Anonymity, trust, accountability

A case study in digital identity system design, using the uPass system as an example of trade-offs and design decisions.

Published in: Internet
  1. ANONYMITY, TRUST, ACCOUNTABILITY
     Romek Szczesniak
     Eleanor McHugh
  2. Cryptographer, PKI & AppSec
     Physicist, System Architecture
     1998 InterClear CA
     2003 ENUM
     2006 Telnic
     2011 Malta E-ID
     2012 HSBC GC
     2014 YOTI
  3. DIGITAL IDENTITY - THE GRAIL QUEST
     ➤ can we create a global identity system that:
        ➤ nobody owns
        ➤ cannot be subverted
        ➤ works on desktop, mobile & IoT
        ➤ embraces anonymity rather than pseudonymity
        ➤ anchors to real-world identity documents
        ➤ embraces UK common law
        ➤ scales to global needs
        ➤ transacts in < 500ms
  4. CURRENT SOLUTIONS
     ➤ PKI
     ➤ SSO
     ➤ OpenID
     ➤ IAM
     ➤ passwords
     ➤ biometrics
  5. COMMON LAW CONTRACTS & TRANSACTIONS
     ➤ at least one party makes an offer
     ➤ all parties must then reach mutual assent
     ➤ and have an intention to create legal relations
     ➤ an exchange of sufficient consideration must then occur
     ➤ identification of the parties is implicit
     ➤ and may be put to the test in court
  6. MOBILE DEVICES SEEM RESTRICTED
  7. BUT THEY CAN BE ANCHORED TO A TRUSTED SERVER
  8. A NAIVE APPROACH TO SHARING IDENTITY
     ➤ conventional client-server architecture
     ➤ A must trust B and B must trust Server
     ➤ each link involves a request-response over HTTPS links
     ➤ this is noisy and each link is an attack point for flow analysis
  9. REDUCING IDENTITY TO A CLEAN TRANSACTION
     ➤ unidirectional data-flow architecture
     ➤ B doesn't contact Server, and V doesn't contact B
     ➤ Server contacts both B and V
     ➤ each link is less susceptible to flow analysis
  10. IMMUTABLE PROFILES
     ➤ PKI certificate information – too heavy
     ➤ Attributes – too many, changeable
     ➤ SSO – not enough information
     ➤ we need a Goldilocks solution…
     ➤ fixed collections of one or more attributes
     ➤ change attributes by creating new profiles
     ➤ each profile links to its antecedent
     ➤ use cryptography to secure the version chain
  11. MANAGING A PERSON'S IDENTITIES
     ➤ anchor documents
        ➤ passport, driving licence, identity card, ...
     ➤ biometric stream
        ➤ successions of biometric captures for the person
     ➤ profile set
        ➤ a choice of user profiles
     ➤ credentials
        ➤ large ephemeral random identifiers
        ➤ assigned to the [user | device | profile]
  12. MANAGING A PERSON'S IDENTITIES
  13. RECEIPTS CONFIRM TRANSACTIONS
  14. A FINE-CHAINED DISTRIBUTED LEDGER TRACKS RECEIPTS
  15. PRODUCING A COMPLETE TRANSACTIONAL IDENTITY SYSTEM
  16. APPLICATION: AGE VERIFICATION
  17. APPLICATION: AGE VERIFICATION WITH SECURE CHANNEL
  18. PATENTS
     ➤ US2016239658 Digital Identity
     ➤ US2016239653 Digital Identity
     ➤ US2016241532 Authentication of Web Content
     ➤ US2016241531 Confidence Values
     ➤ US2016239657 Digital Identity System
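
The immutable-profile version chain from slide 10, as an added sketch that is not code from the slides or from uPass. It assumes SHA-256 hash linking as the cryptography that secures the chain, and the names `Profile`, `create_profile`, `profile_digest` and `verify_chain` are hypothetical; the slides name no specific scheme.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Optional


def profile_digest(attributes: tuple, antecedent: Optional[str]) -> str:
    """SHA-256 over a canonical encoding of the attributes and the antecedent link."""
    body = json.dumps({"attributes": attributes, "antecedent": antecedent},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class Profile:
    attributes: tuple          # fixed collection of (name, value) pairs
    antecedent: Optional[str]  # digest of the previous version, None for the first
    digest: str                # digest covering this version and its link


def create_profile(attributes: dict, antecedent: Optional[Profile] = None) -> Profile:
    """Changing an attribute means creating a new profile linked to the old one."""
    if not attributes:
        raise ValueError("a profile holds one or more attributes")
    fixed = tuple(sorted(attributes.items()))
    link = antecedent.digest if antecedent else None
    return Profile(fixed, link, profile_digest(fixed, link))


def verify_chain(chain: list, trusted_head: str) -> bool:
    """Check an oldest-first chain against a head digest obtained from a trusted source."""
    expected_link = None
    for profile in chain:
        if profile.antecedent != expected_link:
            return False  # link to the antecedent is broken or reordered
        if profile_digest(profile.attributes, profile.antecedent) != profile.digest:
            return False  # content was altered after the digest was fixed
        expected_link = profile.digest
    return expected_link == trusted_head


# Constructed sample data: version 2 adds an attribute by superseding version 1.
v1 = create_profile({"name": "Constructed Person", "over_18": True})
v2 = create_profile({"name": "Constructed Person", "over_18": True,
                     "city": "Exampleton"}, v1)
```

A hash chain is only tamper-evident relative to a head digest the verifier already trusts; without that anchor, every version could be rewritten and re-linked.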
