Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Beyond Certificates: 6G-ready Access Control for the Service-Based Architecture with Decentralized Identifiers and Verifiable Credentials

Sandro Rodriguez Garzon, Hai Dinh Tuan, Maria Mora Martinez, Axel Küpper, Hans Joachim Einsiedler, Daniela Schneider

TL;DR

The paper tackles secure cross-domain access control in a 6G Service-Based Architecture by replacing X.509 certificates and OAuth2 tokens with Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs). It introduces a concept where NFs acquire DIDs and present AuthN and AuthZ VCs issued by dedicated Identity and Permission Management Functions (IPMFs), with delegations encoded as Del VCs to reflect organizational hierarchies. A prototype built on free5GC, Aries ACA-Py, and Hyperledger Indy demonstrates mutual NF identification and one-way authorization via DIDComm-enabled sidecars, achieving an approximate 13.8% overhead in a DID/VC-enabled workflow compared to a baseline UE registration. The work argues that this decentralization reduces single points of failure in cross-domain trust, unifies access control across stakeholders, and enables dynamic permission management, while noting current transport-layer integration gaps and governance considerations for a global, multi-operator ecosystem.

Abstract

Next generation mobile networks are poised to transition from monolithic structures owned and operated by single mobile network operators into multi-stakeholder networks where various parties contribute with infrastructure, resources, and services. However, a federation of networks and services brings along a crucial challenge: Guaranteeing secure and trustworthy access control among network entities of different administrative domains. This paper introduces a novel technical concept and a prototype, outlining and implementing a 5G Service-Based Architecture that utilizes Decentralized Identifiers and Verifiable Credentials instead of traditional X.509 certificates and OAuth2.0 access tokens to authenticate and authorize network functions among each other across administrative domains. This decentralized approach to identity and permission management for network functions reduces the risk of single points of failure associated with centralized public key infrastructures. It unifies access control mechanisms and lays the groundwork for lesser complex and more trustful cross-domain key management for highly collaborative network functions in a multi-party Service-Based Architecture of 6G.

Beyond Certificates: 6G-ready Access Control for the Service-Based Architecture with Decentralized Identifiers and Verifiable Credentials

TL;DR

The paper tackles secure cross-domain access control in a 6G Service-Based Architecture by replacing X.509 certificates and OAuth2 tokens with Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs). It introduces a concept where NFs acquire DIDs and present AuthN and AuthZ VCs issued by dedicated Identity and Permission Management Functions (IPMFs), with delegations encoded as Del VCs to reflect organizational hierarchies. A prototype built on free5GC, Aries ACA-Py, and Hyperledger Indy demonstrates mutual NF identification and one-way authorization via DIDComm-enabled sidecars, achieving an approximate 13.8% overhead in a DID/VC-enabled workflow compared to a baseline UE registration. The work argues that this decentralization reduces single points of failure in cross-domain trust, unifies access control across stakeholders, and enables dynamic permission management, while noting current transport-layer integration gaps and governance considerations for a global, multi-operator ecosystem.

Abstract

Next generation mobile networks are poised to transition from monolithic structures owned and operated by single mobile network operators into multi-stakeholder networks where various parties contribute with infrastructure, resources, and services. However, a federation of networks and services brings along a crucial challenge: Guaranteeing secure and trustworthy access control among network entities of different administrative domains. This paper introduces a novel technical concept and a prototype, outlining and implementing a 5G Service-Based Architecture that utilizes Decentralized Identifiers and Verifiable Credentials instead of traditional X.509 certificates and OAuth2.0 access tokens to authenticate and authorize network functions among each other across administrative domains. This decentralized approach to identity and permission management for network functions reduces the risk of single points of failure associated with centralized public key infrastructures. It unifies access control mechanisms and lays the groundwork for lesser complex and more trustful cross-domain key management for highly collaborative network functions in a multi-party Service-Based Architecture of 6G.
Paper Structure (8 sections, 5 figures)

This paper contains 8 sections, 5 figures.

Table of Contents

  1. Introduction
  2. Preliminaries
  3. Service-Based Architecture
  4. Decentralized Identity Management
  5. Related Work
  6. Concept
  7. Implementation
  8. Conclusion

Figures (5)

  • Figure 1: Issuance and presentation of DID-bound verifiable credentials.
  • Figure 2: Exemplary domain-specific issuer hierarchies assembled through right delegations and exemplary identity and permission attestations for NFs.
  • Figure 3: NF-sidecar architecture with DIDComm-tunneled HTTP/2 communication link between NFs.
  • Figure 4: Combined mutual identification and one-way authorization among NFs through the presentation of AuthN and AuthZ VCs.
  • Figure 5: Exemplary call of an NF's SBI (service producer) by another NF (service consumer) through their sidecars via the secured DIDComm channel.