A New Approach to Constructing Decentralized Identifier for Secure and Flexible Key Rotation

Bibliographic details
Published in: IEEE internet of things journal 2022-07, Vol.9 (13), p.10610-10624
Main authors: Park, Chang-Seop, Nam, Hye-Min
Format: Article
Language: eng
Description
Summary: Owing to the introduction of blockchain (BC) technology, a decentralized identity (DID) model has been proposed to replace conventional identity models based on centralized authorities. The BC platform operated by various participants provides a new root-of-trust functionality for entity identification and access control. Each entity generates and registers its own identifier and credential (public key) to the BC such that any entity can obtain the other entity's public key. When the corresponding private key is compromised, the key rotation to generate and register a new key pair should be performed. However, the current approach for cryptographically binding a decentralized identifier with a public key induces a serious security problem that results in both identity-stealing attacks and multiple identifiers for a single entity. A new DID to address the security problem above is proposed herein, which is based on a newly proposed cryptographic primitive (infinite one-way hash chain), as well as its security analysis and performance evaluation on Hyperledger Fabric and Contiki Cooja simulator. To demonstrate the applicability of the proposed DID to various security protocols, an authenticated key exchange protocol is also designed.
ISSN: 2327-4662
DOI: 10.1109/JIOT.2021.3121722