{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,3,27]],"date-time":"2025-03-27T09:58:03Z","timestamp":1743069483452,"version":"3.40.3"},"publisher-location":"Cham","reference-count":31,"publisher":"Springer Nature Switzerland","isbn-type":[{"type":"print","value":"9783031610561"},{"type":"electronic","value":"9783031610578"}],"license":[{"start":{"date-parts":[[2024,1,1]],"date-time":"2024-01-01T00:00:00Z","timestamp":1704067200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2024,6,3]],"date-time":"2024-06-03T00:00:00Z","timestamp":1717372800000},"content-version":"vor","delay-in-days":154,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2024]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Organisational Digital Identity (ODI) often relies on the credentials and keys being controlled by a single person-representative. Moreover, some Information Systems (IS) outsource the key management to a third-party controller. Both the centralisation and outsourcing of the keys threaten data integrity within the IS, allegedly provided by a trusted organisation. Also, outsourcing the control prevents an organisation from cryptographically enforcing custom policies, e.g. time-based, regarding the data originating from it. To address this, we propose a Distributed Key Management System (DKMS) that eliminates the risks associated with centralised control over an organisation\u2019s identity and allows organisation-enforceable policies. The DKMS employs threshold signatures to directly involve multiple organisation\u2019s representatives (e.g. employees, IS components, and external custodians) in data signing on its behalf. The threshold signature creation and, therefore, the custom signing policy inclusion, is fully backwards compatible with commonly used signing schemes, such as RSA or ECDSA. The feasibility of the proposed system is shown in an example data exchange system, X-Road. The implementation confirms the ability of the design to achieve distributed control over the ODI during the operational key phase. Excluding a network delay, the implementation introduces less than 200\u00a0ms overhead compared to the built-in signing solution.<\/jats:p>","DOI":"10.1007\/978-3-031-61057-8_28","type":"book-chapter","created":{"date-parts":[[2024,6,2]],"date-time":"2024-06-02T20:17:29Z","timestamp":1717359449000},"page":"475-491","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["The Power of\u00a0Many: Securing Organisational Identity Through Distributed Key Management"],"prefix":"10.1007","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-0940-9713","authenticated-orcid":false,"given":"Mariia","family":"Bakhtina","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0009-0005-3303-1481","authenticated-orcid":false,"given":"Jan","family":"Kvapil","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9784-7624","authenticated-orcid":false,"given":"Petr","family":"\u0160venda","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1829-4794","authenticated-orcid":false,"given":"Raimundas","family":"Matulevi\u010dius","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2024,6,3]]},"reference":[{"key":"28_CR1","unstructured":"Gaia-X: A Federated Secure Data Infrastructure. https:\/\/gaia-x.eu\/"},{"key":"28_CR2","unstructured":"Preparatory work in view of the procurement of an open source cloud-to-edge middleware platform. Technical report, European Commission (2022)"},{"key":"28_CR3","doi-asserted-by":"crossref","unstructured":"Abraham, A., Koch, K., More, S., Ramacher, S., Stopar, M.: Privacy-preserving eID derivation to self-sovereign identity systems with offline revocation. In: IEEE TrustCom 2021, pp. 506\u2013513 (2021)","DOI":"10.1109\/TrustCom53373.2021.00080"},{"key":"28_CR4","doi-asserted-by":"publisher","unstructured":"Alkeilani Alkadri, N., et al.: Deterministic wallets in a quantum world. In: CCS 2020, pp. 1017\u20131031. ACM (2020). https:\/\/doi.org\/10.1145\/3372297.3423361","DOI":"10.1145\/3372297.3423361"},{"key":"28_CR5","doi-asserted-by":"publisher","unstructured":"Bakhtina, M., Kvapil, J., Svenda, P., Matulevicius, R.: Review of key management mechanisms (2024). https:\/\/doi.org\/10.5281\/zenodo.10886209","DOI":"10.5281\/zenodo.10886209"},{"key":"28_CR6","doi-asserted-by":"crossref","unstructured":"Bakhtina, M., Leung, K.L., Matulevi\u010dius, R., Awad, A., \u0160venda, P.: A decentralised public key infrastructure for X-Road. In: ARES 2023. ACM (2023)","DOI":"10.1145\/3600160.3605092"},{"key":"28_CR7","doi-asserted-by":"publisher","unstructured":"Bakhtina, M., Matulevi\u010dius, R., Awad, A., Kivim\u00e4ki, P.: On the shift to decentralised identity management in distributed data exchange systems. In: SAC 2023, pp. 864\u2013873. ACM (2023). https:\/\/doi.org\/10.1145\/3555776.3577678","DOI":"10.1145\/3555776.3577678"},{"key":"28_CR8","doi-asserted-by":"crossref","unstructured":"Barker, E.: NIST SP 800-57. Recommendation for key management (2016)","DOI":"10.6028\/NIST.SP.800-57pt1r4"},{"key":"28_CR9","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2021.102436","volume":"110","author":"C Buck","year":"2021","unstructured":"Buck, C., Olenberger, C., Schweizer, A., V\u00f6lter, F., Eymann, T.: Never trust, always verify: a multivocal literature review on current knowledge and research gaps of zero-trust. Comput. Secur. 110, 102436 (2021)","journal-title":"Comput. Secur."},{"key":"28_CR10","unstructured":"Cybernetica: Unified eXchange Platform (UXP). https:\/\/cyber.ee\/"},{"key":"28_CR11","doi-asserted-by":"crossref","unstructured":"Das, P., Erwig, A., Faust, S., Loss, J., Riahi, S.: The exact security of BIP32 wallets. In: CCS 2021, pp. 1020\u20131042. ACM (2021)","DOI":"10.1145\/3460120.3484807"},{"key":"28_CR12","doi-asserted-by":"crossref","unstructured":"Guthoff, C., Anell, S., Hainzinger, J., Dabrowski, A., Krombholz, K.: Perceptions of distributed ledger technology key management - an interview study with finance professionals. In: IEEE SP 2023, pp. 588\u2013605 (2023)","DOI":"10.1109\/SP46215.2023.10335652"},{"issue":"1","key":"28_CR13","doi-asserted-by":"publisher","first-page":"75","DOI":"10.2307\/25148625","volume":"28","author":"AR Hevner","year":"2004","unstructured":"Hevner, A.R., March, S.T., Park, J., Ram, S.: Design science in information systems research. MIS Q. 28(1), 75\u2013105 (2004)","journal-title":"MIS Q."},{"issue":"1","key":"28_CR14","doi-asserted-by":"publisher","first-page":"36","DOI":"10.1007\/s102070100002","volume":"1","author":"D Johnson","year":"2001","unstructured":"Johnson, D., Menezes, A., Vanstone, S.A.: The elliptic curve digital signature algorithm (ECDSA). Int. J. Inf. Secur. 1(1), 36\u201363 (2001)","journal-title":"Int. J. Inf. Secur."},{"key":"28_CR15","doi-asserted-by":"publisher","first-page":"78135","DOI":"10.1109\/ACCESS.2023.3299047","volume":"11","author":"V Kersic","year":"2023","unstructured":"Kersic, V., Vidovic, U., Vrecko, A., Domajnko, M., Turkanovic, M.: Orchestrating digital wallets for on- and off-chain decentralized identity management. IEEE Access 11, 78135\u201378151 (2023). https:\/\/doi.org\/10.1109\/ACCESS.2023.3299047","journal-title":"IEEE Access"},{"key":"28_CR16","doi-asserted-by":"publisher","first-page":"34","DOI":"10.1007\/978-3-030-81652-0_2","volume-title":"Selected Areas in Cryptography","author":"C Komlo","year":"2021","unstructured":"Komlo, C., Goldberg, I.: FROST: flexible round-optimized Schnorr threshold signatures. In: Dunkelman, O., Jacobson, M.J., Jr., O\u2019Flynn, C. (eds.) SAC 2020. LNCS, vol. 12804, pp. 34\u201365. Springer, Cham (2021). https:\/\/doi.org\/10.1007\/978-3-030-81652-0_2"},{"key":"28_CR17","doi-asserted-by":"publisher","first-page":"107","DOI":"10.1007\/978-3-030-82824-0_9","volume-title":"Electronic Participation","author":"R Krimmer","year":"2021","unstructured":"Krimmer, R., Dedovic, S., Schmidt, C., Corici, A.A.: Developing cross-border e-governance: exploring interoperability and cross-border integration. In: Edelmann, N., et al. (eds.) ePart 2021. LNCS, vol. 12849, pp. 107\u2013124. Springer, Cham (2021)"},{"key":"28_CR18","doi-asserted-by":"crossref","unstructured":"McBride, K., Kamalanathan, S., Valdma, S.M., Toomere, T., Freudenthal, M.: Digital government interoperability and data exchange platforms: insights from a twenty country comparative study. In: ICEGOV 2022, pp. 90\u201397. ACM (2022)","DOI":"10.1145\/3560107.3560123"},{"key":"28_CR19","doi-asserted-by":"publisher","unstructured":"Nair, V., Song, D.: Decentralizing custodial wallets with MFKDF. In: IEEE ICBC 2023, pp.\u00a01\u20139 (2023). https:\/\/doi.org\/10.1109\/ICBC56567.2023.10174998","DOI":"10.1109\/ICBC56567.2023.10174998"},{"key":"28_CR20","unstructured":"Nair, V., Song, D.: Multi-factor key derivation function (MFKDF) for fast, flexible, secure, & practical key management (2023)"},{"key":"28_CR21","unstructured":"NIIS: X-Road Documentation. https:\/\/docs.x-road.global\/"},{"key":"28_CR22","unstructured":"NIIS: X-ROAD\u00ae. https:\/\/x-road.global\/"},{"key":"28_CR23","unstructured":"Wuille, P.: BIP 0032. Hierarchical Deterministic Wallets. https:\/\/github.com\/bitcoin\/bips\/blob\/master\/bip-0032.mediawiki"},{"key":"28_CR24","volume-title":"Self-Sovereign Identity","author":"A Preukschat","year":"2021","unstructured":"Preukschat, A., Reed, D.: Self-Sovereign Identity. Manning Publications, Shelter Island (2021)"},{"key":"28_CR25","doi-asserted-by":"crossref","unstructured":"Rose, S., Borchert, O., Mitchell, S., Connelly, S.: NIST SP 800-207. Zero trust architecture (2020)","DOI":"10.6028\/NIST.SP.800-207-draft2"},{"key":"28_CR26","doi-asserted-by":"publisher","first-page":"380","DOI":"10.1016\/j.future.2023.06.009","volume":"148","author":"A Sarfaraz","year":"2023","unstructured":"Sarfaraz, A., Chakrabortty, R.K., Essam, D.L.: AccessChain: an access control framework to protect data access in blockchain enabled supply chain. FGCS 148, 380\u2013394 (2023). https:\/\/doi.org\/10.1016\/j.future.2023.06.009","journal-title":"FGCS"},{"key":"28_CR27","doi-asserted-by":"publisher","first-page":"207","DOI":"10.1007\/3-540-45539-6_15","volume-title":"Advances in Cryptology - EUROCRYPT 2000","author":"V Shoup","year":"2000","unstructured":"Shoup, V.: Practical threshold signatures. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 207\u2013220. Springer, Heidelberg (2000). https:\/\/doi.org\/10.1007\/3-540-45539-6_15"},{"key":"28_CR28","doi-asserted-by":"crossref","unstructured":"Soltani, R., Nguyen, U.T., An, A.: Decentralized and privacy-preserving key management model. In: ISNCC 2020, pp.\u00a01\u20137 (2020)","DOI":"10.1109\/ISNCC49221.2020.9297294"},{"key":"28_CR29","unstructured":"Verizon Business: 2023 data breach investigations report (2023)"},{"key":"28_CR30","unstructured":"VNG Realisatie: NLX: Documentation. https:\/\/docs.fsc.nlx.io\/"},{"key":"28_CR31","unstructured":"Windley, P.J.: Learning Digital Identity: Design, Deploy, and Manage Identity Architectures. O\u2019Reilly Media, Incorporated (2023)"}],"container-title":["Lecture Notes in Computer Science","Advanced Information Systems Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-031-61057-8_28","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,6,2]],"date-time":"2024-06-02T20:22:06Z","timestamp":1717359726000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-031-61057-8_28"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024]]},"ISBN":["9783031610561","9783031610578"],"references-count":31,"URL":"https:\/\/doi.org\/10.1007\/978-3-031-61057-8_28","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2024]]},"assertion":[{"value":"3 June 2024","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"CAiSE","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Advanced Information Systems Engineering","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Limassol","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Cyprus","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2024","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"3 June 2024","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"7 June 2024","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"36","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"caise2024","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/cyprusconferences.org\/caise2024\/#","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}