Top

Published in:

2020 | OriginalPaper | Chapter

A Protocol for Decentralized Biometric-Based Self-Sovereign Identity Ecosystem

Authors : Asem Othman, John Callahan

Published in: Securing Social Identity in Mobile Platforms

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Most user authentication methods and identity proving systems rely on centralized databases. Such information storage presents a single point of compromise from a security perspective. If this system is compromised, it poses a direct threat to a significant number of users’ digital identities. A recent example of compromised data includes the Equifax breach, which affected 140 million people. The other issue with these centralized systems that individuals don’t have a control of how much of their Personal Identifying information (PII) is shared in different contexts.

This chapter discusses a decentralized biometric-based authentication protocol for identity ecosystems, called the Horcrux (The term “Horcrux” comes from the Harry Potter book series in which the antagonist (Lord Voldemort) places copies of his soul into physical objects. Each object is scattered and/or hidden to disparate places around the world. He cannot be killed until all Horcruxes are found and destroyed.) protocol, in which there is no such single point of compromise. The Horcrux protocol is founded on the principle that an individual should have a control over the use of their own PII. The decentralization of control over the components of individual identities will allow them proof of their PII – secured by blockchains and cryptography – to governmental and private-sector entities. Meanwhile, BOPS will enable these entities to undertake an advanced risk assessment, verify identities and provide seamless access through secure mobile biometric recognition technology. All of this can be achieved without the need to store PII in one central database and pose too great a risk for stakeholders. Horcrux protocol relies on decentralized identifiers (DIDs) under development by the W3C Verifiable Claims Community Group and the concept of self-sovereign identity. In this chapter, we discuss the specification and implementation of a decentralized biometric credential storage option via blockchains using DIDs and DID documents within the IEEE 2410–2017 Biometric Open Protocol Standard (BOPS).

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter Iris Recognition on Mobile: Real-Time Feature Extraction and Matching in the Wild

next chapter Towards Wider Adoption of Continuous Authentication on Mobile Devices

Personal Identifying information are Data about an individual which considered to be sensitive and thus subject to security and privacy protections such as biometric and demographic data.

The enrollment stage of most of the deployed biometric systems generates a digital representation of an individual’s biometric trait that is stored in the system storage database [14].

The private key is used to respond to the PKI challenge and never leaves the mobile device.

https://www.ftc.gov/equifax-data-breach (2020)

2410–2017 IEEE biometric open protocol standard (BOPS). https://standards.ieee.org/findstds/standard/2410-2017.html

European union general data protection regulation (GDPR) (2020) https://gdpr-info.eu/

Public key infrastructure (2020) https://en.wikipedia.org/wiki/Public_key_infrastructure

FIDO UAF Protocol Specification v1.0 Proposed Standard (2014) https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-uaf-protocol-v1.0-ps-20141208.html

Ali M, Nelson JC, Shea R, Freedman MJ (2016) Blockstack: a global naming and storage system secured by blockchains. In: USENIX annual technical conference, pp 181–194

Armerding T (2018) The 17 biggest data breaches of the 21st century. https://www.csoonline.com/article/2130877/data-breach/the-biggest-data-breaches-of-the-21st-century.html

Baars D (2016) Towards self-sovereign identity using blockchain technology. Master’s thesis, University of Twente

Caronni G (2000) Walking the web of trust. In: IEEE 9th international workshops on enabling technologies: infrastructure for collaborative enterprises (WET ICE 2000). Proceedings. IEEE, pp 153–158

10.

Cortet M, Rijks T, Nijland S (2016) PSD2: the digital transformation accelerator for banks. J Paym Strateg Syst 10(1):13–27

11.

Ekberg JE, Kostiainen K, Asokan N (2013) Trusted execution environments on mobile devices. In: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security. ACM, pp 1497–1498

12.

Hughes J, Maler E (2005) Security assertion markup language (saml) v2. 0 technical overview. OASIS SSTC Working Draft sstc-saml-tech-overview-2.0-draft-08, pp 29–38

13.

Hume M (2018) Identity theft cited as threat after equifax security breach. The Globe and Mail, Toronto A, 7

14.

Jain A, Ross A, Prabhakar S (2004) An introduction to biometric recognition. IEEE Trans Circuits Syst Video Technol 14(1):4–20CrossRef

15.

Koops BJ, Leenes R (2014) Privacy regulation cannot be hardcoded. Intl Rev Law Comput Technol 28(2):159–171CrossRef

16.

Los R (2016) The emergence of identity as an enterprise attack surface. CSO Online

17.

Lundkvist C, Heck R, Torstensson J, Mitton Z, Sena M (2016) Uport: a platform for self-sovereign identity

18.

Mealling M, Denenberg R (2002) Report from the joint W3C/IETF URI planning interest group: uniform resource identifiers (URIs), URLs, and uniform resource names (URNs): Clarifications and recommendations. Technical report

19.

Mertens W, Rosemann M (2015) Digital identity 3.0: The platform for people

20.

Nagar A, Nandakumar K, Jain A (2010) Biometric template transformation: a security analysis. In: Proceedings of the of SPIE, electronic imaging, media forensics and security XII, San Jose

21.

Naor M, Shamir A (1994) Visual cryptography. In: Workshop on the theory and application of cryptographic techniques. Springer, pp 1–12

22.

Narayana P, Chen R, Zhao Y, Chen Y, Fu Z, Zhou H (2006) Automatic vulnerability checking of IEEE 802.16 wimax protocols through TLA+. In: 2nd IEEE workshop on secure network protocols, 2006. IEEE, pp 44–49

23.

Othman A, Ross A (2015) De-identifying biometric images by decomposition and mixing. In: Ngo D, Teoh A, Hu J (eds) Biometric security. Cambridge Scholars Publishing, Newcastle upon Tyne

24.

Radha V, Reddy HD (2012)s A survey on single sign-on techniques. Procedia Technol 4:134–139

25.

Reed D, Sporny M (2017) W3C decentralized identifiers (dids) 1.0. https://w3c-ccg.github.io/did-spec/

26.

Reveilhac M, Pasquet M (2009) Promising secure element alternatives for NFC technology. In: First international workshop on near field communication, 2009. NFC’09. IEEE, pp 75–80

27.

Rose J, Rehse O, Röber B (2012) The value of our digital identity. The Boston Consulting Group, New York

28.

Ross A, Othman A (2011) Visual cryptography for biometric privacy. IEEE Trans Inf Forensics Secur 6(1):70–81CrossRef

29.

Sakimura N, Bradley J, Jones M, Medeiros B, Jay E (2011) Openid connect standard 1.0. [online] http://openid.net/specs/openid-connect-standard-1_0-21.html. Accessed 30 Mar 2013

30.

Sanger DE (2015) Hackers took fingerprints of 5.6 million U.S. workers, government says. The New York Times

31.

Satchell C, Shanks G, Howard S, Murphy J (2011) Identity crisis: user perspectives on multiplicity and control in federated identity management. Behav Inform Technol 30(1):51–62CrossRef

32.

Vapen A, Carlsson N, Mahanti A, Shahmehri N (2016) A look at the third-party identity management landscape. IEEE Internet Comput 20(2):18–25CrossRef

33.

Zhang Y, Chen Z, Xue H, Wei T (2015) Fingerprints on mobile devices: abusing and leaking. In: Black hat conference, Las Vegas

Title: A Protocol for Decentralized Biometric-Based Self-Sovereign Identity Ecosystem
Authors: Asem Othman
John Callahan
Publisher: Springer International Publishing
Book: Securing Social Identity in Mobile Platforms
Print ISBN: 978-3-030-39488-2

Electronic ISBN: 978-3-030-39489-9

Copyright Year: 2020
DOI: https://doi.org/10.1007/978-3-030-39489-9_12

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner