PRIVÈ: Privacy Respecting Identity Verification Enabler for Digital Identity Wallets
PRIVÈ empowers entities to establish trust by providing strong verifiable evidence and assurances on the origin and integrity of the presented verifiable credentials. This is achieved by building an open-source library that can be added as an extension to any SSI wallet on the Holder side to enable the use of hardware-based keys. This offers the possibility to bind Verifiable Credentials (VCs) to the wallet of the holder and transfer the root of trust of the SSI ecosystem purely to the digital wallet by considering an underlying Trusted Component as part of the wallet, without making any assumptions on the trustworthiness of the other layers. This enables digital identity wallets to align with emerging regulations and standards like eIDAS that require a higher level of assurance for services.
Use Case Scenario: “Sustainability for inter-Mobility”; Image taken from: https://github.com/NGI-TRUSTCHAIN/PRIVE
- Motivation for the project: In a basic SSI architecture, one core challenge is the verification of the integrity and origin of the presented Verifiable Credentials (VCs): How can someone be sure that the presented VCs (for a specific DID) really belong to the claimed entity? Of particular interest is the case of the Holder, since SSI puts users at the center and gives them full control over their identity (selective disclosure). On a technical level, this translates to users having control of their own VCs and DIDs through their Wallets, which can ensure that credentials and (private) keys can only become available to this user or another actor that acts on behalf of this principal. However, since it is only the user (as the Identity Owner) that knows the (private) key associated with a DID, the level of control and assurance over a DID (and a VC) relies solely on possessing a software-based key, creating trustworthiness issues: How can a Verifier be sure of the correctness of the User/Holder that presents a VC, and that the respective key has not been compromised?
- Generic use case description: A user wishes to participate in any form of online transaction, prior to which user authentication needs to take place based on disclosing only a specific set of identifying attributes. This requires access to an efficient and seamless management of credentials (with enhanced privacy guarantees) when registering to use a specific service or data resource.
- Essential functionalities: Creating a software library that brings novel cryptographic trust anchors for generating HW-based keys to be bound to a Holder’s Wallet that can provide verifiable evidence and assurances about the presented VC’s origin and integrity. Our PRIVÈ Bridge extension shifts the root of trust to the user's digital Wallet, thus achieving the privacy-enabling property of selective disclosure while also capturing the requirement of higher LoA for credential management. The real innovation is the trusted layer between Holders and Issuers and/or Verifiers for providing cryptographically secure and privacy-preserving platform authentication and trusted transferring of credentials, while being agnostic to the Wallet’s implementation (achieving interoperability).
To enable this functionality, we leverage Attribute-based Direct Anonymous Attestation (DAA-A) for ensuring the following properties:
- Proof of Knowledge: Proof that the wallet that produced the VC belongs to the intended holder, thus, ensuring that the presented VC really belongs to the claimed entity;
- Proof of Integrity: Proof that the Holder device (where the wallet resides) has not been compromised when producing a VC or a subsequent Verifiable Presentation selectively disclosing some attributes; and,
- Proof of unforgeability: Proof that a produced Verifiable Presentation is presented by the correct Holder to whom the VC was issued.
- How these functionalities can be integrated within the software ecosystem: Due to the nature of the software at hand, users can benefit from the PRIVÈ Wallet, which incorporates such advanced security controls. The necessary APK is provided to run on Android mobile devices. Furthermore, the PRIVÈ Bridge extension is also provided as a separate library that can be integrated into any other Wallet. Since this library is agnostic to the implementation of the wallet and the type of the VC Data Model considered (e.g. W3C or Indy), multiple SSI ecosystems can interoperate in a trustworthy manner.
- Gap being addressed: Transfer the root of trust of the SSI ecosystem purely to the digital wallet by considering an underlying Trusted Component as part of the wallet, without making any assumptions on the trustworthiness of the other layers.
- Expected benefits achieved with the novel technology building blocks: With PRIVÈ, other SSI technology providers can build on our extension to integrate hardware-based keys and bring trust to the Holder’s wallets, thus, enabling the vision of a decentralized data protected approach for Self-Sovereign Identity (SSI).
- Potential demonstration scenario: With the help of the ecosystem, we expect to gain exposure, allowing VC Wallet solutions to build on top of our security library and advanced trust anchors, which will help us refine any of the provided functionalities. There will be an example demonstration within the context of sustainability for inter-EU mobility. The aim of this use case is to demonstrate the effectiveness of the PRIVÈ-enhanced Wallet in the everyday lives of EU citizens, particularly in the efficient and seamless management of credentials when registering as a resident in another country and seeking a new job. It is important to enable users to present accurate and valid certificates, and to selectively choose the credentials they need (even issued by multiple issuers) and construct Verifiable Presentations based on their needs. For example, when a user interacts with a financial institution and needs to present a birth certificate, tax identification number, and documentation related to existing bank accounts and assets, the PRIVÈ-enhanced Wallet should facilitate this process while allowing the user to "hide" other sensitive information, such as health-related data. Still, in other scenarios, such as registering in the healthcare system of the other member state, the health-related information may be necessary, while the financial information can remain private. It is evident that the interplay between various attributes issued by multiple issuers could result in a multi-functional Wallet, capable of supporting various use cases and scenarios.
Repositories:
GitHub: https://github.com/NGI-TRUSTCHAIN/PRIVE
Currently open to the TrustChain community only. Reach out if you need access.
Team
Thanassis Giannetsos
Dr. Giannetsos is the Head of the Digital Security and Trusted Computing Group at UBITECH Ltd and his main research interests lie in the design of secure and privacy-preserving protocols for Next-Generation Systems-of-Systems.
Thanassis Bouras
Thanassis Bouras is the Research Director of UBITECH Ltd with vast experience in leading EU research projects. His research interest lies in distributed systems with a focus on secure virtualization and efficient mechanisms capable of enhancing the Level of Assurance of such complex ecosystems.
Panagiotis Gouvas
Dr. Panagiotis Gouvas is the Research Director & Architect of UBITECH Ltd focusing on designing novel secure network mechanisms to enable the ongoing transformation vision of edge computing.
Ioannis Krontiris
Dr. Ioannis Krontiris is a Senior Security and Privacy Expert with experience in various facets of privacy-related aspects – from differential privacy algorithms to privacy-respecting identity management.
Elpida Vamvaka
Elpida Vamvaka, co-founder of Homo Digitalis, is a lawyer in Greece specializing in the domains of privacy, data protection, and intellectual property law.
Eleftherios Chelioudakis
Eleftherios Chelioudakis is a lawyer admitted to practice in Greece with expertise on a wide range of topics related to privacy, data protection and e-commerce.
Stefanos Vitoratos
Stefanos Vitoratos is a lawyer admitted to practice in Greece with a specialization on Law & New Technologies. He is a member of the EDPB's (European Data Protection Board) Pool of Experts and recognized as Fellow of Information Privacy (FIP) by the IAPP (International Association of Privacy Professionals).
Konstantinos Kakavoulis
Konstantinos Kakavoulis is a lawyer specialized in Law & New Technologies. He is a founding partner of Digital Law Experts, a niche law firm specialized in Digital Law, and co-founder of Homo Digitalis, the first digital rights organization in Greece.
Entities
They cover fields of expertise relevant to TrustChain project and Open Calls: DLT & blockchain related expertise, Self-sovereign ID, Peer-to-Peer, decentralised and Cloud, Fog, and Edge computing systems, business models, NGI business models, Security for decentralised network, and Human Centred Approach for innovative technology design.
GIOUMPITEK MELETI SCHEDIASMOS YLOPOIISI KAI POLISI ERGON PLIROFORIKIS ETAIREIA PERIORISMENIS EFTHYNI (UBITECH)
UBITECH is a leading, highly-innovative Research Institute and Software House focusing on enabling the long-term transformation of decentralized environments with security solutions that can cover all layers of the deployed application stack.
Website: www.ubitech.eu
Homo Digitalis (HOMO)
Homo Digitalis is the only digital rights civil society organization in Greece. Our goal is the protection of human rights and freedoms in the digital age, such as the rights to privacy, data protection, etc.
Website: www.ubitech.eu