An Evaluation of Potential Attack Surfaces Based on Attack Tree Modelling and Risk Matrix Applied to Self-Sovereign Identity

Abstract

Self-Sovereign Identity (SSI) empowers users to govern their digital identity and personal data. This approach has changed the identity paradigm where users become the central governor of their identity; hence the rapid growth of the SSI model. Utilizing the security and privacy properties of blockchain, together with other security technologies, SSI purports to provide a robust security and privacy service. However, this governing power for users comes with a greater accountability and security risk, as not all users are capable or trained in its use and therefore in its efficient application. This trade-off requires a systematic evaluation of potential attacks on the SSI system and their security risks. Hitherto, there have been no noteworthy research studies performed to evaluate potential attacks on the SSI system and their security risks. This paper proposes an easy, efficient and economical approach to perform an evaluation of potential attacks on the SSI system and their security risks. This approach utilises a combination of an attack tree model and risk matrix model to perform this evaluation of potential attacks and their security risks, in addition to outlining a systematic approach including describing the system architecture and determining its assets in order to perform this evaluation of potential attacks and their security risks. This evaluation work has identified three potential attacks on the SSI system: faking identity, identity theft and distributed denial of service attacks, and performed their security risk evaluation utilising the proposed approach. Finally, this paper has proposed several mitigation strategies for the three evaluated attacks on the SSI system. This proposed evaluation approach is a systematic and generalised approach for evaluating attacks and their security risks, and can be applied to any other IT system.

Publication DOI: https://doi.org/10.1016/j.cose.2022.102808
Divisions: College of Engineering & Physical Sciences
College of Business and Social Sciences > Aston Business School > Cyber Security Innovation (CSI) Research Centre
Aston University (General)
Additional Information: © 2022 The Authors. CC BY 4.0
Uncontrolled Keywords: Attack tree model,Blockchain,DID,Decentralized IDentifier,Diamond model of intrusion analysis,Digital identity,Distributed denial of service,Distributed ledger technology,Faking identity,Identity management system,Identity theft,Lockheed Martin's cyber kill chain,MITRE ATT&CK framework,Risk matrix model,SSI,Self-sovereign identity,Verifiable credential,General Computer Science,Law
Publication ISSN: 0167-4048
Last Modified: 02 Dec 2024 08:41
Date Deposited: 20 Jun 2022 08:38
Full Text Link:
Related URLs: https://linking ... 167404822002024 (Publisher URL)
http://www.scop ... tnerID=8YFLogxK (Scopus URL)
PURE Output Type: Article
Published Date: 2022-09
Published Online Date: 2022-06-19
Accepted Date: 2022-06-17
Authors: Naik, Nitin (ORCID Profile 0000-0002-0659-9646)
Grace, Paul (ORCID Profile 0000-0003-2363-0630)
Jenkins, Paul
Naik, Kshirasagar
Song, Jingping

Export / Share Citation


Statistics

Additional statistics for this record