Community Research and Development Information Service - CORDIS

H2020

ReCRED Report Summary

Project ID: 653417
Funded under: H2020-EU.3.7.

Periodic Reporting for period 1 - ReCRED (From Real-world Identities to Privacy-preserving and Attribute-based CREDentials for Device-centric Access Control)

Reporting period: 2015-05-01 to 2016-04-30

Summary of the context and overall objectives of the project

The main idea behind ReCRED is to anchor all access control (AC) needs to mobile devices that users habitually carry along. Following recent Device Centric Authentication (DCA) industry trends (e.g., FIDO alliance), ReCRED mandates that users authenticate locally against their device using short pins, biometrics or combinations. Subsequently the device, which holds the required credentials, becomes a proxy for all access control needs for online services. This concept effectively liberates users from the burden of having to deal directly with multiple passwords, pins and accounts.

ReCRED attempts to address four main problems that plague traditional password-based access control:
• password overload, referring to the inability of users to remember different secure passwords for each one of their accounts;
• identity fragmentation, stemming from the fact that independent identity providers (email, social networks, etc.) create disjoint identity realms, making it difficult for end users to prove joint ownership of accounts, e.g., for reputation transfer or to fend off impersonation attacks;
• lack of real-world identity binding to an individual’s legal presence, e.g., ID number, passport, etc.; and
• lack of support for attribute-based access control (ABAC), which facilitates account-less access through verified identity attributes (e.g., age or location).

To address the above, ReCRED offers to end users and administrators the following:
a) solution to the password overload problem: the DCA architecture offers increased security while requiring end users to memorize at most one password, which renders Internet-based services more trustworthy, thus yielding growth and innovation;
b) solution to the single point of failure problem: we address FIDO DCA’s main problem, by offering locking and recovery mechanisms in case the device is compromised or lost (or damaged), respectively;
c) solution to the identity fragmentation problem: ReCRED addresses identity fragmentation by leveraging the integration of all access control needs on the mobile device to link accounts and consolidate identity attributes; and
d) account and attribute-based access control in one architecture; ABAC enables applications, such as restricting access to content based on age, without sustaining the overhead of managing accounts.

The overarching goal of ReCRED is to design and implement an integrated next generation access control (AC) solution that satisfies the following properties.
• First, it solves all the aforementioned problems.
• Second, it is aligned with current technological trends and capabilities.
• Third, it offers a unifying access control framework that is suitable for a multitude of use cases that involve online and physical authentication and authorization via an off-the-shelf mobile device.
• Lastly and importantly, it is attainable and productizable under the scope and timeframe of the project.

Work performed from the beginning of the project to the end of the period covered by the report and main results achieved so far

During the first year of the project, the components of the architecture and the corresponding use cases were clearly laid out and described in various documents including the requirements and architecture deliverables. These documents were used to effectively communicate the architectural vision to all partners. Importantly, they were also used to assign responsibilities to the partners with a fine granularity focusing on the first year's description of work and according to the assigned funded effort. Below we describe an overview of the technical progress.

Business Cases (M03): The design process of ReCRED was initiated by eliciting requirements via an analysis of complementary use cases. These use cases demonstrate the core functionalities of ReCRED’s toolset and the innovative applications that can be delivered to the market. Five high-level use cases were considered: i) mobile device data protection; ii) support to financial services; iii) age verification; iv) campus Wi-Fi and campus-restricted web services; and v) student authentication and offers. The aforementioned use cases consider almost all the functionalities that will be integrated in the final version of the ReCRED platform.

Business and Technical Requirements (M05): The next step of the design process was the evolution of the use cases to user stories. The user stories provide more details than the use cases and describe what the users expect from the ReCRED platform. The user stories approach has the benefit of producing accurate technical requirements without taking into consideration the limitations imposed by the technology at hand. The technical requirements were classified according to the 8 components and services that comprise the ReCRED platform. These are: i) human-to-device authentication; ii) device-to-service authentication; iii) identity consolidation; iv) identity acquisition; v) attribute-based access control cryptographic protocol; vi) access control policy creation and reasoning visual tool; vii) privacy awareness and consent management tool; viii) behavioural multifactor authentication.

Reference Architecture (M07): The work that has been previously done on use cases and user stories led to the more fine-grained definition of ReCRED’s reference architecture. The reference architecture defines and describes the various components of the ReCRED framework architecture, the interaction between them and the technologies that will be used for each component. The ReCRED reference architecture consists of the following five components: i) online services or verifiers; ii) user device; iii) identity providers; iv) ID consolidation service and v) behavioural authentication authorities.

Description of DCA protocols and technology support (M09): ReCRED centers around device centric authentication. Because of this, the next step was to clearly define and describe the Device Centric Authentication (DCA) protocols. Specifically, we described user-to-device and device-to-service interfaces, including the description of needed extensions to the FIDO and OpenID Connect standards in the context of federated authentication and attribute-based authentication. Also, we investigated how the trusted device execution environment can be exploited for human-to-device authentication.

Identity Consolidator Baseline Platform (M10): The Identity Consolidator Platform is one of the key components of the ReCRED architecture. This component plays a major role in most of the use cases of the ReCRED platform and takes part in most of the piloting activities. It enables the seamless integration of the multiple identity attributes of a user, both physical and online, provides access to this information to third parties taking into consideration relevant security, authorization and authentication aspects, and gives the user fine-grained control over his identity aspects and which verifiers and identity providers have knowledge of them.

Specification and initial design of ABAC (M11): Attribute-based access control (ABAC) plays a major role in the ReCRED platform. Thus, we investigated the state of the art of ABAC platforms that should be integrated in the ReCRED platform. Specifically, we pay particular attention to anonymous credential systems like Idemix and U-Prove, with the final target of integrating and deploying such technologies in the ReCRED platform. We considered the results of the ABC4Trust and FIWARE projects as a primary reference for the deployment and integration of privacy-preserving ABAC solutions. Furthermore, since the ReCRED project aims to provide Device Centric Authentication (DCA) together with ABAC features, we also investigated technologies that integrate ABAC inside the user’s devices, such as the IRMA project, and discussed the implementation of ABAC technologies in a secure and trusted environment inside the device.

Initial system design and prototyping (M11): One of the goals of the consortium is to have a first integrated system prototype consisting of the initial small-scale pilot deployment (campus-wide Wi-Fi and web services access control). Although not all the technical possibilities have been completely explored, this initial prototype enables the partners to set up a preliminary trial for initial validation and assessment. Furthermore, the partners are able to gather user experience feedback that will be leveraged in the second design iteration. The consortium’s plan is to sacrifice completeness and extensiveness of the supported functionalities in order to have an early real-world system up and running at month 12, so as to detect and comprehend issues early in the project’s lifetime. This prototype facilitates the aim of creating and testing an integrated platform that allows the partners to design, develop, interconnect, deploy and test technical components together.

Security and Privacy Assessment (M12): As of month 12, we have the first integrated system and our aim is to evaluate the security of the proposed architecture and its compliance with current privacy directives 95/46/EC, 2002/58/EC and 2006/24/EC. The corresponding legislation is examined in order to assess the compliance or possible non-conformity with the existing design. Specific existing laws are investigated and a first evaluation is being performed, showing that ReCRED is compliant with the EU legislation. We performed a first assessment of ReCRED’s initial architecture in the legal framework of data privacy and security describing also the possible threat models and the very important process of code review and penetration testing that will be followed in order to deliver secure software and services.

Campus Wi-Fi and Web Services Pilot (M12): The aim of the pilot is to demonstrate the availability and viability of the proposed architecture in the early stages of the project. The design of the pilot was realized in WP6 and it combines the work realized in WP2, WP3, WP4, and WP5. The initial version of the pilot allows the consortium to have a first integrated version of the work performed in different work packages. The missing functionalities and the updated security posture will be addressed in the next version.

Progress beyond the state of the art and expected potential impact (including the socio-economic impact and the wider societal implications of the project so far)

ReCRED will help generate a tangible impact on the market, since it will focus on demonstrating the viability of Device Centric Authentication as an aggregator for both account-based and attribute-based access control, with associated well-specified business and exploitation plans. Such solutions, after demonstration and validation in real-life environments directly involving end users, will be able to find wide take-up, since they will provide a competitive advantage for all industrial and non-industrial players participating in ReCRED, as detailed next.

End users: End users are the main beneficiaries from the DCA architecture around mobile devices designed, implemented, and tested in ReCRED for both account and attribute based access control. Benefits for end users include:
- Solution to the password overload problem
- Solution to the single point of failure problem
- Solution to the identity fragmentation problem
- Account and attribute based access control in one architecture

Telecom operators: The mobile sector is the fastest growing sector of telecoms attracting investment and driving revenue. By integrating into the mobile device all access control technologies and making it the gateway and proxy for access control needs, Telcos are improving their position in the end-to-end Internet ecosystem by participating in additional services that go beyond basic data transfer.

Web hosting companies: Web hosting and digital design agencies like WEDIA are at the forefront of access control problems. They typically host a multitude of web and e-commerce sites, each with its own account and password protection issues. Maintaining the security of all those accounts and users is a major cost component for any web hosting company. The integrated DCA approach of ReCRED, which eliminates the need for passwords, automatically solves many of these problems. For example, websites do not need to spend effort continually revising the minimum security requirements for passwords, checking for password reuse, etc. Therefore, web hosting companies benefit from ReCRED by simplifying operations while enhancing security for users.

Security technology providers: In ReCRED security technology providers have the opportunity to develop, test and integrate in their products new authentication protocols that go beyond standard passwords. Highlighting and solving password-related problems of access control is expected to bring a wave of innovation, opportunity, and growth to the security sector. Also, ReCRED will provide an important user base and a test-bed for the development of such technologies and products.

Financial sector technology providers: The financial sector suffers from constant fraud attempts, the vast majority of which are based on impersonation. The total value of fraudulent transactions amounts to 1.33 billion Euro.
Furthermore, as new forms of credit such as microcredit become commonplace, there is a requirement for faster, yet credible identification and authentication mechanisms. The ReCRED technology will aid towards that direction since the time from request to origination of a microloan can differentiate two otherwise identical providers. Furthermore, even the traditional ATM cash withdrawal can be made more secure via the capabilities of a mobile-device-centric identification protocol.

Mobile device and OS manufacturers: A final industrial beneficiary of ReCRED is the device and mobile OS sector. Proxying and integrating all access control needs on the mobile device increases even further the value of the sector and brings it closer to several long pursued objectives, e.g. to become the provider of e-identity and e-wallet for citizens. Telefonica and Verizon maintain very close contacts with the entire sector and will collaborate with it for both diffusion of results as well as integration and standardization, e.g. through GSMA.
