Thank you for inviting me, Name. I work for a company called SI, based here in Glasgow city centre. The project I’m working on is a KTP project.

KTP background: DTI funded partnerships to facilitate the exchange of knowledge between an academic institution, which has the knowledge, and a company, which has the idea, by means of an Associate, me. My job is to take the idea and the knowledge and transform that into a viable result.

Knowledge Transfer Partnership
27 month DTI funded project
GCU and Serendipity Interactive, Glasgow
Combine PKI and biometric technology
Establish secure framework
Identify legal/compliance requirements
Rationale – gap in the market
Outcomes – secure issuance process
Knowledge transfer – legal side
Future plans – expand to other applications that implement the digital identity

Intro – discussing local vs global and trust
Digital signature + legal requirements, eg Electronic Communications Act
PKI
Non-repudiation + legal + identity security + biometrics + USB
Future

* * *

My project is a partnership between a software development company called Serendipity Interactive (based in Glasgow) and the Glasgow Caledonian University Law School. My project came about when Serendipity Interactive spotted a gap in the current market. What they realised was missing was a secure, non-repudiable, electronic identity, and this is the basis of my project.
Simply put, my project revolves around the question, “Do you know who you’re communicating with when you use any form of electronic communication?”

Traditionally, communication took place on a ‘local’ level. You generally only conducted business with people you knew or had met, or that someone you knew and trusted had met. You relied on reputation, word of mouth and face to face meetings. You believed that people were who they said they were. And this was almost always true – in the realm of local communication there is a type of peer pressure. For your business to be successful, you have to trust your clients and your clients have to trust you. If any party breaks this trust, word will get around and people will be very reluctant to deal with that party, so there is no advantage to it.

However, the world is a much bigger place and communication takes place on a global scale, which is very different. There is no face to face established trust and no person that can vouch for both parties. Also, many communications may be one time affairs, so there is no incentive to establish a trust relationship.

There is also the physical aspect to any communication. On a local scale, goods or services are physically exchanged for a tangible cheque or cash, so often there is no need for trust. If there is a contract, it will be a physical piece of paper that the parties can sign, and that can be identified as having been altered. When communicating on a global level, this isn’t the case. Goods will likely have to be delivered, so either the supplier will have to send goods and trust that the recipient pays him, or vice versa. If you’re dealing with contracts, then it is very straightforward to alter an electronic document.

My project involves the need for proof, and security, of identity.
Traditionally, this wasn’t really a problem. The standard form for proof of identity was your signature, with the implication of:
Authentication – this is the original document
Authorisation – that you’re allowed to sign this document
Integrity – that the document is unchanged
Non-repudiation – the signature is personally yours

Even if there was the risk of forgery, measures were taken to prevent this, and there was still the aspect of knowing who you were dealing with, so a signature was rarely proving your identity, rather signifying your agreement. In many cases, a written signature is still the default stance when it comes to signing contracts, but as the introduction of chip and pin illustrates, even that is no longer the only option.

The big problem is for businesses dealing with each other all around the world, in cases where physically signing a document, such as a contract, is still the norm. The global nature makes this a very difficult job – a contract with three signatories all in different countries could mean a month before the contract was signed. The ideal solution would be to sign an electronic document, but electronic documents can be easily altered, hand written signatures are awkward to transmit, and, without the local peer pressure, hand written signatures are easily forged.

The solution is to be able to prove who you are, your identity, and to be able to do it in an electronic fashion: a digital proof of identity that could be used to mark or ‘sign’ documents electronically.
Both the Electronic Communications Act 2000 and the Electronic Signatures Regulations 2002 deal with electronic signatures: the first by ensuring what an electronic signature will do, and the second by defining what an electronic signature is. This matches three out of our four criteria for a signature:
Authentication
Non-repudiation
Integrity
The only one missing is authorisation, which is external to the electronic signature and must be dealt with separately.
Once we knew the criteria that the solution must meet, we were able to put together a solution that we could implement:
Uniquely linked to the signatory, and linked to the data to which it relates in such a manner that any subsequent change of the data is detectable – fulfilled by PKI
Capable of identifying the signatory – an issuance process that encompasses identity as well as issuance of PKI
Created using means that the signatory can maintain under his sole control – PKI is issued to a token that is biometrically secure
One method of digital signing is to use PKI, Public Key Infrastructure. It consists of a ‘public’ and a ‘private’ key, where keys are codes that are used to encrypt or decrypt data. In PKI the two keys are different but connected, and what one encrypts the other decrypts.
To see how this works, consider Alice and Bob:
Alice and Bob wish to communicate in private and keep the data secret.
They have enemies who want to discover and/or alter the data: Carol and Dave – impersonating; Eve – eavesdropping.
Private key: authenticates – the key must be secure; ensures integrity – using a hash function.
Public key: encryption; verifying authentication and integrity.
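As an added illustration of the private-key and public-key roles just described (this is example code written for this page, not code from the KTP project or from Serendipity Interactive), the following Go program uses the standard library's RSA and SHA-256: Alice hashes a contract and signs the digest with her private key, Bob checks it with her public key, and the same check then shows what happens when Carol alters the document after signing or when Dave signs it with his own key while claiming to be Alice. The contract text, the key size and the function names are all constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Signer holds one signatory's key pair. The private half stays with the
// signatory (on the project's token it would sit behind the fingerprint
// check); only the public half is handed to people who need to verify.
type Signer struct {
	priv *rsa.PrivateKey
}

// NewSigner generates a fresh 2048-bit RSA key pair (size chosen for the example).
func NewSigner() (*Signer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv}, nil
}

// PublicKey is the half that verifiers hold.
func (s *Signer) PublicKey() *rsa.PublicKey {
	return &s.priv.PublicKey
}

// Sign hashes the document with SHA-256 and signs the digest with the
// private key, so the signature is tied both to the signer and to the data.
func (s *Signer) Sign(doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, s.priv, crypto.SHA256, digest[:])
}

// Verify recomputes the digest and checks the signature with the claimed
// signatory's public key. A changed document or a signature made with
// someone else's private key both make this return false.
func Verify(pub *rsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Outcome records the result of each check in the Alice/Bob scenario.
type Outcome struct {
	Genuine      bool // Bob checks Alice's signature on the untouched contract
	Altered      bool // Carol changed the contract after Alice signed it
	Impersonated bool // Dave signed the contract with his own key, posing as Alice
}

// RunScenario walks through the three cases and returns what Bob's checks say.
func RunScenario() (Outcome, error) {
	alice, err := NewSigner()
	if err != nil {
		return Outcome{}, err
	}
	dave, err := NewSigner()
	if err != nil {
		return Outcome{}, err
	}
	// Constructed sample contract; the verifier compares exactly these bytes.
	contract := []byte("Alice agrees to pay Bob GBP 1,000 on delivery.")
	altered := []byte("Alice agrees to pay Bob GBP 10,000 on delivery.")

	sig, err := alice.Sign(contract)
	if err != nil {
		return Outcome{}, err
	}
	forged, err := dave.Sign(contract)
	if err != nil {
		return Outcome{}, err
	}
	return Outcome{
		Genuine:      Verify(alice.PublicKey(), contract, sig),
		Altered:      Verify(alice.PublicKey(), altered, sig),
		Impersonated: Verify(alice.PublicKey(), contract, forged),
	}, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine: %v  altered: %v  impersonated: %v\n", o.Genuine, o.Altered, o.Impersonated)
}
```

Only the genuine case verifies. Note what the check does not tell Bob: it proves the signature was made with the private key matching the public key he holds, not that the public key really belongs to Alice, which is exactly the gap the issuance process later in the talk has to close.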
The next part of our implementation is to consider how to keep the private key secure, ie so that only you can use it, to meet the advanced signature requirements. Security comes in three parts:
What you know
What you have
What you are
The solution we are implementing uses something you have with something you are – a USB drive with biometric authentication. This means that only you can access the USB drive and use the private key. The combination of biometrics and PKI means that your digital signature is non-repudiable, ie you cannot deny that you signed a document that has your digital signature on it.
The USB token can only be accessed by scanning your fingerprint on it, and the USB token is the only place that has your PKI key. Biometrics – the fingerprint combined with the electronic signature – associate security with personal identity.
Non-repudiation is one of the cornerstones of this project and is closely related to the biometric token. The token is used to authenticate the user as the owner of the token by matching the scanned fingerprint to the fingerprint algorithm stored on the bio-token. This fingerprint authentication then allows the user access to the private key on the token, with which they can then sign documents. This functionality allowed by the token will be key to implementing the requirements of the project, namely: to guarantee the identity of a signatory or that of someone accessing a system. The fingerprint scanning, combined with the private key, will enable this to happen, but it is dependent on the identity of the user being verified to begin with and consequently on the bio-token being issued to the correct person. This requires a good issuance process.
Now that we have the capability of signing documents and keeping the signature secure, we come to the cornerstone of the project. All this is useless if we cannot determine who exactly we are talking to. As I mentioned at the beginning, we no longer have prior acquaintance with people we communicate with, so it is not enough to be sure that a communication hasn’t been tampered with and can only have come from one person; we need to know who that person is. To do this, we require a process which confirms the identity of the person being issued with a PKI key and is a process that we can trust. The solution we decided upon is a standard process that every key recipient is required to go through before they can get their key, which requires the key recipient to basically prove that they are who they say they are. The key aspect is that this process will be standardised – everyone will go through the *same* process. It will also follow the trust chain model that is inherent in public key infrastructure. One person is incapable of issuing every single key, so trust will be delegated to other trusted organisations and individuals.
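As an added example of the delegated trust chain described above (again example code written for this page, not the project's own issuance system), this Go program uses the standard library's X.509 support to model one trusted root issuer that delegates to a registration office, which in turn issues a certificate binding a signatory's public key to their name. A second certificate that names the same person but was issued by an issuer the root never vouched for fails to chain, which is how a verifier who only knows the root can still tell a properly issued identity from one that merely claims the name. The issuer names, the key type (P-256, chosen for speed) and the validity periods are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a key pair for the named subject and returns a certificate
// binding its public key to that name, signed by issuerKey. A nil parent means
// the certificate is self-signed with its own key, i.e. it is a root of trust.
func issue(serial int64, name string, isCA bool, parent *x509.Certificate,
	issuerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour), // short life, example only
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // may vouch for others
	}
	if parent == nil {
		parent, issuerKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, issuerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// ChainsToRoot reports whether leaf can be linked, through the supplied
// intermediates, to the single root the verifier trusts.
func ChainsToRoot(leaf, root *x509.Certificate, intermediates ...*x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err == nil
}

// Outcome records whether each signatory certificate was accepted.
type Outcome struct {
	Delegated bool // issued by a delegate the root vouches for
	Rogue     bool // issued by an issuer nobody in the chain vouches for
}

// RunScenario builds root -> delegated office -> signatory, plus a rogue
// issuer, and checks both signatory certificates against the trusted root.
func RunScenario() (Outcome, error) {
	root, rootKey, err := issue(1, "Constructed Root Issuer", true, nil, nil)
	if err != nil {
		return Outcome{}, err
	}
	office, officeKey, err := issue(2, "Constructed Delegated Office", true, root, rootKey)
	if err != nil {
		return Outcome{}, err
	}
	alice, _, err := issue(3, "Alice (constructed)", false, office, officeKey)
	if err != nil {
		return Outcome{}, err
	}
	rogue, rogueKey, err := issue(4, "Constructed Rogue Issuer", true, nil, nil)
	if err != nil {
		return Outcome{}, err
	}
	impostor, _, err := issue(5, "Alice (constructed)", false, rogue, rogueKey)
	if err != nil {
		return Outcome{}, err
	}
	return Outcome{
		Delegated: ChainsToRoot(alice, root, office),
		Rogue:     ChainsToRoot(impostor, root, office),
	}, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("delegated issuance accepted: %v, rogue issuance accepted: %v\n", o.Delegated, o.Rogue)
}
```

The verifier's configuration holds a single root; everything else it accepts only because the root, directly or through a delegate, signed for it. That is the mechanical side of the standardised process: the chain can only be as trustworthy as the identity checks each issuer performs before signing.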
Digital Identity & Security
Serendipity Interactive Ltd & Glasgow Caledonian University
Michael Bromby & Laura Reid