A Blockchain-Based Key-Revocation Access Control for Open Banking

Abstract

Open banking allows banks and financial sectors to easily access the customers’ financial data which is revolutionizing. It also provides the customers with excellent cloud access to various providers’ wide range of financial services. The storage of such sensitive services and data on cloud servers is a double-edged sword. It can ease and support fine-grained access to such services/data anywhere and anytime, supporting the open banking system. But, on the other hand, data privacy and secrecy are a challenge. Thus, efficient access control should exist for open banking’s services and data to protect cloud-hosted financial sensitive data from unauthorized customers. This paper proposes a new access control scheme that employs blockchain for the key-revocation process. We implement the smart contract’s functions on the Ethereum platform and test the contract’s code on the Kovan Testnet before deploying it to the Mainnet. Although the customer is authenticated to open banking, his key/s can be revoked according to the status response of the bank branch. Thus, his access to financial services and data is denied. We did comprehensive experiments for the revocation status response time, data exchanged until receiving the revocation status, and the time spent updating the policy. Also, we compared the results of our proposed scheme with two well-known methods—Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP). The experimental results show that our proposed scheme (BKR-AC) has a faster response time than Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) in case of nonrevoked keys/certificates and a slower response time in case of revoked keys to avoid nonrevoking a revoked key. But the data exchanged is an average for BKR-AC between CRL and OCSP, which is still a tiny amount and accepted. The security analysis proved that our scheme is secure against some well-known attacks on open banking systems. In addition, it is also secured against the chosen-text attack by employing the challenge-response authentication mechanism.