Abstract: Organisational Digital Identity (ODI) often relies on the credentials and keys being controlled by a single person-representative. Moreover, some Information Systems (IS) outsource the key management to a third-party controller. Both the centralisation and outsourcing of the keys threaten data integrity within the IS, allegedly provided by a trusted organisation. Also, outsourcing the control prevents an organisation from cryptographically enforcing custom policies, e.g. time-based, regarding the data originating from it. To address this, we propose a Distributed Key Management System (DKMS) that eliminates the risks associated with centralised control over an organisation’s identity and allows organisation-enforceable policies. The DKMS employs threshold signatures to directly involve multiple organisation’s representatives (e.g. employees, IS components, and external custodians) in data signing on its behalf. The threshold signature creation and, therefore, the custom signing policy inclusion, is fully backwards compatible with commonly used signing schemes, such as RSA or ECDSA. The feasibility of the proposed system is shown in an example data exchange system, X-Road. The implementation confirms the ability of the design to achieve distributed control over the ODI during the operational key phase. Excluding a network delay, the implementation introduces less than 200 ms overhead compared to the built-in signing solution.
Authors: Mariia Bakhtina, Jan Kvapil, Petr Švenda, and Raimundas Matulevičius
Published: Advanced Information Systems Engineering. CAiSE 2024. Lecture Notes in Computer Science, vol 14663. Springer, Cham.