1. Introduction
The value of knowledge has risen in today’s modern world due to the changes and pace of life that have created a fierce, competitive market. Business strategies have shifted from being product-based to knowledge-based due to the attention being placed on the use of knowledge by corporations. With knowledge being an intellectual property, its management should be very effective. Knowledge management (KM), often related to organizations, is a conscious effort in the provision of knowledge at the right time and place, in the right form, and finally to the right person. This helps people to capture, share and utilize knowledge so as to improve the organization’s performance.
Knowledge actually represents an important resource for remaining competitive in business environments. Whether tacit or explicit knowledge [1], the success of knowledge transfer or sharing (i.e., knowledge-sharing effectiveness) is contingent on the knowledge source’s capacity to identify and contribute possessed knowledge and the knowledge recipient’s predisposition to adopt and re-create knowledge. Quite similar to financial value, it is an intellectual property that needs to be securely stored and shared among parties [2], and, above all, to have its provenance, ownership and management tracked. As defined by Quintas et al. [3], knowledge management efforts aim to manage knowledge, by making use of existing and acquired knowledge to meet the needs of and develop opportunities, both now and in the future.
Due to the influx of knowledge, knowledge management systems (KMSs) have been developed by organizations to share and re-use knowledge, and these systems are to ensure that institutional information about several functionalities is available for all to use. From a simple system with stored-in files to a complex, heterogeneous array of systems with sophisticated options, there are several components of a KMS, and these KMSs deploy KM portals as central points of access for their component systems.
The role-based access control (RBAC) framework has been the mechanism employed by most KMSs to achieve access control [4,5]. With roles and titles or statuses, instead of users attributed to access rights, many of today’s organizations adopt such a model to implement their access control mechanisms [6,7,8,9,10]. With this contention in the existing literature, both researchers and practitioners over the years continued to extend the core RBAC to include features that: (1) protect and wholly secure knowledge assets; (2) align with KM initiatives; and (3) maintain the determination and motivation to share and transfer knowledge. It is important to emphasize that KM initiatives embrace numerous socio-technical elements, processes, structures, and business models in a broader spectrum. Social entities such as individuals, project teams, collaborative groups, and inter-organizational relationships use sophisticated technological tools to function in organizations. The dynamics associated with systems and human interactions in a KMS environment require critical security attention as users generate, store and utilize knowledge assets. A challenge to such KMS strategic initiatives is thus contingent on the appropriateness of the extension of RBAC deployable in KMS without compromising the overall knowledge sharing or transfer agenda.
As with other information systems, users of KMS occupy roles through specific portals and platforms, and these roles are associated with permissions. At different access levels, users can access knowledge items (or objects) and perform operations on them according to their defined specific tasks. With roles associated with a set of sessions, users are allowed to share or transfer knowledge packages across different hierarchical levels. Since knowledge gives organizations competitive advantage [11], and remains a strategic intangible asset of an organization [12], it is highly essential to ensure that only verifiable and authenticated users are permitted to access knowledge objects to any particular depth of granularity. We thus posit that the RBAC model is still an essential access control model to adopt in the KMS environment.
Blockchain has been a revolutionary paradigm in systems of record and it has been seen as the emerging technology in industry and the research community. The technology plays a significant role in controlling, monitoring and, most importantly, securing systems [13,14,15,16,17]. With the facilitation of data sharing and other resources, including knowledge, its combination with other systems enables the automation of time-sensitive workflows in a cryptographic manner. Knowledge shared/given by their owners is always cryptographically proofed by the signature of the sender who holds a unique key pair, and therefore the integrity and authentication of the knowledge is guaranteed. Moreover, all transactions on the knowledge are recorded in a distributed ledger and can be securely traced. As a distributed, programmable and encrypted database for the transfer, storage, protection and access of knowledge from one location to the other, and the provision of a high level of security, the information or knowledge stored in the blockchain cannot be re-written or modified. This design makes the blockchain capable of having a permanent historical record. Although the blockchain can be seen as a remedy for securing most systems including KMSs, and preserving privacy of the knowledge, there are many research challenges that prevent its full incorporation.
KM is based on trust management and the blockchain’s trust property can be used to manage trust in generating, storing, sharing, protecting and applying a variety of knowledge. With the help of blockchain, owners’ knowledge can be integrated and collectively verified, and they will become transparent to anyone and can be used by users. Thus, users become more confident and comfortable in sharing possessed knowledge, because blockchain offers a better and more secured reporting system compared with the traditional knowledge base. In addition, it is almost impossible to alter the information or knowledge in the knowledge repository due to the security features of the blockchain. In this work, we employ Elliptic Curve Digital Signature Authentication (ECDSA) protocol, which to our best knowledge in the extant KMS literature in particular, has not been used for user verification and authentication in RBAC. To realize the effective use of RBAC model in KMS environment, this work proposes a blockchain approach to realizing access control in KMSs, to grant authorization to knowledge users in the network. Thus, our ECDSA-RBAC feature extends RBAC permission constraints to include stronger authentication in granting permissions to users to access knowledge resources for secured KMS environment. Due to the decentralized and tamper-proof nature of the blockchain, the key ideas this paper puts across are:
ensuring an effective user authentication and verification method for knowledge workers in an organization, and therefore providing an efficient access control to knowledge resources;
issuing roles and knowledge management to users, and access revocation to defaulting parties in the network; and
designing an architecture that seeks to achieve security requirements such as adding, updating, sharing and providing information or knowledge in the organization by making use of the blockchain technology.
The rest of this paper is organized as follows. Section 2 presents the works related to this study while Section 3 considers the background of this study. Section 4 formulates the problem and introduces the system model and its implementation. Section 5 gives the discussions while Section 6 presents the conclusions of the paper.
2. Related Works
Several works have introduced RBAC models for information security and protection. In [6], the authors were the first to present the RBAC model and they proposed the idea of roles connected with privileges, instead of the users. An RBAC model that had four different categories was also proposed by Sandhu et al. [18]. With these fundamentals, many studies have proposed extended versions of the RBAC model. Notably, Xia et al. [19] presented an RBAC model that simplified the complexity of the role hierarchy structure by using namespace. Ma et al. [20] also established a structural model that consisted of three different aspects, and had the thought of a layered management. A novel RBAC model for decentralized and distributed systems was proposed by the authors of [21], and it could be applied to dynamic assignments. We recognize these developmental extensions of RBAC, which seamlessly ensure that there is adequate information access control and management.
KMS is a task-centric information system that enables users to create, store and use knowledge to increase task performance [22,23]. It enables users to improve their knowledge-sharing capabilities for knowledge value creation through knowledge internalization [24]. Although there are varied reasons for deploying KMSs in organizations, one primary objective of all such KMSs’ deployment is the ability to facilitate knowledge transfer and sharing for improved knowledge innovation across functional units [12]. Knowledge assets are available and accessible by all individuals and functional units in the organization. For instance, subject-matter experts create knowledge as “best practices” for problem solutions stored in a knowledge base and become an intellectual asset for the organization. Users can then access such knowledge objects of best practices for their specific functions. It is, however, essential to ensure that only verified and authorized users are permitted to access them. It is therefore imperative for knowledge assets to be secured, managed and used by authorized users only for their intended purposes.
For these reasons, the adoption of the RBAC model in KMS is paramount to the control and utilization of knowledge assets throughout the organization. As evidenced in [5,25,26,27,28], RBAC adoption in KMS is critical not only in the context of secured knowledge sharing but also the protection of knowledge assets. Thus, RBAC has featured in many KM initiatives as far as protection and security of knowledge assets are concerned.
To provide a secured framework for organizations to share their information or knowledge, there should be some considerations in the design of systems such as KMS with trusted user authentication and authorization. Without these security measures, the RBAC will be insecure, which will result in an unreliable access control. Digital signatures [29] have been proposed to ensure some level of security in access control but the costs involved in their implementation do not make them ideal candidates for wide adoption. Maintaining a public key infrastructure (PKI) also poses a problem [30,31]. Although PKI-based systems are well recognized, they are vulnerable to some security problems, aside from their complexity and costs. With a certificate authority (CA) acting as a third party responsible for distribution and management of certificates, there is always the tendency for a single point of failure in such systems. A typical scenario is taken from DigiNotar in [32].
To mitigate the problems associated with PKI systems, decentralized systems have been studied. The authors of [33,34] presented multi-authority attribute-based encryption and signatures, respectively. While there is a requirement of a trusted setup of some parameters in [33,34], it was not in support of this setup. However, their implementation and interoperability always posed problems if several users were involved. By this notion, this work implements the blockchain technology to solve some of these issues. Due to its decentralized and tamper-proof nature, we are able to verify the creators of the model, proof of provenance, and there is a trust environment created to enhance transparency. The content of the models will be stored in timestamped blocks, and therefore the major components of a secured network platform—confidentiality, integrity and availability—will be achieved. In providing efficient access control and preventing malicious activities in the network, ECDSA is utilized to improve the security.
4. System Model and Implementation
In this section, we first state the problem, and then dwell on the model and implementation of our system. Considering a knowledge-sharing platform, the authenticity of roles and privileges should be of utmost importance to any organization. There is the need to verify whether a particular user is the rightful owner of a particular role corresponding to a specific knowledge resource. Without a proper verification process, the system will not be a secured one and the access control mechanism will be unreliable as well. For instance, passports and ID cards are usually used as verification methods; however, in digital worlds, these cannot be utilized. In this work, we introduce an efficient verification and access control method that is based on Elliptic Curve Cryptography (ECC), as it is the mechanism most blockchain systems thrive on. Our access control system should provide an effective management of the knowledge repository, key issuance and revocation, and verification. The blockchain will also provide transparency and knowledge resource immutability.
Our system, as shown in Figure 1, comprises the following major components: a user layer, knowledge processing and management units, a blockchain and a cloud server. The various components are explained below.
User layer: The user layer comprises the two major entities associated with the knowledge, the knowledge owner and the knowledge user. The knowledge owner uploads its knowledge onto the cloud repository and determines which user has access to which knowledge, and what privileges the user should enjoy. The knowledge user, on the other hand, requests use of the knowledge, and, upon a successful verification, the request is granted.
Knowledge Processing Unit: This unit consists of a key issuer, a verification unit, and a role assignment unit. The issuer is responsible for generating cryptographic keys, which are linked to the identities of the users and are used for transactions on the network. Some typical transactions include knowledge requests, knowledge usage, etc. The verification unit, on the other hand, verifies all users on the network. Once the keys have been generated and given out to the users by the issuer, all users need to go through an authentication process before gaining access to the knowledge. With the help of the verification unit, an efficient access control is assured. The role assignment unit provides the rules of engagement of the system. It specifies what the roles of each entity are and the privileges each user gets to enjoy.
Knowledge management center: This unit is the heartbeat of the system. It consists of a network processing node and a smart contract unit. The processing nodes are responsible for processing all requests on the network and managing all other processes on the blockchain. It works in tandem with the smart contract, which is responsible for generating policies on the knowledge. When requests are made, the processing nodes receive the requests from the knowledge processing center and act on them. After processing, it binds a contract to the result and the final output is given to the user.
Blockchain: This is a growing list of all the knowledge records (knowledge blocks) that are cryptographically linked. In each block, there is a hash of the previous block, a timestamp, and a transaction. Once the processing nodes have completed their tasks, and with them collectively adhering to a protocol for internode communication and validation, the transactions are appended onto a block. Once recorded, the knowledge item cannot be altered without alteration of all the subsequent blocks, which requires all the nodes to reach a consensus.
For the creation of a block, the knowledge owner has to log his knowledge into the system and this becomes a block (not verified yet), with each block having a hash value. This hash is a string of characters that is cryptographically constructed. Therefore, the blocks are reliable and each owner can trust the knowledge of its later use. Confirmation of the block is made by all the nodes in the network. All the knowledge in the network is a transaction that is stored between at least two entities involved in the process. All previous transactions related to this knowledge will be available to a user who needs knowledge. With the use of the blockchain, the knowledge will be retained and its ownership maintained and tracked in a secure environment.
Figure 2 depicts the knowledge block creation process.
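The linking described above, as an added example in Go (not code from the paper): each knowledge block carries the previous block's hash, a timestamp and a transaction, and a verifier walks the chain to locate the first block that no longer checks out. The field names, the hashing layout and the sample transactions are assumptions made for the illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Block follows the fields the text lists: previous hash, timestamp, transaction.
// Field names and the hashing layout are assumptions made for this example.
type Block struct {
	PrevHash  string
	Timestamp int64  // Unix seconds
	Tx        string // the knowledge transaction recorded in this block
	Hash      string
}

// hashOf commits to every field of the block except Hash itself.
func hashOf(b Block) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s|%d|%s", b.PrevHash, b.Timestamp, b.Tx)))
	return hex.EncodeToString(sum[:])
}

// Append links a new block to the current tip of the chain.
func Append(chain []Block, ts int64, tx string) []Block {
	b := Block{Timestamp: ts, Tx: tx}
	if len(chain) > 0 {
		b.PrevHash = chain[len(chain)-1].Hash
	}
	b.Hash = hashOf(b)
	return append(chain, b)
}

// FirstInvalid returns the index of the first block whose own hash or link to its
// predecessor does not check out, or -1 when the whole chain verifies.
func FirstInvalid(chain []Block) int {
	prev := ""
	for i, b := range chain {
		if b.PrevHash != prev || b.Hash != hashOf(b) {
			return i
		}
		prev = b.Hash
	}
	return -1
}

func main() {
	var c []Block // constructed sample transactions
	c = Append(c, 1700000000, "owner-A uploads item-1")
	c = Append(c, 1700000060, "owner-A grants reader to user-B on item-1")
	c = Append(c, 1700000120, "user-B reads item-1")
	fmt.Println(FirstInvalid(c)) // untouched chain
	c[1].Tx = "owner-A grants editor to user-B on item-1"
	fmt.Println(FirstInvalid(c)) // the edited block fails its own hash
	c[1].Hash = hashOf(c[1])
	fmt.Println(FirstInvalid(c)) // re-hashing it only moves the break to the next block
}
```

The third check is the property the text relies on: a changed record stays detectable unless every later block is rewritten as well, which the other nodes would have to accept.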
Figure 3 illustrates the various processes involved in the registration and authentication of a user. The various steps are outlined below.
(1) A user contacts the issuer for network membership registration. The parameters needed for registration will be given by the issuer, but, as in many networks, the basic parameters include a unique ID and keying parameters.
(2) The issuer generates a user membership key by fetching parameters from its key distribution center and sends the details to the verification unit.
(3) The keying parameters are given to the user.
(4) The user generates a private key to be used for all transactions by using the ECDSA protocol, which is given in detail in the sections that follow.
(5) The verifier and the user establish mutual authentication for key and/or user validity check. Details are obtained from the database. Upon a successful verification process, the user can now access knowledge items and perform actions on the knowledge items.
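The registration and authentication steps above, followed by the role check that ECDSA-RBAC places behind them, as an added example in Go (not code from the paper). The P-256 curve, the nonce-based challenge, the function names and the sample roles are assumptions, and only the user-to-verifier direction of the authentication is shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

var ( // verifier-side state; all names and sample roles are constructed for this example
	keys   = map[string]*ecdsa.PublicKey{} // user ID -> registered public key
	roles  = map[string]string{}           // user ID -> assigned role
	nonces = map[string][]byte{}           // user ID -> outstanding one-time challenge
	perms  = map[string]map[string]bool{"editor": {"read": true, "update": true}, "reader": {"read": true}}
)

// Enroll is registration: the user makes a P-256 key pair; only the public half is stored.
func Enroll(id, role string) (*ecdsa.PrivateKey, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err == nil {
		keys[id], roles[id] = &k.PublicKey, role
	}
	return k, err
}

// digest binds a signature to one user, one operation and one challenge.
func digest(id, op string, nonce []byte) []byte {
	sum := sha256.Sum256(append([]byte(id+"\x00"+op+"\x00"), nonce...))
	return sum[:]
}

// Sign is the user side of the exchange: sign the verifier's challenge.
func Sign(k *ecdsa.PrivateKey, id, op string, nonce []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, k, digest(id, op, nonce))
}

// Challenge issues a fresh nonce so a captured signature cannot be replayed.
func Challenge(id string) (n []byte, err error) {
	n = make([]byte, 32)
	if _, err = rand.Read(n); err == nil {
		nonces[id] = n
	}
	return n, err
}

// Authorize verifies the signature first; the role check only counts after that.
func Authorize(id, op string, sig []byte) (authenticated, permitted bool) {
	pub, n := keys[id], nonces[id]
	delete(nonces, id) // a challenge is single-use, whatever the outcome
	authenticated = pub != nil && n != nil && ecdsa.VerifyASN1(pub, digest(id, op, n), sig)
	return authenticated, authenticated && perms[roles[id]][op]
}

func main() {
	k, _ := Enroll("alice", "reader") // errors ignored here: they only signal an RNG failure
	n, _ := Challenge("alice")
	sig, _ := Sign(k, "alice", "read", n)
	fmt.Println(Authorize("alice", "read", sig))
}
```

Deleting a user's entry from `keys` acts as revocation in this sketch, because every later signature from that user then fails the first check.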
The ECDSA protocol is used for authentication purposes because of its robust mathematical structure and high security compared to other schemes, and the assurance of digital data unforgeability and non-repudiation. Both discrete logarithms (DL) and ECC provide adequate security levels, but, in relation to parameters, ECC utilizes smaller parameters than DL [39]. Significant benefits of using smaller parameters include faster computations, guarantee of certificates and smaller key sizes. For a public key cryptography, every user or device participating in the communication generally employs a pair of keys (private key and public key) attached with a set of operations to perform the cryptographic operations. Unlike the public key, which is known by all users or devices participating in the communication, the private key is only known by the user in question. Mostly, a section of public key algorithms may demand a set of constants such as ‘Domain parameters’ that are already defined and known by all participating devices during communication. In terms of any form of shared secret, there is no such need between communicating parties by the public key cryptography as may be required normally by its counterpart—the private key cryptography. However, the private key cryptography is faster than the public key cryptography.
ECDSA, first proposed by Vanstone [39], is an elliptic curve analog to Digital Signature Algorithm (DSA) [40]. It stems from the ECC scheme that was invented by Koblitz [41] and Miller [42]. It is based on points on an elliptic curve over a finite field. The mathematical basis for the security of elliptic curve cryptosystems is the computational intractability of the elliptic curve discrete logarithm problem (ECDLP).
The fourth process in the user registration and authentication is detailed as follows. There are some key factors to consider if the ECDSA protocol has to be successfully achieved. The steps involved are the setup phase, domain parameter generation and validation, key pair generation and public key validation, and signature generation and verification.