In which disclosure paradigm will disclosure potentially help both the attacker and defender


Under a Creative Commons license

Open access

Abstract

Self-Sovereign Identity (SSI) empowers users to govern their digital identity and personal data. This approach has changed the identity paradigm where users become the central governor of their identity; hence the rapid growth of the SSI model. Utilizing the security and privacy properties of blockchain, together with other security technologies, SSI purports to provide a robust security and privacy service. However, this governing power for users comes with a greater accountability and security risk, as not all users are capable or trained in its use and therefore in its efficient application. This trade-off requires a systematic evaluation of potential attacks on the SSI system and their security risks. Hitherto, there have been no noteworthy research studies performed to evaluate potential attacks on the SSI system and their security risks. This paper proposes an easy, efficient and economical approach to perform an evaluation of potential attacks on the SSI system and their security risks. This approach utilises a combination of an attack tree model and risk matrix model to perform this evaluation of potential attacks and their security risks, in addition to outlining a systematic approach including describing the system architecture and determining its assets in order to perform this evaluation of potential attacks and their security risks. This evaluation work has identified three potential attacks on the SSI system: faking identity, identity theft and distributed denial of service attacks, and performed their security risk evaluation utilising the proposed approach. Finally, this paper has proposed several mitigation strategies for the three evaluated attacks on the SSI system. This proposed evaluation approach is a systematic and generalised approach for evaluating attacks and their security risks, and can be applied to any other IT system.

Keywords

Attack tree model

Risk matrix model

Digital identity

Self-sovereign identity

SSI

Identity management system

Decentralized IDentifier

DID

Verifiable credential

Distributed ledger technology

Blockchain

Faking identity

Identity theft

Distributed denial of service

Lockheed Martin’s cyber kill chain

MITRE ATT&CK framework

Diamond model of intrusion analysis

Nitin Naik received the Ph.D. degree in computer science from Aberystwyth University, Aberystwyth, U.K. He additionally holds several academic qualifications: M.Tech., M.Sc., MBA, MSW, B.Sc., and Polytechnic (Electrical Engineering). He has authored or coauthored more than 100 peer-reviewed papers in the areas of artificial intelligence, cybersecurity, big data, cloud computing, Internet of Things, and game based learning. He is currently a Senior Lecturer with the School of Informatics and Digital Engineering, Aston University, Birmingham, U.K.

Paul Grace is a senior lecturer in Computer Science at Aston University in the UK. He has over 20 years research and development experience in the field of interoperability, middleware, distributed systems, security & privacy, and pervasive computing. He has published over 100 papers in these areas. He has previously held research fellow positions at Lancaster University, Katholieke Universiteit Leuven, and the University of Southampton. He received his Ph.D. from Lancaster in 2004, an M.Sc. from the same institution in 2000 and a B.Sc. in Computer Science from the University of York in 1999.

Paul Jenkins received the Ph.D. degree in applied mathematics and computing from Cardiff University, Cardiff, U.K. He has authored or coauthored more than 50 peer-reviewed papers in the areas of artificial intelligence, cybersecurity, big data, cloud computing, Internet of Things, and game based learning. He is currently a Senior Lecturer with the Cardiff School of Technologies, Cardiff Metropolitan University, Cardiff, U.K.

Kshirasagar (Sagar) Naik is a Full Professor in the Department of Electrical and Computer Engineering at University of Waterloo. His research interests include energy performance of mobile devices and applications, detection of anomalous behaviour of wireless devices and physical systems, energy harvesting IoT (Internet of Things) devices for sustainable monitoring of physical systems, communication security, and wireless sensor networks. He was an Associate Editor of IEEE Transactions on Parallel and Distributed Systems and a guest editor of four special issues of IEEE Journal on Selected Areas in Communications and IEEE Transactions on Cloud Computing. He is a co-author of two textbooks, namely, Software Testing and Quality Assurance (Wiley, 2008) and Software Evolution and Maintenance (Wiley, 2014). He served as a Regional Editor of Journal of Circuits, Systems, and Computers.

Jingping Song received the Ph.D. degree in computer science from Aberystwyth University, Aberystwyth, U.K., in 2016, and another Ph.D. degree in communication and information system from Northeastern University, Shenyang, China in 2020. He has authored or coauthored 3 research monographs and more than 60 peer-reviewed papers in the areas of artificial intelligence, cybersecurity, big data, and chaotic secure communication. He is currently a Lecturer with the School of Software, Northeastern University, Shenyang, China.

© 2022 The Author(s). Published by Elsevier Ltd.

Which of the following was described as the main drawback to the waterfall software development model?

The disadvantage of waterfall development is that it does not allow much reflection or revision. Once an application is in the testing stage, it is very difficult to go back and change something that was not well documented or thought through in the concept stage.

Which of the following are advantages of an iterative design process?

Benefits of using iterative design: it highlights and helps to resolve misunderstandings, expectation issues, and requirement inconsistencies as early in the process as possible. It also helps to ensure the product is fit for purpose and meets its functionality, usability, and reliability objectives.

Which of the following was described as the main drawback to the waterfall software development model quizlet?

The Waterfall model does not easily accommodate change after the process is underway.

Which of the following is the name for a program that reproduces by attaching copies of itself to other programs and which often carries a malicious payload?

A worm is a standalone program that replicates itself to infect other computers, without requiring action from anyone. Since they can spread fast, worms are often used to execute a payload—a piece of code created to damage a system.