Architecture

Abstract #

Public Key Infrastructure (PKI) is one of the most widely accepted cryptographic protocols for solving authentication for enabling secure communications on the web. PKI consists of digital certificates managed by a certification authority (CA) to verify the identity of the user, thus providing a secure communication channel. However, the traditional PKI method has problems such as difficulty in mutual trust between multiple certification center nodes, single point of failure, and low efficiency. The centralized mode of operation of CAs has led to many targeted attacks, such as man-in-the-middle attacks. In this paper, the goal of DECA is to completely decentralize the CA pool, while building a high-performance DPKI certification system to achieve a DPKI decentralized solution.

DECA uses the two basic modules of decentralized identity identification (DID) and verifiable statement (identity certificate) to define the format of identity identifiers, describe documents and processes such as generation, presentation, verification and destruction of identity certificates, covering identity and The complete life cycle of credential management, using decentralized trust management technology, provides on-chain storage and off-chain storage. Best practice is to store a small amount of data (e.g. id, state, etc.) on-chain, and a large amount of data (e.g. public key, authentication method, etc.) off-chain (e.g. IPFS), and combine them through the on-chain data transfer. Store hash, and realize decentralized authentication calculation by constructing offline data crdt consistent storage, and constructing component roles such as issuer and verifier.

This decentralized authentication protocol improves the efficiency of online cross-domain authentication transactions by verifying the hash value of the certificate instead of the signature. By placing the certificate generation process and the storage process of its hash in the registration operation, the verification process of Verifier and CA is reduced, and the efficiency is further improved.

image

Framework #

DECA utilizes decentralized identity identification (DID) and verifiable claim (identity credential), supports key PKI functions, utilizes the immutable feature of offline storage (IPFS), effectively prevents third-party attacks, utilizes IPFS-CRDT synchronization strategy, enhances Concealed sharing, fast synchronization, and the use of blockchain to synchronize a small amount of basic information, greatly reducing the cost of consensus.

image

1.Apply for user identity DID: combine user certificate, verification method and other information according to the user’s basic identification.

2.Store user identity information: Organize user identity-related information into Docs for offline storage to obtain the storage address docAddr, and use CRDT for consistent synchronization.

3.Registered user identity DID: Store user identity-related information to obtain the storage address docAddr and content hash docHash, and send a registration request like a blockchain.

4.Resolve user identity DID: The information of user DID is synchronized on the blockchain and the offline storage network, so user DID resolution can be initiated to any DECA. The client initiates a parsing request to any DECA, obtains the relevant information of the identity (including the storage address and content hash), obtains the actual user Doc through the storage address, and performs hash verification. If it passes, it proves that the Doc is credible .

Decentralized storage #

Centralized storage data is centralized, and the amount of data involved is larger, making the data more vulnerable to attacks and leaks. The security, privacy and sustainability of centrally stored data all present certain risks.

Data security includes two meanings: the first layer is “guarantee data privacy without leakage”, and the second layer is “guarantee the integrity of data without loss”.

In the current centralized storage mode, users upload all sensitive data, which not only makes users lose control over their own data, but also transfers the risk of data leakage to the cloud storage operator. If the private information is lost, damaged, leaked, or stolen, it may cause heavy losses to individuals, enterprises and even the entire society.

Centralized cloud storage operators may stop services for various reasons, but users have no right to control the behavior of service providers and control their own interests. This causes users to tend to store data in larger and more credible service providers, which makes the data centralization of the leading companies higher and higher, which also causes large-scale loss of data once the data is lost. Happening.

And DECA implements a decentralized storage method based on IPFS and web3.storage, builds a complete and unified data object adaptation layer, and makes better use of data middleware to encapsulate and encrypt data, and the encryption key is set by The user is controlled by the main body, and finally the data is stored in a decentralized storage system to ensure that data privacy is not leaked. Using the characteristics of ipfs, the integrity of the data can be guaranteed, and then the crdt technology is used to achieve eventual consistency. The data synchronized by crdt is not It is certificate metadata, only synchronizes the decentralized storage identifier, and has the characteristics of high performance and high stability.

Decentralized computing #

Current certificate systems protect online communications through the secure delivery of public keys, which correspond to identities, which use the corresponding secret private key to decrypt messages sent to them and prove that they sent messages (by signing them with the private key). Additionally users cannot be sure that their communications have not been compromised by fraudulent certificates that allow MITM (man-in-the-middle) attacks, which are difficult to detect.

DECA’s goal is to ensure that no third party can compromise the integrity and security of the entire system, and is fully capable of providing similar or higher security properties through the use of decentralized data storage consensus technology.

DECA builds on the existence of validators, but their role is limited to ensuring communication security and integrity, by leveraging identifiers in decentralized storage, through a series of algorithms that allow these values to be read globally in a secure way, which This way is less vulnerable to MITM attacks that may occur in PKI. This is achieved by linking the lookup value of a decentralized identifier to the latest and most correct public key for that identifier.

image

Decentralized OCSP #

As an important information of application identity, digital certificate is very important to ensure network communication trust. Therefore, certificate revocation is critical to mitigate vulnerabilities and potential key disclosure. The certificate holder can revoke an untrusted certificate.

DECA in combination with FEVM, has implemented a decentralized OCSP authentication system. It uses smart contracts to store and verify the status of certificates. The verifier uses certificate identifiers to verify the online status information of certificates through smart contracts, and returns the certificate status information to the verifier. The whole process has no centralized OCSP server. The verifier interacts with the FEVM to achieve decentralized OCSP online certificate authentication. image