-
Notifications
You must be signed in to change notification settings - Fork 12
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Threat Modeling for Decentralized Identities #115
Comments
The strategy link issue is 404. There are solutions for dynamic state, that rely on getting a fresh status from the issuer at some interval, but where the holder requests the status, not the verifier. This kind of approach is especially useful for enumerations status values, that are not boolean, since you don't need to do bit logic on the status list, and storing enumerations in cryptographic accumulators can be complicated. |
@OR13 Thank you for the 404 check; it was fixed. And also for the status attestations |
reasoning about the issue, I began to structure a Threat Model, to which I would then apply privacy (or other) techniques |
Nick also mentioned threat model here: w3c/strategy#458 I'm generally supportive of revising the threat model, as the API aligns to support protocols and credential formats. Especially because some threats will be out of scope for the API, but maybe in scope for a protocol or format. It can be helpful to identify what the API can change, and where the API's security or privacy considerations are subject to constraints from the choice of supporting a protocol or format. |
thanks @OR13 I've just update it (and maybe I need to move from an issue to something different). Clarified a bit the scope that I agree it is broader to the API, but for the model I think we need to analyze also the full flow/architeture and then part of the model can be applied to the API. |
@weizman have you some insight as you have experience in the Wallets-in-the-Browsers (even if probably more on high-level than your article and also on user experience? |
by @peppelinux on linkedin
|
by Stephan Engberg on linkedin
|
I updated the model by improving the scope, architectural, and flow analysis parts, then wrote the various prompt lists to brainstorm on. |
this is more of a threat meta-model as the details about the vulnerabilities, costs, mitigations, and justifications are missing. That is ok as a start, although mixing models makes it harder to come up with a single lists of vulnerabilities for the analysis. Or is the point to create the model and then every implementer would build the analysis? One item missing is the verifier proof of identity and purpose. As one example, you don't say that the holder must trust the verifier. There is an implicit assumption here, that the holder is the subject with a slight nod to delegation in "One particularly useful and interesting aspect is that of delegation of a credential (I use the term delegation loosely, as questionies such as Guardianship have a precise legal meaning), which prevents much abuse and identity theft and should be modeled properly as Issuer rules." If you mean this you need much more detail and the separation of the holder from the subject. |
Hi @TomCJones
Yes, it is still a meta-model to be codified in the clear structure "threat>mitigation>residual threat, as in a common final form. There are several "profiles" and elements that change the setup a lot (e.g., I can choose to have formats that do not support selective disclosure, while an output that doesn't come out and has to be used/predilected those). Also, because I didn't find that reasoning, it seemed like a good place to start. The mix between Security and Privacy in this case is given by the fact that I started doing the analysis with the OSSTMM. Still, yes in a later round (the fateful fourth step) the various analyses have to be harmonized.
Great finding, I will update it thank you
Yes, you are right. I added that sentence as my memento since I thought the concept was interesting. Lately, at least in Europe, we talk a lot about government-issued credentials for people, but there are many use cases where the subject is not the holder (animals, supply chain, etc.). Thanks again for your comment! |
In the section that pertains to the Status List revocation approach, it claims the approach discloses personal information, but that doesn't seem accurate. Assuming the revocation document only contains flipped bits at positions that can only be tied a given credential if you'd been privy to disclosure of their association, what personal information does the author of that passage think is contained in this revocation document? |
hi @csuwildcat , thank you for the feedback. i was more thinking of a correlation issues as specified here: https://www.w3.org/TR/vc-bitstring-status-list/#privacy-considerations for sure, I am going to explain better the concept |
We're also started working with Fondazione Bruno Kessler as they have a Threat Model to on the Wallet/Protocol side: https://drive.google.com/drive/folders/1mgwhZ0jTAeGIE8Ewf3kK34dLjPwOTM5L |
One thing I think is missing from the "threat>mitigation>residual threat" form that this is taking is a discussion of the actors/assets/invariants that are useful to describe the assumptions made in constructing the model. That sort of discussion can help us get on common ground, which could be really nice for defining exactly the security/privacy relationship of the wallet and browser. I'm still thinking about how to approach this, but this may be an additional section worth adding. |
@bvandersloot-mozilla I agree with you. it is needed a refinement "numbering" the threats, the mitigation so that we can understand the residial part (and understand what to do) |
By @slistrom and @peppelinux A classification of the Wallet types, considering that each wallet, at a specific level, can have a different Threat Model.
|
Threat Model from here WICG/digital-credentials#115
301 Moved Permanently: The updated version of the Threat Model is in the Threat Model Community Group Repository |
I know it says this work has permanently moved. and I will try contribute in a new CG as well, but just wanted to point to two prior work with a very similar scope that should be taken into account:
|
@Sakurann thank you so much, I moved the Issue text, but here there are still some material needed to moved as issues. For sure these two works needs to be refenreced in the Threat Model! |
Threat Model and analysis by @RByers 👍 Chromium: RWI privacy risk mitigation design to include/reflect |
301 Moved Permanently: The updated version of the Threat Model is in the Threat Model Community Group Repository
Introduction
Status of this document
An outline of the many concerns related to these areas of work, for discussion starting, and initial principles for addressing user considerations.
Editor: Simone Onofri, [email protected]
Scope
This document is the living Threat Model related to Decentralized Identities.
The topic is vast and intricate. Our primary focus is on Decentralized Identities, particularly the cases associated with the proposed Digital Credentials API for the FedID WG.
Considering the four-layered SSI Technology Stack from ToITP, we are starting from Layer 3: "Credentials" and precisely the Credential-Presentation phase, using the architecture related to Verifiable Credentials, which is an open standard and, therefore, can be analyzed by everybody as a reference architecture.
As the Threat Model is a living document, it can be expanded on the other parts of the architecture and at a different level of detail, e.g., going deep into cryptographic aspects of a specific profile.
In any case, particularly when analyzing broader contexts such as Security, Privacy and Harm, the various mitigations and the scope of the analysis also span the other elements of the stack.
It is intended to be a choral analysis. It stems from the need to understand a Threat Model to guide the development of Decentralized Identities in a secure/privacy-preserving way and avoid harm. It will start from the Digital Credentials API from a high-level perspective.
Terminology
For Identity, we can refer to the definition in ISO/IEC 24760-1:2019 "IT Security and Privacy - A framework for identity management".
Identity is “a set of attributes related to an entity”. Where the entity is something "that has recognizably distinct existence" and that can be "l_ogical or physical_" such as "a person, an organization, a device, a group of such items, a human subscriber to a telecom service, a SIM card, a passport, a network interface card, a software application, a service or a website" and the attributes are “characteristics or properties” such as “an entity type, address information, telephone number, a privilege, a MAC address, a domain name”.
We present credentials to claim that we have a certain identity, whether in the physical or digital world. Just as we do not have a one-size-fits-all definition of identity, we also do not have a one-size-fits-all definition of credential in IT, as it changes according to context.
If we use the credential definition from the W3C Verifiable Credentials Data Model (VCDM), it states: “a set of one or more claims made by an issuer.” Its framing is in the Decentralized Identity Model and we can map the ISO’s attributes to VCDM claims.
Taking the example of a person, these characteristics can be physical appearance, voice, a set of beliefs, habits, and so on. It is important to distinguish identity from the identifier (e.g., a user name).
It is usual to think of Digital Credentials as those related to humans and particularly those issued by a government, also known as "Real-world Identities".
This leads to a broader consideration of the Threat Model as it also brings in Privacy as a right and also Harm components.
Related Work
Methodology
Since security is a separation function between the asset and the threat, the threat can have different impacts, such as on security, privacy, or harm.
There are many approaches to Threat Modeling. The first approach we will use is based on Adam Shostack 4 questions frame:
For the central phases, it is possible to can use (as in Risk Management) prompt lists or checklists of either threats, attacks, or controls, for example:
It is useful to frame the analysis with OSSTMM. OSSTMM controls allow both analyses of what can go wrong (e.g., control not present or problem with a control).
Even if it is control-oriented and seems security-oriented, Privacy is an Operational Controls and can glue the different pieces together.
Channel and Vector
OSSTMM is very precise when used to analyze, so it defines a channel and a vector.
For an accurate analysis, We are considering the COMSEC Data Networks Channel in the specific Internet/Web vector for this issue.
Although different digital credentials may have a different channel/vector (e.g., Wireless), they can still be analyzed similarly.
Analysis
What are we building?
To begin to create a good Threat Model, we can first consider the components of the Decentralized Identity architecture (which in this context is synonymous with Self-Sovereign Identity) as defined in W3C's Verifiable Credentials Data Model and how they interact.
Architecture and Actors
Interactions between actors occur normatively through software or other technological mediums. We will generically call Agents such components. One agent might be embedded in a Wallet (the component that contains the Holder's credentials), and another might be a Browser (which, by definition, is a user agent).
Flows
We can consider three general flows, with four "ceremonies" where the various actors interact.
It is important to note that the flow stops here and can be safely continued in several ways. For example, the Holder receives credentials from an Issuer and uses them to identify themself on a Verifier to buy a physical object or ticket to an event. So the Verifier could become an Issuer to issue a certificate of authenticity for good or issue the ticket directly into the Holder's Wallet.
Credential Issuing (CI)
Credential-Presentation (CP)
Credential-Verification (CV)
Credential-Revocation (CR)
Trust and Trust Boundaries
Trust is a key element in threat modeling. In fact, in OSSTMM, it is an element of privileged access to the asset, which, by trusting, lowers the various operational controls.
At the Process level, trust relationships are:
At the Software level, Trust boundaries are documented in the Data Model in section 8.2:
However, from a threat modeling perspective, the issuer, verifier, and holder are external entities, so we have trust boundaries between the parties. This makes sense, and also why we have the concept of (crypto) verification.
Data Model, Formats, Protocols
To modeling Decentralized Identities and Credentials, it is possible to use as a high-level and meta-model using Verifiable Credentials documentation (the list of technology is partial, feel free to extend):
JSONs are enveloped using JSON Object Signing and Encryption (JOSE), and we can find JWT, JWS, and JWK here. JOSE is cryptographically agile (as it can fit different cryptographic primitives) and can also have Selective Disclosure (SD) with SD-JWT (which uses HMAC). New securing mechanisms are coming up, like SD-BLS (which uses BLS) and ongoing efforts to fit BBS#.
CBORs are enveloped using CBOR Object Signing and Encryption (COSE).
Other formats include mdoc and SPICE.
The mechanism to use VCDM with JOSE/COSE is described in Securing Verifiable Credentials using JOSE and COSE.
Assets
Assuming that the main asset is the credentials and information derived during its life cycle, we can consider the protection of its three Privacy Properties, as they were defined by Ben Laurie, as the basis:
These properties were defined in a very specific case of Decentralized Identities. Those related to people, and even more specifically, those issued by governments, are based on the concept of Privacy, specifically for the protection of the Holder.
While we can, therefore, consider the Minimal and Unlinkable properties as elements of the Holder, the Verifiable property is of interest to all. Verifiable means that the Verifier can confirm who issued the credential, that it has not been tampered with, expired, or revoked, contains the required data, and is possibly associated with the holder.
Therefore, The Threat Model wants to start from this specific use case, that of government-issued credentials for people, considering that it is one of the most complex.
Minimization and Unlinkability are generally interrelated (e.g., the less data I provide, the less they can be related). They must coexist with Verifiability (e.g., if I need to know that the credential has been revoked, I usually need to contact the Issuer, who has a list of revoked credentials, but in this way, it is possible to link the credential).
Minimization Scale
To try to qualify Minimization, we can use a scale defined by the various cryptographic techniques developed for Digital Credentials:
Unlinkability Scale
To try to qualify Unlinkability, we can use the Nymity Slider, which classifies credentials by:
Therefore, it might be possible to consider "moving" the slider toward Unlinkable Anonymity, as per the properties.
What can go wrong?
After reasoning about assets, what we can protect and "who" becomes obvious.
Threat Actors
We have mentioned before that one of the key points is the protection of the Holder. Still, by simplifying and referring to the well-known practice of "trust-no-one", we can easily get the list of actors involved:
Holder, Issuer, Verifier, and their agents/software components (e.g., Browser, Wallet, Web Sites). Which of these can be a Threat Actor? To simplify the question, each actor is potentially a Threat Actor for the others. So, all against all. Indeed, one is often also a Threat Actor to oneself (e.g., Alert fatigue).
In addition, although there are trust relationships between the various actors and their software (valid in the various steps), such software can also be malicious. Specifically, it can track the Holders, the type of credential they have, and how and where they use it through telemetry and statistical collection, and it can push the user to certain attitudes.
One must also consider a possible external threat actor, who could also be an observer or use active techniques, and who wants to track the three main actors or their agents, such as Marketers, Data brokers, Stalkers, Identity thieves, intelligence and law enforcement agencies (laws often constrain them), and OSINT investigators.
A further case is the combination of such actors, such as multiple Verifiers in cahoots or a potential collaboration between Issuer and Verifier to track the Holder.
Evil user stories
Using the information we now have, we can create some generic Evil User Stories:
Finding the Threats
One effective though inefficient approach to threat modeling is to cycle the various lists of threats and attacks, controls, and objectives in a brainstorming session to assess how they may affect architecture components, actors, assets, and the flow in general. Using multiple frameworks may repeat some elements.
Ben's Privacy Properties (Objectives)
Verifiable:
Minimal:
Unlinkable:
LINDDUN (Threats)
Linking:
The Verifier should request the following in order: Range Proof, Predicate Proof, Selective Disclosure, and the credential.
Identifying:
The Verifier should request the following in order: Range Proof, Predicate Proof, Selective Disclosure, and the credential.
Non-Repudiation:
Detecting:
Data Disclosure:
The Verifier should request the following in order: Range Proof, Predicate Proof, Selective Disclosure, and the credential.
Unawareness & Unintervenability:
- The Holder must be informed when their credentials is Phoning Home or possible back-channel connections
The Holder must consent to each use of their credential and must identify the Verifier, the Proof Requested (at the moment of request), and which credentials and information are shared with the Verifier after the selection.
Non-Compliance:
The standards and their implementation must contain mitigations for Harms such as Surveillance, Discrimination, Dehumanization, Loss of Autonomy, and Exclusion.
RFC 6973 (Threats)
Surveillance:
Stored Data Compromise:
Intrusion:
Misattribution:
Correlation:
- refer to LINDDUN's Linking, Identifying, Data Disclosure
Identification:
Secondary Use :
Disclosure:
Exclusion:
RFC 3552 (Attacks)
Passive Attacks:
Active Attacks:
STRIDE (Threats)
Spoofing (Threats to Authentication):
Tampering (Threats to Integrity):
Repudiation (Threats to Non-Repudiation):
Information disclosure (Threat to Confidentiality and Privacy):
Denial of service (Threats to Availability and Continuity):
Description: Exhausting resources needed to provide service
Mitigations:
Elevation of privilege (Threats to Authorization):
OSSTMM (Controls)
Visibility:
Access
Trust:
- Analysis: There should be no trusted access in this specific case. However, the whole thing could be triggered when asking permission for powerful features. Consider avoiding or limiting this over time (balancing Trust with Subjugation).
Authentication:
Indemnification:
Description: is a control through a contract between the asset owner and the interacting party. This contract may be a visible warning as a precursor to legal action if posted rules are not followed, specific, public legislative protection, or with a third-party assurance provider in case of damages like an insurance company.
Analysis: This is the agreement between the interacting parties, such as contracts. In this case, Notifications can describe what happens in a "secure" context (e.g., Payments API); all operations must be specifically authorized with Informed Consent. The holder must be notified if the Verifier asks for Full Disclosure, if the Issued Credentials do not support Selective Disclosure, or if it is phoning home.
Note: this can be used as a nudge (famous in Behavioural Economics) and then can be used to educate the Verifiers, Holders, and Issuers to do the right thing.
Resilience:
Subjugation:
Continuity:
Non-Repudiation:
Confidentiality:
Privacy:
Integrity:
Alarm:
Other Threats and Harms
Considering the specific case of government credentials issued to people, it is useful to think about some use cases:
Another scenario is the use of a credential for authentication:
What should you do about those things that can go wrong?
Countermeasures/Features:
did:web
as mentioned in section 2.5.2 where a GET is generated that retrieves a file, effectively exposing the requesting user agent and allowing the Issuer to make statistics.The text was updated successfully, but these errors were encountered: