Signet-ring: A Framework for Authenticating Sources and Lineages of Digital Objects

ABSTRACT

Verifying sources of information is vital in assessing the credibility of facts and data in our increasingly digital world; often, the verification of the sources is as necessary as the information they provide. To battle misinformation and disinformation through digital objects, it is salient to provide consumers the ability to verify whether or not information (or data) provided by such sources was altered prior to its use (e.g., publication). Furthermore, if such an object is altered, it would also be essential to provide a means to trace back such information throughout its editing lineage in a verifiable manner. This research aims to fill the gaps in verifiable proof of sources of information, software supply-chain, and objects in other similarly critical domains.

We propose Signet-ring, a framework that provides referenceable documentation of the relationship between a digital object and its sources. In addition, the framework documents the object’s lifetime as it goes through various edits (lineage), including those by others within the framework. As such, Signet-ring provides a verifiable means for anyone to authenticate the sources of any digital object registered to it and track the object’s progression in time. This framework can be used, for example, by journalists and publishers to verify the sources of their materials (e.g., videos or images) and provide this proof to their readers for their verification. This, in turn, introduces a new layer of trust to the public in the reporting they consume.

Another noteworthy use case for Signet-ring is aiding the assurance process in software supply chains. The various stages and components of software can be certified using Signet-ring to provide verifiable checkpoints of revisions that pass assurance guarantees. For example, consider a program or a change-list (e.g., a pull request) that one person authentically creates and registers within Signet-ring. Suppose this code becomes visible, and any third-party modifications (not authenticated by the framework) are available. Then, only the change within the framework will have a traceable relationship to the source and its lineage. Thus, the framework enables various stakeholders to verify the relationship between sources and software objects, including changes made to revisions of software with certified assurances.

In this presentation, we present the architecture of the Signet-ring. Signet-ring registers and authenticates all participants in the origination and publication process, potentially including the sources, publishers, and applications. It manages the following critical workflows: (1) documentation and verification of the relationships between objects and sources (certification), (2) documentation and verification of the relationships between different related objects (lineage), and (3) authentication of sources to each other (handshake). Furthermore, Signet-ring supports the lifecycle management of source identities (using cryptographic keys) and relationships between objects and sources. This lifecycle management includes the revocation of source identity keys and previously accepted object-source relationships.

Authors

Mahesh Arumugam is currently pursuing Master of Information and Data Science (MIDS) program at University of California, Berkeley.  He also works full-time as an Architect at Zscaler, Inc. He received his Ph.D. degree from Michigan State University. His interests lie in data science, data security and privacy, and distributed systems. 

Catherine Jimerson is the Purchasing Manager for the Waukegan, Illinois School District. She has a BA in Management from the University of Illinois. She will graduate with a Master of Information and Data Science (MIDS) from the University of California, Berkeley in 2023. She has visited over a dozen countries as well as lived in Beijing for a semester and Taiwan for a year. She knows Mandarin. She has done two research projects on how perceptions affect decisions. Catherine is interested in the ethical uses of technology, data management, interpretability, government, and public policy.

Diamond Rorie is in the United States Military in a Technology Management role where she maintains, supports and manages key information technology infrastructure and vendors. She has her bachelors from West Point and will graduate with a Master of Information and Cyber Security (MICS) from the University of California, Berkeley in 2023. She has been stationed abroad and at home.  Her interests are data security and privacy, cryptography, data management, government, and public policy.

Amangeet Samra is currently a full time software engineer at SUSE and also pursuing her Master of Information and Data Science from the University of California, Berkeley. She completed her bachelor’s degree in computer science at the University of California, San Diego in 2019. Prior to working at SUSE, she was a software engineer at JPMorgan Chase & Co for three years. 

Amrita Mande is pursuing her Masters of Information and Data Science (MIDS) at University of California, Berkeley. She works full-time as an Sr. Engineering Manager / Architect at Apple Inc. She has received her Bachelors  in Electronics Engineering from University of Mumbai, India. Prior to joining Apple, she has worked at VMware, as a Software Cloud Architect extensively for their multi cloud product offerings.

Daniel Aranki is an Assistant Professor of Practice in the School of Information at UC Berkeley. He received a PhD in computer science from UC Berkeley in 2017. He received a BSc in computer engineering from the Department of Electrical Engineering at Technion—Israel Institute of Technology, Haifa, Israel, in 2011. Between 2007 and 2011, he worked in the Mobile Wireless Group at Intel Corporation, Haifa, Israel. During his time there, he worked on WiFi receiver design, design and verification flow automation, and WiFi system architecture design. He is the executive director of the Berkeley Telemonitoring Project. His research interests include machine learning, statistical analysis, cybersecurity and privacy, information disclosure, and health telemonitoring.