Secretation: Toward a Decentralised Identity and Verifiable Credentials Based Scalable and Decentralised Secret Management Solution

Abstract

Secrets such as passwords, encryption keys, and certificates are used to assist in protecting access to resources such as computing devices, customer data and other information. Unauthorised access to resources can cause significant disruption and/or disastrous consequences. Given the importance of protecting these secrets to the security and privacy of many software systems, many solutions have been proposed. These solutions take two main directions: either securely store the secret and implement an access control mechanism, or divide the secret into a set of shares and distribute them in different machines (such as the Shamir's secret sharing approach or multi-party computation MPC). However, apart from the MPC approach, they all share the same limitation: once the consumer receives the secret, it can be leaked and be used by any malicious actor. We believe that the secret management should not be centralised and that the secret should never be sent to the receiver. Therefore, in this paper we propose, Secretation, a new approach for managing the secrets in a decentralised way by leveraging decentralised identity concepts such as verifiable credential technologies, password-authenticated key exchange protocols and multi-party computation. The result is a more scalable and secure solution that significantly reduces the risk of leaking the secrets.