Self-Sovereign Identity aware TLS handshake with MbedTLS

In the digital age, online identity has become a critical part of our daily lives and has been managed through centralized and federated identity models. However, both models have drawbacks, such as a lack of user control and privacy concerns. The presence of intermediaries, such as certification authority and identity providers, is a fundamental requirements in both models. Nevertheless, they represent possible targets of cyber attacks, resulting in as data breaches and identity theft. The Self-Sovereign Identity is a new paradigm in digital identity that seeks to address these issues by putting users in control of their identity and personal data, avoiding the involvement of centralized authorities or third-party intermediaries. One of the key building blocks of the SSI model is the Decentralized Identifier (DID), which is a unique identifier anchored on a Distributed Ledger Technology (DLT). DIDs enable entities to authenticate and authorize identity-related transactions and interactions, without relying on a centralized authority. Currently, the implementation of SSI solutions is limited, particularly in the realm of IoT systems. This is because IoT systems have highly constrained hardware and software capabilities, which further complicates their integration with the Self-Sovereign paradigm. The main purpose of this thesis is to bring within this constrained IoT world the SSI model, in order to define an ecosystem of devices that, making use of their digital identity, can communicate securely over network. The main idea is to integrate the usage of DIDs within the TLS handshake, to create a secure communication channel using an SSI-aware approach. By introducing a decentralized authentication mechanism, third party entities are no longer required for identity management. In this context, the DID Documents, to which the DIDs refer, are stored onto the DLT, which serves as a Root-of-Trust, leveraging its inherent property of data immutability. Timing performance measurements are gathered to evaluate the impact of the additional SSI features. Such performances are measured on three different platforms, ie, x86/x64, ARM (Raspberry Pi) and STM32 board based on ARM Cortex-M4, according to the different TLS authentication models (server only and mutual) and according to different peer identity key types and signature algorithms (RSA2048-SHA256 and ECDSA-p256-SHA256).