Building Trust in Digital Identities - European Commission
Building Trust in Digital Identities
Secure Digital identities for a Digital Single Market in Europe
Frederic Jacobs
What is trust?
“the willingness of a party to be vulnerable to the actions of another party based on the expectation that the other will perform a particular action important to the trustor, irrespective of the ability to monitor or control that other party”
(Mayer et al., 1995)
[Chart] Major Concerns Related to Online Privacy and Security Risks, Percent of Households with Internet Users, 2015
Source: NTIA - US Dept of Commerce
[Chart] Eurobarometer on Data Protection
Source: European Commission Special Eurobarometer 431
Threat Modeling
• Is the eventual risk of compromise outweighed by the advantages yielded by the trust relationship?
• Can I mitigate misplaced trust?
• Maybe there is an entity I trust enough? (Centralized)
• Maybe trust should be distributed to a quorum? (Federated)
• Maybe trust should be completely distributed without central nodes? (Decentralized)
“Доверяй, но проверяй” (trust, but verify)
– Russian proverb taught by Suzanne Massie to Ronald Reagan
Standards
• Security Management Standards
• ISO27K, IETF RFC 2196, NIST 800-53, BSI 100-1, BSI 100-3
• Technical Security Standards
• AES, TLS, RADIUS, OpenID
• Vulnerability Management Standards
• ITU-T X.1520, CVE
• Security Assurance Standards
• ISO 15408
• Regional and Domain-specific Standards
Compliance & Security
• Getting compliance approval for software updates takes time. Meanwhile .gov sites or hospitals might be vulnerable
• Data localization doesn’t matter. Where are the keys stored?
• Are standards kept up-to-date?
• Studies show that password policies (rotation, restrictions …) make users less secure
Audits / Penetration Testing
• How effective? Hard to say
• Usually easy to find the low-hanging fruit, which raises the cost for an attacker to find vulnerabilities
• Most large tech companies have a “red team” that is constantly looking for vulnerabilities before the “bad guys” find them
Open-Source
• Software being open-source enables easier third-party auditing of the software by security researchers and academics
• Why easier?
• No need for reverse engineering
• Builds can be instrumented for analysis techniques (such as static analysis, fuzzing, constraint solving…)
Funding OSS as critical infrastructure
• Important to identify and support open-source software that constitutes critical infrastructure for the EU
• EU-FOSSA: Pilot Project for auditing of Open Source Software at the European Institutions
Reproducible Builds
• What good is it that the source code of an application is online if it can’t be reproduced?
• Reproducibility efforts supported by (containerized) deterministic build processes
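The two bullets above describe the goal but not what actually breaks reproducibility. The following is an added example (not code from the talk) that packages the same constructed source tree in two ways: a naive build that bakes wall-clock timestamps and a build-time stamp into the artifact, and a deterministic build that sorts entries, takes timestamps from a fixed SOURCE_DATE_EPOCH value (the Reproducible Builds convention) and fixes ownership fields. A third party can then rebuild from the published source and compare digests with the published artifact. The file contents, file names and epoch value are all constructed for the example.

```python
import hashlib
import io
import tarfile
import time
from typing import Callable, Dict

# Added example, not from the talk: constructed sample source tree.
SOURCES: Dict[str, bytes] = {
    "src/main.c": b"int main(void){return 0;}\n",
    "README": b"example project\n",
    "src/util.h": b"#define VERSION 1\n",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def naive_build(files: Dict[str, bytes]) -> bytes:
    """Typical non-reproducible packaging: entries in arbitrary order,
    wall-clock mtimes, and a build-time stamp written into the artifact."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        stamp = f"built_at={time.time_ns()}\n".encode()
        for name, data in {**files, "BUILD_INFO": stamp}.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = int(time.time())  # differs from one build to the next
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def reproducible_build(files: Dict[str, bytes], source_date_epoch: int) -> bytes:
    """Deterministic packaging: sorted entry order, all mtimes pinned to
    SOURCE_DATE_EPOCH, fixed uid/gid/uname/gname and mode, no build stamp.
    (If the archive were gzip-compressed, the gzip header's own MTIME field
    would have to be pinned the same way.)"""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(files):
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = source_date_epoch
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def is_reproducible(build: Callable[[], bytes], runs: int = 3) -> bool:
    """Run the build several times; it is reproducible if every run
    yields the same artifact digest."""
    return len({sha256(build()) for _ in range(runs)}) == 1


def matches_published(published_digest: str, files: Dict[str, bytes],
                      source_date_epoch: int) -> bool:
    """Independent rebuild check: does our build of the published source
    produce exactly the artifact the vendor published?"""
    return sha256(reproducible_build(files, source_date_epoch)) == published_digest


if __name__ == "__main__":
    epoch = 1483228800  # constructed SOURCE_DATE_EPOCH (2017-01-01T00:00:00Z)
    print("naive build reproducible:", is_reproducible(lambda: naive_build(SOURCES)))
    print("deterministic build reproducible:",
          is_reproducible(lambda: reproducible_build(SOURCES, epoch)))
```

The check is the point of the slide: with the deterministic build, anyone can rebuild the published source and compare one digest, so a mismatch is a signal worth investigating rather than noise from timestamps.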
Key Transparency
• Certificate transparency holds certificate authorities accountable
• Can be applied in other areas including software updates, end-to-end encrypted messaging (CONIKS) …
• Distributed ledger community is working on solving similar problems
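The accountability mechanism behind Certificate Transparency (and CONIKS-style key transparency) is an append-only Merkle log whose operator publishes a root hash, so that any relying party holding an entry can verify an inclusion proof against that root. The following is an added example, not code from the talk or from any CT implementation, of that core check: leaf and node hashing with the RFC 6962 domain-separation prefixes, audit-path construction, and the client-side verification algorithm from RFC 9162. The log entries are constructed sample records; the `demo` helper is the example's own.

```python
import hashlib
from typing import List, Tuple

# Added example, not from the talk: a minimal Certificate-Transparency-style
# Merkle log (RFC 6962 / RFC 9162 hashing). The operator publishes `root`;
# a client with an entry, its index, the tree size and an audit path can
# check inclusion without trusting the operator.


def leaf_hash(entry: bytes) -> bytes:
    # 0x00 prefix: domain separation between leaves and interior nodes
    return hashlib.sha256(b"\x00" + entry).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split_point(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(leaves: List[bytes]) -> bytes:
    """Merkle Tree Hash over already-hashed leaves (RFC 6962 section 2.1)."""
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaves[0]
    k = _split_point(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


def audit_path(leaves: List[bytes], index: int) -> List[bytes]:
    """Sibling hashes from leaf `index` up to the root (the inclusion proof)."""
    if len(leaves) == 1:
        return []
    k = _split_point(len(leaves))
    if index < k:
        return audit_path(leaves[:k], index) + [merkle_root(leaves[k:])]
    return audit_path(leaves[k:], index - k) + [merkle_root(leaves[:k])]


def verify_inclusion(leaf: bytes, index: int, tree_size: int,
                     path: List[bytes], root: bytes) -> bool:
    """Client-side inclusion check (RFC 9162 section 2.1.3.2)."""
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = leaf
    for p in path:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            if not fn & 1:
                while not (fn & 1 or fn == 0):
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


def build_log(entries: List[bytes]) -> Tuple[bytes, List[bytes]]:
    leaves = [leaf_hash(e) for e in entries]
    return merkle_root(leaves), leaves


# Constructed sample log: records a CA or a CONIKS-style key server might append.
ENTRIES = [
    b"cert:example.org:serial=01",
    b"cert:example.net:serial=02",
    b"key:alice@example.org:fp=aa11",
    b"cert:example.org:serial=03",
    b"key:bob@example.org:fp=bb22",
]


def demo() -> Tuple[bool, bool]:
    """(genuine entry verifies, never-logged entry fails) against one root."""
    root, leaves = build_log(ENTRIES)
    honest = verify_inclusion(leaf_hash(ENTRIES[3]), 3, len(ENTRIES),
                              audit_path(leaves, 3), root)
    forged = verify_inclusion(leaf_hash(b"cert:example.org:serial=99"), 3,
                              len(ENTRIES), audit_path(leaves, 3), root)
    return honest, forged


if __name__ == "__main__":
    print(demo())
```

The same construction is what makes a log operator accountable: a certificate or key that was never appended has no valid audit path to the published root, and monitors comparing roots over time can detect a log that shows different trees to different clients.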
End-to-end Encryption
✉ “Trust us, we won’t read or mine your chats.”
✉🔒 “You don’t have to trust us, we can’t read your chats”
Formally verified software
• Advances in formal methods help us build safer software whose behaviour matches a given formal specification
• Still out of reach for large & fast-moving code bases
Proofs and Voting: Can we trust them?
• Let’s assume we have a formally verified implementation of a voting protocol that comes with strong security proofs
• Should we be using it?
• Lack of widespread understanding of how the voting system fundamentally works
• “The election is gonna be rigged” feeling
• There might be lower-level attacks
• Does it run in a trusted environment?
• How do we verify the silicon?