Professional Documents
Culture Documents
AbstractSwarms of embedded devices provide new chal- Our design of the Permissioned Blockchain takes these
lenges for privacy and security. We propose Permissioned long-term issues into account and boasts fundamental features
Blockchains as an effective way to secure and manage these to handle them gracefully. Flexible, established protocols
systems of systems. A long view of blockchain technology yields
several requirements absent in extant blockchain implementa- provide a pathway from existing workflows and trust models
tions. Our approach to Permissioned Blockchains meets the to a robust and enduring system of record.
fundamental requirements for longevity, agility, and incremental Within the Permissioned Blockchain ecosystem, identity and
adoption. Distributed Identity Management is an inherent feature attribute management is built in for both users and devices.
of our Permissioned Blockchain and provides for resilient user Identities, and their associated attributes, transcend any single
and device identity and attribute management.
device or group of devices.
Keywords-IoT; cryptography; security; privacy; permissioned
blockchain; blockchain II. T RANSACTION L ONGEVITY
A. Asymmetric Key Rotation
I. I NTRODUCTION
Asymmetric cryptography (private/public key pairs) offers
A traditional Unix environment conducts logging and per- many advantages, especially when agreeing on a shared secret
missions enforcement from a multi-user system perspective. over an insecure channel or addressing non-repudiation by
With IoT, we now see a network of devices, where each device distancing the ability to verify from the ability to sign.
has different roles, capabilities, and permissions. The network However, caution is in order when designing a system with
has become the system and the devices the users. Effective these primitives.
management of both user and device identities and attributes Private key management is essential. In most designs, the
can be realized with the Distributed Identity Management that private keys become the trust anchor of the system, and the
our Permissioned Blockchain provides. proof of identity. This makes the private keys the prime target
Blockchain is ultimately a distributed, immutable log of of attackers. The longer a private key is held, the higher is
events. When harnessed properly, it greatly facilitates recon- the probability of compromise. A multi-decade system design
ciliation of event history among multiple entities. Blockchain must account for keys in use today being compromised in
enables IoT devices to perform transactions, and to be tracked the future. A strong system will withstand future revelation of
relative to time and location. The major missing link of the private keys.
well-known Bitcoin blockchain is the element of permis- Therefore, our design prioritizes easy rotation of asymmetric
sioning, i.e., a privacy-preserving, traffic-analysis- resistant keys. This degree of freedom gives the protocol the ability
methodology that leverages external trust relationships so as to adopt resilient primitives that do not exist today. Rotating
to establish an auditable identity- and attributes- management signature keys causes an adversary to have to re-attack in order
authorization framework. IoT devices suitably provisioned to be able to continue to sign, provided that the underlying
with identity management trust anchors can securely and signature scheme remains robust. Similarly, rotating key agree-
efficiently transact over permissioned blockchains. ment keys causes an adversary to have to re-attack in order to
Blockchain technology is attempting to revolutionize an be able to recover the plaintext of future transactions.
industry in existence for centuries. The integrity of a trans-
action ledger must remain intact for a decade or more. B. Device Group Membership
When contemplating contractual agreements, integrity must be When discussing proper key management, there are two
maintained for many decades. In other words, the transactions basic principles that have been developed over several decades.
will outlive the cryptographic primitives and devices that they First, assuming a suitable source of entropy, keys should be
were originally secured with. End users will need to vouch for created on the device they are being used for. Second, keys
transactions long after the original device has been removed should never be moved from device to device.
from service. Asymmetric keys may be compromised years If Alice creates a transaction today, with her Android device,
after theyve committed a transaction. she needs to be able to prove that its hers later.
978-1-5090-5873-0/17/$31.00
2017
c IEEE
TCA_CARootKey
Authenticated Attribute [i]
Primary = HMAC(Attribute HMACKey [i] ,
TCA_ID
Attribute [i]) (19)
(Primary) TCA_RootKey