DGMV-ICT Blackbox

Purpose

Enhance security and maintain data integrity by leveraging cutting-edge cryptographic techniques and blockchain technology. This DGMV ICT BlackBox integrates a highly advanced identity server with Hitachi Content Platform (HCP), ensuring robust, compliance-focused data protection.

Scope

The DGMV ICT BlackBox comes with the following components:

DGMV-ID Enterprise:

  • Mobile app that protects your identity

  • Uses device’s biometric sensor to enhance protection and authenticity

  • Comes with 2FA generator (TOTP standard)

  • Inbuilt innovative blockchain technology components

  • Utilizes OTP Encryption to transmit data safely

DGMV-IAM:

  • Protects the system from unauthorized access

  • Comes with advanced security features:

    • Geofencing: Only allow specific geo regions to authenticate

    • Network Origin Checks: Enforce usage of VPN or specific network

    • MFA: Authentication only works with registered mobile device + private/public key

  • OpenID Connect: Lets you protect other applications in your organization that support the OIDC standard

DGMV-IAM Dashboard:

  • Allows administrators to manage access and observe security related events

  • Allows onboarding users to the system

  • Allows managing security policies such as geofencing rules

HCP Auth:

  • Increases the protection of your Hitachi Content Platform system by adding additional access control protections using DGMV-IAM and DGMV-ID

  • Allows defining access control lists for specific HCP Classic Namespaces

  • N of M eye principle, which increases protection by requesting approval from your colleagues before making changes to the cluster

B(log)chain/NFD Log:

  • Protects integrity of log files from your environment using blockchain

  • Creates NFD and stores it locally and on a blockchain as a cryptographic proof, ensuring maximum integrity of log statements

  • Understands various log formats

  • Blockchain-Agnostic: Every EVM compatible chain can be used: Ethereum, Polygon, SUI, etc.

  • Flexible configuration: Chain and snapshot interval are individually configurable

  • By default, it protects all access logs from HCP Auth and DGMV-IAM

  • Capable of protecting integrity of logs from other applications too, e.g. HCP Classic can stream logs to the rsyslog

DGMV ICT BlackBox OS

The above applications are shipped in the DGMV ICT BlackBox Operating System, leading to ultimate security from top to bottom:

  • Minimal Operating System with custom hardened Linux kernel

  • AES256 Encrypted Disk to store data safely: “Military Grade”, NSA CNSSP-15

  • Cloud and On-Premise installation supported

  • Easily configurable:

    • Self-signed certificates by default

    • Allows uploading custom organization certificates

    • LetsEncrypt support

  • Immutable File System, preventing malicious actors from modifying system files to install malware on the system

  • Streamlined backup system with encryption (AES256, PBKDF2-10000): protects backups against brute force attacks and unauthorized access

System Overview

DGMV ICT BlackBox is a secure solution that is blockchain-based on layer 1, with a layer 2 Smart Layer sitting on top of it. It runs on DGMV BlackBox OS and comprises five integrated apps. It includes:

  • DGMV-IAM for account and device management

  • DGMV-ID Enterprise for identity protection and authentication

  • HCP Auth for enhanced HCP security with 2FA and

  • B(log)chain/NFD Log for immutable system and HCP logging on the blockchain

Standard HCP authentication

Normal standalone operations of the HCP system for allowing people to access the HCP system (both regular users and system administrators):

HCP-Auth Authentication

Two-factor authentication with HCP-DGMV-AUTH allows people to access the HCP system by using built-in features of the HCP system.

The HCP Management API (MAPI) provides the facility to "enable" and "disable" accounts that are created in the HCP login and access system (only for the tenant-specific accounts, not system level).

The following diagram depicts how our unique (un)locking technology will add additional protection to an HCP system by leveraging the official MAPI and DGMV-IAM & DGMV-ID. Thus, no changes in the official HCP system are needed.

Additionally, every access will be logged using our blogchain-based NFD Logging solution.

Technologies

Identity Server with DGMV-ID App

  • Zero-Knowledge Authentication: Utilizes Zero-Knowledge Succinct Non-Interactive Argument of Knowledge (ZK-SNARK) protocols for authentication, allowing passwordless login via the DGMV-ID app with QR code scanning. This mechanism ensures post-quantum cryptographic resilience against quantum computing threats. The DGMV-ID app protects the identity by all means; for example, it uses protective measures to prevent any leaks of secret keys.

  • Advanced User and Device Management: Incorporates comprehensive device management capabilities with streamlined onboarding processes. The server administers robust security policies, including geofencing and network origin checks, to regulate access based on real-time location and connection security assessments.

  • Enhanced Access Control: Implements a "more-than-four-eyes" principle, where access requests to sensitive HCP systems require approval from multiple authenticated users, thus ensuring a multi-layered supervision and approval process before granting access rights.

Blockchain-Enhanced Logging System

  • Remote Syslog Integration: The BlackBox is equipped to interface with diverse application logs via remote syslog or syslog server protocols. This facilitates the ingestion and real-time processing of log data across organizational systems.

  • Smart Log Analyzer: Features an intelligent log parsing engine that segments log entries into manageable chunks. It applies cryptographic hashing using SHA-256 or other hashing algorithms to ensure the integrity of each log batch before recording them onto a chosen immutable Layer-1 blockchain.

  • Blockchain Logging Component: Each batch of logs is encapsulated within blockchain transactions, ensuring that every entry is verifiable and tamper-evident. This component leverages smart contracts to automate the hashing and batching processes, reinforcing log data integrity and immutability.

Integration with Hitachi Content Platform (HCP)

  • Non-Invasive HCP Interface: The integration maintains the native operational integrity of HCP by interfacing via a secure, non-intrusive API layer. This ensures that all HCP functionalities remain unaffected while enhancing its security and compliance capabilities.

  • Central Log Storage: Utilizes HCP's robust object storage capabilities as a central repository for encrypted log data, ensuring high availability and redundancy. This setup not only provides a secure archival solution but also supports the real-time streaming of log data to the DGMV ICT BlackBox for immediate processing and blockchain recording.

  • Cryptographic Integrity Checks: Periodic validations of data integrity are performed by comparing local copies against blockchain-stored hashes. The system features automatic alerting and corrective mechanisms for any detected discrepancies, thus ensuring data consistency and reliability.
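The batching, hashing and periodic comparison described under Smart Log Analyzer and Cryptographic Integrity Checks can be illustrated with a generic sketch. This is an added example, not DigiCorp Labs code and not the NFD algorithm: the function names, the record layout and the log lines are assumptions, and a plain Python list stands in for the hashes stored on a blockchain.

```python
import hashlib
import hmac
import json

def batch_digest(batch_id, lines):
    """SHA-256 over one batch, bound to its position and line count."""
    content = hashlib.sha256()
    for line in lines:
        raw = line.encode("utf-8")
        content.update(len(raw).to_bytes(4, "big"))  # length prefix keeps line boundaries unambiguous
        content.update(raw)
    meta = {"batch": batch_id, "count": len(lines), "content": content.hexdigest()}
    return hashlib.sha256(json.dumps(meta, sort_keys=True).encode()).hexdigest()

def anchor_log(lines, batch_size):
    """Split the log into batches and return one anchor record per batch."""
    anchors = []
    for start in range(0, len(lines), batch_size):
        batch = lines[start:start + batch_size]
        anchors.append({"batch": len(anchors), "start": start, "count": len(batch),
                        "digest": batch_digest(len(anchors), batch)})
    return anchors

def verify_log(lines, anchors):
    """Compare a local log copy against the anchored digests."""
    tampered, covered = [], 0
    for a in anchors:
        local = lines[a["start"]:a["start"] + a["count"]]
        if not hmac.compare_digest(batch_digest(a["batch"], local), a["digest"]):
            tampered.append(a["batch"])
        covered = a["start"] + a["count"]
    return {"tampered": tampered, "unanchored_lines": max(0, len(lines) - covered)}

# Constructed sample log lines (not real product output).
SAMPLE_LOG = [
    "2025-04-04T10:00:01Z hcp-auth user=alice action=request_access ns=finance",
    "2025-04-04T10:00:09Z hcp-auth user=bob action=approve request=alice",
    "2025-04-04T10:00:10Z hcp-auth user=alice action=unlock ns=finance",
    "2025-04-04T10:14:55Z hcp-auth user=alice action=delete object=q1.pdf",
    "2025-04-04T10:30:10Z hcp-auth user=alice action=lock reason=expired",
]

if __name__ == "__main__":
    anchors = anchor_log(SAMPLE_LOG, batch_size=2)   # stand-in for records stored on a chain
    edited = list(SAMPLE_LOG)
    edited[3] = edited[3].replace("delete", "read")  # a rewritten entry in batch 1
    print(verify_log(SAMPLE_LOG, anchors))
    print(verify_log(edited, anchors))
```

Lines written after the last snapshot are reported as unanchored rather than tampered, which is the window a shorter snapshot interval narrows.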

Key Architectural Features

  • Decentralized Verification and Quantum Resistance: The use of advanced cryptographic protocols provides a foundation resistant to both current and emerging threats, including those posed by quantum computing.

  • Scalable and Immutable Blockchain Infrastructure: The blockchain architecture is designed to support scalable growth in audit trail data without compromising the integrity or performance, suitable for enterprise-scale logging and compliance demands.

  • Comprehensive Data Protection and Compliance: By integrating state-of-the-art cryptographic and blockchain technologies, the DGMV ICT BlackBox with HCP creates a fortified data environment that meets stringent regulatory and security standards.

This architecture outlines a sophisticated approach to data integrity and access security, ensuring that all interactions with HCP are logged, auditable, and compliant with the highest standards of data protection.

Data Management

Backup and Recovery

An encrypted backup can be created manually using the Admin CLI or automatically via API. The encryption password is based on a strong 256-bit key. The backup is protected and cannot be deciphered without the correct system seed, which needs to be written down after setting up the system.

DGMV ICT BlackBox backups include configuration and data.

These encrypted backups can be stored on the HCP system, ensuring high availability and preventing data loss through HCP’s advanced retention mechanisms.

NFD Logging

A unique algorithm logically groups the log messages and creates a strong cryptographic hash with metadata, which we call a Non-Fungible Data Entry (NFD). These NFDs will be periodically sent to selected blockchains, forever persisting and protecting the integrity of the log at that time.

An interface is provided within the ICT BlackBox solution for examining the logs and the log integrity.

We at DigiCorp Labs are the inventors of the NFD. Our novel approach to representing log entries on the blockchain ensures your confidential logging data remains secure, while enabling the system to maintain strict data confidentiality. A patent for our unique approach is pending.

The system currently supports all EVM-compatible blockchains. Public or private blockchains can be used. We strongly recommend Polygon due to its incredibly fast block time, but also due to its accessibility.

DGMV Token

The DGMV (DigiMetaVerse) token is used as a subscription token, granting access to advanced platform features. It will fuel the advanced compliance-focused blockchain logging system.

Use Cases

HCP Auth is part of the DGMV ICT BlackBox solution. It can be used on its own to add advanced MFA authentication features to your HCP system. This alone is already a great addition in terms of security, but HCP Auth also comes with advanced Data Governance Features.

Use Case 1: HCP without HCP Auth

HCP user not added to HCP Auth

Use Case 2: Request access approved

HCP user added to HCP Auth, request Approved

Use Case 3: Request access denied

HCP user added to HCP Auth, request Denied

Use Case 4: Approved session expired

HCP user added to HCP Auth, requested Approved and expired
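The request lifecycle in Use Cases 2 to 4, combined with the N of M eye principle, can be modelled as a small state machine. This is an added example, not HCP Auth code: the class and function names are hypothetical, and the rules that one denial rejects the request, that a requester cannot approve their own request, and that the session lifetime is a fixed number of seconds are assumptions. It makes no MAPI calls and only computes the account state that would be pushed through MAPI enable/disable.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class AccessRequest:
    requester: str
    approvers: frozenset          # the M colleagues allowed to vote
    required: int                 # N approvals needed to unlock
    ttl: int                      # seconds an approved session stays unlocked
    approved_by: set = field(default_factory=set)
    denied: bool = False
    unlocked_at: Optional[float] = None

    def status(self, now):
        if self.denied:
            return "denied"
        if self.unlocked_at is None:
            return "pending"
        return "approved" if now < self.unlocked_at + self.ttl else "expired"

    def vote(self, voter, approve, now):
        if voter == self.requester or voter not in self.approvers:
            raise PermissionError(f"{voter} may not vote on this request")
        if self.denied or self.unlocked_at is not None:
            return self.status(now)       # decision already made; late votes change nothing
        if not approve:
            self.denied = True            # assumption: one denial rejects the request
        else:
            self.approved_by.add(voter)   # a set, so a repeated vote is counted once
            if len(self.approved_by) >= self.required:
                self.unlocked_at = now
        return self.status(now)

def account_should_be_enabled(req, now):
    """Desired account state; anything other than 'approved' keeps the account locked."""
    return req.status(now) == "approved"

if __name__ == "__main__":
    # Constructed scenario: 2 of 3 approvers, 15-minute session.
    req = AccessRequest("alice", frozenset({"bob", "carol", "dave"}), required=2, ttl=900)
    print(req.vote("bob", True, now=0))        # pending
    print(req.vote("carol", True, now=10))     # approved
    print(account_should_be_enabled(req, 910)) # False: session expired
```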

Use Case 5: Storage Data Governance

Another advanced use case is the presence of DVOs to keep track and eventually approve changes made to the system.

HCP Auth observes all changes made to HCP namespaces, compiles a report, and allows designated DVOs to handle the data validation and keep track of every change.

HCP user added to HCP Auth, request has been approved and changes have been made

Deployment and Environment

Image Details

An up-to-date version of the operating system installation image is provided by DigiCorp Labs. The image can be delivered in two formats, one for cloud environments and one for on-premise.

Cloud Environments: A QCOW2-formatted image designed for seamless integration with various cloud platforms.

On-Premise Installations: An ISO image intended for direct installation on physical hardware via bootable media, provided with an installer.

Cloud Image Deployment

| Cloud Provider | QCOW2 Support | Notes |
|---|---|---|
| AWS | ✓ Yes | Supports importing QCOW2 images; conversion may be required. |
| GCP | ✓ Yes | Allows image import; conversion to native format may be necessary. |
| Hetzner | ✓ Yes | Supports QCOW2 images; ensure compatibility with their platform. |
| OpenStack | ✓ Yes | Natively supports QCOW2 format. |
| Equinix Metal | ✓ Yes | Supports custom OS images, including QCOW2. |
| Scaleway | ✓ Yes | Allows custom QCOW2 image uploads. |
| Vultr | ✓ Yes | Supports uploading QCOW2 images for custom deployments. |
| DigitalOcean | ✓ Yes | Allows custom image uploads; QCOW2 support may require conversion. |
| VMware | ✓ Yes | Supports QCOW2 images; may require conversion to VMDK format. |

Note: Some providers may require conversion of QCOW2 images to their native formats. For instance, AWS and GCP may necessitate image translation during the upload process.

Image Specifications

Images can be downloaded at https://downloads.dgmv.id. Documents and changelogs are included in the software distribution center.

Cloud Image (QCOW2):

  • File Size: Approximately 1.3 GB

  • Version: v1.0.4 (Released: 04, April 2025)

  • Checksum: SHA-256: 06c0617cd4bc9b21422dc0a8d4195c361a2ef27dcc87118dcc386c10bb90691a

On-Premise Installation Image (ISO):

  • File Size: Approximately 1.3 GB

  • Version: v1.0.4 (Released: 04th, April 2025)

  • Checksum: SHA-256: 73e2f0c4cb5fc3fa1723dadfabddf1073cfaa0adaa220506348d328e83cf19eb

On-Premise Image Deployment

For on-premise installations, the provided ISO image can be flashed onto a USB drive using tools like dd (Linux/macOS) or Rufus (Windows). Booting from this USB initiates the installation process, guiding users through system setup. The installer will take care of the disk partitioning, installation, etc.

Note that this will erase all data.

On-Premise and Cloud System Requirements

  • RAM: 16 - 64 GB

  • Storage: 1TB+ SSD (ideally RAID 10)

  • CPU: Quad-core or higher, with support for virtualization extensions

  • Network: 1 Gbps uplink

  • Additional Requirements:

    • TPM (Trusted Platform Module): Version 2.0 for enhanced security features

    • UEFI Firmware: For modern boot processes
