On Identity, Trust & Digital Security

There are a myriad of solutions looking to address the security aspects of the Internet of Things, the majority of which are focused on the same old concerns from when the internet became a commercial entity.

These concerns are usually: Perimeter security using Firewalls, VPN, Denial of Service prevention policies and procedures, CTO/CISO, budget and focus, employee training, review and update of network architecture and client confidentiality.

While these are all good practices, they are basically reactive to those things we learned from an earlier era and are designed by committee and often by people who have grown up with the Internet rather than those for whom the Internet has always been there.

Personal identification of the citizen resides at the heart of many forms of service delivery, both from a governmental view as well as financial services to perform KYC. Historically and archetypically, such identification has been undertaken through manual form filling, coupled to the verification of personal identity through paper-based authentication processes. Despite much innovation, such as the UK government’s digital ID approach, much of this still remains paper-based.

Credits Protocol believe that the greater adoption of blockchain technology will allow a greater and more rapid consolidation of “identity” information to the benefit of all involved.

Definition of Trust
Every security system depends on trust, in one shape or another, amongst the users of the service/system. In network security solutions there are generally two forms: third-party trust and direct trust.

Third-party trust refers to a situation in which two individuals implicitly trust each other even though they have not previously established a personal relationship. In this situation, two individuals implicitly trust each other because they each share a relationship with a common third party, and that third party vouches for the trustworthiness of the two people.

Third-party trust is a fundamental requirement for any large-scale implementation of a network security product based on public-key cryptography.

Direct trust refers to a situation in which two individuals have established a trusting relationship between themselves. In network security, direct trust is required when individuals from separate CA domains (not cross-certified) exchange keying information to secure their communications. Because the respective CAs of these users have not established a trust relationship (through cross-certification), the users must trust each other on a personal basis. Without personal trust in this scenario, exchanging keying information is of no value because the keying information itself should not be trusted. When direct trust is applied to secure communications, it is solely the responsibility of each of the parties to ensure that they are comfortable with their level of personal trust in the other party.

How have identity and digital security been addressed?

Ignoring paper-based methods such as a utility bill, the most common underlying approach to security is PKI, which is the comprehensive system required to provide public-key encryption and digital signature services. To be effective, businesses need to implement the following to provide a transparent PKI service:

  • public key certificates
  • a certificate repository
  • certificate revocation
  • key backup and recovery
  • support for non-repudiation of digital signatures
  • automatic update of key pairs and certificates
  • management of key histories
  • support for cross-certification
  • client-side software interacting with all of the above in a secure, consistent, and trustworthy manner.

All of these requirements must also be met to have an automatic, transparent, and usable PKI.

PKI and SSL certificates
For public-key cryptography to be valuable, users must be assured that the other parties with whom they communicate are “safe”—that is, their identities and keys are valid and trustworthy. To provide this assurance, all users of a PKI must have a registered identity. These identities are stored in a digital format known as a public key certificate.
Certification Authorities (CAs) represent the people, processes, and tools to create digital certificates that securely bind the names of users to their public keys. In creating certificates, CAs act as agents of trust in a PKI. As long as users trust a CA and its business policies for issuing and managing certificates, they can trust the millions of certificates issued by the CA each year.

An SSL Certificate is a popular type of Digital Certificate that binds the ownership details of a web server (and website) to cryptographic keys. These keys are used in the SSL/TLS protocol to activate a secure session between a browser and the web server hosting the SSL Certificate. In order for a browser to trust an SSL Certificate, and establish an SSL/TLS session without security warnings, the SSL Certificate must contain the domain name of the website using it, be issued by a trusted CA, and not have expired.

SSL is one of the most prevalent security technologies in use today and it is estimated that there are over 5m SSL certificates in use for public facing websites.

PKI & Trust Hierarchies

Browsers and devices trust a CA by accepting its Root Certificate into their root store – essentially a database of approved CAs that comes pre-installed with the browser or device. Windows operates a root store, as does Apple, Mozilla (for its Firefox browser) and typically each mobile carrier also operates its own root store.

Figure: The Apple OSX store of trusted Root Certificates

CAs use these pre-installed Root Certificates to issue Intermediate Root Certificates and end entity Digital Certificates. The CA receives certificate requests, validates the applications, issues the certificates, and publishes the ongoing validity status of issued certificates so anyone relying on the certificate has a good idea that the certificate is still valid. CAs usually create a number of Intermediate CA (ICA) Root Certificates to be used to issue end entity certificates, such as SSL Certificates. This is called a trust hierarchy.

Cross certification

One of the major challenges has been “walking a chain of trust”. The “chain” refers to a list of cross-certificate validations that are “walked” (or traced) from the CA key of the verifying user to the CA key required to validate the other user’s certificate. When walking a chain of cross-certificates, each cross-certificate must be checked to ensure that it is still trusted. User certificates must be able to be revoked; so must cross-certificates. This requirement is frequently overlooked in discussions regarding cross-certification.
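
The walk described above, as an added example that is not part of the original article: a simplified Python model in which each cross-certificate is a record naming its issuing and subject CA, and the search refuses to pass through any link that is revoked or expired. The CA names, serials and dates are constructed, and signature verification is assumed to happen elsewhere.

```python
from collections import deque
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class CrossCert:
    serial: str      # constructed serial number
    issuer: str      # CA that signed the cross-certificate
    subject: str     # CA whose key the cross-certificate vouches for
    not_after: date  # last day of validity

def walk_chain(own_ca, target_ca, cross_certs, revoked, today):
    """Breadth-first search from the verifier's CA to the CA that issued the
    other user's certificate. Returns the list of cross-certificates walked,
    or None if no chain of still-trusted links exists."""
    if own_ca == target_ca:
        return []
    queue, seen = deque([(own_ca, [])]), {own_ca}
    while queue:
        ca, path = queue.popleft()
        for cc in cross_certs:
            if cc.issuer != ca or cc.subject in seen:
                continue
            # Every link is checked, not just the end-user certificate.
            if cc.serial in revoked or cc.not_after < today:
                continue
            if cc.subject == target_ca:
                return path + [cc]
            seen.add(cc.subject)
            queue.append((cc.subject, path + [cc]))
    return None

def serials(path):
    """Helper for display: serial numbers along a chain, or None."""
    return None if path is None else [cc.serial for cc in path]

# Constructed sample: two possible routes from CA-A to CA-D.
CERTS = [
    CrossCert("cc-01", "CA-A", "CA-B", date(2030, 1, 1)),
    CrossCert("cc-02", "CA-B", "CA-D", date(2030, 1, 1)),
    CrossCert("cc-03", "CA-A", "CA-C", date(2030, 1, 1)),
    CrossCert("cc-04", "CA-C", "CA-D", date(2020, 1, 1)),  # expired by TODAY
]
TODAY = date(2025, 6, 1)

if __name__ == "__main__":
    print(serials(walk_chain("CA-A", "CA-D", CERTS, set(), TODAY)))
    print(serials(walk_chain("CA-A", "CA-D", CERTS, {"cc-02"}, TODAY)))
```

With `cc-02` revoked, the only remaining route runs through the expired `cc-04`, so no chain is returned and the two users fall back to the direct-trust case described earlier.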

From digital commerce to Internet of Things

Several industries, such as the financial services industry, lead the way when it comes to securing transactions, validating identities, and orchestrating authentication and trust. Recent advances in hardware-rooted security, tokenization, Host Card Emulation (HCE), and, more promising still, software-rooted security are encouraging. As an example, Apple Pay uses some of these new advances and enables your finger to be scanned by your phone, which then talks to the cashier’s point-of-sale system, which in turn starts a quick conversation with both your bank and the merchant’s bank. Through the channels of Visa, Amex or MasterCard, in milliseconds identities are verified, devices are authenticated, accounts are checked, limits are analysed, rates are set, fees are deducted and finally a digital transaction is concluded. However, the service is still open to fraud: banks are reportedly getting hit with a growing number of cases that have more to do with identity theft than with breaking into Apple’s encrypted, biometric-enabled payment service. Criminals are setting up new iPhones with stolen credit card information, then impersonating the victim using other information easily found online, thus tricking the bank into thinking they are the authorized user in order to verify the new card.

A new connectivity paradigm, a new security paradigm

The key is to secure the original identity better at the “back end” rather than the delivery device itself.

For all these devices coming out of different industries to converse, new protocols and standards have to be developed, a new vocabulary needs to be created, or at least, new extensions to an existing set need to be in place. Expect to see many players trying to position themselves for this new paradigm. Many in digital commerce are actually well positioned to do so.

For global security to work it has to have ubiquity, transportability across devices and operating systems, as well as freedom of ownership, where freedom of ownership is a crucial part. For this to work security has to be mostly in software that is common across devices or at least has a standard set of common APIs across such devices.

Does Blockchain hold the key?

by Michael King, Chairman, Credits.vision

Michael has more than thirty years’ experience in the international finance arena across multiple disciplines and is a partner in various consultancy and software companies. He has a proven track record in devising and executing business strategy combined with strong leadership and motivational skills.
Michael’s expertise extends to virtually all financial services, payment services and systems, electronic marketplaces, e-commerce and market infrastructures. Before joining Pythia, Michael worked at SWIFT in multiple leadership capacities in Europe, Asia and the US.
