
World e-Id and Cybersecurity Conference Sept. 17 2015

Laurent Henocque - KeeeX - Marseille

How Social Certificates May Help Build Decentralized Trust

The situation

‣ Trusted third parties cannot be trusted to protect our data, which may furthermore be attacked in transit

‣ Certificate authorities may do a loose job of ensuring who an emitter is

‣ Certificates are complex to obtain and expensive, and have somehow missed their e-identity market

‣ Certificates expire, but they are almost never revoked; revoking is expensive


Certificate Pyramid / Chain in Short

‣ Trusted Authority: a self-signed Root Certificate, whose private key digitally signs the public key of the Company Certificate

‣ Company Certificate: its private key digitally signs the public key of the User Certificate

‣ User Certificate: its private key digitally signs the hash ‘topaz’ of the file

‣ Result: the file has proven integrity and certified author

The two functions of a certificate can be distributed

‣ Decentralized, autonomous file integrity is possible (immune to attacks)

‣ Socially enforced certificates allow for a unique e-ID scheme


Decentralized Integrity

‣ Solutions exist to embed file integrity in documents

‣ Adobe PDF and Microsoft Office implement this

‣ KeeeX implements this for 250+ file formats

‣ When a file is obtained, its integrity can be checked offline, independently of a trusted third party


Decentralized Authenticity

‣ The public key of a user need not be digitally signed by a certificate hierarchy

‣ The public key of a user can be signed by other users!

‣ The signing private/public keypair of a user can be picked by the user himself

‣ The signing private/public keypair of a user can be replaced and revoked at any time

Your public key can be signed by someone who knows you!

‣ The file carries ‘topaz’ (its hash) + your public key + a signature: your private key digitally signs the hash ‘topaz’

‣ Your public key can be stored inside the file!

‣ The file has proven integrity and certified author

How do you create your own certificate?

‣ You create an ECC keypair, either randomly or from a self-defined passphrase

‣ The public key is very short (<40 chars) and easily fits within any file

‣ Then other people will certify your identity by

  ‣ digitally signing documents that refer to documents that you have signed yourself, or

  ‣ files that explicitly contain your public key

For instance, use Bitcoin addresses

‣ Public key would be 1Gr8a8XKW…ERTDtya

Signatures can be verified offline

‣ Below is a valid signature of xirap-no…ox by my real public key: 16VjbG…SaBSA
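The three mechanisms the deck describes (a user-chosen keypair, a file that embeds its own hash, author key and signature so it verifies offline, and peers who sign a statement binding a name to that key) can be shown end to end in a few dozen lines. The following Go program is an added example written for this page; it is not KeeeX code and does not reproduce KeeeX's formats. Assumptions: Ed25519 from the Go standard library stands in for the Bitcoin-style ECC keys of the slides, a plain hex SHA-256 stands in for the human-readable ‘topaz’ style hash, and the passphrase derivation is a single SHA-256 used only to keep the example self-contained (a deployment would use a memory-hard KDF and a high-entropy passphrase, or random generation). All names and documents are constructed samples.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Identity is a user-chosen signing keypair; no certificate authority is involved.
type Identity struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewIdentity derives a keypair deterministically from a passphrase.
// Assumption: one SHA-256 stands in for a real KDF (toy only, see lead-in).
func NewIdentity(name, passphrase string) Identity {
	seed := sha256.Sum256([]byte("example-kdf-v1:" + passphrase))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return Identity{Name: name, Pub: priv.Public().(ed25519.PublicKey), priv: priv}
}

// PubHex is the short, embeddable form of the public key (64 hex characters here).
func (id Identity) PubHex() string { return hex.EncodeToString(id.Pub) }

// SealedFile models a document that carries its own integrity proof and author key.
type SealedFile struct {
	Content string
	Hash    string // hex SHA-256 of Content (the role of ‘topaz’ in the slides)
	Author  string // hex public key of the signer, stored inside the file
	Sig     string // hex signature over the hash
}

// Seal hashes the content, signs the hash, and embeds hash, key and signature.
func Seal(author Identity, content string) SealedFile {
	h := sha256.Sum256([]byte(content))
	return SealedFile{
		Content: content,
		Hash:    hex.EncodeToString(h[:]),
		Author:  author.PubHex(),
		Sig:     hex.EncodeToString(ed25519.Sign(author.priv, h[:])),
	}
}

// VerifySeal checks integrity (hash matches content) and authorship (signature
// verifies under the embedded key) entirely offline, with no third party.
func VerifySeal(f SealedFile) bool {
	h := sha256.Sum256([]byte(f.Content))
	if hex.EncodeToString(h[:]) != f.Hash {
		return false // content was modified after sealing
	}
	pub, err := hex.DecodeString(f.Author)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return false
	}
	sig, err := hex.DecodeString(f.Sig)
	if err != nil {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(pub), h[:], sig)
}

// Attestation is a social certificate: a peer signs a statement binding a name to a key.
type Attestation struct {
	Statement string
	Peer      string // hex public key of the attesting peer
	Sig       string // hex signature over Statement
}

func bindingStatement(name, pubHex string) string { return fmt.Sprintf("%s owns key %s", name, pubHex) }

// Attest lets a peer who knows the subject vouch for the subject's key.
func Attest(peer Identity, subjectName, subjectPubHex string) Attestation {
	stmt := bindingStatement(subjectName, subjectPubHex)
	return Attestation{Statement: stmt, Peer: peer.PubHex(), Sig: hex.EncodeToString(ed25519.Sign(peer.priv, []byte(stmt)))}
}

// CountTrustedAttestations counts attestations for (name, key) that carry a valid
// signature from a peer the verifier already trusts: the verifier, not a CA, decides who counts.
func CountTrustedAttestations(subjectName, subjectPubHex string, atts []Attestation, trusted map[string]bool) int {
	want := bindingStatement(subjectName, subjectPubHex)
	n := 0
	for _, a := range atts {
		if a.Statement != want || !trusted[a.Peer] {
			continue
		}
		pub, err := hex.DecodeString(a.Peer)
		if err != nil || len(pub) != ed25519.PublicKeySize {
			continue
		}
		sig, err := hex.DecodeString(a.Sig)
		if err != nil || !ed25519.Verify(ed25519.PublicKey(pub), []byte(a.Statement), sig) {
			continue
		}
		n++
	}
	return n
}

func main() {
	alice := NewIdentity("alice", "correct horse battery staple") // constructed sample
	bob := NewIdentity("bob", "bob-passphrase")
	f := Seal(alice, "Quarterly report v3") // constructed sample document
	tampered := f
	tampered.Content = "Quarterly report v3 (edited)"
	fmt.Println("seal valid:", VerifySeal(f), "tampered valid:", VerifySeal(tampered))
	atts := []Attestation{Attest(bob, "alice", alice.PubHex())}
	fmt.Println("trusted attestations:", CountTrustedAttestations("alice", alice.PubHex(), atts, map[string]bool{bob.PubHex(): true}))
}
```

The verifier side needs nothing but the file and its own list of trusted peer keys, which is the decentralization claim of the deck; revocation would be one more signed statement from the subject's key, checked the same way.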

Conclusion

‣ Solutions exist to achieve the social (peer) certification of user defined e-identities

‣ It is cost-effective

‣ It remains under the user's control

‣ It can be verified using publicly available tools


Thanks for listening

Meet us at World Smart WeeeK

Laurent Henocque, [email protected], +33 683 88 20 01

KeeeX SAS, RCS Marseille 807 570 148, Pôle Média Belle de Mai CS 20038 – 37 Rue Guibal – 13356 Marseille cedex 03

Tel: +33 4 91 05 64 47