
Capitalizing on Self Sovereign Identity for Machines [Part Two]

March 9, 2021 | Sven Feuchtmüller, filancore

In Part One of this blog series, we discussed the concept of Self-Sovereign Identity (SSI). To recap, the intent of SSI is to make identities versatile enough for essentially every setting one can imagine. In the world at large, an identity is basically a digital certificate that you can use to authenticate yourself or a machine. The SSI idea goes a bit further. It starts with a base identity (called a decentralized identifier, or DID) and builds on it by enabling us to sign arbitrary claims and prove those claims to third parties. These claims are called verifiable credentials and can be used to identify and sign any declarative statement whatsoever.

What do the applications of SSI mean for machine manufacturers? Using SSI, they can not only provide their machines with a decentralized and secure identity, but also enhance authentication and authorization through verifiable credentials issued on top of these identities. With an SSI solution that filancore built with Venafi for machine identities, organizations can communicate with, authenticate and authorize these devices, and reduce their exposure to attack or counterfeiting. In addition, new business models are emerging that focus on guaranteeing the authenticity of generated and transmitted data by having the machine or sensors—as holders of the decentralized identity—sign the data themselves.

But if there is one thing we know in IT, it is that you never have full security, ever. It doesn't exist. You need to be agile enough to respond quickly if and when a security incident occurs. Crypto-agility plays a vital role in avoiding or mitigating the worst-case scenario: stolen private keys.

To minimize your exposure by supporting crypto-agility, you need to ensure that security administrators can identify potential issues as quickly as they arise. But more importantly, your administrators need the ability to recover quickly when those issues eventually do come up. To do this, they will need visibility into the usage of keys and certificates throughout the enterprise. Administrators must also be able to collect detailed intelligence about the cryptographic processes used in your machine identities. And finally, they should be able to automatically remediate security risks as soon as vulnerabilities and compromises arise.

Machine identities are based on private keys. Credentials and certificates rely on private keys, and if they are stolen, then it can be game over. That being said, we know that cybercriminals often balance the amount of effort it costs to attack a system with the reward received when attacking it. SSI can actually deter attacks by minimizing the reward, because it spreads out your identities across a broader population.

If attackers gain access to the whole identity and everything that's connected to it, that's the absolute worst case (not to mention access to everything in between). But the good thing is that with SSI, you can give the identity to whoever is actually the subject of the identity. If you spread the identities out across everyone that's using them, and attackers target one person, they can get that one identity and nothing more. Because not much damage can be done in this scenario, it minimizes the risk profile.

Still, when worst-case scenarios arise, SSI offers different methods for supporting crypto-agility and recovering from stolen private keys. The method you choose will depend on the exact scenario. You can do a key rotation, which updates your identity in such a way that everyone knows that the currently valid key is not the one that was stolen. This approach basically issues a new key on top of the old one. Another method is to re-issue yourself a completely new identity and get all the claims reissued. That's a bit more cumbersome, because you have to have your claims re-issued by whoever created them in the first place.

Ultimately, your goal is to make the effort required to attack quite high. The great thing about the integrated solution from filancore and Venafi is that the private key stays on the secure end device where it was created, such as on an HSM. The private key is never sent back to Venafi, so there is no central repository of the private key in that case, which makes the key very secure in that scenario.

Optimize for Crypto-agility

Keys and certificates are used throughout your network to serve as machine identities and to authorize and protect a wide range of machine-to-machine connections and communications. But this landscape of machine identities is constantly changing, and it requires constant vigilance to maintain strong cryptography across your entire environment. You need crypto-agility to make changes to every cryptographic security asset at a moment's notice without increasing security risks or disrupting the ongoing availability of critical applications and services.

The filancore integration for Verifiable Credentials is available now. You can learn more from the Venafi Marketplace.


This blog features solutions from the ever-growing Venafi Ecosystem, where industry leaders are building and collaborating to protect more machine identities across organizations like yours. Learn more about how the Venafi Technology Network is evolving above and beyond just technical integrations.

