Digital identities — a statement by our expert Marian Margraf for the German Federal Parliament’s Committee on Digital Affairs

On July 4, 2022, the Committee on Digital Affairs held a public hearing on “Digital identities” at the German Federal Parliament (Bundestag). Our expert Marian Margraf, Head of Secure Systems Engineering at Fraunhofer AISEC and Professor at Freie Universität Berlin, was invited to the event. He addressed in particular the use of the self-sovereign identity (SSI) principle in current solutions, for example in mobile end devices. In addition to the challenges presented by the widespread use of digital identities, he also outlined possible solutions for electronic trust services that are both secure and socially accepted. This blog article is an abridged transcript of his statement.

In principle, I consider the implementation of the self-sovereign identity principles such as inclusion, access, transparency, security, privacy and minimization to be desirable for both digital identities and certificates. However, the solutions currently implemented are still not fully developed from a security perspective.

Criticisms of existing SSI solutions

One major criticism is the lack of distinction between digital identities and certificates (e.g., diplomas). With a digital identity, I can prove that I am Marian Margraf; with my degree certificate, I can only prove that Marian Margraf has a degree. The technical security requirements are therefore different. For example, the holder’s certificates may be copied. However, digital identities linked to the respective person must under no circumstances be copied. Furthermore, I consider the unilateral focus on blockchain technologies to be ineffective. SSI should be researched and developed following a technology-neutral approach.

Other valid criticisms of current SSI solutions are that

a) no security proofs exist for the cryptographic protocols in place;

b) services do not have to authenticate themselves to users;

c) services obtain data including additional information so that it can be proven to third parties that the data is genuine; and

d) there is hitherto no technical solution for implementing digital identities on smartphones that implements the device binding security requirement (to prevent digital identities being copied) without using a unique characteristic (a public key) that is always sent to the service.

However, users can be tracked across different services using this unique characteristic; for example, even if provider A only verifies their age, provider B is sent other identity data such as name and address. This undermines the principles of privacy and minimization.

The aforementioned problems do not exist for the online ID function introduced in 2010.
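To make points c) and d) concrete, the following Go program is an added example for this blog post; it is not code from Marian Margraf's statement, Fraunhofer AISEC or any SSI project, and Go is used only because its standard library ships ECDSA. It assumes a deliberately simplified presentation format (a P-256 device key, a nonce supplied by the service, the disclosed attributes, and a device-key signature over nonce and attributes; issuer signatures and the secure element itself are left out), fixed nonces instead of random ones, and constructed sample attributes for a placeholder person. It shows both halves of criticism d): an attacker who copied the credential data and the device public key but not the private key is rejected (device binding works), yet services A and B, which only ever saw an age flag and a name/address respectively, can join their logs on the one public key they both received.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Presentation: disclosed attributes, service nonce, device public key and a device-key signature
// (constructed, simplified format; issuer signatures over the attributes are omitted on purpose).
type Presentation struct {
	Disclosed map[string]string
	Nonce     []byte
	DevicePub *ecdsa.PublicKey
	Sig       []byte
}

// Holder models a wallet; in practice the device private key lives in a secure element or keystore.
type Holder struct {
	Device *ecdsa.PrivateKey
	Attrs  map[string]string
}

func NewHolder(attrs map[string]string) (*Holder, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Holder{Device: priv, Attrs: attrs}, err
}

// digest hashes nonce and attributes canonically (json.Marshal emits map keys sorted).
func digest(nonce []byte, disclosed map[string]string) []byte {
	enc, _ := json.Marshal(disclosed) // cannot fail for map[string]string
	hsh := sha256.New()
	hsh.Write(nonce)
	hsh.Write(enc)
	return hsh.Sum(nil)
}

// Present discloses only the requested attributes and proves possession of the device key for this nonce.
func (h *Holder) Present(nonce []byte, disclose []string) (Presentation, error) {
	disclosed := map[string]string{}
	for _, k := range disclose {
		if v, ok := h.Attrs[k]; ok {
			disclosed[k] = v
		}
	}
	sig, err := ecdsa.SignASN1(rand.Reader, h.Device, digest(nonce, disclosed))
	return Presentation{Disclosed: disclosed, Nonce: nonce, DevicePub: &h.Device.PublicKey, Sig: sig}, err
}

// Fingerprint is the stable per-device identifier any service can derive from the public key it receives.
func Fingerprint(pub *ecdsa.PublicKey) string {
	sum := sha256.Sum256(append(pub.X.FillBytes(make([]byte, 32)), pub.Y.FillBytes(make([]byte, 32))...))
	return hex.EncodeToString(sum[:8])
}

// Service logs what each accepted presentation disclosed, keyed by device-key fingerprint.
type Service map[string]map[string]string

func (s Service) Verify(p Presentation, expectedNonce []byte) bool {
	if string(p.Nonce) != string(expectedNonce) {
		return false // replay of an earlier presentation
	}
	if !ecdsa.VerifyASN1(p.DevicePub, digest(p.Nonce, p.Disclosed), p.Sig) {
		return false // credential data copied without the device private key
	}
	s[Fingerprint(p.DevicePub)] = p.Disclosed
	return true
}

// Correlate joins two services' logs on the fingerprint: A's age check and B's name/address become one record.
func Correlate(a, b Service) map[string]map[string]string {
	joined := map[string]map[string]string{}
	for fp, fromA := range a {
		if fromB, ok := b[fp]; ok {
			joined[fp] = map[string]string{}
			for _, m := range []map[string]string{fromA, fromB} {
				for k, v := range m {
					joined[fp][k] = v
				}
			}
		}
	}
	return joined
}

func main() {
	holder, _ := NewHolder(map[string]string{"name": "Erika Mustermann", "address": "Musterstraße 1", "age_over_18": "true"}) // constructed
	a, b := Service{}, Service{}
	nonceA, nonceB := []byte("nonce-from-A"), []byte("nonce-from-B") // real services draw random nonces
	pA, _ := holder.Present(nonceA, []string{"age_over_18"})
	pB, _ := holder.Present(nonceB, []string{"name", "address"})
	attacker, _ := NewHolder(holder.Attrs) // has the attributes and the victim's public key, not the private key
	forged, _ := attacker.Present(nonceA, []string{"age_over_18"})
	forged.DevicePub = pA.DevicePub
	fmt.Println("A:", a.Verify(pA, nonceA), "B:", b.Verify(pB, nonceB), "forgery:", a.Verify(forged, nonceA), "linked:", Correlate(a, b))
}
```

Running it prints that A and B accept the genuine presentations, the forgery is rejected, and the linked record carries age flag, name and address under one fingerprint. The linkability is not a bug in either verifier: any device-binding scheme that reveals the same long-term public key to every service hands them a correlation handle, which is exactly the trade-off point d) describes. The statement does not propose a specific replacement mechanism, and this example does not add one.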

Implementation of digital identities on mobile end devices

The secure implementation of digital identities on smartphones remains a great challenge. In this respect, the German Federal Office for Information Security (BSI) has already laid the preparatory groundwork and, for example, has set out in Technical Guideline TR-03159 the security requirements for digital identities on mobile end devices that will ensure the assurance level ‘substantial’ in line with the EU eIDAS Regulation on electronic identification and trust services, which is sufficient for most use cases. Specifically, secure elements that securely store cryptographic key material and that enable cryptographic algorithms to be carried out securely must be used for this purpose. These are included in most mid- to high-range smartphones and would also be installed in low-range smartphones if appropriate business models are established for smartphone manufacturers (secure elements themselves are not expensive). However, it is currently difficult to predict whether smartphone manufacturers would actually allow secure elements (including eSIMs) to be used for digital identities. I therefore think that it is sensible to implement digital identities on the basis of the security functions already provided on smartphones and to work with manufacturers to improve their functionality for the use of digital identities. A good example of this is the implementation of the standard for mobile driving licenses (ISO 18013-5) in Apple and Google’s smartphone operating systems.

Vulnerability management for mobile end devices

In contrast to the card-based online ID function for which only a very limited number of security elements (with the corresponding operating system and software) are used, the number of hardware and software versions for mobile end devices is significantly higher. As a result, the possibility of security vulnerabilities being introduced in the future cannot be ruled out, thereby threatening the security of digital identities implemented on mobile end devices. Vulnerability management should therefore be established for these devices, enabling the operator of the overall system to identify and evaluate security vulnerabilities and to introduce appropriate countermeasures, such as excluding individual devices from further use in serious cases.

Prerequisites for the widespread use of digital identities

German citizens will use digital identities if the respective processes are greatly simplified. However, this is also dependent on a wide range of services being available. In this respect, one driver could be the German Online Access Act (OZG), which requires the federal, state and local governments to also provide their administrative services in digital form, although its implementation is significantly delayed. Our studies in this field also support this conclusion: German citizens have a very positive attitude towards digital identities, but they criticize the lack of use cases.

Another essential prerequisite is the harmonization of regulatory requirements regarding digital identities for different sectors, for example healthcare, insurance, finance and public administration. This is the only way to ensure that a great many services can be used with a single digital identity. Harmonization also includes the unambiguous interpretation of attributes. For example, mutual recognition of authenticated digital identities under the eIDAS Regulation is legally binding for all Member States. Databases are planned for semantic definitions of individual attributes. This should be implemented not only for digital identities within the scope of eIDAS but for all digital identities and additionally where certificates are used in an SSI context (e.g., through a voluntary commitment by the solutions provider).

Early involvement of civil society

Parts of civil society are skeptical of the German federal government’s major digitalization projects, partly because the government is pursuing divergent interests. That is why, for example, the introduction of the online ID function in 2010 received a very negative response from the Chaos Computer Club (CCC). Above all, there were fears that the government could use the online ID function to spy on citizens and that it was not capable of designing a secure, privacy-friendly solution. However, critical feedback on such projects should be viewed as an opportunity to involve citizens at an early stage and improve the solution, thereby increasing overall social acceptance, particularly with a view to security and data protection issues.

The entire development process as well as subsequent maintenance and further development should therefore be completely transparent and heavily involve civil society. This means that all implementation concepts (e.g., architecture, crypto and security concepts as well as guidelines for secure software development) must be discussed with the public and made accessible to them from the very start. Proposed amendments should be evaluated and, most importantly, any rejected amendments should be clearly justified. In addition, software development should be structured as an open-source project under a suitable open-source license and the community should be invited to contribute to it. This includes the software components developed as part of the project, smartphone apps and secure element applets.

To that end, an internet portal should be provided — or existing services (e.g., GitHub or GitLab) used — on which all information on the development process, documents and software are listed and the opportunities for participation presented. A key feature of the portal would be the ability of the community to process proposed amendments to documentation and software and the public evaluation of these by project management and the community (acceptance/rejection including justification).

The aforementioned processes and open-source publication in general should meet the standards and best practices of the open-source community (see the publication strategy of the Corona-Warn-App, for example).

Author
Marian Margraf

Marian Margraf is a professor of information security at Freie Universität Berlin and a department head at Fraunhofer AISEC. He has more than 15 years of experience in the field of information security. He first started his IT security career as a cryptologist at the German Federal Office for Information Security (BSI), where he worked from 2003 to 2008. He then took up the position of senior government official at the German Federal Ministry of the Interior (BMI) in 2008 and contributed to developing the German federal government’s key strategies for information security. He has been a professor since 2013. His research focuses on cryptography, mobile security and information security management. Marian Margraf heads the Secure Systems Engineering department at Fraunhofer AISEC, which specializes in electronic identities, post-quantum cryptography and the development of secure IT systems as well as the increasingly important topic of usable privacy and security. He is often invited to the German Bundestag as a subject expert, educating members of parliament on different issues concerning information security.

