MUSAP Project
“MUSAP: “Multiple SSCD with Unified Signature API Library” aims to develop a new software interface called Unified Signature Application Programming Interface (USAPI) Library. MUSAP will act as an intermediary layer that abstracts the complexities of different SSCD technologies and provides a unified API Library for developers.
During OC1 of NGI Trustchain project, 4 key stores are enabled for the end-user with MUSAP, i.e TEE (Android Key store or iOS Secure Enclave), eUICC/UCICC (Mobile ID), Dongle (Yubikey via NFC) and eIDAS Remote Signing. As EDIW progressed, ENISA (European Cybersecurity Agency) has been releasing recommendations related to a need for harmonized interface that allows access to cryptographic operations. Image below incorporates MUSAP scope to act as a secure component API to enable SSCD for end-user.
MUSAP Library (Java/Swift) can be integrated with any Android or iOS app projects. Whereas, MUSAP Link (Servlet component) is delivered as a simple web servlet that can be used with a Java-based web server.
Image taken from: https://github.com/NGI-TRUSTCHAIN/MUSAP_project
-
Motivation for the project: The primary objective of the MUSAP project has been threefold:
1. To develop an open-source API library that streamlines the integration of various Secure Signature Creation Devices (SSCDs) into smartphone applications, thereby facilitating the creation of robust authentication and signature solutions.
2. MUSAP aims to seamlessly integrate with both centralized and decentralized identity management systems, allowing SSCD keys to function effectively in both environments. This approach empowers end-users to access services without being constrained by the specific identity management model in use.
3. To allow support for multiple certificates/credentials in one device. This approach demonstrates MUSAP’s user-centric approach, where giving option to choose which SSCD they want to have their private keys in, and allows end-users to have identities with various level of assurances in use." - Generic use case description: MUSAP project provides (caters) unique use cases, such as: Enable Type 1 (High) and Type 2 (Substantial) configurations of EUDIW in one device Sign any data format (X.509, VC, DID, etc.) Provide multiple keystores/sscds to end-user to choose how they sign/authn Handling Key Management methods and operations Supporting clinet-secret-mode for DIDs to manage cryptographic operations & sign
- Essential functionalities: MUSAP has 10 defined functionalities (as mentioned in D1 and D2). These functionalities are listed below: F1 i.e., Functionality 1 Integration of multiple SSCDs into MUSAP library F2 i.e., Functionality 2 Open Interface for integrating new & multiple SSCDs with APP F3 i.e., Functionality 3 Digital Signatures with different LoAs (High, Substantial) F4 i.e., Functionality 4 Key discovery F5 i.e., Functionality 5: Key lifecycle management (do defined key operations) F6 i.e., Functionality 6: Key Attestation F7 i.e., Functionality 7: Key metadata definition and import/export F8 i.e., Functionality 8: Sign data and cryptographic formats F9 i.e., Functionality 9: MUSAP Link (Servlet component) F10 i.e., Functionality 10: URI Scheme
- How these functionalities can be integrated within the software ecosystem: MUSAP architecture supports both smartphone based apps (iOS or Android) and web servers (remote web wallets). Smartphone support is defined in MUSAP Android Library (https://github.com/methics/musap-android) or MUSAP iOS Library (https://github.com/methics/musap-ios) and web server support is defined in MUSAP Link (java) (https://github.com/methics/musap-link).
- Gap being addressed: According to our research and information there are no publicly known/available APIs for smartphone app developers to connect SSCD functionalities in app and offer multiple types of SSCDs in one device.
-
Expected benefits achieved with the novel technology building blocks: MUSAP, developed during Trustchain NGI OC1, will provide a holistic approach for the NGI community and the Digital Identity landscape to leverage MUSAP for their use. It will provide:
1. Enhancing User-Centric Decentralized Identity Solutions: MUSAP does not interact with blockchain but provides mechanisms to sign. It also provides:
- Improved interoperability: The proposed solution aims to ensure that identities issued will be interoperable across the EU. This means that different identities can be verified and authenticated by other providers, improving the overall interoperability of digital identities.
- Improved Usability
2. Bridge between Centralized and Decentralized identities: Identity services for citizens may use centralized or decentralized identities. Enrolling new identities or Verifiable Credentials (VCs) are independent of the SSCD technology.
3. Enhanced security: The proposed solution will provide robust authentication and verification mechanisms, along with strong security measures, to protect the exchange and storage of data. This will ensure that users' private keys are kept secure and that their sensitive information is protected.
4. Improved user control and privacy: The project will allow users to have multiple digital identities with different levels of assurance for different use cases. This will give users more control over their online presence and enable them to manage their privacy and security more effectively. Users have the flexibility to define their private keys. - Potential demonstration scenario: Methics' focus during the MUSAP project has been to let end-users choose which Secure Software and Communications Device (SSCD) technology they trust more. If they trust one SSCD more than the other, they should have the option to use it. To demonstrate MUSAP, Methics has a threefold approach: Methics demonstrates the complete functionality of MUSAP using a demo/test app and SSCDs provided by Methics' products. Methics shares the complete MUSAP library with the Danubetech team to use in their operations. The Danubetech team uses MUSAP to sign Decentralized Identifiers (DIDs) in the Client-DID project (a two-way collaboration in OC1). Methics demonstrates MUSAP functionality in production systems in Mongolia, where users can select from available SSCDs to sign documents on a document signing service called VSign.
Repositories:
GitHub: https://github.com/NGI-TRUSTCHAIN/MUSAP_project
Currently open to the TrustChain community only. Reach out if you need access.
Team
Jarmo Miettinen
Jarmo is the CEO, consultant and project manager in a wide variety of financial and telecom applications. Particularly interested in security, digital identity, subscriber management and infrastructure.
Matti Aarnio
Matti is the CTO and PKI expert. Leads Methics PKI products design and architecture. As a Crypto best practice advocate, has led the design of best in class Technical training workshops for customers and Government regulators including in Finland, Switzerland, Mongolia and Vietnam.
Eemeli Miettinen
Eemeli is the Software developer with expertise in Java development and PKI. I've worked at Methics for 12 years and have been involved in various PKI and Mobile ID projects.
Ammar Bukhari
Ammar is responsible for delivering international projects and owning products roadmap. Working as a bridge between technology, business and customers to build and ship Identity products across Europe and Asia.
Eeva Järvenpää
Eeva is a second year IT student working as a software developer trainee. Interested in web design and app development.
Atte Walden
Atte is a software developer with expertise in Java backend and Android development.
Teemu Mänttäri
Teemu is passionate software developer with expertise in web and mobile development. Throughout his career he has worked on PKI based authentication and document signing systems and helped in the development of Methics’ Remote Signing app.
Entity
Methics
Methics is a Finnish software company that specializes in delivering standards based identity and signature solutions. Methics support digital identity over a wide variety of authentication mechanisms and security assertions. Methics solutions have been delivered to customers in many countries in Europe ans Asia for national identity management solutions and critical business environments. With over 20 years of experience in Identity industry, Methics aims to offer a bridge between traditional PKI and W3C decentralized identity projects to provide identity and signing services.
Website: www.methics.fi