DeAuth: A Decentralized Authentication and Authorization Scheme for Secure Private Data Sharing

Authors

  • Phillipe Austria, Department of Computer Science, Howard R. Hughes College of Engineering, University of Nevada, Las Vegas, Las Vegas, NV, USA, https://orcid.org/0000-0002-3622-3973
  • Yoohwan Kim, Department of Computer Science, Howard R. Hughes College of Engineering, University of Nevada, Las Vegas, Las Vegas, NV, USA, https://orcid.org/0000-0002-7321-9527
  • Ju-Yeon Jo, Department of Computer Science, Howard R. Hughes College of Engineering, University of Nevada, Las Vegas, Las Vegas, NV, USA

DOI:

https://doi.org/10.37256/cnc.2220244281

Keywords:

decentralized identity, access control, blockchain, smart contracts, InterPlanetary File System (IPFS)

Abstract

The sharing of private information is a daunting, multifaceted, and expensive undertaking. Furthermore, identity management is an additional challenge that poses significant technological, operational, and legal obstacles. Present solutions and their accompanying infrastructures rely on centralized models that are susceptible to hacking and can hinder data control by the rightful owner. Consequently, blockchain technology has generated interest in the fields of identity and access control. This technology is viewed as a potential solution due to its ability to offer decentralization, transparency, provenance, security, and privacy benefits. Nevertheless, a completely decentralized and private solution that enables data owners to control their private data has yet to be presented. In this research, we introduce DeAuth, a novel decentralized authentication and authorization scheme for secure private data transfer. DeAuth combines blockchain, smart contracts, decentralized identity, and distributed peer-to-peer (P2P) storage to give users more control of their private data, and permissioning power to share without centralized services. For this scheme, identity is proven using decentralized identifiers and verifiable credentials, while authorization to share data is performed using the blockchain. A prototype was developed using the Ethereum Blockchain and the InterPlanetary File System, a P2P file sharing protocol. We evaluated DeAuth through a use-case study and metrics such as security, performance, and cost. Our findings indicate DeAuth to be a viable alternative to using centralized services; however, the underlying technologies are still in their infancy and require more testing before they can supplant traditional services.

Published

2024-07-05

How to Cite

Austria, P., Kim, Y., & Jo, J.-Y. (2024). DeAuth: A Decentralized Authentication and Authorization Scheme for Secure Private Data Sharing. Computer Networks and Communications, 2(2), 1–46. https://doi.org/10.37256/cnc.2220244281