Self-Sovereignty Identity Management Model for Smart Healthcare System
Figure 1. IoT enabled healthcare system.
Figure 2. SSI communication sequence.
Figure 3. SSI-SHS architecture.
Figure 4. Authentication process.
Figure 5. SSI-SHS process flow scenario: the doctor accesses the IoMT data.
Figure 6. (a) Registration and (b) authentication time of stakeholders and IoMT devices.
Figure 7. (a) Registration time on network scale; (b) authentication time on network scale.
Figure 8. Contract deployment analysis.
Figure 9. Execution time analysis of off-chain storage.
Figure 10. Performance comparison.
Abstract
1. Introduction
- First, a system architecture is presented for a Self-Sovereign Identity Model for smart healthcare, including the IoMT network. The IoMT network is integrated with the smart healthcare distributed network.
- Second, the registration and authentication process for stakeholders in smart healthcare is presented, along with the registration and authentication of the installed smart device or the patient’s collected EHR in the smart healthcare system.
- Third, we have implemented a prototype of the proposed SSI model using the permissioned blockchain Hyperledger Indy to collect results for performance analysis.
- Finally, the proposed identity model is analysed with respect to the Allen identity model rules. Further performance analysis with respect to execution time and storage is presented. The proposed distributed identity model gives complete control of personal data to the data owner. The patient and other stakeholders can choose limited disclosure of personal information.
2. Preliminaries on Smart Healthcare and Identity Management
2.1. IoT Enabled Smart Healthcare Model
2.2. Digital Identity Management System
2.3. Self-Sovereign Identity (SSI)
2.4. Architecture of Self Sovereign Identity Model
- The trust triangle (issuer, holder, and verifier): Issuers are the source of credentials. The holder saves credentials issued by the issuers in its digital wallet and presents proof of claims when a verifier requests. The verifier verifies the credentials presented by the holder.
- Verifiable credentials or digital credentials: Verifiable credentials are the digital equivalent of physical credentials and are used to prove identity. The subject of the credentials creates a set of claims, and the verifiable credentials contain those claims. The issuer in the SSI model issues the verifiable credentials.
- Digital wallets: Digital wallets store credentials and other sensitive data and work with digital agents to securely exchange credentials among peers.
- Digital agent: A digital agent is software on the digital wallet that provides security to the digital wallet, participates in secure credential exchange, and forms connections via a decentralised, secure message protocol. Edge agents and cloud agents are the two general categories of digital agent.
- Decentralised Identifiers (DIDs): DIDs are decentralised, cryptographically verifiable, resolvable, and unique identifiers. DIDs are combinations of the private and public keys of a user. DIDs are decentralised by nature, which makes credentials available for verification at all times. DIDs create a secure, unique, and private peer-to-peer connection between two parties who agree to connect with each other based on their requirements. The identity owner has complete control of the DIDs.
- Verifiable Data registries: A DID can be registered with any type of decentralised network, verifiable data registry, or even exchanged peer-to-peer. Blockchain can be a vital choice for verifiable data registry because a blockchain is a highly tamper-resistant transactional distributed database that no single party controls.
- Trust Framework: The trust framework contains the set of business, legal, and technical rules to use the SSI infrastructure and enables interoperable digital trust ecosystems of any size and scale.
- The issuer issues the verifiable credentials (VCs) to the identity owner/holder. The VC includes the claims and attestation.
- The user/holder stores this information themselves. The user and the holder can sometimes be the same. Furthermore, VC holders have complete control of their VCs.
- When the user wants to access any service, they present their VC to the verifier.
- The verifier verifies the VC without contacting the issuer. The verifier connects to a distributed registry (blockchain), verifies the user, and grants the authorized services.
- The distributed verifiable registry has the VC schemas and DID, which helps in user verification.
- Limitations:
3. Literature Survey
3.1. Centralised Identity Model
3.2. Decentralised Identity Model
4. Proposed Framework
4.1. High-Level System Architecture of SSI Model for Smart Healthcare
4.2. Communication Sequence Flow
1. Once the device is active, the patient sends their own DID to the device.
2. The device creates an authentication token that includes the patient’s DID, signs this token with its private key (AuthToken1), and sends the token back to the patient.
3. The client creates another token (AuthToken2) that includes AuthToken1 and signs it with its own private key.
4. The patient calls the “DIDRegister” smart contract as the message sender and passes the device address. “DIDRegister” registers the assignment between the device and the registrar in a tentative state.
5. The patient submits AuthToken2 to a smart health system (SHS) node, which is a server application connected to the blockchain.
6. The SHS checks the validity of AuthToken2 and the registration status in “DIDRegister” (step 4). If both are valid, the identity provider node confirms the assignment in “DIDRegister”. Afterward, “DIDRegister” changes the state to active.
7. The SHS node generates AuthToken3 with a confirmation of the assignment, signs it with its private key, and sends it to the patient.
8. The client forwards AuthToken3 to the device.
9. The device verifies the signature of the SHS node against its built-in list (held in a secured environment) and, if it is valid, adds the patient to its trust list.
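The nine steps above as a runnable Go example, added here and not taken from the paper or from Hyperledger Indy. It assumes Ed25519 signatures, a token layout chosen for this example (payload plus a hash of the wrapped token), constructed `did:example` DIDs, and an in-memory map standing in for the “DIDRegister” contract; it also exercises two rejection cases.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

const patientDID, deviceDID = "did:example:patient", "did:example:device" // constructed DIDs
const pair = deviceDID + "->" + patientDID                                 // DIDRegister entry key

// Token is a signed message; Inner is the token it wraps (nil for AuthToken1 and AuthToken3).
type Token struct {
	Payload string
	Inner   *Token
	Sig     []byte
}

// signedBytes binds the payload to a hash of the wrapped token and its signature.
func (t *Token) signedBytes() []byte {
	if t.Inner == nil {
		return append([]byte{0}, t.Payload...)
	}
	h := sha256.Sum256(append(t.Inner.signedBytes(), t.Inner.Sig...))
	return append(append([]byte{1}, h[:]...), t.Payload...)
}

func sign(priv ed25519.PrivateKey, payload string, inner *Token) *Token {
	t := &Token{Payload: payload, Inner: inner}
	t.Sig = ed25519.Sign(priv, t.signedBytes())
	return t
}
func (t *Token) verify(pub ed25519.PublicKey) bool { return ed25519.Verify(pub, t.signedBytes(), t.Sig) }

// shsConfirm is steps 6-7. patPub and devPub are assumed resolved from the ledger by DID.
func shsConfirm(shs ed25519.PrivateKey, reg map[string]string, tok2 *Token, patPub, devPub ed25519.PublicKey) *Token {
	if tok2.Inner == nil || !tok2.verify(patPub) || !tok2.Inner.verify(devPub) || tok2.Inner.Payload != patientDID {
		return nil // broken signature chain, or AuthToken1 names another patient
	}
	if reg[pair] != "tentative" {
		return nil // no tentative entry from step 4
	}
	reg[pair] = "active"
	return sign(shs, "confirmed:"+pair, nil) // AuthToken3
}

// runFlow plays steps 1-9 with an optional fault: a tampered AuthToken1 or an unlisted SHS key.
func runFlow(tamper, unknownSHS bool) (state string, trusted bool) {
	devPub, devPriv, _ := ed25519.GenerateKey(nil)
	patPub, patPriv, _ := ed25519.GenerateKey(nil)
	shsPub, shsPriv, _ := ed25519.GenerateKey(nil)
	tok1 := sign(devPriv, patientDID, nil)         // steps 1-2: device signs the patient DID
	tok2 := sign(patPriv, "bind:"+deviceDID, tok1) // step 3: patient wraps AuthToken1 and signs
	reg := map[string]string{pair: "tentative"}    // step 4: DIDRegister call
	if tamper {
		tok1.Payload = "did:example:other" // altered after both signatures were made
	}
	if unknownSHS {
		_, shsPriv, _ = ed25519.GenerateKey(nil) // signer is not in the device's built-in list
	}
	tok3 := shsConfirm(shsPriv, reg, tok2, patPub, devPub) // steps 5-7
	return reg[pair], tok3 != nil && tok3.Payload == "confirmed:"+pair && tok3.verify(shsPub) // steps 8-9
}

func main() { fmt.Println(runFlow(false, false)) }
```

In the `unknownSHS` case the register entry reads active while the device still refuses the patient, because in this example the ledger state and the device trust list are updated by separate checks.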
5. Implementation
Listing 1: Example of blockchain based security implementation DDO.
Listing 2: Example of blockchain based security implementation credential schema.
- Write a new DID and DDO to the ledger.
- Update an existing DDO, for example to rotate keys.
- Define a new schema name, version, and list of attributes for new credentials.
- Define a revocation registry for specific credentials.
- Update the revocation registry when the issuer issues or revokes credentials.
6. Result and Analysis
6.1. Identity Framework Evaluation and Result Analysis
SSI-SHS Identity Model Evaluation
- Existence: NIST defines that every digital identity must have a non-digital existence that manages and represents the online identity. In the proposed architecture, the device and the stakeholder generate their public and private key pair and register themselves on smart healthcare. The main focus is on the patient and his own devices.
- Control: The owner’s “control” over their identity is proposed by Allen and Cameron. This principle defines that users must have control over their identity and be able to decide which part of their identity they want to share. They should be able to decide which data they share with others, for how long, and be able to refer to, update or hide the identity. In the proposed framework, multiple DIDs can be derived from a single key pair with different DDOs.
- Consent: The user’s identity should always be used with the user’s agreement. The user should decide which information is shared and with whom. Further, the user should decide the time, meaning the period during which the other party can access this information.
- Protection: To preserve the freedom of the user and to keep the balance in the system, a censorship-resistant, independent, and force-resilient algorithm needs to be run in a decentralised manner.
- Minimization: This law describes that the disclosure of credentials should be as minimal as possible. Minimum disclosure protects the privacy of the user. The proposed framework uses zero-knowledge proofs (ZKP) for verifiable credential presentation. The ZKP allows cryptographically proven claims without sharing the actual information. The claims and proofs are present on the identity ledger, where a verifier can verify the specific claims.
- Persistence: The lifetime of the digital address of identity/identifiers should be under the user’s control. The identifier should exist till the user wants it. In the proposed system, the revocation of the DID is covered, which fulfils this requirement.
- One further principle could be privacy-preserving. Even though this is already partly integrated without explicitly saying it, the privacy-preserving design of services plays a key role in Self-Sovereign Identity. Reselling user-related information is a large business on the internet.
- Access: The user should be able to access their identity at any time. No intermediaries should prevent the user from accessing their identity. Data or identity should be distributed and accessible to authorized parties only. In the proposed framework, only public information is available on the ledger, and the stakeholders keep their personal information (or PII) on local storage. An Access Control List (ACL) is also designed on the blockchain to prevent unauthorized access. If any party (doctor, hospital, pharmaceuticals, and other stakeholders) wants to access others’ information, they must first authenticate themselves in the system.
- Transparency: The identity system must be transparent to each stakeholder. This leads to high trust and continuous improvement. Further, the participants can check each other’s actions and prevent and detect malicious actions. The proposed framework is designed on a blockchain distributed network. Blockchain is the solution for transparency and trust.
- Interoperability: The identities should be usable for many services; they should not be limited to a single service.
6.2. Security Analysis of SSI-SHS
6.2.1. Issuance Process Security Analysis
- The attacker obtains the data exchanged between the issuer and holder;
- Man in the middle attacks over DID communication;
- Key Exposure attack;
- DDO forgery attack.
6.2.2. Authentication Process Security Analysis:
- Wallet attacks;
- Man in the middle attacks on DID communication;
- Authentication bypass attack.
6.3. Performance Analysis:
Execution Time Analysis
7. Conclusions
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Acknowledgments
Conflicts of Interest
User’s Control | Security | Portability |
---|---|---|
Users must have control of their data, such as which information can be seen by others | Keep identity information secure | Users can move anywhere without being tied to a provider |
Existence | Protection | Access |
Control | Persistence | Transparency |
Consent | Minimization | Interoperability |
Persistence | | |
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.
© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Bai, P.; Kumar, S.; Aggarwal, G.; Mahmud, M.; Kaiwartya, O.; Lloret, J. Self-Sovereignty Identity Management Model for Smart Healthcare System. Sensors 2022, 22, 4714. https://doi.org/10.3390/s22134714