Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Alastria Digital Identity: the Spanish Blockchain solution for SSI - Carlos Pastor

251 views

Published on

Alastria is an association to foster the implementation of a Spanish national blockchain whose nodes are run by Alastria members. Alastria gathers over 250 cross-industry members and was initiated by the some of the biggest corporations in Spain. Alastria ID proposes an implementation of the Self Sovereign Identity paradigm over a public-permissioned Blockchain and will be presented by Carlos Pastor, Alastria’s Digital Identity Commission Leader, in this webinar from SSIMeetup.org. Alastria ID vision is to become the cornerstone of a legally binding ID for members and final users, giving users complete control over their personal data. Alastria ID not only strives to be “GDPR compliant”, but also to become the best and easiest way to fulfill GDPR user rights, providing a full-fledged Identity management solution from identity creation to attestation and claim management, including consent as well as issuer revocation and user deletion rights.

Published in: Internet
  • Be the first to comment

  • Be the first to like this

Alastria Digital Identity: the Spanish Blockchain solution for SSI - Carlos Pastor

  1. 1. Alastria Digital Identity: the Spanish Blockchain solution for SSI Carlos Pastor - Alastria Digital Identity Commission Leader June 2018
  2. 2. 1. Empower global SSI communities 2. Open to everyone interested in SSI 3. All content is shared with CC BY SA SSIMeetup.org Alex Preukschat @SSIMeetup @AlexPreukschat Coordinating Node SSIMeetup.org https://creativecommons.org/licenses/by-sa/4.0/ SSIMeetup objectives
  3. 3. What is needed: a user centric, easy to use, safe, lawful, digital identity model The solution: A Self Sovereign Identity open blockchain platform SSIMeetup.org
  4. 4. World’s first nation-wide, multi-sectoral, enterprise grade, permissioned, open Blockchain network ¡HOLA, ALASTRIA! … made in Spain ;-) SSIMeetup.org
  5. 5. Suppliers Factories Logistics Logistics Retailer Final product Customer Social networks Usage data Blockchain Self-Sovereign Identity Permissioned Privacy Resiliency Smart Contract Smart Contract Smart Contract Smart Contract Smart Contract Smart Contract Services developed by Alastria members Members collaborate on the infrastructure Members compete on the applications National Blockchain Network Nonprofit association, open to everyone SSIMeetup.org
  6. 6. Self Sovereign Identity - SSI Alastria Id: an SSI inspired, GDPR compliant, Identity Management solution SSIMeetup.org
  7. 7. The roles User Alastria ecosystem Blockchain infrastructure Coopetitive ecosystem Data owner Requires Attestations and provide Claims under his/her sole control Who am I? How am I? What can I do? SSIMeetup.org Attesters Attest identity and other user attributes Financial Education Government Corporates G.A.F.A.s Etc. Service providers Require authentication and other user attributes to provide their services Financial Education Government Corporates G.A.F.A.s Etc.
  8. 8. 1 2 3 The roles User Attesters Alastria ecosystem Service providers Require authentication and other user attributes to provide their services Attest identity and other user attributes Blockchain infrastructure Coopetitive ecosytem Data owner Requires Attestations and provide Claims under his/her sole control Financial Education Government Corporates G.A.F.A.s Etc. Who am I? How am I? What can I do? C G E F 0 to 3 Claim SSIMeetup.org Financial Education Government Corporates G.A.F.A.s Etc.
  9. 9. Claves (generación) Claims Attestations B E G G E 3 1 Information Hub storage Doc Manager Verificaciones ok User identity (Wallet) Public Privat e Educaction Corporate Govern C Bank Selección CERT B E GC Educaction Corporates GovernBank B 2 C 0 a 3 1 User Attesters Service providers SSIMeetup.org
  10. 10. Smarts Contracts ID Manager Proxy Registry Storage PersonalD ATA Alastria (Blockchain) Registry of Attestations Claims Transactions Hash Keys Claims Attestations B E G G E 3 1 Information Hub storage Doc Manager Verificaciones ok Publica Privad a C Selección CERT B 2 C 1 a 3 1 PART3. The information Hash Records evidences (hashes) never real personal data Stores personal encrypted data UserIdentity (Wallet)
  11. 11. Identity Alastria Id Specification Overview SSIMeetup.org
  12. 12. Alastria Blockchain Alastria ID Registered hashes and status: Valid, AskIssuer, Revoked, Deleted Service Provider Id Generation Claim (Level of Assurance) Authentication: This is me Claim:I am (attribute) I can do it Attestation (Level of Assurance) Who am I? How am I? What can I do? Registry Pub Keys Attestations Claims Transactions ALASTRIA ID Roles and relationships Id Recovery Attestation & Claim Repository Subject Private Keys Validation 12 ConfirmationRevocation Attestation Issuers Core Attributes Other Attributes SSIMeetup.org
  13. 13. Alastria Id – Primitive Actions On-Chain & Off-Chain • Alastria Id Generation • Authentication • Public Keys Generation, Registration, Revocation and Deletion • Attestations issuance, Registration, Revocation and Deletion • Claims Sharing, Registration, Confirmation and Deletion • Identity and Private Key Backup & Recovery • Signed transactions Alastria Blockchain 13SSIMeetup.org
  14. 14. Attestation Issuers Core Attributes Other Attributes Service Provider Id Generation Signed Claim (LoAs) Authentication: This is me Claim:I am (attributes) I can do it Signed Attestation (LoA) Who am I? How am I? What can I do? ALASTRIA ID Smart Contracts Encrypted Attestation & Claim Subject Private Keys Proxy MetaIdMngr Registry MetaIdMngr Proxy MetaIdMngr Proxy Other Contracts Validation Alastria Blockchain 14SSIMeetup.org
  15. 15. •Metaidentity Manager • Manages the relationship between public-private subject keys and Proxy •Proxy • Acts on behalf of the subject • AlastriaId is the address of the subject’s proxy contract • The proxy contract, and so every AlastriaId, is forever •Registry: AttestationRegistry, PublicKeyRegistry & ClaimRegistry • Central registry for everything related to Alastria Id • Stores mainly hashes and statuses, never personal information • Could be extended to transactions Alastria Smart Contracts (SC) 15SSIMeetup.org
  16. 16. Alastria Id – Attestation Header: @context: http://schema.org @type: Person Subject: SubjectAlastriaID: SubjectProxyAddress AttributeData: @LevelOfAssurance: 2 address: @type: PostalAddress, addressLocality: Madrid, addressRegion: Spain, postalCode: 28001, streetAddress: Alfonso XI, 6 IssuanceDates: InitialValidityDate: 2018-04-20/12:00 EndValidityDate: 2023-04-20/12:00 Issuer: IssuerURL: IssuerURL IssuerAlastriaID: IssuerProxyAddress IssuerPubKey: CurrentIssuerPubKey IssuerSignature: IssuerSignature • Multi standard support for Attribute Names. • Mandatory Subject’s Alastria Id • Level of Assurance • Single attribute recommended. • Multiple attribute supported. • Mandatory Initial Validity Date. • Optional End Validity Date. • Optional Issuer revocation URL • Mandatory Issuer’s AlastriaId. • [Optional] current Issuer Public Key • Mandatory Issuer Signature (with current Private Key) Attestation Info: 16SSIMeetup.org
  17. 17. IssuerSignature: IssuerSignature ClaimDates: InitialClaimDate: 2018-04-20/12:00 EndClaimDate: 2023-04-20/12:00 Recipient: RecipientAlastriaID: RecipientProxyAddress Purpose: ProcessHash: Hash of the process name & description Signature: SubjectPubKey: CurrentSubjectPubKey SubjectSignature: SubjectSignature Attestation N IssuerSignature: IssuerSignature Attestation … Alastria Id – Claims ClaimAttestation 1Header: @context: http://schema.org @type: Person Subject: SubjectAlastriaID: SubjectProxyAddress AttributeData: @LevelOfAssurance: 2 address: @type: PostalAddress, addressLocality: Seattle, addressRegion: WA, postalCode: 98052, streetAddress: 20341 Whitworth Institute IssuanceDates: InitialValidityDate: 2018-04-20/12:00 EndValidityDate: 2023-04-20/12:00 Issuer: IssuerURL: IssuerURL IssuerAlastriaID: IssuerProxyAddress IssuerPubKey: CurrentIssuerPubKey IssuerSignature: IssuerSignature • Much more than a simple Attestation list. • 1 to N attestations from (different) issuers, including their original digital signatures. • Mandatory Claim Initial Validity Date. • ¿Mandatory? Claim End Validity Date • Mandatory Service Provider Alastria ID. • Business Process Name & Description Hash linking the consent to a specific business process or purpose. • [Optional] current Subject’s Public Key. • Mandatory Subject’s Signature (with current Private Key). 17SSIMeetup.org
  18. 18. • Subject should be able to register (the hash of) an attestation. • Registration is made on the Blockchain by the Registry Smart Contract using the AlastriaId. • Subject should be able to mark an attestation as deleted in the Registry. • Everybody must stop using the attestation and delete their copies. • Issuer should be able to revoke attestations on the blockchain. • Third parties should not be able to realize any Issuer- Subject relationship from the above actions. • Alastria Id will use a couple of hashes derived from the attestation. • AttestationHash (aka dataHash): used to register and delete the attestation. • RevocationHash: used to revoke the attestation. • The relationship between both hashes and the attestation is only know to those having produced or received the attestation off chain. • Issuer. • Subject (sent by the Issuer). • Service Provider (sent by the Subject). Private Attestation Revocation and Deletion 18SSIMeetup.org
  19. 19. AttestationHash & Revocation Hash: Dual Hashing •AttestationHash Uses complete attestation (including Issuer signature) Header: @context: http://schema.org @type: Person Subject: SubjectAlastriaID: SubjectProxyAddress AttributeData: @LevelOfAssurance: 2 address: @type: PostalAddress, addressLocality: Madrid, addressRegion: Spain, postalCode: 28001, streetAddress: Alfonso XI, 6 IssuanceDates: InitialValidityDate: 2018-04-20/12:00 EndValidityDate: 2023-04-20/12:00 Issuer: IssuerAlastriaID: IssuerProxyAddress IssuerURL: AskIssuerURL IssuerSignature: IssuerSignature •RevocationHash Complete attestation + Issuer signature Header: @context: http://schema.org @type: Person Subject: SubjectAlastriaID: SubjectProxyAddress AttributeData: @LevelOfAssurance: 2 address: @type: PostalAddress, addressLocality: Madrid, addressRegion: Spain, postalCode: 28001, streetAddress: Alfonso XI, 6 IssuanceDates: InitialValidityDate: 2018-04-20/12:00 EndValidityDate: 2023-04-20/12:00 Issuer: IssuerAlastriaID: IssuerProxyAddress IssuerURL: AskIssuerURL IssuerSignature: IssuerSignature IssuerSignature: IssuerSignature Properties & Relationship • Both are easily calculated from attestation. • Not guessable without attestation. • Unique pair (revocation hash and attestation hash) from attestation. • Issuer signature is included once in the AttestationHash and twice in the Revocation Hash • The pair of hashes could be used to privately update Blockchain information about the attestation. • Only available for those having shared the attestation or a claim including the attestation. • Attestation could be marked as deleted (by the Subject) or revoked (by the Issuer) in the blockchain. 19
  20. 20. Service Provider Signed Attestation (LoA) Who am I? How am I? What can I do? ALASTRIA ID AttHash & RevHash Subject Alastria Blockchain 20 Set AttHash, Valid Set AttHash, Deleted Set RevHash, Revoked Proxy MetaIdMngr Registry MetaIdMngr Proxy GetStatus AttHash, RevHash Signed Claim (1..n attestations) Authentication: This is me Claim:I am (attributes) I can do it Attestation Issuers SSIMeetup.org
  21. 21. AlastriaId generation Sesion Manager ¿CAS – Hydra? WebApp Alastria Id User Password Private/Public Keys GateWay 2 2a 5 3 6 4 BlockChain IdMngr Proxy Registry 6 Process 1. Private/Public Key generation mobile phone 2. Authentication by the current member WebApp. Members Pushes or shows QR with: a. JSON Alastria Token (AT) b. Requiring KPub 3. Signed Alastria ID Creation (AIC) sent to the GW with: a. Signed raw transaction From: Subject To: MetaIdentityManager. Function: CreateIdentity b. Alastria Token (AT) c. Public Key 4. El GW verifies parameters, OAuth session and Public Key. 5. El GW sends transaction to IdentityManager 6. GW returns created AlastriaId to member and subject. 7. Member links AlstriaId to Subject preexistent Id. 1 6 2b 7 21SSIMeetup.org
  22. 22. Alastria Id Authentication Sesion Manager ¿CAS – Hydra? WebApp Alastria Id Usuario Password Private/Public Keys GateWay 2 4 BlockChain MIdMngr Proxy Registry 7 Process 1. User connects to WebApp and selects Alastria Id. 2. Member or shows QR signed JSOpushes N with: a. Alastria Token b. Requiring Subject’s AlastriaId & PubKey 3. Alastria App picks member’s Public Key (Hash) trough GW. 4. Step 2 signature is checked. 5. User sends Signed Alastria Session with: a. Alastria Token b. AlastriaId + PubKey 6. Member picks subject’s Public Key (Hash) trough GW 7. Step 5 signature is checked 8. First time AlastriaId authentication requires traditional authentication or reliable attestation. AlastriaId must be linked to preexistent Id. 9. Session token is sent to WebApp. 1 6 3 9 3 1 5 6 8 22SSIMeetup.org
  23. 23. Gateway •In a permissioned network as Alastria, only permissioned nodes run by members can have direct Blockchain access. •A Gateway is required to give access to personal users, affiliated service providers that are not members not members and members not running a node. •Public functions • Alastria Identity Creation • Registry: PublicKeys, Attestation and Claims • SendRawTransaction for signed transactions • Generic not signed not transactional invocations (view functions) 23SSIMeetup.org
  24. 24. Alastria Digital Identity: the Spanish Blockchain solution for SSI Carlos Pastor - Alastria Digital Identity Commission Leader June 2018

×