IRMA: The future of identities - Home | dcypher€¦ · sk1 +sk2 > 12 > 16 > 18 1. Request service...

IRMA: The future of identitiesdcypher Symposium 2019

Fabian van den [email protected]

Open University of the Netherlands

3 December 2019

#dSymp dcypher Symposium 2019 | 3 Dec. Media Plaza Utrecht ,

The OYOI project

É Own Your Own IdentityÉ NWO Long Term Cybersecurity research 2014É Radboud University NijmegenÉ KPNÉ SURFnet

É Valorisation of the IRMA projectÉ Implementations of "IRMA" on other carriers


IRMA

É I Reveal My AttributesÉ Attribute-based credentialsÉ Specifically for authentications


A standard authentication solution

IdentityProvider

User ServiceProvider

1. Request service2. Redirect to IdP

3.Auth

entica

tion 4. Send result

Trust


The IRMA solution

IdentityProvider


a.Requ

estcre

dentia

l

b.Iss

uecre

dentia

l1. Request service

2. Show credential

Trust


So, what is this credential?

É IRMA is an implementation of Attribute-Based Credentials (ABC)

É Specifically IBM’s Identity mixer (Idemix)É A credential is a cryptographic container



É IRMA is an implementation of Attribute-Based Credentials (ABC)É Specifically IBM’s Identity mixer (Idemix)

É A credential is a cryptographic container



É IRMA is an implementation of Attribute-Based Credentials (ABC)É Specifically IBM’s Identity mixer (Idemix)É A credential is a cryptographic container


Identities versus attributes

[FIDIS] project


Attributes in Idm

É FlexibleÉ Identifying (name, address, etc.)É Or Non-identifying (>18, resident of Amsterdam, etc.)É Extends role-based authentication


IRMA system

IdentityProvider


ska1

...an

a.Requ

estcre

dentia

l

b.Iss

uecre

dentia

l

1. Request service

2. Policy

3. Show credential

Trust


IRMA features

É Independence between issuing and showing: time and protocolÉ DecentralisedÉ Privacy & AuthenticationÉ Credential: security for the systemÉ AuthenticityÉ IntegrityÉ Non-transferability

É Credential: privacy for the userÉ Selective disclosure (randomisation)É Issuer unlinkability (blind signature, randomisation)É Multi-show unlinkability (randomisation, zero-knowledge proofs)


IRMA features

É Independence between issuing and showing: time and protocolÉ DecentralisedÉ Privacy & Authentication

É Credential: security for the systemÉ AuthenticityÉ IntegrityÉ Non-transferability



IRMA features

É Independence between issuing and showing: time and protocolÉ DecentralisedÉ Privacy & AuthenticationÉ Credential: security for the systemÉ AuthenticityÉ IntegrityÉ Non-transferability



At the start of the OYOI project...


And now


IRMA carrier comparison

A smart card offers:É Secure key storageÉ Strong(er) offline user binding

É A horrible user experienceÉ Poor computational powerÉ No Internet connectivity

A smartphone offers:É Weak key storageÉ Weak offline user binding

É Nicer user experienceÉ Stronger keys, faster performance,

unlimited attributes, etc.É Online issuance & verification,

updatability, etc.


Could we have the best of both worlds?

What about smart cards in the mobile phones?É SIM card

É JavaCard do not have standard support for the crypto we needÉ it is hard to get generic SIM↔ app communication

É Trusted Execution Environment

É hard to do anonymousÉ TEE’s can differ wildly between phone modelsÉ we could not get access


Could we have the best of both worlds?

What about smart cards in the mobile phones?É SIM cardÉ JavaCard do not have standard support for the crypto we needÉ it is hard to get generic SIM↔ app communication

É Trusted Execution EnvironmentÉ hard to do anonymousÉ TEE’s can differ wildly between phone modelsÉ we could not get access


Securing the private key

User

sk

ServiceProvider

sk

> 12

> 16

> 18

1. Request service

2. Policy, challenge

3. Show credential


Securing the private key

User

sk1

ServiceProvider

sk1 + sk2

> 12

> 16

> 18

1. Request service

2. Policy, challenge

KSS

sk2

3. challenge4. response

5. combined responses


The Key Share Server

É Secures the keyÉ Strong revocation (blocking)É Rate limitingÉ Can verify Issuer key validityÉ Limited loggingÉ Limited monitoring


Enrolment

Using a phone also gives innovative ways of enrolmentÉ Enrolment is an expensive processÉ Face-to-face checks needed for high assuranceÉ Requires a custom approach per countryÉ NFC-capable phones can read identity documents


Enrolment process

1. User scans her ID card (possibly via another phone2. Sends the signed data to an Enroller3. The enroller verifies the data and checks that the ID document is not revoked4. Possible additional checks. . .

5. An Issuer can then issue attributes


Binding ID document to user

É PINÉ BiometricsÉ Data consistency checks

É check with outside dataÉ mobile subscription contractÉ other attributes

É The mobile subscription contract might also provide binding to the actual phoneÉ Cross checking with other attributes can lead to higher assurance


Binding ID document to user

É PINÉ BiometricsÉ Data consistency checksÉ check with outside dataÉ mobile subscription contractÉ other attributes

É The mobile subscription contract might also provide binding to the actual phoneÉ Cross checking with other attributes can lead to higher assurance


Conclusions

É The OYOI project delivered some nice contributionsÉ 1 thesis and several scientific publicationsÉ Self-enrolment scenario’sÉ . . .É And bringing IRMA from academia to society

É IRMA now under the Privacy by Design FoundationÉ SIDN runs the core infrastructureÉ Several proof of concepts running in the field


For more information see:https://privacybydesign.foundation/irma/http://credentials.github.io/

Or mail me:[email protected]@privacybydesign.foundation


https://privacybydesign.foundation/irma/

http://credentials.github.io/

[email protected]

[email protected]



Thank you!




[email protected]

[email protected]



Thank you!Questions?




[email protected]

[email protected]

Traditional digital signatures


Attribute-based signatures


Comparison

Standard digital signatures:É Are very rigidÉ Always identifying and linkableÉ Provide non-repudiation & integrity

Attribute-based signatures:É Are flexibleÉ Can be anonymous and always unlinkableÉ Provide non-repudiation & integrity

É ... and authentic attribute dataÉ Realised by serialising standard authentication proofÉ where the challenge is the document hash.


Comparison


Attribute-based signatures:É Are flexibleÉ Can be anonymous and always unlinkableÉ Provide non-repudiation & integrityÉ ... and authentic attribute data

É Realised by serialising standard authentication proofÉ where the challenge is the document hash.


Comparison


Attribute-based signatures:É Are flexibleÉ Can be anonymous and always unlinkableÉ Provide non-repudiation & integrityÉ ... and authentic attribute dataÉ Realised by serialising standard authentication proofÉ where the challenge is the document hash.


IRMA: The future of identities - Home | dcypher€¦ · sk1 +sk2 > 12 > 16 > 18 1. Request service...

Documents

Transcript of IRMA: The future of identities - Home | dcypher€¦ · sk1 +sk2 > 12 > 16 > 18 1. Request service...