DiVerify: Diversifying Identity Verification in Next-Generation Software Signing
- URL: http://arxiv.org/abs/2406.15596v1
- Date: Fri, 21 Jun 2024 18:53:52 GMT
- Title: DiVerify: Diversifying Identity Verification in Next-Generation Software Signing
- Authors: Chinenye L. Okafor, James C. Davis, Santiago Torres-Arias
- Abstract summary: Code signing enables software developers to digitally sign their code using cryptographic keys, thereby associating the code to their identity.
Next-generation software signing such as Sigstore and OpenPubKey simplify code signing by providing streamlined mechanisms to verify and link signer identities to the public key.
We introduce Diverse Identity Verification (DiVerify) scheme, which strengthens the security guarantees of next-generation software signing by leveraging threshold identity validations and scope mechanisms.
- Score: 6.367742522528132
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Code signing enables software developers to digitally sign their code using cryptographic keys, thereby associating the code to their identity. This allows users to verify the authenticity and integrity of the software, ensuring it has not been tampered with. Next-generation software signing such as Sigstore and OpenPubKey simplify code signing by providing streamlined mechanisms to verify and link signer identities to the public key. However, their designs have vulnerabilities: reliance on an identity provider introduces a single point of failure, and the failure to follow the principle of least privilege on the client side increases security risks. We introduce Diverse Identity Verification (DiVerify) scheme, which strengthens the security guarantees of next-generation software signing by leveraging threshold identity validations and scope mechanisms. We formalize a general definition of diverse verification scope and how it applies to next-generation software signing solutions, enabling clients to protect themselves from the impact of a compromised identity provider and help identity providers minimize the impact of compromised clients. As proof of concept, we implement DiVerify in the Sigstore ecosystem and evaluate the security improvements. By using fine-grained access control mechanisms and implementing threshold validations over account signing capabilities, we demonstrate that signing tools can protect themselves against threats from compromised identity providers and malicious signing clients.
Related papers
- Securing Legacy Communication Networks via Authenticated Cyclic Redundancy Integrity Check [98.34702864029796]
We propose Authenticated Cyclic Redundancy Integrity Check (ACRIC)
ACRIC preserves backward compatibility without requiring additional hardware and is protocol agnostic.
We show that ACRIC offers robust security with minimal transmission overhead ( 1 ms)
arXiv Detail & Related papers (2024-11-21T18:26:05Z)
- Practical Privacy-Preserving Identity Verification using Third-Party Cloud Services and FHE (Role of Data Encoding in Circuit Depth Management) [0.0]
Governments seek to outsource national digital identity verification systems to third-party cloud services.
This leads to increased concerns regarding the privacy of users' personal data.
We propose a privacy-preserving digital identity (ID) verification protocol where the third-party cloud services process the identity data encrypted.
arXiv Detail & Related papers (2024-08-15T08:12:07Z)
- Excavating Vulnerabilities Lurking in Multi-Factor Authentication Protocols: A Systematic Security Analysis [2.729532849571912]
Single-factor authentication (SFA) protocols are often bypassed by side-channel and other attack techniques.
To alleviate this problem, multi-factor authentication (MFA) protocols have been widely adopted recently.
arXiv Detail & Related papers (2024-07-29T23:37:38Z)
- Attribute-Based Authentication in Secure Group Messaging for Distributed Environments [2.254434034390528]
Messaging Layer Security (MLS) and its underlying Continuous Group Key Agreement protocol allow a group of users to share a cryptographic secret in a dynamic manner.
The use of digital certificates for authentication in a group goes against the group members' privacy.
We provide an alternative method of authentication in which the solicitors, instead of revealing their identity, only need to prove possession of certain attributes.
arXiv Detail & Related papers (2024-05-20T14:09:28Z)
- A Survey and Comparative Analysis of Security Properties of CAN Authentication Protocols [92.81385447582882]
The Controller Area Network (CAN) bus leaves in-vehicle communications inherently non-secure.
This paper reviews and compares the 15 most prominent authentication protocols for the CAN bus.
We evaluate protocols based on essential operational criteria that contribute to ease of implementation.
arXiv Detail & Related papers (2024-01-19T14:52:04Z)
- Revocable Quantum Digital Signatures [57.25067425963082]
We define and construct digital signatures with revocable signing keys from the LWE assumption.
In this primitive, the signing key is a quantum state which enables a user to sign many messages.
Once the key is successfully revoked, we require that the initial recipient of the key loses the ability to sign.
arXiv Detail & Related papers (2023-12-21T04:10:07Z)
- HFORD: High-Fidelity and Occlusion-Robust De-identification for Face Privacy Protection [60.63915939982923]
Face de-identification is a practical way to solve the identity protection problem.
The existing facial de-identification methods have revealed several problems.
We present a High-Fidelity and Occlusion-Robust De-identification (HFORD) method to deal with these issues.
arXiv Detail & Related papers (2023-11-15T08:59:02Z)
- Redactable and Sanitizable Signature Schemes: Applications and Limitations for use in Decentralized Digital Identity Systems [8.501327327617313]
Redactable signature schemes and sanitizable signature schemes are methods that permit modification of a given digital message and retain a valid signature.
We propose implementing these protocols on a digital credential and compare them against other privacy-enhancing techniques to assess their suitability.
arXiv Detail & Related papers (2023-10-26T10:28:25Z)
- FedSOV: Federated Model Secure Ownership Verification with Unforgeable Signature [60.99054146321459]
Federated learning allows multiple parties to collaborate in learning a global model without revealing private data.
We propose a cryptographic signature-based federated learning model ownership verification scheme named FedSOV.
arXiv Detail & Related papers (2023-05-10T12:10:02Z)
- CATFL: Certificateless Authentication-based Trustworthy Federated Learning for 6G Semantic Communications [12.635921154497987]
Federated learning (FL) provides an emerging approach for collaboratively training semantic encoder/decoder models of semantic communication systems.
Most existing studies on trustworthy FL aim to eliminate data poisoning threats that are produced by malicious clients.
A certificateless authentication-based trustworthy federated learning framework is proposed, which mutually authenticates the identity of clients and server.
arXiv Detail & Related papers (2023-02-01T06:26:44Z)
- Secure access system using signature verification over tablet PC [62.21072852729544]
We describe a highly versatile and scalable prototype for Web-based secure access using signature verification.
The proposed architecture can be easily extended to work with different kinds of sensors and large-scale databases.
arXiv Detail & Related papers (2023-01-11T11:05:47Z)
This list is automatically generated from the titles and abstracts of the papers in this site.