades to reduce the number of identities
recovery mechanism, the dID associated with it no longer
belongs to the original entity. Recently, a key recovery
mechanism [12] known as “key sharding” based on Shamir’s
maintained by each entity for multiple service providers and secret sharing [13] has been proposed, where the private key
to return identity control to the entity. In particular, the iden- is segregated into N shards, and each of them is distributed to
tity management of the Internet of Things (IoT) has gained N trusted entities. During a loss, the original entity requests
increasing significance as it includes not only the user identi- K (< N) shards of the key from N trusted entities, where K is
fication for controlling access to various devices and services the number of distinct shards required for the recovery. Upon
but also user–device/device–device interactions. receiving K shards, the key is successfully recovered.
Recently, the concept of decentralized identity (DID) or The second issue is the ID-squatting problem. Because the
self-sovereign identity (SSI) based on blockchain (BC) tech- same dID cannot be assigned more than once, registering
nology has been introduced as the next-generation iden- unused dIDs to the BC repeatedly through adversaries might
tity model [1], [2] replacing conventional identity models. create a problem even though the dID derived based on the
Several startups and academic research groups have proposed cryptographic hash is less sensitive to ID squatting than the
various identity management systems based on the DID human-readable ID. For instance, Namecoin [14] employed a
first-come–first-serve logic to assign name–value pairs. In a
Manuscript received May 12, 2021; revised July 17, 2021; accepted
October 18, 2021. Date of publication October 21, 2021; date of current recent study pertaining to Namecoin, only 28 of 120 000 regis-
version June 23, 2022. This work was supported by the Basic Science tered domain names were not squatted [15]. Hence, depending
Research Program through the National Research Foundation of Korea (NRF) on the application scenario, a suitable mechanism to suppress
funded by the Ministry of Education, Science and Technology under Grant
NRF-2021R1A2C100327611. (Corresponding author: Chang-Seop Park.) ID squatting is required.
Chang-Seop Park is with the Department of Software Science, Dankook The third issue is the key rotation replacing a current key
University, Yongin 16890, Republic of Korea (e-mail: csp0@dankook.ac.kr). pair (SK, PK) with a new key pair (SK + , PK + ), where a new
Hye-Min Nam is with the Department of Computer Science, Dankook
University, Yongin 16890, Republic of Korea (e-mail: nhm9410@naver.com). public key (PK + ) is posted to the BC together with the sig-
Digital Object Identifier 10.1109/JIOT.2021.3121722 nature using the current private key (SK) [16]. If an adversary
2327-4662
c 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: UNIVERSITY PUTRA MALAYSIA. Downloaded on May 17,2023 at 07:15:55 UTC from IEEE Xplore. Restrictions apply.
PARK AND NAM: NEW APPROACH TO CONSTRUCTING DECENTRALIZED IDENTIFIER FOR SECURE AND FLEXIBLE KEY ROTATION 10611
obtains the current private key of a certain entity, the adversary 4) The proposed DID based on the infinite one-way hash
can mount various security attacks using the compromised pri- chain is implemented using Hyperledger Fabric [18] and
vate key. Because the moment at which the private key is Contiki Cooja simulator, and its performance is evalu-
compromised cannot be predicted accurately, the only defense ated and compared with those of conventional DIDs.
is to update the key pair regularly such that the vulnerability The remainder of this article is organized as follows.
window resulting from the compromised private key can be Following the problem statements provided in Section II,
reduced. Hence, the purpose of the key rotation for the DID the backgrounds of the DID and one-way hash chain are
system is the same as that for the PKI system. introduced in addition to previous related studies, since our
Among the three security issues related to DID manage- proposed DID evolves from them. In Section IV, a new dID
ment, the key rotation issue is the main theme of this study. denoted as “BC-cID-L” for limited key rotations, which is
In this study, the relationship between a dID and its associated an intermediate step for the design of “BC-cID-F,” is intro-
credentials was investigated in addition to its security implica- duced. Subsequently, flexible key rotations are discussed in
tions. We observed that the current approach of key rotation for Section V. Security analysis and performance evaluations are
DID management exhibits security and usability issues, which provided in Sections VI and VII, respectively, and finally, the
will be discussed more comprehensively in Section II. Once concluding remarks are presented in Section VIII.
the private key is compromised, the control of the victim’s
dID is completely relinquished to the adversary, such that the
victim entity loses its own dID indefinitely (we name this the II. P ROBLEM S TATEMENT
“ID-stealing attack”), which differs significantly from the PKI After the DID is generated by the entity, it should be reg-
system. In the PKI system, even if the private key is compro- istered on the BC by the entity or the agent delegated to the
mised and a new certificate is issued to the victim entity, its entity. Hence, the uniqueness of the dID on the BC should
original identifier can be maintained. be guaranteed, and its corresponding sCRs should be asso-
Motivated by the fact that the compromised private key ciated with the dID. Currently, two approaches can be used
induces an ID-stealing attack as well as various security to link the dID to its sCRs: self-signed certificates and self-
attacks against the security protocols (e.g., entity authentica- certifying identifiers, both of which are derived from a PK and
tion and access control), a new DID resilient to such security SK pair. Given a key pair generated by the entity, the DID is
attacks is designed by embedding additional security function- composed of (dID, PK, Sig(SK)), where dID is the dID, and
ality into the DID. Whereas the sCR of the conventional DID Sig(.) is a signature on both the dID and PK using the SK
comprises a key pair, our DID’s sCR is augmented with one- in the self-signed certificate approach. Meanwhile, the DID is
time password (OTP) based on the hash chain. Therefore, the composed of (cryptographic identifier (cID), PK) in the self-
adversary should obtain the next OTP value together with the certifying identifier approach, where cID is the cryptographic
private key to mount such security attacks including the ID- identifier (cID), which is a special case of the dID and is
stealing attack. The proposed OTP serves as both a nonce derived from the PK using a cryptographic hash function h(.),
for the security protocol based on the proposed DID and where cID = h(PK). If the uniqueness of the dID derived from
a second-factor authenticator for the key rotation in DID either of the approaches is not verified by the chaincode (or
management. smart contract) of the BC, then the entity should repeat the
The major contributions of this study are as follows. registration process after generating a new key pair.
1) A new cryptographic primitive known as “infinite one- If the key pair (SK, PK) associated with dID must be
way hash chain” is designed, which is an extension of rotated (updated) because SK is compromised, then the entity
Lamport’s one-way hash chain [17], whose main weak- generates a new key pair (SK+ , PK+ ) and derives a new
ness is the finite length of the hash chain. Without a self-signed certificate (dID, PK+ , Sig(SK)) in the self-signed
preshared secret between two entities, each hash value of certificate approach. When the new self-signed certificate is
the hash chain can be used for various security purposes posted to the BC to update the current certificate (dID, PK,
once the root of the hash chain is registered. Meanwhile, Sig(SK)), the chaincode (or smart contract) verifies whether
Lamport’s hash chain requires a new root registration Sig(SK) in the new certificate is valid using the current public
when the current hash chain is exhausted, and the infinite key PK. In this case, (dID, PK+ , Sig(SK)) is posted instead
hash chain requires only one registration. of (dID, PK+ , Sig(SK+ )) because the chaincode recognizes
2) A new DID is constructed based on the proposed “infi- (dID, PK+ , Sig(SK+ )) as a new DID to register by another
nite one-way hash chain,” where the PK of the entity entity and refuses its registration. However, this is a severe
is embedded in each value of the infinite one-way hash security weakness, in that the adversary accessing the compro-
chain. The main reason for constructing a DID with such mised SK can steal the DID belonging to the original entity.
an infinite hash chain is to create an immutable dID with Meanwhile, when the current key pair (SK, PK) associated
flexible key-rotation functionality. with the cID in the self-certifying approach is updated to a new
3) An authenticated key exchange protocol between two key pair (SK+ , PK+ ), then the current cID should be changed
entities is designed to demonstrate the applicability to cID+ = h(PK+ ), where cID+ = cID because of the crypto-
of the proposed DID to various security protocols. graphic property of h(.). That is, when the key pair is rotated,
Additionally, it can be adapted for a new security mode the current dID is changed, which is undesirable and unac-
for TLS/DTLS handshake. ceptable in most digital ID applications. Suppose the cID is
Authorized licensed use limited to: UNIVERSITY PUTRA MALAYSIA. Downloaded on May 17,2023 at 07:15:55 UTC from IEEE Xplore. Restrictions apply.
10612 IEEE INTERNET OF THINGS JOURNAL, VOL. 9, NO. 13, JULY 1, 2022
the identifier of a vehicle. Even if more than one identifier can Construction 1 BC-dID
be assigned to a single vehicle, it is reasonable and efficient to On input SKx ∈R {0, 1}l and dIDx ∈R {0, 1}l
identify each vehicle with a single identifier administratively. • PKx ← pkGen(SKx ), where pkGen(.) is a public-key
A current approach to mitigate the risk due to a compro- generation function;
mised private key is to proactively perform the key rotation • (dIDx , PKx , Sig(SKx )) is generated as a self-signed
to reduce the vulnerability window. However, once the pri- certificate;
vate key is exposed to the adversary, the ID-stealing attack • If dIDx is unique and Sig(SKx ) is valid, it is registered at
can be easily mounted. Hence, a new DID that is robust to the BC;
ID-stealing attacks should be designed. Furthermore, it should
demonstrate immutability, in that the dID (or cID) must not
change even when the key rotation is performed. real-world entity, it is assumed in this study that DID = (dID,
sCR) to focus on the security issues of the DID. Each dID
III. BACKGROUND AND R ELATED W ORK should be unique on each BC platform and be tightly bound
In this section, two cryptographic primitives (dID and one- to the sCR. As the sCR is stored in the BC, it cannot be a
way hash chain) are introduced as our proposed security password or a secret key, but a PK.
framework evolves from them. Each of them is proposed Two approaches can be used to bind the dID cryptographi-
as a building block to construct various security protocols cally with the sCR—self-signed certificate and self-certifying
and mechanisms, and several of their variants have been also identifier—both of which are candidates seeking the W3C
proposed to enhance their security and efficiency. standard [16]. The first approach is discussed in this section,
whereas the second approach in Section III-B. An entity x
(person, thing, or collective) generates a pair of private key
A. Decentralized Identifier and PKI
(SKx ) and public key (PKx ) and then constructs a self-signed
A globally unique identifier generated by an entity has certificate to bind dIDx cryptographically with PKx . Hence,
become a necessity since the 1980s. The universally unique DIDx = (dIDx , PKx , Sig(SKx )), where Sig(SKx ) is a self-
identifier (UUID) [19], [20] and IPv6 address for secure neigh- signed signature on both dIDx and PKx using SKx , as in
bor discovery [21] are two examples of early versions of dIDs Construction 1.
that are generated in a semidecentralized manner. A 122-bit As any entity can access a specific entity’s PK through the
UUID is generated by a device based on a device-specific BC platform, any two entities can perform various security
MAC address allocated by the device manufacturer. Similarly, protocols based on each other’s PK. However, when the key
the 128-bit IPv6 address comprising both a subnet prefix pair (SKx , PKx ) associated with dIDx is compromised, the
and an interface identifier can be generated by the entity adversary generates a new key pair (SK+ +
x , PKx ) and posts
(host/router). However, the subnet prefix is allocated by the +
(dIDx , PKx , Sig(SKx )) to the BC; therefore, the ID-stealing
Internet service provider (ISP), even though the IPv6 interface attack can be mounted as mentioned in Section II.
identifier is selected by the entity and its uniqueness is tested
within the subnet. Hence, a type of TTP, such as the device
manufacturer and the ISP, is involved in the generation of B. Cryptographic Identifier as Decentralized Identifier
globally unique identifiers. A cID is an identifier into which a cryptographic prop-
Owing to the introduction of BC technology, each entity can erty is embedded, and for a pair of private and public keys,
generate its own identifier without relying on the TTPs, such a simplified cID is derived from the public key. The con-
as CAs and service/identity providers. Because conventional cept of the cID first appeared in the design of a secure
TTPs are operated centrally, a single point of failure [22], [23] file system [24], where each file name (identifier) is derived
of CAs and multiple identifiers for an entity from multiple from a cryptographic key. Furthermore, it has been employed
service/identity providers are yielded. Meanwhile, the BC plat- to construct an IPv6 address and is known as a crypto-
form can be considered as a decentralized TTP that is operated graphically generated address (CGA) [25], which is useful
by various participants for several application domains such for securing the IPv6 neighbor discovery protocol [21] and
that each participating entity can control its own identity. the mobile IPv6 binding update protocol [26]. Meanwhile,
Recently, the concept of DID (or SSI) has been introduced an address-based key (ABK) is based on identity-based
as the next-generation identity model based on BC technology. cryptography [27], where any IPv6 address can be used as
Several startups and academic research groups have proposed a PK. However, it requires a trusted party to generate and
BC (Bitcoin, Ethereum)-based identity management systems, distribute private keys. Because the CGA does not require a
such as Sovrin [3] and Uport [4]. In particular, Certcoin [5], trusted and centrally controlled party, it is superior to both the
Authcoin [6], and Blockstack [7], all of which are based on ABK and PKI-based certificates.
Namecoin [14] (forked from Bitcoin), have been proposed as When the cID is operated on the BC platform, it can be
a decentralized PKI platform. A DID comprises a dID and the another form of dID. A typical BC-based cID (BC-cID) is an
associated attributes, where dID is also known as BC-dID as it account holder’s address in cryptocurrency systems, such as
is based on the BC platform and the attributes include the sCR Bitcoin and Ethereum. The BC-cID is a self-certifying identi-
for the entity identification. Even though the attributes of the fier, in that for a PK and cID, no proof is required to confirm
DID include the entity description for mapping the dID to the that the PK belongs to the cID’s owner (entity). The BC-cID
Authorized licensed use limited to: UNIVERSITY PUTRA MALAYSIA. Downloaded on May 17,2023 at 07:15:55 UTC from IEEE Xplore. Restrictions apply.
PARK AND NAM: NEW APPROACH TO CONSTRUCTING DECENTRALIZED IDENTIFIER FOR SECURE AND FLEXIBLE KEY ROTATION 10613
C. One-Way Hash Chain Fig. 1. Generation of BC-cID-L for limited key rotation.
A one-way hash chain proposed by Lamport was first
employed to design an OTP system [17] without a shared
secret between the prover and verifier. It is generated by IV. D ESIGN OF C RYPTOGRAPHIC ID FOR
applying consecutive cryptographic hash functions to a ran- L IMITED K EY ROTATIONS
dom number (seed); subsequently, the hash values of the hash A main drawback of the BC-cID in Construction 2 is that
chain are used in the reverse order as OTPs. Because the ver- the BC-cID should be changed on each key rotation. However,
ifier maintains the last hash value sent from the prover, it is if the BC-cID is fixed as an identifier of an entity, the usage
not feasible for an adversary (insider or outsider) to derive of the cID is limited. In this section, a new BC-cID named
the next hash value because of the preimage resistance of the “BC-cID-L” is designed to embed the limited key-rotation
cryptographic hash function. For a random seed Kx ∈R {0, 1}k , functionality, as a middle stage of designing “BC-cID-F” with
a one-way hash chain, hcx of length n is generated as shown the full and flexible key-rotation functionality, which will be
in Construction 3. discussed in Section V. To embed the key-rotation functional-
After generating hcx , the prover must register a root value ity into the BC-cID, BC-cID of Construction 2 is integrated
x0 in advance at the verifier. For a previous hash value (a with the one-way hash chain. Let E = {x, y, z, . . .} be a set
commitment value) xj , the next hash value (a new commitment of entities. Therefore, cID (cIDx ) of entity x can be generated
value) xj+1 satisfying xj = h(xj+1 ) can be generated only by as in Construction 4. Fig. 1 shows the BC-cID-L generated
the entity who knows the seed. An authenticated channel with based on Construction 4.
the verifier’s authentication should be provided between them When an initial entry (cIDx , x0 , PKx (0) ) for entity x is sent
to prevent man-in-the middle attacks. Lamport’s one-way hash to the BC for registration, the chaincode (or smart contract) of
chain is disadvantageous in terms of practical implementation, the BC verifies if cIDx is unique on the BC and cIDx = h(x0 ||
i.e., a new hash chain must be generated, and a new root value PKx (0) ). If the verification is successful, then the initial entry
must be registered when all hash values of a current hash chain for entity x is registered at the BC. By querying the BC,
are used. another entity (i.e., entity y) can obtain entity x’s current PK
Various schemes for converting Lamport’s finite hash chain and authenticate entity x by verifying the signature, Sig(SKx (0) )
into an infinite hash chain have been proposed, and they can on the challenge sent from entity y.
be categorized into two schemes: 1) Lamport-like [28] and If the key rotation is required, entity x can perform it directly
2) non-Lamport-like scheme [29], [37], [38]. The former is on the BC. Namely, to update the public key from PKx (0) to
based on the cryptographic hash function only, whereas the PKx (1) , entity x sends (cIDx , x1 , PKx (1) ) to the BC, and the
latter employs additional cryptographic primitives such as sig- chaincode (or smart contract) verifies if x0 = h(x1 ||PKx (1) ). If
nature or PK encryption, in addition to the cryptographic hash the verification is successful, a new entry (cIDx , x1 , PKx (1) )
function. Hence, the Lamport-like scheme is more favorable for entity x can be appended to the BC, and PKx (1) will be the
as it provides simplicity and higher implementation efficiency. current public key of cIDx . Although the number of possible
In Section V, another Lamport-like infinite hash chain is key rotations is limited to n−1 as the length of the one-way
proposed. A more detailed comparison among the schemes hash chain is n, the BC-cID-L is secure against the ID-stealing
can be found in Appendix A. attack.
Authorized licensed use limited to: UNIVERSITY PUTRA MALAYSIA. Downloaded on May 17,2023 at 07:15:55 UTC from IEEE Xplore. Restrictions apply.
10614 IEEE INTERNET OF THINGS JOURNAL, VOL. 9, NO. 13, JULY 1, 2022
Fig. 2. Infinite hash chain and BC-cID-F for flexible key rotation.
Proposition 1: BC-cID-L is secure against the ID-stealing Construction 5 Multiple Hash Chains, hc(Kx , i)
attack. On input Kx ∈R {0, 1}k and i ≥ 1
Proof: Suppose the BC stores (cIDx , xj−1 , PKx (j−1) ) for hcx (i) = {xj (i) | xj (i) = h(xj+1 (i) ) for j ∈ [0, n−1] and
entity x and SKx (j−1) is exposed to an adversary, where j ∈ xn (i) = h(Kx || “chain seed”||i)};
[1, n]. Then, the adversary generates its own key pair (SKAdv ,
PKAdv ) such that PKAdv = pkGen(SKAdv ) together with xAdv ,
Construction 6 Infinite Hash Chain
and sends (cIDx , xAdv , PKAdv ) to the BC. In order for the ID-
stealing attack to be successful, xj−1 = h(xAdv || PKAdv ) should On input Kx ∈R {0, 1}k
be met. However, due to the second-preimage resistance prop- • call hc(Kx , 1) to generate hcx (1) = {x0 (1) , x1 (1) , . . . ,
erty of h(.), it is not feasible to find (xAdv , PKAdv ) such that xn (1) };
xj−1 = h(xAdv ||PKAdv ) = h(xj ||PKx (j) ). • x0 (1) is a root of infinite hash chain;
• for i = 1, 2, 3, . . . . {
. call hc(Kx , i+1) to generate hcx (i+1) = {x0 (i+1) ,
V. D ESIGN OF C RYPTOGRAPHIC ID FOR
x1 (i+1) ,. . . , xn (i+1) };
F LEXIBLE K EY ROTATIONS
. for j = 1, 2, 3, . . . , n−1 {
The compromised private key in the DID model can be abused generate a 3-tuple (xj (i) , x0 (i+1) , h(j+1)(i) );
via impersonation and ID-stealing attacks. Both the BC-dID }
and BC-cID are subject to two types of attacks, whereas the . generate a 3-tuple (xn (i) , x0 (i+1) , h(1)(i+1) ));
BC-cID-L is robust to the ID-stealing attack, as discussed in }
Section IV. However, the BC-cID-L presents two security weak-
nesses. First, the number of secure key rotations for suppressing
the ID-stealing attack is limited. Second, a compromised pri-
hash chains, hcx (i) for i ≥ 1, each of which is of length
vate key can still induce illegitimate authentication. In this
n, as in Construction 5; and binds them seamlessly, as in
study, an infinite one-way hash chain and the associated OTP
Construction 6, as if they are parts of an infinite hash chain.
were designed, based on which a security-enhanced BC-cID,
To bind multiple hash chains seamlessly, the root value x0 (2)
denoted as BC-cID-F (flexible key rotation), was designed to
of the second hash chain hcx (2) = {x0 (2) , x1 (2) , x2 (2) , . . . ,
address the security weaknesses of the BC-cID-L. In particu-
xn (2) } is sent in advance when the prover (entity x) sends xj (1)
lar, it is shown in Sections V-E and VI-C that the BC-cID-F
to the verifier for j ≥ 1. A reason to send x0 (2) proactively is to
remains secure under the impersonation attack induced by the
register it as a new root value for the second hash chain before
private key compromise.
the first hash chain is exhausted. From the security viewpoint,
the integrity of the root value (i.e., x0 (2) , x0 (3) , x0 (4) , . . .) to
A. Design of Infinite Hash Chain and OTP be registered for the next hash chain should be guaranteed.
We begin with the one-way hash chain used for the Otherwise, an adversary can modify the root value into another
OTP in Section III-C. As shown in Fig. 2-(A), the origi- one and control the subsequent sessions after the current hash
nal hash chain of Construction 3 is denoted hcx (1) ={x0 (1) , chain is exhausted. To address the problem, the root value of
x1 (1) , x2 (1) , x3 (1) , . . . , xn (1) }. When the verifier maintains the next hash chain should be integrity protected by the next
xj−1 (1) as a commitment value and receives xj (1) for j ≥ hash value of the current hash chain.
1 as the next commitment value from entity x, the verifier For example, when {xj (1) , x0 (2) } is sent, xj+1 (1) is used to
checks if xj−1 (1) = h(xj (1) ). Our approach in constructing compute h(xj+1 (1) || x0 (2) ) = h(j+1)(1) such that (xj (1) , x0 (2) ,
an infinite (one-way) hash chain is to generate multiple h(j+1)1 ) is sent, where h(j+1)(1) is a type of message-integrity
Authorized licensed use limited to: UNIVERSITY PUTRA MALAYSIA. Downloaded on May 17,2023 at 07:15:55 UTC from IEEE Xplore. Restrictions apply.
PARK AND NAM: NEW APPROACH TO CONSTRUCTING DECENTRALIZED IDENTIFIER FOR SECURE AND FLEXIBLE KEY ROTATION 10615
Authorized licensed use limited to: UNIVERSITY PUTRA MALAYSIA. Downloaded on May 17,2023 at 07:15:55 UTC from IEEE Xplore. Restrictions apply.
10616 IEEE INTERNET OF THINGS JOURNAL, VOL. 9, NO. 13, JULY 1, 2022
∗ ∗
Procedure 2 genBCupdate xj (i) ) = h(xj∗ (i ) ||PKx (i ) ) for j ∈ [1, n−1] or if D (=
∗ ∗
On input (Kx , i ≥ 1 and j ∈ [1, n]) x0 (i+1) ) = h(xj∗ (i ) ||PKx (i ) ) for j = n. Upon a successful ver-
/* compute new indices for BC-update */ ification, the current entry at the BC is changed to (A = cIDx ,
• i* ← i; j* ← j+1; α* ← j*+1; β* ← i*; ∗ ∗ ∗
• if (j = n−1) {α* ← 1; β* ← i*+1};
B = PKx (i ) , C = xj∗ (i ) , D = x0 (i +1) , E = h(α ∗ )(β ∗ ) /1).
• if (j = n) {i* ← i+1; j* ← 1}; Fig. 3 shows the method to generate and process the BC-
/* compute chain seed, PK and OTP */
∗ ∗ ∗ ∗
update transaction (Procedures 2 and 3) through a concrete
• (PKx (i ) , xn (i ) , PKx (i +1) , xn (i +1) ) ← comPK (Kx , i*); example.
∗ ∗ (β ∗) ∗) ∗ ∗
• if (β = i ) {PKx ← PKx } else {PKx (β ) ← PKx (i +1) };
(i
Entity x’s entry in the BC is shown after each BC-update
∗ ∗ ∗
• xjα ∗ (i ) ← comHash (n−j*, xn (i ) , PKx (i ) );
∗ ∗ ∗ is performed by entity x, where the initial entry for (i = 1,
• x0 (i +1) ← comHash (n, xn (i +1) , PKx (i +1) );
(β ∗) (β ∗) ∗ j = 0) is stored upon a successful registration. When the
• xα ∗ ← comHash (n−α*, xn , PKx (β ) );
∗ ∗ first BC-update{cIDx , PKx (1) , x1 (1) , [x0 (2) , h21 ]} is sent to the
• h(α ∗ )(β ∗ ) ← h(xα ∗ (β ) ||x0 (i +1) );
∗ ∗ ∗ chaincode of the BC by entity x( 1 ), the chaincode verifies if
• return (cIDx , PKx (i ) , xj∗ (i ) , x0 (i +1) , h(α ∗ )(β ∗ ) )
x0 (1) = h(x1 (1) ||PKx (1) ). Upon a successful verification, entity
x’s entry is changed as follows (❶): (A = cIDx , B = PKx (1) ,
Procedure 3 procBCupdate C = x1 (1) , D = x0 (2) , E = h21 ). D = x0 (2) is not yet confirmed
∗ ∗ ∗
On input (cIDx , PKx (i ) , xj∗ (i ) , [x0 (i +1) , h(α ∗ )(β ∗ ) ]) as a valid root of the next hash chain because E = h21 cannot
Run (chaincode) ∗ ∗ ∗ ∗
be verified without knowing x2 (1) . Hence, the verification on
• if C = h(xj∗ (i ) || PKx (i ) ) and D = h(xj∗ (i ) || PKx (i ) ) E = h21 is delayed until the next BC-update transaction is
exit (“invalid BC update”);
∗ ∗ processed.
• C ← xj∗ (i ) ; D ← x0 (i +1) ;
∗ ∗ When the second BC-update{cIDx , PKx (1) , x2 (1) ,
• if C = h(xj∗ (i ) || PKx (i ) ) {
. if E = ‘_’ {E ← h(α ∗ )(β ∗ ) }; [x0 (2) , h31 ]} is sent by entity x (❷), E = h21 can be
∗
. if E = h(xjα ∗ (i∗) || x0 (i +1) ) {E ← 1}; verified using x2 (1) . Upon a successful verification ( 2 ), E is
} set to 1, which means that the root (x0 (2) ) of the next hash
∗ ∗ ∗
• if D = h(xj∗ (i ) || PKx (i ) ) { E ← h(α ∗ )(β ∗ ) ; B ← PKx (i ) }; chain is ready to be used as a commitment value when the
• return (“valid BC update”); current hash chain is exhausted. In case of (i = 1, j = n−1),
the BC-update transaction ( 3 ) changes the current commit-
ment value (❸) from xn−1 (1) to xn (1) , but [x0 (2) , h12 ] does not
in Section V-A. Entity x generates the BC-update transaction, change E because x0 (2) has been already verified as a root of
∗ ∗ ∗
BC-update{cIDx , PKx (i ) , xj∗ (i ) , x0 (i +1) , h(α ∗ )(β ∗ ) }, as in the next hash chain. When the current hash chain is exhausted
(i ∗) (i ∗ +1)
Procedure 2, where (xj∗ , x0 , h(α ∗ )(β ∗ ) ) is the OTP as for (i = 1, j = n), the next BC-update transaction ( 4 )
defined in Section V-A. Two functions, comPK(.) and initiates the next hash chain initialization on the BC upon the
comHash(.), are for deriving a chain seed (as well as the PK) successful verification of x0 (2) = h(x1 (2) ||PKx (2) ). Therefore,
of a hash chain and a specific hash value within a hash chain, x1 (2) becomes the current commitment value (❹), and entity
respectively, which are defined in Appendix C. x’s entry is changed to (A = cIDx , B = PKx (2) , C = x1 (2) ,
∗ ∗
When receiving BC-update{cIDx , PKx (i ) , xj∗ (i ) , D = x0 (3) , E = h22 ), where D = x0 (3) is not yet verified as a
(i ∗ +1)
x0 , h(α ∗ )(β ∗ ) }, the chaincode of the BC processes valid root of the next hash chain as the verification on E = h22
it as in Procedure 3. The chaincode verifies if C(= is performed on the next BC-update. Upon a successful
Authorized licensed use limited to: UNIVERSITY PUTRA MALAYSIA. Downloaded on May 17,2023 at 07:15:55 UTC from IEEE Xplore. Restrictions apply.
PARK AND NAM: NEW APPROACH TO CONSTRUCTING DECENTRALIZED IDENTIFIER FOR SECURE AND FLEXIBLE KEY ROTATION 10617
Authorized licensed use limited to: UNIVERSITY PUTRA MALAYSIA. Downloaded on May 17,2023 at 07:15:55 UTC from IEEE Xplore. Restrictions apply.
10618 IEEE INTERNET OF THINGS JOURNAL, VOL. 9, NO. 13, JULY 1, 2022
❷{cIDy , y4 (2) , MIC(skxy )} from entity y, entity x verifies if OTPs but cannot modify them when delivered via the normal
y3 (2) = h(y4 (2) ||PKy (2) ) and MIC(skxy ) are valid. authenticated channel. Hence, even though the adversary
When the BC-AKE above is performed successfully, a observes the current OTP (xj (i) , x0 (i+1) , h(j+1)i ) from the
mutual authentication between them is attained and a session prover, it cannot forge the next OTP from the observed OTP.
key is shared. Finally, the entries of both entities at the BC Proposition 2: Under the basic adversarial model, the
should be updated to replace the current commitment values, adversary cannot generate three-tuple OTPs accepted by the
x2 (1) and y3 (2) , by new ones, i.e., x3 (1) and y4 (2) , respectively. verifier.
As shown in the BC-AKE based on BC-cID-F, when two Proof: The security of the proposed OTP is based on
entities perform a security protocol based on BC-cID-F, each the preimage resistance of the cryptographic hash function.
entity should update its own commitment value at the end Suppose the jth three-tuple OTP (xj (i) , x0 (i+1) , h(j+1)i ) has
of the security protocol. However, this must be performed by been successfully processed by the verifier, which means that
each entity to prevent the ID-stealing attacks; more details are it is also exposed to the adversary. When the adversary derives
provided in Section V-B. (A, x0 (i+1) , B) for the (j+1)th OTP, the following condition
should be satisfied: xj (i) = h(A) and h(j+1)i = h(A|| x0 (i+1) ),
where B can be an arbitrary value as it is not verified right
VI. S ECURITY A NALYSIS AND D ISCUSSIONS
now. However, deriving such A is not feasible because of the
A. Adversarial Model and Security of Infinite Hash Chain preimage resistance.
As in Lamport’s OTP [17] based on Construction 3, When the TLS/DTLS with verifier authentication is not pro-
the OTP based on the proposed infinite hash chain vided appropriately, various attacks against TLS/DTLS can
(Construction 6) of Fig. 2-(B) requires two security assump- be mounted, such as man-in-the-middle and session-hijacking
tions to function as a secure prover authentication protocol. attacks [33]. An example of the weakness of the TLS/DTLS is
First, an authenticated channel should be provided between as follows: if an adversary’s certificate can be installed into the
the prover (entity x) and verifier (chaincode), together with the prover’s root certificate storage, the adversary can successfully
verifier authentication. Second, the integrity of the three-tuple impersonate the verifier when the prover is redirected to the
OTPs, which are maintained by the verifier, should be guar- adversary site instead of to the genuine verifier site. Therefore,
anteed. The two requirements above can be satisfied because the basic adversarial model is then extended to include the
the BC network is employed: 1) the prover can be securely possibility that the adversary will modify the current three-
connected with the BC network when the TLS/DTLS with tuple OTP from the prover (called the “extended adversarial
the verifier authentication is provided appropriately between model”).
them and 2) the integrity of the three-tuple OTPs stored at The adversary’s goal is to modify the (i · n + 1)th OTP,
the BC can be guaranteed. Additionally, it is also assumed namely, (x1 (i) , x0 (i+1) , h(2)(i) ) for i = 1, 2, 3, . . . , by replac-
that the verifier (chaincode) does not behave maliciously, ing x0 (i+1) by A0 chosen by the adversary. If h(2)(i) = h
which means that the integrity of the chaincode is guaranteed (x2 (i+1) ||x0 (i+1) ) = h (x2 (i+1) ||A0 ), A0 can be registered as a
as well. valid root value of the next hash chain, i.e., {x0 (i+1) , x1 (i+1) ,
Under the aforementioned security assumptions, the adver- x2 (i+1) , . . . , xn (i+1) } is replaced by {A0 , A1 , A2 , . . . , An } such
sarial model for the proposed OTP (called the “basic adver- that Aj = h(Aj+1 ) for j ∈ [0, n−1] and some An chosen by
sarial model”) is such that the adversary can access the the adversary. Hence, the adversary can intercept the control
Authorized licensed use limited to: UNIVERSITY PUTRA MALAYSIA. Downloaded on May 17,2023 at 07:15:55 UTC from IEEE Xplore. Restrictions apply.
PARK AND NAM: NEW APPROACH TO CONSTRUCTING DECENTRALIZED IDENTIFIER FOR SECURE AND FLEXIBLE KEY ROTATION 10619
over the subsequent sessions from the original prover after Protocol 1 Challenge–Response Based on BC-dID
the (i+1)n OTP session. However, it is not feasible because • entity x ← entity y: Ry
• entity x → entity y: cIDx , Ry , Sig(SKx )
of the second preimage resistance of the cryptographic hash
function. This is summarized as Proposition 3.
Proposition 3: Under the extended adversarial model, the Protocol 2 Challenge–Response Based on BC-cID-F
adversary cannot intercept the OTP sessions from the original • entity x → entity y: cIDx , x3 (1) , Sig(SKx (1) );
prover.
B. Key Rotation and ID-Stealing Attack h(x1 (i+1) ||PKx (i+1) ) = h (A1 ||PKA ) and PKx (i+1) = PKA . So,
the following experiment is defined.
Once the private key of BC-dID (Construction 1) or BC-cID
ExpB (h(.), AdvB , l): The adversary AdvB is given the
(Construction 2) is exposed to an adversary, the adversary can
entity x’s BC update and outputs (A1 , PKA ) after gener-
impersonate its owner to perform various security protocols
ating a key-pair (SKA , PKA ) and {A1 , A2 , . . . , An } such
with other entities. Furthermore, in the BC-dID, the adversary
that Aj = h(Aj+1 ||PKA ) for j ∈ [1, n−1] and An ∈R {0,
can steal the corresponding BC-dID by posting a new self-
1}l . ExpB (h(.), AdvB , l) = 1 if and only if h(x1 (i+1) ||
signed certificate to the BC. When the key is compromised, it
PKx (i+1) ) = h(A1 || PKA ) and PKx (i+1) = PKA .
is not recognizable to its owner at that time; therefore, the only
Consider the following adversary AdvA attacking h(.) in
defense against the key compromise is to perform the key rota-
ExpA (h(.), AdvA , l) using adversary AdvB as a subroutine.
tion periodically to reduce the vulnerability window. However,
AdvA :
the proposed BC-cID-F is robust to ID-stealing attacks result-
On input w = x1 (i+1) || PKx (i+1)
ing from the key compromise, since the vulnerability win-
z : = (x1 (i+1) , PKx (i+1) ).
dow does not exist due to the hash chain value used as
Run AdvB (z).
the OTP.
AdvB returns z = (A1 , PKA ).
The proposed BC-cID-F is based on an infinite hash chain
w : = A1 || PKA
comprising multiple finite hash chains, mhcx (i) for i = 1,
AdvA outputs w.
2, . . . , each of which is associated with a distinct public key
It is evident that Pr[ExpA (h(.), AdvA , l) = 1] ≥
PKx (i) . Suppose x0 (2) is the root value registered proactively
Pr[ExpB (h(.), AdvB , l) = 1]. Since h(.) is a second-preimage
for the next hash chain mhcx (2) . When the current hash chain
resistant hash function, Pr[ExpA (h(.), AdvA , l) = 1] ≤ negl(l).
is exhausted, the next commitment value will be x1 (2) such that
It is concluded that Pr[ExpB (h(.), AdvB , l) = 1] Pr[ExpA (h(.),
x0 (2) = h(x1 (2) ||PKx (2) ). If an adversary can find A1 and PKA
AdvA , l) = 1] negl(l).
(= PKx (2) ) such that x0 (2) = h(A1 ||PKA ), the adversary can
take over the control of cIDx , resulting in the security breach
of the proposed BC-cID-F. However, owing to the property C. Impersonation and Session-Hijacking Attack
of the cryptographic hash function, it is not feasible to find In addition to the ID-stealing attack discussed in
{A1 and (SKA , PKA )} such that h(x1 (2) ||PKx (2) ) = h(A1 ||PKA ), Section VI-B, a few security protocols based on BC-dID and
as shown in Proposition 4. the proposed BC-cID-F are investigated to estimate the secu-
Proposition 4: BC-cID-F is robust to the ID-stealing attack rity effects resulting from the compromise of the private key.
under the extended adversarial model. Protocol 1 shows a simple challenge–response protocol based
Proof: Suppose entity x’s current entry in the BC is on BC-dID. After receiving a random number Ry from entity
(A = cIDx , B = PKx (i) , C = xj (i) , D = x0 (i+1) , E = 1) for y, entity x generates and sends Sig(SKx ) to entity y. Sig(SKx )
some j < n, and entity x sends a BC-update{cIDx , PKx (i+1) , can be verified using PKx obtained through querying the
x1 (i+1) , x0 (i+2) , h2(i+1) } to the BC for a key rotation. After BC. However, when the private key (SKx ) of entity x is exposed
generating a key pair (SKA , PKA ) and {A1 , A2 , . . . , An } such to an adversary, the adversary can mount an impersonation
that Aj = h(Aj+1 ||PKA ) for j ∈ [1, n−1] and An ∈R {0, 1}l , attack against the following protocol.
the adversary modifies entity x’s BC update as follows: {cIDx , The purpose of Protocol 2 is the same as that of Protocol 1,
PKA , A1 , . . .}. To be accepted by the BC, the condition except that it is based on BC-cID-F. Assuming entity x’s entry
x0 (i+1) = h(A1 || PKA ) should be satisfied. However, it is in the BC is (cIDx , PKx (1) , x2 (1) , . . . ), entity y queries the BC
refused by the BC chaincode owing to the property of the to obtain PKx (1) and x2 (1) . Subsequently, both x2 (1) = h(x3 (1) ||
cryptographic hash function. For a formal proof by reduction, PKx (1) ) and Sig(SKx ) are verified to authenticate entity x. As
the following experiment ExpA is defined for h(.), an adversary each hash value (next commitment value) is an implicit chal-
AdvA , and a security parameter l. lenge for each authentication session, the challenge–response
ExpA (h(.), AdvA , l): The adversary AdvA is given w and protocol comprises a single message. Additionally, because
outputs w, where w, w ∈ {0, 1}∗ . ExpA (h(.), AdvA , l) = 1 if the next commitment value cannot be derived from the
and only if w = w and h(w) = h(w). previous commitment values without knowing the seed value,
A hash function h(.) is second-preimage resistant if for all Protocol 2 is secure against the impersonation attack even
probabilistic polynomial-time (PPT) adversaries AdvA there is though SKx (1) is compromised.
a negligible function negl(.) such that Pr[ExpA (h(.), AdvA , Furthermore, the proposed BC-AKE based on BC-cID-F
l) = 1] ≤ negl(l). Let AdvB be a PPT adversary replac- discussed in Section V-E is secure against the impersonation
ing (x1 (i+1) , PKx (i+1) ) by (A1 , PKA ) such that x0 (i+1) = attack with the compromised key. It is not feasible for the
Authorized licensed use limited to: UNIVERSITY PUTRA MALAYSIA. Downloaded on May 17,2023 at 07:15:55 UTC from IEEE Xplore. Restrictions apply.
10620 IEEE INTERNET OF THINGS JOURNAL, VOL. 9, NO. 13, JULY 1, 2022
TABLE I
S ECURITY C OMPARISON OF F OUR DID S CHEMES FOR K EY ROTATION
Authorized licensed use limited to: UNIVERSITY PUTRA MALAYSIA. Downloaded on May 17,2023 at 07:15:55 UTC from IEEE Xplore. Restrictions apply.
PARK AND NAM: NEW APPROACH TO CONSTRUCTING DECENTRALIZED IDENTIFIER FOR SECURE AND FLEXIBLE KEY ROTATION 10621
TABLE II
a salt value, skm is a source key material, and ctxInfo is an C RYPTOGRAPHIC OVERHEAD C OMPARISON OF
arbitrary string. Each K(i) can be used as an individual key F OUR DID S CHEMES FOR K EY ROTATION
and defined as follows.
prk = HMAC(xts, skm).
K(1) = HMAC(prk, ctxInfo||0).
K(i + 1) = HMAC(prk, K(i)|| ctxInfo||i) for i ≥ 1.
For our key-derivation function, xts = 0, skm = Kx, ctx-
Info||i−1 = “key seed”||i−1, so that SKx (i) = kdf (Kx , “key
seed”||i) = K(i) for i ≥ 1.
Fig. 8. Comparison of three schemes for execution times. (a) Execution Time for Crypto. Operations on Wismote. (b) Execution Time for processing
Transaction Proposal / Response.
TABLE III
AVERAGE E XECUTION T IMES OF C RYPTOGRAPHIC P RIMITIVES hash chain of length n and the associated n EC key pairs
should be generated (for performance comparison, n was set
to 10). However, a hash chain of length n and only one
EC key pair are required to be generated for Registration of
BC-cID-F. The BC-cID requires 1 pkGen (EC key pair gen-
eration using secp256k1), 1 hash (SHA-256), and 1 sigGen
(ECDSA using secp256k1) computations, where the process-
ing times for hash, sigGen, and pkGen are 3.448, 1790.748,
and 1649.810 ms, respectively, for the BC-update generation
on the Wismote. For BC-cID-L and BC-cID-F, the hash val-
ues (xj or xj (i) ) are not stored when cIDx is generated for
Registration but generated on the fly from the seed value (xn
or xn (i) ), considering the storage limit of the sensor device
(sigGen and sigVer), and SHA-256 and HKDF with HMAC- when n becomes large. The BC-cID-F requires n−j hash and
SHA-256 were used for the cryptographic hash function h(.) n−j pkGen computations for the BC-update generation, while
and the key-derivation function kdf (.), respectively. Table III the BC-cID-F requires 2n+2 hash and 1 pkGen computations.
shows the average execution times (for ten runs on the Wismote Hence, the BC-cID-L also requires the most expensive cost
and on the Docker container) of the cryptographic primitives for the BC-update generation, while the BC-cID-F is shown
that were employed for generating and processing the BC- to be done faster than the others.
update for key rotation. For the execution times of ECDSA, Since the agent node plays the role of the proxy for the
h(.), and kdf (.), both the message length and the key length Wismote, it assembles the result of cryptographic operations
are set to 32 bytes. performed on the Wismote and sends a transaction proposal
Three schemes (BC-dID, BC-cID-L, and BC-cID-F) are to the BC. On successful processing, the corresponding
compared in Fig. 8-(a) in terms of the execution times for transaction response is returned to the Wismote via the agent
cryptographic operations performed on the Wismote to create node. Fig. 8-(b) shows a comparison of three schemes in
the transaction proposals for Registration, BC-update, and terms of the round-trip delay between the Wismote and the
BC-query. In case of BC-query, there are no cryptographic BC, starting from the Wismote. The round-trip delay does
operations to be performed on the Wismote. not include the execution time for the cryptographic opera-
The BC-cID-L requires the most expensive cost to regis- tions on the Wismote, but those performed on the chaincode
ter (cIDx , x1 , PKx (1) ) at the BC for the first time since a (Procedures 1, 3, and 4) to verify the transaction proposal. As
Authorized licensed use limited to: UNIVERSITY PUTRA MALAYSIA. Downloaded on May 17,2023 at 07:15:55 UTC from IEEE Xplore. Restrictions apply.
PARK AND NAM: NEW APPROACH TO CONSTRUCTING DECENTRALIZED IDENTIFIER FOR SECURE AND FLEXIBLE KEY ROTATION 10623
TABLE IV
shown in the figure, the execution times for processing both C OMPARISON OF S EVERAL OTP S BASED ON H ASH C HAIN
transaction proposal and transaction response are not highly
variable for three schemes except for the initial Registration.
Function 1 comPK [16] D. Reed, M. Sporny, D. Longley, C. Allen, R. Grant, and M. Sabadello,
On input (Kx , i) Decentralized Identifiers (DIDs) V1.0: Core Data Model and Syntaxes,
• PKx (i) ← pkGen(kdf (Kx , “key seed”||i)); W3C, Cambridge, MA, USA, 2019.
• xn (i) ← h(Kx ||“chain seed”||i); [17] L. Lamport, “Password authentication with insecure communication,”
• PKx (i+1) ← pkGen(kdf (Kx , “key seed”||i+1)); Commun. ACM, vol. 24, no. 11, pp. 770–772, 1981.
• xn (i+1) ← h(Kx ||“chain seed”||i+1);
[18] E. Androulaki et al., “Hyperledger fabric: A distributed operating system
for permissioned blockchains,” in Proc. 13th Eur. Conf. Comput. Syst.,
• return (PKx (i) , xn (i) , PKx (i+1) , xn (i+1) ); 2018, pp. 1–15.
[19] L. Zahn, Network Computing Architecture. Upper Saddle River, NJ,
USA: Prentice-Hall, 1990.
Function 2 comHash [20] P. Leach, M. Mealling, and R. Salz, “A universally unique identi-
On input (a , xn (i) , PKx (i) ) fier (UUID) URN namespace,” IETF, RFC 4122, 2005.
• A ← a; [21] N. Leavitt, “Internet security under attack: The undermining of digital
• X ← xn (i) ; certificates,” Computer, vol. 44, no. 12, pp. 17–20, 2011.
• while (A > 0) { [22] H. Berghel, “Equifax and the latest round of identity theft roulette,”
• X ← h(X|| PKx (i) ); A ← A–1};
Computer, vol. 50, no. 12, pp. 72–76, 2017.
[23] M. Blaze, “A cryptographic file system for unix,” in Proc. 1st ACM
• return (X);
Conf. Commun. Comput. Security, 1993, pp. 33–43.
[24] T. Aura, “Cryptographically generated addresses (CGA),” IETF, RFC
3972, 2005.
[25] J. Arkko, J. Kempf, B. Zill, and P. Nikander, “Secure neighbor discov-
protocols with other entities; subsequently, a BC update was ery,” IETF, RFC 3971, 2011.
performed for the key rotation. Fig. 9 ( 3 and 4 ) shows that [26] C. Perkins, D. Johnson, and J. Arkko, “Mobility support in IPv6,” IETF,
entity x became suspicious of the private key compromise and RFC 6275, 2011.
[27] A. Shamir, Identity-Based Cryptosystems and Signature Schemes
then jumped for the key rotation to the first hash value of the (LNCS), vol. 196. Heidelberg, Germany: Springer, 1985, pp. 47–53.
third hash chain without consuming the remaining hash values [28] C. S. Park, “One-time password based on hash chain without shared
of the second hash chain. secret and re-registration,” Comput. Security, vol. 75, pp. 138–146,
Jun. 2018.
[29] K. Bicakci and N. Baykal, “Infinite length hash chains and their applica-
A PPENDIX C tions,” in Proc. IEEE 11th Int. Workshops Enabling Technol., Jun. 2002,
pp. 1–5.
See Functions 1 and 2. [30] S. Raza, H. Shafagh, K. Hewage, R. Hummen, and T. Voigt, “LiTHE:
Lightweight secure CoAP for the Internet of Things,” IEEE Sensors J.,
vol. 13, no. 10, pp. 3711–3720, Oct. 2013.
R EFERENCES [31] S. Raza, L. Seitz, D. Sitenkov, and G. Selander, “S3K: Scalable secu-
rity with symmetric keys—DTLS key establishment for the Internet of
[1] P. Dunphy and F. A. P. Petitcolas, “A first look at identity manage- Things,” IEEE Trans. Autom. Sci. Eng., vol. 13, no. 3, pp. 1270–1280,
ment schemes on the blockchain,” IEEE Security Privacy, vol. 16, no. 4, Jul. 2016.
pp. 20–29, May/Jun. 2018. [32] T. Kothmayr, C. Schmitt, W. Hu, M. Brünig, and G. Carle, “DTLS based
[2] K. C. Toth and A. Anderson-Priddy, “Self-sovereign digital identity: security and two-way authentication for the Internet of Things,” Ad Hoc
A paradigm shift for identity,” IEEE Security Privacy, vol. 17, no. 3, Netw., vol. 11, no. 8, pp. 2710–2723, 2013.
pp. 17–27, May/Jun. 2019. [33] C. Meyer and J. Schwenk, “Lessons learned from previous SSL/TLS
[3] A. Tobin and D. Reed, The Inevitable Rise of Self-Sovereign Identity, attacks—A brief chronology of attacks and weaknesses,” in Proc. IACR
Sovrin Found., Provo, UT, USA, 2016. Cryptol. ePrint Archive, 2013, pp. 1–15.
[4] C. Lundkvist, R. Heck, J. Torstensson, Z. Mitton, and M. Sena, uPort: [34] H. Krawczyk and P. Eronen, “HMAC-based extract-and-expand key
A Platform for Self-Sovereign Identity, uPort, Brooklyn, NY, USA, 2017. derivation function (HKDF),” IETF, RFC 5869, 2010.
[5] C. Fromknecht, D. Velicanu, and S. Yakoubov, CertCoin: A Namecoin [35] H. Krawczyk, Cryptographic Extraction and Key Derivation: The
Based Decentralized Authentication System, MIT, Cambridge, MA, HKDF Scheme (LNCS 6223). Heidelberg, Germany: Springer, 2010,
USA, 2014. pp. 631–648.
[6] B. Leiding, C. H. Cap, T. Mundt, and S. Rashidibajgan, “AuthCoin: [36] Recommended Elliptic Curve Domain Parameters, Stand. Efficient
Validation and authentication in decentralized networks,” in Proc. 10th Cryptography, Certicom Res., Waterloo, ON, Canada, 2010.
Mediter. Conf. Inf. Syst., 2016, pp. 1–14. [37] S. Bittl, “Efficient construction of infinite length hash chains with perfect
[7] M. Ali, J. C. Nelson, R. Shea, and M. J. Freedman, “Blockstack: forward secrecy using two independent hash functions,” in Proc. 11th
A global naming and storage system secured by blockchains,” in Proc. Int. Conf. Security Cryptography, Aug. 2014, pp. 1–8.
USENIX Annu. Tech. Conf., 2016, pp. 181–194. [38] M. H. Eldefrawy, M. K. Khan, K. Alghathbar and E. S. Cho, “Broadcast
[8] Y. Kortesniemi, D. Lagutin, E. Elo, and N. Fotiou, “Improving the pri- authentication for wireless sensor networks using nested hashing and the
vacy of IoT with decentralized identifiers,” J. Comput. Netw. Commun., chinese remainder theorem,” Sensors, vol. 10, no. 9, pp. 8683–8695,
vol. 2019, Mar. 2019, Art. no. 8706760. Sep. 2010.
[9] A. S. Omar and O. Basir, “Identity management in iot networks using
blockchain and smart contracts,” in Proc. IEEE Int. Conf. Internet
Things, 2018, pp. 994–1000.
[10] Y. Ren, F. Zhu, J. Qi, J, Wang, and A. K. Sangaiah, “Identity manage- Chang-Seop Park (Member, IEEE) received the B.A. degree from Yonsei
ment and access control based on blockchain under edge computing for University, Seoul, South Korea, in 1983, and the M.Sc. and Ph.D. degrees in
the Industrial Internet of Things,” Appl. Sci., vol. 9, no. 10, p. 2058, computer science from Lehigh University, Bethlehem, PA, USA, in 1987 and
2019. 1990, respectively.
[11] “Retrieved from Christopher Allen’s Blog.” [Online]. Available: He has been with the Department of Software Science, Dankook University,
http://www.lifewithalacrity.com/. (Accessed: Oct. 20, 2020). Yongin, Republic of Korea, since 1990. He has been working on the wire-
[12] C. Allen et al., “Decentralized public key infrastructure,” in Proc. less mobile network security during the last ten years. His research interests
Rebooting Web Trust, Nov. 2015, pp. 1–21. include network security, cryptographic protocols, and coding theory.
[13] A. Shamir, “How to share a secret,” Commun. ACM, vol. 22, no. 11,
pp. 612–613, Nov. 1979.
[14] A. Loibl and J. Naab, “Namecoin,” in Proc. Seminars Future Internet Hye-Min Nam received the B.Sc. degree in software science from Dankook
Innov. Internet Technol. Mobile Commun., 2014, pp. 107–113. University, Yongin, Republic of Korea, in 2019, where he is currently pursuing
[15] H. Kalodner, M. Carlsten, P. Ellenbogen, J. Bonneau, and A. Narayanan, the master’s degree in computer science.
“An empirical study of namecoin and lessons for decentralized names- His research interests include blockchain, wireless sensor network security,
pace design,” in Proc. Workshop Econ. Inf. Security, 2015, pp. 1–27. and cryptographic protocols.
Authorized licensed use limited to: UNIVERSITY PUTRA MALAYSIA. Downloaded on May 17,2023 at 07:15:55 UTC from IEEE Xplore. Restrictions apply.