Tag Archive for: elektronische Identität

Self-Sovereign Identities – Will we control our identity ourselves in the future?

In the real world we can identify ourselves easily and securely, but in the virtual world we still cannot. There are now several variants of digital identification, but they are not always satisfactory. Self-sovereign identity now seems to be gaining acceptance. Our author, BFH researcher Gerhard Hassenstein, explains what it has over the other concepts.

Decentralised identities have many advantages over isolated and centralised identities in terms of flexibility and privacy protection, as explained in the previously published article. With a self-sovereign ID (self-controlled identity), the user regains sole control over his or her data, as central storage of identity data is no longer necessary. This also reduces the data security problems of central identity providers, which are increasingly exposed to attacks. This article introduces the basic building blocks of Self-Sovereign Identities and explains their concept and functionality.

The approach of a self-sovereign and decentrally organised identity is not new. This concept has already been used in various forms (e.g. Idemix[1] and uProve[2]). What is new about Self-Sovereign Identity (SSI) is that it works with a decentralised public register. This is a paradigm shift.

The main components of SSI

The technology behind Self-Sovereign Identity enables people, organisations or even things to control their digital identity themselves and to determine at any time which personal attributes are transmitted during an authentication process. Users are thus given more rights over their personal information, but also more accountability for it.

Actors

– The holder can create one or more identities themselves, each of which can be referenced with a DID[3] (a type of identifier). A holder first claims something about himself, e.g. where he lives (place of residence). Only when an issuer (e.g. the post office) has certified this, does this assertion become a verifiable proof. The holder can then present this proof, together with their identity, to a service provider (verifier) who can validate information and identity.
– The issuer authenticates properties (attributes) of a holder in the form of verifiable credentials, which have a standardised format[4]. The issuer ideally files the credential in a public register so that anyone can check it. The credential, on the other hand, he hands over to the holder for further use. Issuers are authoritative bodies such as authorities, companies or educational institutions.
– A verifier receives a certificate from a holder and can check it with the help of the public register. The verifier can then use the credential to make a specific decision (e.g. access control).

Fig. 1: SSI components

Electronic wallet (ID wallet)

The holder stores DIDs, keys and proofs in a kind of electronic wallet, just as he stores his ID, driving licence, credit cards, etc. in his physical wallet in the real world. Such an ID wallet can be installed on any device and allows SSI data to be transferred from one device to another.

Agents and Hubs

To assist the holder in the processes of creating a DID, requesting proof, establishing secure communication with issuers and verifiers, etc., the SSI infrastructure provides digital agents that “wrap” and protect the ID wallet.

Fig. 2: Agents take the work off the owner’s hands

Decentralised public data registers

The fundamental change in SSI is the move away from a central authority that controls and stores identities. However, this requires a decentralised storage of identities. In order to still be able to offer a reliable data source, a tamper-proof, distributed database must be used in the form of a publicly verifiable data register that cannot be controlled by a single party. Among other approaches, blockchain technology, which is also used in a different form for cryptocurrencies, is a suitable solution.

How it works

Simple trust in an identity

The critical point in verifying a proof is the trust that can be placed in it. In other words, does a verifier trust the information in the proof, the issuer and the identity of the holder? The trust relationship between the issuer, the holder and the verifier is immensely important. In a simple trust relationship, a verifier trusts the statement made by an issuer in the form of a proof about the identity of a holder.

Fig. 3: Simple trust relationship

In conventional systems, a service provider is only checked for identity (e.g. by a web server certificate). However, the verification of an “identity” is often not sufficient. In many cases, it would be desirable if a service provider could also provide proof of authorisation. This is difficult to implement in conventional models. SSI, however, supports this form of mutual trust with the help of verifiable evidence: the verifier itself becomes the party being verified. For example, a holder could require that a verifier provide evidence that identifies it as an “insurer”.

However, it should not only be possible to verify such trust relationships on a technical level (e.g. by validating digital signatures). Guidelines should also be created at the legal and business level that extend the trustworthiness into technical evidence.

Authentication (DID-Auth)

A holder of an SSI must be able to prove to an issuer or verifier that he controls or is in possession of it. The data formats and procedures for this are summarised under the term DID-Auth[5]. DID-Auth allows unilateral or mutual authentication and the transmission of “Verifiable Credentials” in a secure channel.
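The proof of control described above can be pictured as a challenge-response exchange. The following is an added example, not code from the article or from the DID-Auth document: the in-memory register, the did:example identifiers, the message layout and all function names are assumptions made for illustration, and it uses Ed25519 from the third-party Python cryptography package.

```python
import hashlib
import secrets

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey, Ed25519PublicKey)
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat


def create_did(register):
    """Holder: generate a key pair and publish the public key under a new DID."""
    key = Ed25519PrivateKey.generate()
    raw = key.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)
    did = "did:example:" + hashlib.sha256(raw).hexdigest()[:32]  # constructed format
    register[did] = raw  # a dict stands in for the decentralised public register
    return did, key


def signed_bytes(did, audience, nonce):
    # Binding the verifier's name stops a response being relayed to another verifier.
    return b"|".join([did.encode(), audience.encode(), nonce])


def respond(did, key, audience, nonce):
    """Holder: prove control of the DID by signing the verifier's challenge."""
    return key.sign(signed_bytes(did, audience, nonce))


class Verifier:
    def __init__(self, name, register):
        self.name, self.register = name, register
        self.pending = set()  # challenges issued and not yet answered

    def challenge(self):
        nonce = secrets.token_bytes(32)
        self.pending.add(nonce)
        return nonce

    def check(self, did, nonce, signature):
        if nonce not in self.pending:
            return False          # unknown or already used challenge (replay)
        self.pending.discard(nonce)
        raw = self.register.get(did)
        if raw is None:
            return False          # DID is not in the register
        try:
            Ed25519PublicKey.from_public_bytes(raw).verify(
                signature, signed_bytes(did, self.name, nonce))
        except InvalidSignature:
            return False          # signer does not hold the key behind this DID
        return True


def demo():
    register = {}
    did, key = create_did(register)
    _, stranger_key = create_did(register)
    shop = Verifier("shop.example", register)
    n1 = shop.challenge()
    sig = respond(did, key, "shop.example", n1)
    first, replay = shop.check(did, n1, sig), shop.check(did, n1, sig)
    n2 = shop.challenge()
    impostor = shop.check(did, n2, respond(did, stranger_key, "shop.example", n2))
    return first, replay, impostor  # (True, False, False)
```

Running the same exchange in the opposite direction, with the verifier answering a challenge from the holder, gives the mutual variant.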

Loss of DID or Verifiable Credentials

In a decentralised identity architecture such as SSI, what happens if a holder loses the DID or the associated credentials, for example because the device holding them is lost or destroyed? With a centrally administered and controlled identity, this is usually not a problem; you ask the administrator of the identity if they can restore it or issue a new one. After an appropriate verification procedure, the central administration of an identity should be able to do this without any problems. This is not the case with decentralised identities, where no central authority is involved in the creation. This shifts the responsibility to the identity holder. Procedures such as “distributed key management” help the holder to distribute his identity information (key material and other information) to trustworthy trustees and, in an emergency, to restore his identity with their help. Since the trustees only ever own parts of the identity, they cannot use or misuse it themselves.
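One way to realise the trustee idea above is Shamir's secret sharing, which the article does not name; this is an added example, not part of the original article. The 3-of-5 split, the function names and the SHA-256 fingerprint (a stand-in for comparing the recovered key with the public key registered under the DID) are assumptions.

```python
import hashlib
import secrets

PRIME = 2**521 - 1  # Mersenne prime; the field must be larger than the secret


def fingerprint(secret: bytes) -> bytes:
    # Stand-in for deriving the public key and comparing it with the register entry.
    return hashlib.sha256(secret).digest()


def split(secret: bytes, trustees: int, threshold: int):
    """Give each trustee one point of a random polynomial whose value at 0 is the secret."""
    if not 1 < threshold <= trustees:
        raise ValueError("need 1 < threshold <= trustees")
    if len(secret) > 64:
        raise ValueError("secret must fit into the field (at most 64 bytes)")
    coeffs = [int.from_bytes(secret, "big")]
    coeffs += [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    shares = []
    for x in range(1, trustees + 1):
        y = 0
        for c in reversed(coeffs):      # Horner evaluation of the polynomial at x
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def recover(shares, length: int, expected_fingerprint: bytes):
    """Interpolate at x = 0; return None unless the result matches the fingerprint."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    try:
        secret = total.to_bytes(length, "big")
    except OverflowError:
        return None                     # too few or wrong shares: value out of range
    # Shamir's scheme alone cannot tell a wrong result from the right one.
    return secret if fingerprint(secret) == expected_fingerprint else None


def demo():
    key_material = secrets.token_bytes(32)          # constructed sample secret
    fp = fingerprint(key_material)
    shares = split(key_material, trustees=5, threshold=3)
    enough = recover([shares[4], shares[0], shares[2]], 32, fp) == key_material
    too_few = recover(shares[:2], 32, fp)
    return enough, too_few  # (True, None)
```

Any two trustees together learn nothing about the key material, and a tampered share is caught by the fingerprint check rather than silently producing a wrong key.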

Conclusion

Even though the technologies for self-sovereign identities are not yet fully developed and some parts are still under development[6], a trend towards self-sovereign identities is emerging. Today’s society has become more sensitive to the protection of each individual’s privacy and makes new demands in this regard. The legal situation (at least in Europe) has also changed with the General Data Protection Regulation (GDPR; DSGVO in German). A technically secure solution that takes into account the protection of the privacy of each participant and is still user-friendly has a future.


References

[1] IBM Research: http://www.zurich.ibm.com/idemix
[2] Microsoft (formerly Credentica): http://research.microsoft.com/en-us/projects/u-prove/
[3] Decentralised IDentity
[4] The Verifiable Credentials Data Model was published in 2019: https://www.w3.org/TR/vc-data-model
[5] https://github.com/WebOfTrustInfo/rwot6-santabarbara/blob/master/final-documents/did-auth.md
[6] https://w3c-ccg.github.io/roadmap/diagram.html

Creative Commons Licence

Use of mobile identity solutions within the framework of electronic ID

The need for a digital means of identification is growing. In Switzerland, electronic identity (eID) is regulated by the eID Act, which provides, for example, for a division of tasks between the state and the authorities. The question therefore arises to what extent a mobile device can support identity verification, regardless of whether one actually uses a service via smartphone or the device is only used for identification and authentication.

While the challenges regarding security and data protection keep growing in the age of Big Data, the need for an identity solution with a high level of user-friendliness is becoming more and more important. At the European level, the establishment of a digital single market is being driven forward. Switzerland, for its part, has adopted the “Digital Switzerland” strategy. Both developments require the realisation of a trustworthy electronic identity to authenticate companies and individuals for electronic transactions with authorities. However, the successful implementation and the associated acceptance of electronic identity solutions depend very much on how user-friendly and simple such a solution is perceived to be.

Identification with the smartphone

One identity solution that is perceived to be highly user-friendly is identification via mobile devices such as the smartphone. However, the security and data protection aspects for such mobile identity solutions have not yet been conclusively clarified for Switzerland. Particularly for transactions with sensitive data, mobile identity solutions are not yet widespread in Switzerland. Mobile identity solutions are also rarely used for e-government services. In general, the demands that citizens place on e-government services are very high. On the one hand, the protection of privacy must be guaranteed, and on the other hand, it should be possible to use the services around the clock, regardless of the device. Obtaining services and carrying out transactions via smartphone or tablet are now commonplace for many citizens.

The MobileID mobile identity solution that exists in Switzerland is operated by Swisscom, Salt and Sunrise and, in contrast to the electronic identity (eID), uses not only the internet but also the radio network of the three companies. To obtain the MobileID in Switzerland, it is necessary to obtain a PKI-enabled SIM card and own a smartphone. Other possible and existing forms of mID abroad are chip-based (Sweden) and blockchain-based (Slovenia and Canada) mIDs. MobileID is only used sporadically in Switzerland (e.g. PostFinance), but for e-government services the question arises for which services and in what form the mobile device can and should support identity verification.

Already widespread abroad

A look at the administration abroad shows that electronic identity solutions go beyond chip cards and USB sticks and that successful integrations with smartphones do exist. The following solution elements can be found in the mobile identity solutions that exist on the market so far:

  • Federated identity: A Mobile ID (mID) can be used in different IT systems and websites.
  • Two-factor authentication: A mobile device such as a smartphone can be used as a second factor for authentication. This second factor can consist of either knowledge, possession or characteristics. In terms of mobile devices, this means that possession of a SIM card and/or a smartphone represents a second factor.
  • Mobile digital signature: SIM cards can perform cryptographic operations. Here, a Wireless Public Key Infrastructure (WPKI) is set up, through which the user receives a digital certificate via SIM card, which he can then use several times and at different websites. It is also possible to make a digital signature legally equivalent to a physical signature.

In Finland there are over 300 services where the so-called mID is applied. The mID is used intensively in Finland in the areas of social insurance and healthcare, and also as a state-recognised signature. According to Finnish law, mobile signatures are legally equivalent to physical signatures.

Figure: Process of mID use in Moldova (Source: Moldovan government, 2014)

In Moldova, an mID solution has been in use since 2012. Registration takes place within 15 minutes and the solution is based on strong authentication. The mID is used especially in the business-to-government sector, but also for tax returns and social insurance. Around a quarter of social security forms are verified by mID in Moldova, for example.

Identification via SIM card

In Estonia, too, mID is based on the SIM card. The certificate is always valid for three years and must then be replaced. Electronic signature and mobile authentication are based on PKI SIM cards. Almost all online service providers in the public and private sectors in Estonia accept the mID as a solution for identification and authentication. Thus, the mID is used almost everywhere in Estonia, for example for vehicle registration, driver’s licence registration, healthcare, social security, as a state-approved signature, tax declaration, business registration and elections.

These examples of mobile identity solutions are almost all implemented on the basis of PKI-enabled SIM cards. However, mobile identity solutions have only gradually developed into a viable solution thanks to pioneering efforts and certain failures. It is striking that in each of the countries studied, as in Switzerland, there is only one mobile identity solution. The success factor is always the nationwide cooperation between the authorities and telecommunications companies. In addition, the support of the private sector and a high number of usable services from the public and private sectors are crucial.

Moldova creates smart applications without eID

In Switzerland, there are only a small number of business cases so far, which is why a mobile identity solution currently offers little added value for identification and authentication. However, the foreign examples also show that its use, for example for vehicle and driver’s licence registration, is not complex and at the same time offers a very large added value for user-friendliness. Countries like Estonia show what could potentially be done with a mobile identity solution by using mID in almost all areas. Moldova also demonstrates that no eID is needed at all if the mobile identity solution is supported by all stakeholders.

If the success factors of the leading countries are extrapolated to Switzerland, it can be stated that the cooperation of all telecommunication companies has already taken place and therefore a good basis has been laid. The telecommunication companies are state-certified Identity Providers (IdPs), which already carry out identity checks on citizens when they obtain an ordinary SIM card. However, as the success of a mobile identity solution depends on the number of usable services in the private and public sector, federalism seems to be a particular obstacle with regard to interoperability in the public sector, and this disadvantage also applies to the eID. Cantons would have to harmonise services related to the implementation of MobileID use in order to benefit from the positive synergy effects.


References

Estonian Government (1 April 2017). Using mobile ID. Retrieved 9 September 2018 from Id.ee: https://www.id.ee/index.php?id=36884

Gemalto (16 December 2014). White Paper National Mobile ID schemes – Learning from today’s best practices. (Gemalto, ed.) Retrieved 28 August 2018 from Gemalto Government Programs: http://www.id-world-magazine.com/wp-content/uploads/WP-Gemalto-MobileID-overview-EN.pdf

Gemalto (2018). Expand your national identity system. Retrieved 17 October 2018 from Gemalto Mobile ID: https://www.gemalto.com/govt/coesys/mobile-id

GSMA (11 July 2013). Finnish Mobile ID: A Lesson in Interoperability – An Executive Summary. Retrieved 28 August 2018 from GSMA: https://www.gsma.com/identity/wp-content/uploads/2013/07/SC_GSM_288_Finland-Mobile-ID-executive-summary-100713-v4.pdf

Moldovan Government (14 October 2014). Case Study. Retrieved 29 August 2018 from eGov Moldova: www.egov.md/ro/file/3695/download?token=7fnIFJzO


Useful and secure digital identities for all areas of life and their properties

Digital identities are with us every day. The technical possibilities are very diverse. How can digital identities enable secure identification for eGovernment and eHealth on the one hand and guarantee privacy protection on the other?

Digital identities enable access to the digital society. They represent persons, organisations and objects in the digital world and are used in more and more areas of life. Each of us thus has – consciously or unconsciously – digital representations of our person for various purposes. Be it the Cumulus card from Migros, the SwissPass from the SBB or the SIM card in a mobile device, all these digital identities accompany us every day. Digital identities are very diverse. From a technical point of view, the spectrum ranges from user name/password combinations and smart cards to biometric means of identification and hardware-based certificates such as SuisseID.

What characteristics should a digital identity have?

A digital identity should be useful. It is a tool to be able to perform certain functionalities in the digital world. For example, with a digital identity you can prove who you are and thus use certain online services. You can digitally sign documents or data – analogous to a handwritten signature. With other, more passive identities, you can collect benefits from bonus programmes or use other real-world services, such as public transport.

For some applications in the digital world, such as eGovernment, you have to be sure who is behind a digital identity. Identities, such as SuisseID, can be used as a digital ID. To do this, the identities used must be secure and trustworthy. With an identity based on a SuisseID, you can be 100% sure that you are dealing with the corresponding person. Trust in SuisseID is based on the one hand on a certified registration process, where you have to be present in person, and on the other hand on the security of the technologies used. For example, a hardware token, the SuisseID stick, prevents the SuisseID identity from being stolen. Only those who have the stick and the matching PIN can use the SuisseID. This is referred to as 2-factor authentication.

A state-recognised electronic identity enjoys the highest level of trust. Here, the state assumes responsibility for registration, which is usually linked to the application for an identity document, for example an identity card or passport. But the high level of trust and security of a digital identity comes at a price: higher costs as well as complicated handling and an elaborate registration process. This usually results in poor user acceptance. Therefore, user-friendliness should always be weighed against security requirements when using digital identities. For example, a high level of security can be dispensed with for an online subscription to a daily newspaper, as the potential for damage is low.

Privacy must be protected

The data collection frenzy of some service providers on the Internet and various hacker attacks on customer data in recent months have strengthened the desire to protect privacy and anonymity, particularly as it is now very difficult, and in some cases almost impossible, to remove data from the digital world once it has been disclosed. A good digital identity therefore also makes it possible to move anonymously or pseudonymously in the digital world. With these methods, the true identity of a person is hidden and only the characteristics that are essential for the use of a service, such as age, are revealed. This makes it possible to control access to inappropriate content for minors without knowing their name or gender. The disclosure of the identity (or parts of it) or the preservation of anonymity thus remains a decision of the person himself.

A digital identity is not enough

The various possible properties of digital identities make it clear that several identities are needed for the different areas of application. In eGovernment and also in eHealth, it is important to identify citizens and patients unambiguously in order to avoid confusion. Only a state-recognised digital identity or identities at a similarly high level of trust, such as SuisseID or the planned insurance card, which also has a unique identifier, make this possible. In other areas, where the potential for damage is lower, one can also use simpler electronic identities, such as those provided by Google or Facebook. These free identities are mostly based on self-registration with email or SMS confirmation. The personal attributes provided are mostly self-declared. Here, users and service providers alike should be aware of the dangers and risks.
