Abstract
Most user authentication methods and identity proving systems rely on centralized databases. Such information storage presents a single point of compromise from a security perspective. If this system is compromised, it poses a direct threat to a significant number of users’ digital identities. A recent example of compromised data includes the Equifax breach, which affected 140 million people. The other issue with these centralized systems that individuals don’t have a control of how much of their Personal Identifying information (PII) is shared in different contexts.
This chapter discusses a decentralized biometric-based authentication protocol for identity ecosystems, called the Horcrux (The term “Horcrux” comes from the Harry Potter book series in which the antagonist (Lord Voldemort) places copies of his soul into physical objects. Each object is scattered and/or hidden to disparate places around the world. He cannot be killed until all Horcruxes are found and destroyed.) protocol, in which there is no such single point of compromise. The Horcrux protocol is founded on the principle that an individual should have a control over the use of their own PII. The decentralization of control over the components of individual identities will allow them proof of their PII – secured by blockchains and cryptography – to governmental and private-sector entities. Meanwhile, BOPS will enable these entities to undertake an advanced risk assessment, verify identities and provide seamless access through secure mobile biometric recognition technology. All of this can be achieved without the need to store PII in one central database and pose too great a risk for stakeholders. Horcrux protocol relies on decentralized identifiers (DIDs) under development by the W3C Verifiable Claims Community Group and the concept of self-sovereign identity. In this chapter, we discuss the specification and implementation of a decentralized biometric credential storage option via blockchains using DIDs and DID documents within the IEEE 2410–2017 Biometric Open Protocol Standard (BOPS).
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
Personal Identifying information are Data about an individual which considered to be sensitive and thus subject to security and privacy protections such as biometric and demographic data.
- 2.
The enrollment stage of most of the deployed biometric systems generates a digital representation of an individual’s biometric trait that is stored in the system storage database [14].
- 3.
The private key is used to respond to the PKI challenge and never leaves the mobile device.
References
2410–2017 IEEE biometric open protocol standard (BOPS). https://standards.ieee.org/findstds/standard/2410-2017.html
European union general data protection regulation (GDPR) (2020) https://gdpr-info.eu/
Public key infrastructure (2020) https://en.wikipedia.org/wiki/Public_key_infrastructure
FIDO UAF Protocol Specification v1.0 Proposed Standard (2014) https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-uaf-protocol-v1.0-ps-20141208.html
Ali M, Nelson JC, Shea R, Freedman MJ (2016) Blockstack: a global naming and storage system secured by blockchains. In: USENIX annual technical conference, pp 181–194
Armerding T (2018) The 17 biggest data breaches of the 21st century. https://www.csoonline.com/article/2130877/data-breach/the-biggest-data-breaches-of-the-21st-century.html
Baars D (2016) Towards self-sovereign identity using blockchain technology. Master’s thesis, University of Twente
Caronni G (2000) Walking the web of trust. In: IEEE 9th international workshops on enabling technologies: infrastructure for collaborative enterprises (WET ICE 2000). Proceedings. IEEE, pp 153–158
Cortet M, Rijks T, Nijland S (2016) PSD2: the digital transformation accelerator for banks. J Paym Strateg Syst 10(1):13–27
Ekberg JE, Kostiainen K, Asokan N (2013) Trusted execution environments on mobile devices. In: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security. ACM, pp 1497–1498
Hughes J, Maler E (2005) Security assertion markup language (saml) v2. 0 technical overview. OASIS SSTC Working Draft sstc-saml-tech-overview-2.0-draft-08, pp 29–38
Hume M (2018) Identity theft cited as threat after equifax security breach. The Globe and Mail, Toronto A, 7
Jain A, Ross A, Prabhakar S (2004) An introduction to biometric recognition. IEEE Trans Circuits Syst Video Technol 14(1):4–20
Koops BJ, Leenes R (2014) Privacy regulation cannot be hardcoded. Intl Rev Law Comput Technol 28(2):159–171
Los R (2016) The emergence of identity as an enterprise attack surface. CSO Online
Lundkvist C, Heck R, Torstensson J, Mitton Z, Sena M (2016) Uport: a platform for self-sovereign identity
Mealling M, Denenberg R (2002) Report from the joint W3C/IETF URI planning interest group: uniform resource identifiers (URIs), URLs, and uniform resource names (URNs): Clarifications and recommendations. Technical report
Mertens W, Rosemann M (2015) Digital identity 3.0: The platform for people
Nagar A, Nandakumar K, Jain A (2010) Biometric template transformation: a security analysis. In: Proceedings of the of SPIE, electronic imaging, media forensics and security XII, San Jose
Naor M, Shamir A (1994) Visual cryptography. In: Workshop on the theory and application of cryptographic techniques. Springer, pp 1–12
Narayana P, Chen R, Zhao Y, Chen Y, Fu Z, Zhou H (2006) Automatic vulnerability checking of IEEE 802.16 wimax protocols through TLA+. In: 2nd IEEE workshop on secure network protocols, 2006. IEEE, pp 44–49
Othman A, Ross A (2015) De-identifying biometric images by decomposition and mixing. In: Ngo D, Teoh A, Hu J (eds) Biometric security. Cambridge Scholars Publishing, Newcastle upon Tyne
Radha V, Reddy HD (2012)s A survey on single sign-on techniques. Procedia Technol 4:134–139
Reed D, Sporny M (2017) W3C decentralized identifiers (dids) 1.0. https://w3c-ccg.github.io/did-spec/
Reveilhac M, Pasquet M (2009) Promising secure element alternatives for NFC technology. In: First international workshop on near field communication, 2009. NFC’09. IEEE, pp 75–80
Rose J, Rehse O, Röber B (2012) The value of our digital identity. The Boston Consulting Group, New York
Ross A, Othman A (2011) Visual cryptography for biometric privacy. IEEE Trans Inf Forensics Secur 6(1):70–81
Sakimura N, Bradley J, Jones M, Medeiros B, Jay E (2011) Openid connect standard 1.0. [online] http://openid.net/specs/openid-connect-standard-1_0-21.html. Accessed 30 Mar 2013
Sanger DE (2015) Hackers took fingerprints of 5.6 million U.S. workers, government says. The New York Times
Satchell C, Shanks G, Howard S, Murphy J (2011) Identity crisis: user perspectives on multiplicity and control in federated identity management. Behav Inform Technol 30(1):51–62
Vapen A, Carlsson N, Mahanti A, Shahmehri N (2016) A look at the third-party identity management landscape. IEEE Internet Comput 20(2):18–25
Zhang Y, Chen Z, Xue H, Wei T (2015) Fingerprints on mobile devices: abusing and leaking. In: Black hat conference, Las Vegas
Acknowledgements
The authors would like to thank Ward Rosenberry for his help in editing and proofreading the chapter.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this chapter
Cite this chapter
Othman, A., Callahan, J. (2020). A Protocol for Decentralized Biometric-Based Self-Sovereign Identity Ecosystem. In: Bourlai, T., Karampelas, P., Patel, V.M. (eds) Securing Social Identity in Mobile Platforms. Advanced Sciences and Technologies for Security Applications. Springer, Cham. https://doi.org/10.1007/978-3-030-39489-9_12
Download citation
DOI: https://doi.org/10.1007/978-3-030-39489-9_12
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-39488-2
Online ISBN: 978-3-030-39489-9
eBook Packages: Computer ScienceComputer Science (R0)