Digital identities — a statement by our expert Marian Margraf for the German Federal Parliament’s Committee on Digital Affairs

On July 4, 2022, the Committee on Digital Affairs held a public hearing on “Digital identities” at the German Federal Parliament (Bundestag). Our expert Marian Margraf, Head of Secure Systems Engineering at Fraunhofer AISEC and Professor at Freie Universität Berlin, was invited to the event. He addressed in particular the use of the self-sovereign identity (SSI) principle in current solutions, for example in mobile end devices. In addition to the challenges presented by the widespread use of digital identities, he also outlined possible solutions for electronic trust services that are both secure and socially accepted. This blog article is an abridged transcript of his statement.

In principle, I consider the implementation of the self-sovereign identity principles such as inclusion, access, transparency, security, privacy and minimization to be desirable for both digital identities and certificates. However, the solutions currently implemented are still not fully developed from a security perspective.

Criticisms of existing SSI solutions

One major criticism is the lack of distinction between digital identities and certificates (e.g., diplomas). With a digital identity, I can prove that I am Marian Margraf; with my degree certificate, I can only prove that Marian Margraf has a degree. The technical security requirements are therefore different. For example, the holder’s certificates may be copied. However, digital identities linked to the respective person must under no circumstances be copied. Furthermore, I consider the unilateral focus on blockchain technologies to be ineffective. SSI should be researched and developed following a technology-neutral approach.

Other valid criticisms of current SSI solutions are that

a) no security proofs exist for the cryptographic protocols in place;

b) services do not have to authenticate themselves to users;

c) services obtain data including additional information so that it can be proven to third parties that the data is genuine; and

d) there is hitherto no technical solution for implementing digital identities on smartphones that implements the device binding security requirement (to prevent digital identities being copied) without using a unique characteristic (a public key) that is always sent to the service.

However, users can be tracked across different services using this unique characteristic; for example, even if provider A only verifies their age, provider B is sent other identity data such as name and address. This undermines the principles of privacy and minimization.

The aforementioned problems do not exist for the online ID function introduced in 2010.

Implementation of digital identities on mobile end devices

The secure implementation of digital identities on smartphones remains a great challenge. In this respect, the German Federal Office for Information Security (BSI) has already laid the preparatory groundwork and, for example, has set out in Technical Guideline TR-03159 the security requirements for digital identities on mobile end devices that will ensure the assurance level ‘substantial’ in line with the EU eIDAS Regulation on electronic identification and trust services, which is sufficient for most use cases. Specifically, security elements that securely store cryptographic key material and that enable cryptographic algorithms to be carried out securely must be used for this purpose. These are included in most mid- to high-range smartphones and would also be installed in low-range smartphones if appropriate business models are established for smartphone manufacturers (security elements themselves are not expensive). However, it is currently difficult to predict whether smartphone manufacturers would actually allow security elements (including eSIMs) to be used for digital identities. I therefore think that it is sensible to implement digital identities on the basis of the security functions already provided on smartphones and to work with manufacturers to improve their functionality for the use of digital identities. A good example of this is the implementation of the standard for mobile driving licenses (ISO 18013-5) in Apple and Google’s smartphone operating systems.

Vulnerability management for mobile end devices

In contrast to the card-based online ID function for which only a very limited number of security elements (with the corresponding operating system and software) are used, the number of hardware and software versions for mobile end devices is significantly higher. As a result, the possibility of security vulnerabilities being introduced in the future cannot be ruled out, thereby threatening the security of digital identities implemented on mobile end devices. Vulnerability management should therefore be established for these devices, enabling the operator of the overall system to identify and evaluate security vulnerabilities and to introduce appropriate countermeasures, such as excluding individual devices from further use in serious cases.

Prerequisites for the widespread use of digital identities

German citizens will use digital identities if the respective processes are greatly simplified. However, this is also dependent on a wide range of services being available. In this respect, one driver could be the German Online Access Act (OZG), which requires the federal, state and local governments to also provide their administrative services in digital form, although its implementation is significantly delayed. Our studies in this field also support this conclusion: German citizens have a very positive attitude towards digital identities, but they criticize the lack of use cases.

Another essential prerequisite is the harmonization of regulatory requirements regarding digital identities for different sectors, for example healthcare, insurance, finance and public administration. This is the only way to ensure that a great many services can be used with a single digital identity. Harmonization also includes the unambiguous interpretation of attributes. For example, mutual recognition of authenticated digital identities under the eIDAS Regulation is legally binding for all Member States. Databases are planned for semantic definitions of individual attributes. This should be implemented not only for digital identities within the scope of eIDAS but for all digital identities and additionally where certificates are used in an SSI context (e.g., through a voluntary commitment by the solutions provider).

Early involvement of civil society

Parts of civil society are skeptical of the German federal government’s major digitalization projects, partly because the government is pursuing divergent interests. That is why, for example, the introduction of the online ID function in 2010 received a very negative response from the Chaos Computer Club (CCC). Above all, there were fears that the government could use the online ID function to spy on citizens and that it was not capable of designing a secure, privacy-friendly solution. However, critical feedback on such projects should be viewed as an opportunity to involve citizens at an early stage and improve the solution, thereby increasing overall social acceptance, particularly with a view to security and data protection issues.

The entire development process as well as subsequent maintenance and further development should therefore be completely transparent and heavily involve civil society. This means that all implementation concepts (e.g., architecture, crypto and security concepts as well as guidelines for secure software development) must be discussed with the public and made accessible to them from the very start. Proposed amendments should be evaluated and, most importantly, any rejected amendments should be clearly justified. In addition, software development should be structured as an open-source project under a suitable open-source license and the community should be invited to contribute to it. This includes the software components developed as part of the project, smartphone apps and secure element applets.

To that end, an internet portal should be provided — or existing services (e.g., GitHub or GitLab) used — on which all information on the development process, documents and software are listed and the opportunities for participation presented. A key feature of the portal would be the ability of the community to process proposed amendments to documentation and software and the public evaluation of these by project management and the community (acceptance/rejection including justification).

The aforementioned processes and open-source publication in general should meet the standards and best practices of the open-source community (see the publication strategy of the Corona-Warn-App, for example).

Author
Marian Margraf

Marian Margraf is a professor of information security at Freie Universität Berlin and a department head at Fraunhofer AISEC. He has more than 15 years of experience in the field of information security. He first started his IT security career as a cryptologist at the German Federal Office for Information Security (BSI), where he worked from 2003 to 2008. He then took up the position of senior government official at the German Federal Ministry of the Interior (BMI) in 2008 and contributed to developing the German federal government’s key strategies for information security. He has been a professor since 2013. His research focuses on cryptography, mobile security and information security management. Marian Margraf heads the Secure Systems Engineering department at Fraunhofer AISEC, which specializes in electronic identities, post-quantum cryptography and the development of secure IT systems as well as the increasingly important topic of usable privacy and security. He is often invited to the German Bundestag as a subject expert, educating members of parliament on different issues concerning information security.
