Blockchain-Based Identity Management System Prototype for Enhanced Privacy and Security
Abstract
1. Introduction
- (1)
- Enhance user privacy by avoiding the third-party control.
- (2)
- Improve confidentiality, integrity, and performance through utilizing ECIES encryption algorithm.
- (3)
- Solve issues related to centralized IDMS, such as SPOF.
- (4)
- Provide the user full control over their attributes data.
- (5)
- Introduce a prototype implementation for a secure blockchain-based IDMS.
2. Literature Review
2.1. Overview of IDMSs Approaches
2.2. Centralized IDMSs
2.3. Blockchain-Based IDMSs
3. Proposed Blockchain-Based IDMS Prototype
3.1. Smart Contracts
3.2. System Design and Implementation
3.2.1. System Objectives
- ▪
- Addressing centralized IDM challenges: centralization, SPOF, third-party control, data disclosure, and user tracking.
- ▪
- Utilizing blockchain features: decentralization, distribution, and P2P communication to eliminate central control and user tracking.
- ▪
- Enhancing privacy using smart contracts to enable direct user-to-SP communication without third-party involvement.
- ▪
- Implementing ECIES encryption to protect user attributes from unauthorized access and improve the performance of cryptographic operations.
3.2.2. IDMS and Blockchain Integration Solution
- ▪
- Ethereum public blockchain ensuring user control without hierarchical authority.
- ▪
- Distributed architecture eliminating SPOF risks.
- ▪
- Smart contracts facilitating private user-SP interactions, bypassing third parties.
- ▪
- Service tokens containing encrypted attributes signed by the admin, ensuring privacy.
- ▪
- Minimum data disclosure principle combined with ECIES encryption for user anonymity and protection.
3.3. Implementation Environment
3.4. System Design
- ▪
- Admin (IDP) functions:
- ▪
- User functions:
- ▪
- SP functions:
- ▪
- The InterPlanetary File System (IPFS):
3.5. ECIES and Minimum Data Disclosure
- The user encrypts attributes using ECIES, which employs the user’s private key and the IDP’s public key to generate a shared secret that is fed to the KDF. Then, the KDF derives the AES shared key for encryption.
- On the IDP side, the decryption key is generated using the IDP’s private key and the user’s public key in a similar method adopted in step 1. This allows the IDP to decrypt and verify the hash using the AES shared key. The IDP signs each attribute, re-encrypts them, and returns them to the user, storing only the hash on-chain.
- The user encrypts the service token (containing IDP-signed attributes) using ECIES, now utilizing the user’s private key and the SP’s public key. The SP decrypts the service token and verifies the IDP signature with the IDP’s public key, without direct involvement from the IDP.
- Attributes are encrypted individually to adhere to the minimum data disclosure principle. The user selects which information to include in the service token, allowing for a mix of signed and unsigned attributes (e.g., a username requiring a signature, but a nickname for gaming or shopping not requiring one).
3.6. System Processes
3.6.1. User Page
- ▪
- The user adds attributes and encrypts them by clicking the Encrypt button.
- ▪
- The admin provides a public key to facilitate ECIES encryption by clicking Provide Public Key.
- ▪
- After encryption, the admin receives a token to sign the user attributes.
3.6.2. Admin Side
- ▪
- The admin retrieves a token by clicking Get Token, selecting the token ID, and decrypting attributes individually.
- ▪
- Decryption is performed per attribute, allowing the user to selectively send attributes.
- ▪
- Encrypted and decrypted attributes are displayed for signature completion.
- ▪
- Once all attributes are decrypted, the admin verifies and signs them using Verify and Sign.
- ▪
- After signing, the admin clicks Save Signatures to store attribute hashes on-chain while never storing the actual attributes.
- ▪
- The user then creates a service token by selecting a SP address, adding extra service attributes if necessary, and choosing which signed attributes to include.
- ▪
- The user can set a token expiration date and encrypt the service token with ECIES using the SP’s public key. The token is then automatically sent to the SP.
3.6.3. SP Side
- ▪
- The SP receives the service token, which appears on their page.
- ▪
- The SP decrypts the token by clicking its address, revealing user service attributes and verified signed attributes.
- ▪
- A message confirms verification.
3.7. Identity Token Verification
3.8. IDMS Workflow
4. Result and Discussion
4.1. Proposed Solutions and Achieved Improvements
4.1.1. Decentralization and SPOF Mitigation
4.1.2. Eliminating Third-Party Control
4.1.3. Enhanced Data Privacy and Minimal Disclosure
4.1.4. Identity Theft Prevention
4.2. Security Analysis
4.2.1. Single Point of Failure (SPOF)
4.2.2. 51% Attack
4.2.3. Man-in-the-Middle Attack
4.2.4. Anonymity
4.2.5. Integrity
4.2.6. Privacy
4.2.7. Security
4.3. The Use of ECIES
4.4. ECIES and ECDSA Algorithms Comparison
- ▪
- Pie Chart—Gas Consumption Comparison
- ▪
- Line Chart—Time Comparison of Encryption Methods
4.5. Alignment of the Proposed IDMS with the STRIDE Threat Model
- (1)
- Spoofing: Spoofing was mitigated through Ethereum address-based identity binding and cryptographic signatures.
- (2)
- Tampering: The threat of tempering data was addressed by storing hashed attributes on-chain, where any unauthorized modification triggers verification failure.
- (3)
- Repudiation: This threat was handled by using digitally signed transactions and attributes that are recorded immutably on the blockchain, providing an auditable history. Thus, the use of cryptographic digital signature offers non-repudiation service effectively.
- (4)
- Information Disclosure: The threat of information disclosure was effectively minimized via ECIES encryption and the principle of minimum data disclosure adopted in the proposed IDMS. Only hashed or encrypted data is exposed to offer enhanced privacy and confidentiality.
- (5)
- Denial of Service: This threat was reduced by using a decentralized network (Ethereum public blockchain), ensuring redundancy.
- (6)
- Elevation of Privilege: This threat is prevented through strict role definitions enforced by smart contracts, which define access and verification capabilities for Admins, Users, and service providers.
4.6. Limitations of the Proposed IDMS
5. Conclusions
Author Contributions
Funding
Data Availability Statement
Acknowledgments
Conflicts of Interest
Abbreviations
IDMS | Identity Management System |
ECIES | Elliptic Curve Integrated Encryption Scheme |
SP | Service Provider |
IDP | Identity Provider |
ECDSA | Elliptic Curve Digital Signature Algorithm |
KDF | Key Derivation Function |
DLT | Distributed Ledger Technology |
SPOF | Single Point of Failure |
References
- Aitzhan, N.; Svetinovic, D. Security and Privacy in Decentralized Energy Trading through Multi-Signatures, Blockchain and Anonymous Messaging Streams. IEEE Trans. Dependable Secur. Comput. 2016, 15, 840–852. [Google Scholar] [CrossRef]
- Castiglione Maldonado, F. Introduction to Blockchain and Ethereum: Use Distributed Ledgers to Validate Digital Transactions in a Decentralized and Trustless Manner; Packt Publishing: Birmingham, UK, 2018. [Google Scholar]
- Joshi, J.; Nepal, S.; Zhang, Q.; Zhang, L.-J. Blockchain—ICBC 2019. In Proceedings of the Blockchain—ICBC 2019: Second International Conference, Held as Part of the Services Conference Federation, SCF 2019, San Diego, CA, USA, 25–30 June 2019; Springer: Cham, Switzerland, 2019. [Google Scholar]
- Bao, Z.; Wang, Q.; Shi, W.; Wang, L.; Lei, H.; Chen, B. When Blockchain Meets SGX: An Overview, Challenges, and Open Issues. IEEE Access 2020, 8, 170404–170420. [Google Scholar] [CrossRef]
- L’Amrani, H.; Berroukech, B.; Ajhoun, R.; El Idrissi, Y. Identity Management Systems: Laws of Identity for Models′ Evaluation. In Proceedings of the 2016 4th IEEE International Colloquium on Information Science and Technology (CiSt), Tangier, Morocco, 24–26 October 2016. [Google Scholar]
- Jøsang, A.; AlZomai, M.; Suriadi, S. Usability and Privacy in Identity Management Architectures. In Proceedings of the Fifth Australasian Symposium on ACSW Frontiers, Ballarat, Australia, 30 January–2 February 2007. [Google Scholar]
- Agudo, I. Digital Identity and Identity Management Technologies. Serbian Publ. InfoReview Joins UPENET Netw. CEPIS Soc. J. Mag. 2010, XI, 6–12. [Google Scholar]
- Alrodhan, W.; Mitchell, C. Improving the Security of CardSpace. EURASIP J. Inf. Secur. 2009, 2009, 1–8. [Google Scholar] [CrossRef]
- Alrodhan, W. Privacy and Practicality of Identity Management Systems: Academic Overview; Vdm Verlag Dr. Müller: Saarbrücken, Germany, 2011. [Google Scholar]
- Ferdous, M.S.; Poet, R. A Comparative Analysis of Identity Management Systems. In Proceedings of the 2012 International Conference on High Performance Computing & Simulation (HPCS), Madrid, Spain, 2–6 July 2012. [Google Scholar]
- Dai, Z.; Zhou, W.; Deakin University, School of Information Technology. The Federated Identity and Access Management Architectures: A Literature Survey; Deakin University, School of Information Technology: Geelong, VIC, Australia, 2005. [Google Scholar]
- Alrodhan, W.; Mitchell, C. Enhancing User Authentication in Claim-Based Identity Management. In Proceedings of the 2010 International Symposium on Collaborative Technologies and Systems, Chicago, IL, USA, 17–21 May 2010. [Google Scholar]
- Bouras, M.; Lu, Q.; Dhelim, S.; Ning, H. A Lightweight Blockchain-Based IoT Identity Management Approach. Future Internet 2021, 13, 24. [Google Scholar] [CrossRef]
- Stockburger, L.; Kokosioulis, G.; Mukkamala, A.; Mukkamala, R.; Avital, M. Blockchain-enabled Decentralized Identity Management: The Case of Self-sovereign Identity in Public Transportation. Blockchain Res. Appl. 2021, 2, 100014. [Google Scholar] [CrossRef]
- Sung, C.; Park, J. Understanding of blockchain-based identity management system adoption in the public sector. J. Enterp. Inf. Manag. 2021, 34, 1481–1505. [Google Scholar] [CrossRef]
- Niu, J.; Ren, Z. A self-sovereign identity management scheme using smart contracts. MATEC Web Conf. 2021, 336, 08005. [Google Scholar] [CrossRef]
- Outchakoucht, A.; Es-Samaali, H.; Philippe, J. Dynamic Access Control Policy based on Blockchain and Machine Learning for the Internet of Things. Int. J. Adv. Comput. Sci. Appl. 2017, 8, 417–424. [Google Scholar] [CrossRef]
- Xiang, X.; Wang, M.; Fan, W. A Permissioned Blockchain-Based Identity Management and User Authentication Scheme for E-Health Systems. IEEE Access 2020, 8, 171771–171783. [Google Scholar] [CrossRef]
- Liao, C.-H.; Guan, X.-Q.; Cheng, J.-H.; Yuan, S.-M. Blockchain-Based Identity Management and Access Control Framework for Open Banking Ecosystem. Futur. Gener. Comput. Syst. 2022, 135, 450–466. [Google Scholar] [CrossRef]
- Feng, X.; Cui, K.; Jiang, H.; Li, Z. EBAS: An Efficient Blockchain-Based Authentication Scheme for Secure Communication in Vehicular Ad Hoc Network. Symmetry 2022, 14, 1230. [Google Scholar] [CrossRef]
- Akhter, A.F.M.S.; Ahmed, M.; Shah, A.F.M.S.; Anwar, A.; Kayes, A.S.M.; Zengin, A. A Blockchain-Based Authentication Protocol for Cooperative Vehicular Ad Hoc Network. Sensors 2021, 21, 1273. [Google Scholar] [CrossRef] [PubMed]
- Figueroa-Lorenzo, S.; Añorga Benito, J.; Arrizabalaga, S. Modbus Access Control System Based on SSI over Hyperledger Fabric Blockchain. Sensors 2021, 21, 5438. [Google Scholar] [CrossRef]
- Cocco, L.; Tonelli, R.; Marchesi, M. Blockchain and Self Sovereign Identity to Support Quality in the Food Supply Chain. Future Internet 2021, 13, 301. [Google Scholar] [CrossRef]
- Cui, P.; Dixon, J.; Guin, U.; Dimase, D. A Blockchain-Based Framework for Supply Chain Provenance. IEEE Access 2019, 7, 157113–157125. [Google Scholar] [CrossRef]
- Wang, S.; Li, D.; Zhang, Y.; Chen, J. Smart Contract-Based Product Traceability System in the Supply Chain Scenario. IEEE Access 2019, 7, 115122–115133. [Google Scholar] [CrossRef]
- Ferdousi, T.; Gruenbacher, D.; Scoglio, C.M. A Permissioned Distributed Ledger for the US Beef Cattle Supply Chain. IEEE Access 2020, 8, 154833–154847. [Google Scholar] [CrossRef]
- Javed, I.T.; Alharbi, F.; Bellaj, B.; Margaria, T.; Crespi, N.; Qureshi, K.N. Health-ID: A Blockchain-Based Decentralized Identity Management for Remote Healthcare. Healthcare 2021, 9, 712. [Google Scholar] [CrossRef]
- Zhu, Y.; Huang, C.; Hu, Z.; Al-Dhelaan, A.; Al-Dhelaan, M. Blockchain-Enabled Access Management System for Edge Computing. Electronics 2021, 10, 1000. [Google Scholar] [CrossRef]
- Ra, G.; Kim, T.; Lee, I. VAIM: Verifiable Anonymous Identity Management for Human-Centric Security and Privacy in the Internet of Things. IEEE Access 2021, 9, 75945–75960. [Google Scholar] [CrossRef]
- Stamatellis, C.; Papadopoulos, P.; Pitropakis, N.; Katsikas, S.; Buchanan, W.J. A Privacy-Preserving Healthcare Framework Using Hyperledger Fabric. Sensors 2020, 20, 6587. [Google Scholar] [CrossRef] [PubMed]
- Kassem, J.A.; Sayeed, S.; Marco-Gisbert, H.; Pervez, Z.; Dahal, K. DNS-IdM: A Blockchain Identity Management System to Secure Personal Data Sharing in a Network. Appl. Sci. 2019, 9, 2953. [Google Scholar] [CrossRef]
- Xu, R.; Chen, Y.; Blasch, E.; Chen, G. BlendCAC: A Smart Contract Enabled Decentralized Capability-Based Access Control Mechanism for the IoT. Computers 2018, 7, 39. [Google Scholar] [CrossRef]
- Wang, S.; Pei, R.; Zhang, Y. EIDM: A Ethereum-Based Cloud User Identity Management Protocol. IEEE Access 2019, 7, 115281–115291. [Google Scholar] [CrossRef]
- Gutierrez-Aguero, I.; Anguita, S.; Larrucea, X.; Gomez-Goiri, A.; Urquizu, B. Burnable Pseudo-Identity: A Non-Binding Anonymous Identity Method for Ethereum. IEEE Access 2021, 9, 108912–108923. [Google Scholar] [CrossRef]
- Gruner, A.; Muhle, A.; Meinel, C. ATIB: Design and Evaluation of an Architecture for Brokered Self-Sovereign Identity Integration and Trust-Enhancing Attribute Aggregation for Service Provider. IEEE Access 2021, 9, 138553–138570. [Google Scholar] [CrossRef]
- Moreno, R.T.; Garcia-Rodriguez, J.; Bernabe, J.B.; Skarmeta, A. A Trusted Approach for Decentralised and Privacy-Preserving Identity Management. IEEE Access 2021, 9, 105788–105804. [Google Scholar] [CrossRef]
- Sun, S.; Du, R.; Chen, S.; Li, W. Blockchain-Based IoT Access Control System: Towards Security, Lightweight, and Cross-Domain. IEEE Access 2021, 9, 36868–36878. [Google Scholar] [CrossRef]
- Li, H.; Pei, L.; Liao, D.; Chen, S.; Zhang, M.; Xu, D. FADB: A Fine-Grained Access Control Scheme for VANET Data Based on Blockchain. IEEE Access 2020, 8, 85190–85203. [Google Scholar] [CrossRef]
- Desabathina, N.V.M.; Merugu, S.; Gunjan, V.K.; Kumar, B.S. Agricultural Crowdfunding Through Blockchain. In ICDSMLA 2020; Kumar, A., Senatore, S., Gunjan, V.K., Eds.; Springer: Singapore, 2022; Volume 783. [Google Scholar]
- Verhelst, R. Implementing SSI: Comparing Uport, Sovrin and IRMA. Available online: https://info.vismaconnect.nl/blog/different-approaches-ssi (accessed on 12 February 2023).
- Bouras, M.A.; Lu, Q.; Zhang, F.; Wan, Y.; Zhang, T.; Ning, H. Distributed Ledger Technology for eHealth Identity Privacy: State of The Art and Future Perspective. Sensors 2020, 20, 483. [Google Scholar] [CrossRef] [PubMed]
- Banik, R. Tutorial: Building a web3 Frontend with React. 2021. Available online: https://medium.com/scrappy-squirrels/tutorial-building-a-web3-frontend-with-react-e0a87ea3bad (accessed on 12 February 2023).
- Docs, M. Introduction|MetaMask Docs. Available online: https://docs.metamask.io/guide/ (accessed on 12 February 2023).
- Frankenfield, J. 51% Attack. 2019. Available online: https://www.investopedia.com/terms/1/51-attack.asp (accessed on 16 February 2023).
- Das, D.; Dasgupta, K.; Biswas, U. A secure blockchain-enabled vehicle identity management framework for intelligent transportation systems. Comput. Electr. Eng. 2023, 105, 108535. [Google Scholar] [CrossRef]
- Shostack, A. Threat Modeling: Designing for Security; John Wiley & Sons: Hoboken, NJ, USA, 2014. [Google Scholar]
Method | Average Time Consumption (ms) | Average Gas Cost |
---|---|---|
ECIES | 2.55 | 1,019,742 |
ECDSA with RSA | 3.29 | 1,754,102 |
ECIES with ECIES | 2.84 | 1,298,475 |
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |
© 2025 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Alanzi, H.M.; Alkhatib, M. Blockchain-Based Identity Management System Prototype for Enhanced Privacy and Security. Electronics 2025, 14, 2605. https://doi.org/10.3390/electronics14132605
Alanzi HM, Alkhatib M. Blockchain-Based Identity Management System Prototype for Enhanced Privacy and Security. Electronics. 2025; 14(13):2605. https://doi.org/10.3390/electronics14132605
Chicago/Turabian StyleAlanzi, Haifa Mohammed, and Mohammad Alkhatib. 2025. "Blockchain-Based Identity Management System Prototype for Enhanced Privacy and Security" Electronics 14, no. 13: 2605. https://doi.org/10.3390/electronics14132605
APA StyleAlanzi, H. M., & Alkhatib, M. (2025). Blockchain-Based Identity Management System Prototype for Enhanced Privacy and Security. Electronics, 14(13), 2605. https://doi.org/10.3390/electronics14132605