Headerbild_CybersecurityBlog_Fraunhofer AISEC_Stellungnahme SSI Marian Margraf_klein

Digital identities — a statement by our expert Marian Margraf for the German Federal Parliament’s Committee on Digital Affairs

On July 4, 2022, the Committee on Digital Affairs held a public hearing on “Digital identities” at the German Federal Parliament (Bundestag). Our expert Marian Margraf, Head of Secure Systems Engineering at Fraunhofer AISEC and Professor at Freie Universität Berlin, was invited to the event. He addressed in particular the use of the self-sovereign identity (SSI) principle in current solutions, for example in mobile end devices. In addition to the challenges presented by the widespread use of digital identities, he also outlined possible solutions for electronic trust services that are both secure and socially accepted. This blog article is an abridged transcript of his statement.

In principle, I consider the implementation of the self-sovereign identity principles such as inclusion, access, transparency, security, privacy and minimization to be desirable for both digital identities and certificates. However, the solutions currently implemented are still not fully developed from a security perspective.

Criticisms of existing SSI solutions

One major criticism is the lack of distinction between digital identities and certificates (e.g., diplomas). With a digital identity, I can prove that I am Marian Margraf; with my degree certificate, I can only prove that Marian Margraf has a degree. The technical security requirements are therefore different. For example, the holder’s certificates may be copied. However, digital identities linked to the respective person must under no circumstances be copied. Furthermore, I consider the unilateral focus on blockchain technologies to be ineffective. SSI should be researched and developed following a technology-neutral approach.

Other valid criticisms of current SSI solutions are that

a) no security proofs exist for the cryptographic protocols in place;

b) services do not have to authenticate themselves to users;

c) services obtain data including additional information so that it can be proven to third parties that the data is genuine; and

d) there is hitherto no technical solution for implementing digital identities on smartphones that implements the device binding security requirement (to prevent digital identities being copied) without using a unique characteristic (a public key) that is always sent to the service.

However, users can be tracked across different services using this unique characteristic; for example, even if provider A only verifies their age, provider B is sent other identity data such as name and address. This undermines the principles of privacy and minimization.

The aforementioned problems do not exist for the online ID function introduced in 2010.

Implementation of digital identities on mobile end devices

The secure implementation of digital identities on smartphones remains a great challenge. In this respect, the German Federal Office for Information Security (BSI) has already laid the preparatory groundwork and, for example, has set out in Technical Guideline TR-03159 the security requirements for digital identities on mobile end devices that will ensure the assurance level ‘substantial’ in line with the EU eIDAS Regulation on electronic identification and trust services, which is sufficient for most use cases. Specifically, security elements that securely store cryptographic key material and that enable cryptographic algorithms to be carried out securely must be used for this purpose. These are included in most mid- to high-range smartphones and would also be installed in low-range smartphones if appropriate business models are established for smartphone manufacturers (security elements themselves are not expensive). However, it is currently difficult to predict whether smartphone manufacturers would actually allow security elements (including eSIMs) to be used for digital identities. I therefore think that it is sensible to implement digital identities on the basis of the security functions already provided on smartphones and to work with manufacturers to improve their functionality for the use of digital identities. A good example of this is the implementation of the standard for mobile driving licenses (ISO 18013-5) in Apple and Google’s smartphone operating systems.

Vulnerability management for mobile end devices

In contrast to the card-based online ID function for which only a very limited number of security elements (with the corresponding operating system and software) are used, the number of hardware and software versions for mobile end devices is significantly higher. As a result, the possibility of security vulnerabilities being introduced in the future cannot be ruled out, thereby threatening the security of digital identities implemented on mobile end devices. Vulnerability management should therefore be established for these devices, enabling the operator of the overall system to identify and evaluate security vulnerabilities and to introduce appropriate countermeasures, such as excluding individual devices from further use in serious cases.

Prerequisites for the widespread use of digital identities

German citizens will use digital identities if the respective processes are greatly simplified. However, this is also dependent on a wide range of services being available. In this respect, one driver could be the German Online Access Act (OZG), which requires the federal, state and local governments to also provide their administrative services in digital form, although its implementation is significantly delayed. Our studies in this field also support this conclusion: German citizens have a very positive attitude towards digital identities, but they criticize the lack of use cases.

Another essential prerequisite is the harmonization of regulatory requirements regarding digital identities for different sectors, for example healthcare, insurance, finance and public administration. This is the only way to ensure that a great many services can be used with a single digital identity. Harmonization also includes the unambiguous interpretation of attributes. For example, mutual recognition of authenticated digital identities under the eIDAS Regulation is legally binding for all Member States. Databases are planned for semantic definitions of individual attributes. This should be implemented not only for digital identities within the scope of eIDAS but for all digital identities and additionally where certificates are used in an SSI context (e.g., through a voluntary commitment by the solutions provider).

Early involvement of civil society

Parts of civil society are skeptical of the German federal government’s major digitalization projects, partly because the government is pursuing divergent interests. That is why, for example, the introduction of the online ID function in 2010 received a very negative response from the Chaos Computer Club (CCC). Above all, there were fears that the government could use the online ID function to spy on citizens and that it was not capable of designing a secure, privacy-friendly solution. However, critical feedback on such projects should be viewed as an opportunity to involve citizens at an early stage and improve the solution, thereby increasing overall social acceptance, particularly with a view to security and data protection issues.

The entire development process as well as subsequent maintenance and further development should therefore be completely transparent and heavily involve civil society. This means that all implementation concepts (e.g., architecture, crypto and security concepts as well as guidelines for secure software development) must be discussed with the public and made accessible to them from the very start. Proposed amendments should be evaluated and, most importantly, any rejected amendments should be clearly justified. In addition, software development should be structured as an open-source project under a suitable open-source license and the community should be invited to contribute to it. This includes the software components developed as part of the project, smartphone apps and secure element applets.

To that end, an internet portal should be provided — or existing services (e.g., GitHub or GitLab) used — on which all information on the development process, documents and software are listed and the opportunities for participation presented. A key feature of the portal would be the ability of the community to process proposed amendments to documentation and software and the public evaluation of these by project management and the community (acceptance/rejection including justification).

The aforementioned processes and open-source publication in general should meet the standards and best practices of the open-source community (see the publication strategy of the Corona-Warn-App, for example).

Author
Marian_Margraf_Blog_Autor_CybersecurityBlog Fraunhofer AISEC
Marian Margraf

Marian Margraf is a professor of information security at Freie Universität Berlin and a department head at Fraunhofer AISEC. He has more than 15 years of experience in the field of information security. He first started his IT security career as a cryptologist at the German Federal Office for Information Security (BSI), where he worked from 2003 to 2008. He then took up the position of senior government official at the German Federal Ministry of the Interior (BMI) in 2008 and contributed to developing the German federal government’s key strategies for information security. He has been a professor since 2013. His research focuses on cryptography, mobile security and information security management. Marian Margraf heads the Secure Systems Engineering department at Fraunhofer AISEC, which specializes in electronic identities, post-quantum cryptography and the development of secure IT systems as well as the increasingly important topic of usable privacy and security. He is often invited to the German Bundestag as a subject expert, educating members of parliament on different issues concerning information security.

Most Popular

Never want to miss a post?

Please submit your e-mail address to be notified about new blog posts.
 
Bitte füllen Sie das Pflichtfeld aus.
Bitte füllen Sie das Pflichtfeld aus.
Bitte füllen Sie das Pflichtfeld aus.

* Mandatory

* Mandatory

By filling out the form you accept our privacy policy.

Leave a Reply

Your email address will not be published. Required fields are marked *

Other Articles

Fraunhofer AISEC commissioned by the German Federal Office for Information Security (BSI): New study on the synthesis of cryptographic hardware implementations

The study by Fraunhofer AISEC on the security of cryptographic hardware implementations focuses on attacks on physical hardware, such as side-channel attacks and error attacks, as well as measures to defend against them. These protective mechanisms can potentially be compromised by optimizations in the chip design process. The study shows that protective measures should be integrated into complex design processes and taken into account in hardware design synthesis in order to be resilient to hardware attacks. The findings will help hardware designers to develop robust and secure chips.

Read More »

Faster detection and rectification of security vulnerabilities in software with CSAF

The Common Security Advisory Framework (CSAF) is a machine-readable format for security notices and plays a crucial role in implementing the security requirements of the Cyber Resilience Act (CRA): Security vulnerabilities can be detected and rectified faster by automatically creating and sharing security information. Fraunhofer AISEC has now published the software library »kotlin-csaf«, which implements the CSAF standard in the Kotlin programming language.

Read More »

Privacy By Design: Integrating Privacy into the Software Development Life Cycle

As data breaches and privacy violations continue to make headlines, it is evident that mere reactive measures are not enough to protect personal data. Therefore, behind every privacy-aware organization lies an established software engineering process that systematically includes privacy engineering activities. Such activities include the selection of privacy-enhancing technologies, the analysis of potential privacy threats, as well as the continuous re-evaluation of privacy risks at runtime.
In this blog post, we give an overview of some of these activities which help your organization to build and operate privacy-friendly software by design. In doing so, we focus on risk-based privacy engineering as the driver for »Privacy by Design«.

Read More »
Headerbild zum Blogartikel "Neue Studie zu Laser-basiertem Fehlerangriff auf XMSS" im Cybersecurityblog des Fraunhofer AISEC

Fraunhofer AISEC commissioned by the German Federal Office for Information Security (BSI): new study of laser-based fault attacks on XMSS

To ensure the security of embedded systems, the integrity and authenticity of the software must be verified, for example through signatures. However, targeted hardware attacks enable malware to be used to take over the system. What risks are modern cryptographic implementations exposed to? What countermeasures need to be taken? To answer these questions, Fraunhofer AISEC was commissioned by the German Federal Office for Information Security (BSI) to carry out a study of laser-based fault attacks on XMSS. The focus is on a hash-based, quantum-secure scheme for creating and verifying signatures based on the Winternitz One-Time-Signature (WOTS) scheme.

Read More »