Home

Awesome

The Horcrux Protocol: A Method for Decentralized Biometric-based Self-sovereign Identity

Most user authentication methods and identity proving systems rely on a centralized database. Such information storage presents a single point of compromise from a security perspective. If this system is compromised it poses a direct threat to users' digital identities. This paper proposes a decentralized authentication method, called the Horcrux1 protocol, in which there is no such single point of compromise. The protocol relies on decentralized identifiers (DIDs) under development by the W3C Verifiable Claims Community Group and the concept of self-sovereign identity. To accomplish this, we propose specification and implementation of a decentralized biometric credential storage option via blockchains using DIDs and DID documents within the IEEE 2410-2017 Biometric Open Protocol Standard (BOPS).

Authors: Asem Othman and John Callahan, Veridium IP Ltd

Keywords: Blockchain, IEEE BOPS, self-sovereign identity, authentication factors, digital identity, distributed authentication architecture

Introduction

Digital transformation, mobility and the proliferation of applications and networks have made traditional forms of information protection increasingly difficult to manage and enforce. Information is everywhere, access is widely distributed, but most security programs are still largely based on archaic, static models that just don't work anymore and it is getting worse.

The latest evidence of this is recent breach disclosed by Equifax [@hume2004identity] that has exposed identity information for over 140 million individuals. Enterprises continue to take on enormous risk by aggregating unnecessary personal data while customers can't manage the massive number of IDs, passwords and data required to interact with every on-line connection.

We believe that the common denominator across most aspects of information protection is identity. An identity is inextricably linked to a person, device, application, system or network and it is the most dependable 'perimeter' we can rely upon to determine how to make information available properly and securely. Identity management will soon have to make the leap from our age-old approaches of multiple user IDs and passwords to a new, secure, privacy-centric means of identity authentication.

An identity ecosystem leverages personas that can both protect privacy (and reduced liability for the enterprise), provide distributed access to authorized services and provide the user a full-control over their identity accessing. User authentication presents one of the basic security requirements in this identity ecosystem. Generally speaking, authentication can be described as a process in which a user offers some form of proof that he is the same user who registered the account. A proof of identity can be any piece of information that an authentication server accepts: something users have in their possession, something they know or something they are (e.g., a biometric).

Traditional Authentication models

In current practice, only one centralized database is in charge of storing the data used for authentication. When the user offers the requested proof of identity, the authentication server evaluates this proof and grants access to the user. For example, when a user tries to access his account on a typical web application he is prompted to enter a password. Traditionally, the web application holds the information about the user's account and his password. When the user submits his password during log-in process, the application compares the stored password to the submitted password. If they match, the user is granted access to the application. In other words, all the information needed to authenticate the user is held on a single system. Even if the authentication system is biometric-based system, most of the deployed systems is still use the same centralized model.

Biometric-based authentication systems [@jain2004introductiontobiometrics] operate in two main stages: enrollment and recognition. The enrollment stage generates a digital representation of an individual's biometric trait and then stores this representation called biometric template in a centralized system database. During the recognition stage, which can be operate in two modes: verification and identification, the system require that the acquired probe biometric template to be matched against a single template (in the verification mode) or all template (in the identification mode) stored in the centralized database.

This makes such systems the single point of compromise for securing digital identities. In other words, in case an attacker gains access to the web application or the biometric centralized database, he can extract enough information to compromise the user's digital identity [@jain2008biometric]. Moreover, since many users tend to use the same password or biometric trait in different applications, revealing their identity on one compromised database can lead to unlawful access into other accounts and services.

In some current implementations, the authentication server can be completely separated from the server running web applications or biometric authentication database . For example, single sign-on (SSO) schemes [@radha2012survey] are based on this concept. SSO schemes rely on a third-party identity provider (IdP) to broker authentication using protocols such as SAML [@hughes2005security] and OpenID Connect [@sakimura2011openid]. Since their introduction in 2002 and 2010 respectively, only 5% of sites use any of over 50 disparate IdP [@vapen2016look] SSO services (e.g., "login with Facebook", "login with Google", etc.). Loopholes in these centralized IdP-based SSO systems are the main reasons for the many hacks of personal information [@hume2004identity] and even loss of biometric data [@zetter2015opm]. Surveys of users show an overwhelming dissatisfaction with single-sign-on (SSO), a feeling of "lack of control" over their data [@innovalor2016; @mertens2015digital; @rose2012value; @satchell2011identity] and a desire to control it themselves. Upcoming legislation, such as the General Data Protection Regulations (GDPR) [@koops2014privacy] and Payment Services Directive II (PSD2) [@cortet2016psd2], are pressuring institutions, both private and public, to place citizen or customer data into the end user's control.

Traditional Identity Proving Methods

Current identity proving methods (see Figure [fig:OldEcoSystem]{reference-type="ref" reference="fig:OldEcoSystem"}) rely on specific parties: an issuer, end-user, verifier, and inspector.

Issuers such as governments associate identity credentials to end-users. Then, the issuer shares personal information and credentials of the end-user with a verifier. If the end-user applies for a bank account, credit card, or car loan, the inspector contacts a verifier to prove the claimed identity by the end-user. Therefore, especially if this process is online, the inspector presents a multiple-choice quiz about past addresses or who financed the user's last car. That's an identity verification service that verifier provides to lenders and others, i.e., inspectors. Based on the answers or prove of holding the credentials, the inspector will verify the claimed identity by the end-user and grantee the required service. This ecosystem has the same security flaw as the traditional authentication systems, end-user personal data (e.g., SSN, addresses, birthdate, etc.) are stored in a centralized database of the verifier.

Traditional Identity Proving Ecosystem.

Our Contribution

The aforementioned security flaws encapsulate perfectly why a new identity ecosystem is so important: identity is the new attack surface [@los2016]. In traditional authentication and identity models, users are forced to relinquish personal information such as credit histories, credentials such as birth certificate, or biometric data such fingerprint template to a third party, with a centralized database.

Self-sovereign identity is a new decentralized ecosystem for private and secure identity management that is being implemented by several projects [@reed2017beyond; @ali2016blockstack; @lundkvist2016uport] as the replacement of the traditional identity proving systems. Self-sovereign identity puts end-users --- not the organizations that traditionally centralize identity --- in charge of decisions about their own privacy and disclosure of their personal information and credentials. Self-sovereign identity utilizes distributed ledgers, i.e., blockchain technology, to establish a web-of-trust [@wot]. These blockchains are a form of databases that is provided cooperatively by a set of organizations, instead of by a central database with a central organization. A single blockchain is copied redundantly in many places, and it accrues transactions orchestrated by many machines. In other words, the new identity model is a reliable, public identity proving system under no single entity's control, robust to system failure and hacking.

In this paper, we discuss the specification and implementation of our Horcrux protocol that combines the decentralized self-sovereign identity ecosystem with 2410-2017 IEEE Biometric Open Protocol Standard (BOPS)[@BOPS-2017]. The BOPS protocol is extensible to a combination of on-device (FIDO UAF [@FIDO-UAF-2014] compatible), server-side or a multi-distribution model that utilizes a secret scheme. Indeed, the standard allows for off-device biometric credentials under user control. The device's local TPM is only one option (though dominant at the moment) for persisting biometric credentials and associated key(s).

The Horcrux protocol allows the end-users of self-sovereign identity to have the control of accessing their identities by giving the consent to this verification process via a biometric authentication process. Moreover, We propose the use of the existing BOPS due to its multi-distribution scheme of storing biometric data. BOPS utilizes a secret scheme to divide the templates into $n \leq 2$ shares as specified in IEEE 2410-2017. Therefore, biometric data used for authentication will be distributed by BOPS and securely stored in decentralized storages and securely referenced to them by blockchains technology. The multiple shares (and potentially redundant shares) could be spread across alternate off-chain storage (like IPFS, Dropbox, Google drive, etc.) as designed in the self-sovereign ecosystem.

This marriage of these two identity models (DIDs and BOPS) is the Horcrux protocol which guarantees the following principles:

The rest of the paper is organized as follows. Sections 2{reference-type="ref" reference="sec:BOPS"} and 3{reference-type="ref" reference="sec:sovereign"} present IEEE Biometric Open Protocol Standard (BOPS) and Self-sovereign identity ecosystem, respectively. Section 4{reference-type="ref" reference="sec:horcrux"} discuss our Horcrux protocol and its implementation. Finally, Section 5{reference-type="ref" reference="sec:con"} summarizes the paper.

BOPS {#sec:BOPS}

Biometric authentication demands high assurance levels such as those required by national and international standards [@nist800633]. The IEEE 2410-2017 Biometrics Open Protocol Standard (BOPS) [@BOPS-2017] defines the following elements to achieve required levels of assurance:

BOPS defines two phases of operation: enrollment and authentication. During enrollment, the remote server generates a public-private key pair (RKP) in which the public key is sent to the mobile device. Then, a biometric template (called the initial biometric vector or "IBV") is collected and paired with a device-generated public-private key pair (LKP) using the local HSM when available. The LKP private key is reserved locally and the LKP public key along with the biometric share(s) are encrypted with the RKP public key for transmission to the server over a two-way TLS connection. The client certificate for the TLS connection is installed a priori via application installation on the mobile device.

Biometric authentication requires collection of a candidate biometric vector (CBV) for comparison to the IBV. BOPS defines three configuration modes for authentication:

The BOPS protocol also uses one-time password and server-based challenges in envelopes to prevent man-in-the-middle (MITM) and replay attacks that might threaten the security of biometric data and other credentials in transit. A recent comparison [@oxfordmc2017] shows that FIDO UAF and BOPS offer rough comparable protection against such threat vectors. In Local configuration mode, BOPS and FIDO UAF are comparable, but BOPS offers additional modes for remote (and sharded) storage and matching. Remote storage and match of biometric data may not be appropriate in some jurisdictions and regulatory regimes, but it depends on each institution's policies, cyber security standards, risk compliance levels and assurance needs.

Self-sovereign identity ecosystem {#sec:sovereign}

Self-sovereign identity is a new identity ecosystem where individuals (or even organization) to whom the identity pertains, control and manage their identities. In this sense the individual is their own identity provider---no external party can claim to "provide" the identity for them because it is intrinsically theirs. In other words, self-sovereign identity is as a digital record or container of identity transactions that end-users control. The end-user can add more data to it, or ask others to do so, reveal some the data or all of it some of the time or all the time.

Moreover, end-users can record their consent to share data with others, and easily facilitate that sharing. It is persistent and not reliant on any single third party. Claims made about an end-user in identity transactions can be self-asserted or asserted by a 3rd party whose authenticity can be independently verified by a relying party. The infrastructure of self-sovereign identity has to reside in an environment of diffuse trust which is not controlled by any single organization or even a small group of organizations. The cryptographically secure blockchain is the breakthrough technology that makes this possible. It enables multiple entities such as organizations and governments to cooperate mutually via distributed consensus to form decentralized blockchains, where data is replicated in multiple locations to be resistant to faults and tampering. While distributed ledger technology has been around for some time, new blockchain applications, such as Bitcoin, have resulted in realizations of its potential, particularly with respect to decentralization and security.

Self-sovereign Identity Ecosystem architecture.

Figure [fig:newEcoSystem]{reference-type="ref" reference="fig:newEcoSystem"} provides an overview of the self-sovereign identity architecture. The followings are the brief descriptions of the architecture entities. Note that in this architecture, the information is no longer centralized and connections are individually permissioned.

The Horcrux Protocol

image

The IEEE 2410-2017 standard allows for interoperablility at several layers including the persistence cluster ([@BOPS-2017] section 7.3.3) provided it satisfies security requirements for storage of encrypted biometric shares. We propose any BOPS server can act as a holder of biometric shares via blockchain using methods outlined in the W3C Decentralized Identity (DID) specification[@didspec1]. A BOPS server can enroll a user by storing biometric share(s) as DID Documents using off-chain storage providers owned by the user. The corresponding DID acts as the identity assertion associated with the enrolled biometric. Figure [fig:enrollhorcrux]{reference-type="ref" reference="fig:enrollhorcrux"} depicts a standard BOPS enrollment flow (adapted from [@BOPS-2017] section 7.2). The user (via a browser user-agent) is prompted to enroll their biometrics with a service provider acting as an issuer. The initial biometric vector (IBV) is encrypted (via visual cryptopraphy) into two shares. One share is reserved on the local mobile device while the second is transmitted to the BOPS server. Instead of an RDBMS or persistence cluster (e.g., SOLR) backend, the BOPS server relies on a blockchain store in this case using a decentralized identitifer (DID)[@didspec1] for persistence. DIDs provide a blockchain-agnostic method for resolving DID Documents much like URIs [@mealling2002report] uniquely characterize web resources via URNs and URLs, but for disparate blockchain ecosystems. The W3C Verifiable Claims Community Working Group has defined DID method specifications [@didspec1] for implementors of CRUD operations specific to a particular blockchain. The BOPS server acts as a resolver given a DID to fetch the corresponding DID Document if possible. The DID and corresponding DID Document are cryptographically associated with each other via blockchain transactons such that any tampering with the DID Document for a given DID would be evident. After persisting the DID document and registering the associated DID on a blockchain, the user is notified of success (or failure) of their enrollment. It should be noted that no biometric shares are stored on any blockchains, only in DID Documents that are persisted "off-chain" via identity hubs or personal storage providers.

image

The encrypted biometric share is still within an encrypted envelope as per [@BOPS-2017] but the share is persisted on a corresponding blockchain with an associated DID. The DID can be used as a claim with another BOPS server acting as a verifier. Again, this is possible because any tampering with the DID Document associated with a given DID will be detectable due to their relationship via a recorded blockchain transaction[@didspec1]. Figure [fig:authhorcrux]{reference-type="ref" reference="fig:authhorcrux"} shows an example of a different BOPS server being used by a verifier. In this example, the user tries to access a resource on a web site (e.g., the service provider) using a mobile client application (MCA) with a DID created by an issuer ([fig:enrollhorcrux]{reference-type="ref" reference="fig:enrollhorcrux"}) and a public key created at enrollment. The service provider relies on a BOPS server to resolve the DID and fetch the corresponding DID Document via a blockchain from the storage provider. If the DID document is a valid claim, the BOPS server checks if the issuer of the claim is known (via its public key in the DID document) and that the enrollment public key matches for this user as well. If valid, the user (via their MCA) is requested for their candidate biometric vector (CBV) and complement share of the IBV as per [@BOPS-2017]. Upon receiving the complementary share and CBV from the client (as described in 2{reference-type="ref" reference="sec:BOPS"} - Remote configuration mode), the enrollment public key is used to decrypt the client's share, combine the IBV shares and match them to the CBV. If successful, the user is authenticated.

In the case of remote authentication, the service provider, acting as a verifier, uses a different BOPS server instance to authenticate the user even though this user has never registered at this service provider. Furthermore, the user and service provider are the only parties needed at authentication time unlike SAML or OAuth that rely on 3rd party identity providers (IdPs) to broker identity claims in traditional single-sign-on (SSO) systems. The Horcrux protocol supports self-sovereign identity [@baars2016towards] by using blockchain technology to secure credentials issued by valid authorities (i.e., issuers) for later use directly by the user who owns the credentials. The user may store such credentials via several personal cloud storage providers such as Dropbox, Google drive, Amazon S3, etc. but delegate management (via OAuth tokens) to a holder such as the BOPS server. The holder can access issued claims like the ecnryoted biometric shares on behalf of the user during authentication, but require biometric authentication as specified in the authenticationCredentials section of the claim [@didspec1].

image

The local configuration mode of BOPS is also available such that a combination of biometric shares occurs on the mobile device. Figure [fig:localhorcrux]{reference-type="ref" reference="fig:localhorcrux"} shows this variation in which the second biometric share is retreived via DID referencing from the corresponding DID document but transmitted to the client by a service provider and its BOPS server. The biometric share is opaque to the service provider and BOPS server in this case, but the server knows that the corresponding share on the mobile device is used for matching due to the HMAC of the encrypted second share. The enrolled share is never sent to the device, but both shares are kept locally as per BOPS local configuration mode. The mobile device must hold the private key associated with the enrolled share for the DID because it computes an HMAC using the share and sends it to the server. The server can compare the HMAC key with the opaque encrypted share from the DID document. It is possible, however, that the user could resolved a given DID, retrieve the corresponding DID document, extract the opaque encrypted share and construct the HMAC thus spoofing possession of that share and falsifying the biometric match. We are in the process of investigating methods for securing DIDs on a mobile device and/or using server-based key mechanism to prevent this attack vector.

The IEEE 2410-2017 standard allows for more than two encrypted shares. Algorithms such as visual cryptography [@ross2011visual] and Shamir secret sharing [@naor1994visual] allow for larger number of shares that. Using DIDs and associated DID documents for more biometric shares across different blockchains and replicating copies of shares could further protect users from compromise and increase availability.

Summary

The self-sovereign identity model provides authority-based issuance of claims and eliminates the need for 3rd-party identity providers during authentication using blockchain technologies to assure exchange of verifiable credentials. The Horcrux protocol is a method for secure exchange of biometric credentials within an existing standard (IEEE 2410-2017 BOPS [@BOPS-2017]) implemented across next-generation blockchain-based self-sovereign identity platforms based on open standards like DIDs and DID Documents [@didspec1]. By using blockchain and off-chain storage as an alternative to the persistent layer in BOPS, we use new blockchain-agnostic standards to enroll via an issuer and authenticate on a verifier that are not part of an real-time trust network. Instead, they rely on user-controlled biometric credentials that are cryptographically encrypted into multiple shares across the user's device and blockchain-linked personal storage providers. The protocol is generalized for two or more biometric shares that can be stored across mobile devices and personal storage providers with redundancy for availability and safety. Future plans include a reference implementation and detailed analysis of the protocol for performance and correctness using TLA+ in a manner similar to the protocol analysis of WPA found in [@narayana2006automatic].

Footnotes

  1. The term "horcrux" comes from the Harry Potter book series in which the antagonist (Lord Voldemort) places copies of his soul into physical objects. Each object is scattered and/or hidden to disparate places around the world. He cannot be killed until all horcruxes are found and destroyed.