
From Real-world Identities to Privacy-preserving and Attribute-based CREDentials for Device-centric Access Control

Periodic Reporting for period 1 - ReCRED (From Real-world Identities to Privacy-preserving and Attribute-based CREDentials for Device-centric Access Control)

Reporting period: 2015-05-01 to 2016-04-30

The main idea behind ReCRED is to anchor all access control (AC) needs to the mobile devices that users habitually carry with them. Following recent Device Centric Authentication (DCA) industry trends (e.g. the FIDO Alliance), ReCRED requires users to authenticate locally against their device using short PINs, biometrics or a combination of these. The device, which holds the required credentials, then acts as a proxy for all access control needs towards online services; no password or PIN is ever sent to the service itself. This effectively frees users from the burden of dealing directly with multiple passwords, PINs and accounts.

ReCRED attempts to address four main problems that plague traditional password-based access control:
• password overload, referring to the inability of users to remember different secure passwords for each one of their accounts;
• identity fragmentation, stemming from the fact that independent identity providers (email, social networks, etc.) create disjoint identity realms, making it difficult for end users to prove joint ownership of accounts, e.g. for reputation transfer or to fend off impersonation attacks;
• lack of real-world identity binding to an individual’s legal presence, e.g. ID number, passport, etc.; and
• lack of support for attribute-based access control (ABAC), which facilitates account-less access through verified identity attributes (e.g. age or location).

To address the above, ReCRED offers to end users and administrators the following:
a) a solution to the password overload problem: the DCA architecture offers increased security while requiring end users to memorize at most one password (the device unlock secret), which makes Internet-based services more trustworthy and in turn supports growth and innovation;
b) a solution to the single point of failure problem: we address the main weakness of FIDO-style DCA, namely that everything now depends on one device, by offering remote locking when the device is lost or compromised and credential recovery when it is lost or damaged;
c) a solution to the identity fragmentation problem: because all access control needs are integrated on the mobile device, ReCRED can use the device to link accounts and consolidate identity attributes; and
d) account-based and attribute-based access control in one architecture: ABAC enables applications such as restricting access to content based on age without incurring the overhead of managing accounts.

The overarching goal of ReCRED is to design and implement an integrated next generation access control (AC) solution that satisfies the following properties.
• First, it solves all the aforementioned problems.
• Second, it is aligned with current technological trends and capabilities.
• Third, it offers a unifying access control framework that is suitable for a multitude of use cases that involve online and physical authentication and authorization via an off-the-shelf mobile device.
• Lastly and importantly, it is attainable and productizable under the scope and timeframe of the project.
During the first year of the project, the components of the architecture and the corresponding use cases were laid out and described in various documents, including the requirements and architecture deliverables. These documents were used to communicate the architectural vision to all partners. Importantly, they were also used to assign responsibilities to the partners at a fine granularity, focusing on the first year's description of work and according to the assigned funded effort. Below we give an overview of the technical progress.

Business Cases (M03): The design process of ReCRED was initiated by eliciting requirements through an analysis of complementary use cases. These use cases demonstrate the core functionalities of ReCRED's toolset and the innovative applications that can be delivered to the market. Five high-level use cases were considered: i) mobile device data protection; ii) support for financial services; iii) age verification; iv) campus Wi-Fi and campus-restricted web services; and v) student authentication and offers. Together these use cases cover almost all the functionalities that will be integrated in the final version of the ReCRED platform.

Business and Technical Requirements (M05): The next step of the design process was the evolution of the use cases to user stories. The user stories provide more details than the use cases and describe what the users expect from the ReCRED platform. The user stories approach has the benefit of producing accurate technical requirements without taking into consideration the limitations imposed by the technology at hand. The technical requirements were classified according to the 8 components and services that comprise the ReCRED platform. These are: i) human-to-device authentication; ii) device-to-service authentication; iii) identity consolidation; iv) identity acquisition; v) attribute-based access control cryptographic protocol; vi) access control policy creation and reasoning visual tool; vii) privacy awareness and consent management tool; viii) behavioural multifactor authentication.

Reference Architecture (M07): The work that has been previously done on use cases and user stories led to the more fine-grained definition of ReCRED’s reference architecture. The reference architecture defines and describes the various components of the ReCRED framework architecture, the interaction between them and the technologies that will be used for each component. The ReCRED reference architecture consists of the following five components: i) online services or verifiers; ii) user device; iii) identity providers; iv) ID consolidation service and v) behavioural authentication authorities.

Description of DCA protocols and technology support (M09): ReCRED centres on device centric authentication, so the next step was to define and describe the Device Centric Authentication (DCA) protocols precisely. Specifically, we described the user-to-device and device-to-service interfaces, including the extensions needed to the FIDO and OpenID Connect standards in the context of federated authentication and attribute-based authentication. We also investigated how the device's trusted execution environment can be used for human-to-device authentication.
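To make the two interfaces concrete, the following Go program models the flow described at the start of this report and the account-less age-verification case: the user unlocks the device with a PIN (human-to-device), an identity provider issues an attribute statement bound to the device's key, and a verifier grants access on a fresh challenge signed by that device (device-to-service). This is an added illustration, not ReCRED's code and not the FIDO or OpenID Connect message formats; the credential layout, names and PIN handling are this example's assumptions. It uses plain Ed25519 signatures, so, unlike the privacy-preserving attribute-based credentials the project refers to, a credential here is linkable across verifiers.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential is an identity-provider statement about a user, bound to the
// user's device key so only that device can present it (layout assumed here).
type Credential struct {
	Attribute string            `json:"attr"`
	Value     string            `json:"value"`
	DevicePub ed25519.PublicKey `json:"device_pub"`
	Sig       []byte            `json:"-"` // issuer signature over credBytes
}

// credBytes is the stable encoding the issuer signs and the verifier checks
// (field order is fixed, so the JSON is canonical here; Sig is excluded).
func credBytes(c Credential) []byte {
	b, _ := json.Marshal(c)
	return b
}

// IssueCredential is the identity provider's step: vouch for one attribute of
// the user and bind the statement to the user's device key.
func IssueCredential(issuerPriv ed25519.PrivateKey, attr, value string, devicePub ed25519.PublicKey) Credential {
	c := Credential{Attribute: attr, Value: value, DevicePub: devicePub}
	c.Sig = ed25519.Sign(issuerPriv, credBytes(c))
	return c
}

// Device models the user's phone: the private key never leaves it, and it
// signs only after a successful local (human-to-device) authentication.
type Device struct {
	pinHash  [32]byte // stand-in for a TEE/secure-element PIN check with retry limits
	priv     ed25519.PrivateKey
	Pub      ed25519.PublicKey
	unlocked bool
}

func NewDevice(pin string) *Device {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader never returns an error on Go 1.24+
	return &Device{pinHash: sha256.Sum256([]byte(pin)), priv: priv, Pub: pub}
}

// Unlock is the human-to-device step; the PIN is never sent to any service.
func (d *Device) Unlock(pin string) bool {
	h := sha256.Sum256([]byte(pin))
	d.unlocked = subtle.ConstantTimeCompare(h[:], d.pinHash[:]) == 1
	return d.unlocked
}

// Assert is the device-to-service step: sign the verifier's fresh challenge.
func (d *Device) Assert(challenge []byte) ([]byte, error) {
	if !d.unlocked {
		return nil, errors.New("device locked: local authentication required")
	}
	return ed25519.Sign(d.priv, challenge), nil
}

// NewChallenge is the per-session nonce that stops a captured assertion being replayed.
func NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// VerifyAccess is the verifier's account-less check: trusted issuer, required
// attribute, and proof that the bound device signed this very challenge.
func VerifyAccess(issuerPub ed25519.PublicKey, c Credential, attr, value string, challenge, deviceSig []byte) error {
	if !ed25519.Verify(issuerPub, credBytes(c), c.Sig) {
		return errors.New("credential not signed by the trusted issuer")
	}
	if c.Attribute != attr || c.Value != value {
		return errors.New("credential does not carry the required attribute")
	}
	if !ed25519.Verify(c.DevicePub, challenge, deviceSig) {
		return errors.New("challenge not signed by the device the credential is bound to")
	}
	return nil
}

func main() {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader) // constructed issuer, not a real eID service
	dev := NewDevice("4321")
	cred := IssueCredential(issuerPriv, "age_over_18", "true", dev.Pub)
	ch := NewChallenge()
	dev.Unlock("4321")
	sig, _ := dev.Assert(ch)
	fmt.Println("access granted:", VerifyAccess(issuerPub, cred, "age_over_18", "true", ch, sig) == nil)
}
```

The verifier stores no account and never sees a password: it trusts one issuer key, checks the attribute it needs, and relies on the per-session challenge to tie the presentation to the device named in the credential. A credential copied to another device, a replayed signature, or a credential minted by an unknown issuer all fail at one of the three checks. In a real deployment the PIN check and the private key would live in the device's trusted execution environment, as the report describes, rather than in process memory.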

Identity Consolidator Baseline Platform (M10): The Identity Consolidator Platform is one of the key components of the ReCRED architecture. It plays a major role in most of the ReCRED use cases and is involved in most of the piloting activities. It enables the seamless integration of a user's multiple identity attributes, both physical and online, provides access to this information to third parties subject to the relevant security, authorization and authentication checks, and gives the user fine-grained control over their identity attributes and over which verifiers and identity providers have knowledge of them.

ReCRED will help generate a tangible impact on the market, since it focuses on demonstrating the viability of Device Centric Authentication as an aggregator for both account-based and attribute-based access control, backed by well-specified business and exploitation plans. After demonstration and validation in real-life environments that directly involve end users, such solutions can find wide take-up in the market, since they provide a competitive advantage for all the industrial and non-industrial players participating in ReCRED, as detailed next.

End users: End users are the main beneficiaries from the DCA architecture around mobile devices designed, implemented, and tested in ReCRED for both account and attribute based access control. Benefits for end users include:
- Solution to the password overload problem
- Solution to the single point of failure problem
- Solution to the identity fragmentation problem
- Account and attribute based access control in one architecture

Telecom operators: The mobile sector is the fastest growing sector of telecoms attracting investment and driving revenue. By integrating into the mobile device all access control technologies and making it the gateway and proxy for access control needs, Telcos are improving their position in the end-to-end Internet ecosystem by participating in additional services that go beyond basic data transfer.

Web hosting companies: Web hosting and digital design agencies like WEDIA are at the forefront of access control problems. They typically host a multitude of web and e-commerce sites, each with its own account and password protection issues. Maintaining the security of all those accounts and users is a major cost component for any web hosting company. The integrated DCA approach of ReCRED, which eliminates the need for passwords, removes many of these problems at once. For example, the hosted web sites no longer need to keep revising minimum password requirements, check for password reuse, and so on. Web hosting companies therefore benefit from ReCRED through simpler operations and better security for their users.

Security technology providers: In ReCRED security technology providers have the opportunity to develop, test and integrate in their products new authentication protocols that go beyond standard passwords. Highlighting and solving password-related problems of access control is expected to bring a wave of innovation, opportunity, and growth to the security sector. Also, ReCRED will provide an important user base and a test-bed for the development of such technologies and products.

Financial sector technology providers: The financial sector suffers from constant attempts at fraud, the vast majority of which are based on impersonation. The total value of fraudulent transactions amounts to 1.33 billion Euro.
Furthermore, as new forms of credit such as microcredit become commonplace, there is a need for faster, yet credible, identification and authentication mechanisms. ReCRED technology will help here, since the time from request to origination of a microloan can differentiate two otherwise identical providers. Even the traditional ATM cash withdrawal can be made more secure through a mobile-device-centric identification protocol.

Mobile device and OS manufacturers: A final industrial beneficiary of ReCRED is the device and mobile OS sector. Proxying and integrating all access control needs on the mobile device increases even further the value of the sector and brings it closer to several long pursued objectives, e.g. to become the provider of e-identity and e-wallet for citizens. Telefonica and Verizon maintain very close contacts with the entire sector and will collaborate with it for both diffusion of results as well as integration and standardization, e.g. through GSMA.