The terms “identity”, “credential”, “electronic credential”, “e-credential”, “identity credential”, “web identity”, “online identity”, “digital persona” and “digital identity” have been used, more or less, synonymously in the literature and by practitioners. In the current context, “self-sovereign digital identity” and “self-sovereign identity” specifically denote electronic identities that are tightly controlled by their owners.
The identity crisis caused by concentration and centralization of control over identity by web service providers, excessive capture of personal and private information, and over-dependency on passwords to authenticate users, has led our research for better ways to establish digital identities and use them to enhance user privacy, and secure transactions.
Today, private information is widely scattered to support a patchwork of identity schemes, bridges, add-ons, and protocols for identity access and management. Remote information access and sharing is much too dependent on passwords which can be stolen, lost, cracked, and hacked. Many web-based business models capture enormous volumes of private information while providing inadequate governance, control, and privacy protection. Most consumers/citizens are unaware or oblivious to the risks. The alarming growth of service provider repository breaches, disclosure of private data, fraud, and unattributed information, confirm that the identity crisis has not been solved.
The Internet needs a generative user-centric identity platform whereby users have and control and use richly specified digital identities by means of a single simple protocol across and “identity layer” that everyone implements.
Further, digital identities should be highly intuitive and easy to use, mimicking identity issuance in the real world.
Examples of identity on the web in the context of existing identity technologies and familiar processes used to issue physical identities include passports, driver licenses, bank cards, and credit cards issued to their owners.
Online user access and collaboration continues to be predominately secured by server-centric remote authentication methods including remote access passwords and biometric authenticators-controlled service providers. To overcome the limitations of server-centricity, self-sovereign identity schemes provide digital identities that can be completely controlled by their owners.
FIDO (Fast IDentity Online) is a consortium of companies offering authenticators that employ biometrics, time, counters and PINs to locally authenticate users, remotely binding them to online services by way of public-private key-pairs. Leoutsarakos discloses vulnerabilities in the FIDO protocol including the lack bilateral challenge-response protocol and the use of a single key-pair per online account. The present invention improves upon FIDO by combining user authentication with identity, proofing and attestation of the user, while supporting both online and peer-to-peer (owner-to-owner) secure collaboration.
OpenID Connect specifies protocols whereby web services control the provisioning of identity and access tokens enabling password-authenticated users to grant relying parties access to their web resources. Mladenov and Mainka disclose security flaws in the web server and client-side software and protocols. The present invention overcomes shortcomings by using self-sovereign digital identities to replace or augment passwords, and digitally seal consent tokens managed and controlled directly by their owners.
The Signal Messaging Protocol, formally analyzed by Cohn-Gordon et al. explains that this protocol for peer-to-peer messaging leverages long-term, medium-term, one-time, and ephemeral key-pairs, including key derivation and ratchet functions, to achieve strong forward and future secrecy. Signal's Key Agreement Protocol adapts the Diffie-Hellman method. However, Signal does not deliver identities characterizing collaborating parties, does not support identity proofing and attestation, and does not include methods verifying acquired or presented digital identities of collaborators.
Diffie-Hellman Key Exchange is a method relying on Elliptical Curve (EC) public-private key cryptography that enables collaborating parties to create a shared symmetric key to exchange information across an insecure channel. Hoffstein et. al. of Brown University explain that collaborators can each pick a secret private key, use exponentiation to create their public keys, and independently calculate the same shared secret key without knowing the private key of the other party.
The present invention adapts Diffie-Hellman to exchange self-sovereign digital identities including their embedded public keys.