passwordless authentication on mobile using bitrupee framework and decentralized protocol

Long Form Research Report

Open Constitution AI network - passwordless security and authentication on mobile using bitrupee framework and decentralized protocol

 

Abstract: 

Passwords are no longer adequate for today's digital services. Users worldwide fall victim to brute-force attacks, injection attacks, phishing, unsafe credential handling and data theft, among others. Passwordless authentication is the secure alternative proposed here to replace this conventional but antiquated mechanism.

The proposal delivers a downloadable, zero-trust, key-based security profile that onboards users and enables privacy-focused data residency of user-owned intellectual property content, such as pixelated data, on local device storage (i.e. mobile devices) for access to a peer-to-peer exchange network. This virtual, privacy-focused digital commons network can be used, for example, to access low-cost bioinformatics intelligence or open learning management.

BitRupee is a secure passwordless authentication protocol based on public-key cryptography, which lets a user prove their identity while preserving anonymity.

This multi-factor authentication layer approves a sign-in only after two or more verification factors, each secured with a cryptographic key pair, have been authorised.

The BitRupee system is decentralised and stores only the user's public key in its database.

The system generates a public/private key pair; the user can access the account only with the private key, which stays with the user.

To sign in, the user signs with the private key and sends the signed information over the API to the server, which checks its validity against the stored public key and grants access accordingly.
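The registration and sign-in flow described above, written out as a worked example. This is added code, not BitRupee's own implementation: it assumes an Ed25519 key pair, a server-issued random nonce as the thing that gets signed, and a single-use nonce table on the server, none of which the report specifies. The server stores public keys only; the private key is used solely in `SignChallenge`, which stands in for the device side. The point it demonstrates beyond the prose is why the nonce must be consumed: a captured signature cannot be replayed to log in a second time.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// AuthServer is the relying party. It keeps only public keys (one per user)
// and the nonce currently outstanding for each user; no password or secret
// is ever stored server-side. (Assumed design, not the report's.)
type AuthServer struct {
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte // user -> unconsumed nonce
}

func NewAuthServer() *AuthServer {
	return &AuthServer{
		pubKeys:    map[string]ed25519.PublicKey{},
		challenges: map[string][]byte{},
	}
}

// Register stores a user's public key. The matching private key is generated
// on the device and is never sent to the server.
func (s *AuthServer) Register(user string, pub ed25519.PublicKey) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	if _, exists := s.pubKeys[user]; exists {
		return errors.New("user already registered")
	}
	s.pubKeys[user] = pub
	return nil
}

// Challenge issues a fresh random nonce that the device must sign.
func (s *AuthServer) Challenge(user string) ([]byte, error) {
	if _, ok := s.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user] = nonce
	return nonce, nil
}

// signingInput binds the nonce to a purpose label and the user id, so a
// signature produced for one login cannot be presented as anything else.
func signingInput(user string, nonce []byte) []byte {
	return []byte("bitrupee-login\x00" + user + "\x00" + hex.EncodeToString(nonce))
}

// SignChallenge runs on the device: it signs the server's nonce with the
// private key. This is the only place the private key is used.
func SignChallenge(priv ed25519.PrivateKey, user string, nonce []byte) []byte {
	return ed25519.Sign(priv, signingInput(user, nonce))
}

// VerifyLogin checks the signature against the stored public key. The nonce
// is consumed on first use, whether or not the signature verifies, so a
// captured (nonce, signature) pair cannot be replayed.
func (s *AuthServer) VerifyLogin(user string, nonce, sig []byte) bool {
	pub, ok := s.pubKeys[user]
	if !ok {
		return false
	}
	expected, pending := s.challenges[user]
	if !pending || !bytes.Equal(expected, nonce) {
		return false
	}
	delete(s.challenges, user)
	return ed25519.Verify(pub, signingInput(user, nonce), sig)
}

func main() {
	// Device side: the key pair is generated locally (constructed demo user).
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	srv := NewAuthServer()
	if err := srv.Register("e-resident-42", pub); err != nil {
		panic(err)
	}
	nonce, _ := srv.Challenge("e-resident-42")
	sig := SignChallenge(priv, "e-resident-42", nonce)
	fmt.Println("first login:", srv.VerifyLogin("e-resident-42", nonce, sig))    // true
	fmt.Println("replayed login:", srv.VerifyLogin("e-resident-42", nonce, sig)) // false
}
```

A real deployment would also bind the signed input to the server's origin or app identifier so a signature obtained by one relying party cannot be presented to another; the purpose label in `signingInput` is the minimal form of that binding.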

 

Zero trust architecture adapts to dynamic modern work paradigms with stringent access controls, continuous monitoring, and data-centric security, providing more robust and more adaptive, proactive defences against insider threats, as well as the breadth of today's advanced cyberattack techniques.

 

The implementation is the opposite of a centralised identity-prover solution; it extends cloud hardware security modules (HSMs) and key management services for identity assurance, e.g. Google Cloud Identity and AWS IAM.

 

Challenges: 

The primary technical challenge is deploying the BitRupee protocol research outcome for identity assurance on users' mobile devices, which are generally more exposed to security attacks than stationary computing devices.

A zero-trust protocol for trustless systems eliminates the need for trust by applying cryptographic design principles in a multimodal network, relying on the transparency, immutability and verifiability of tokenisation between two distant nodes.

Zero Trust protocol is deployed when any node. 

Any node can be node 0, i.e. a node nearer to the receiver node.

Nodes hold trustless tokens or zero trust tokens with a uniquely identifiable value with node 0.

Each node holds a trustless token (zero trust token) with its closest peer node (a neighbouring node, network-linked node or subnet).

A tokenised 'Zero Trust Social Contract' lets Node 1 and Node 2 communicate any information signal (NPPI, non-public personal information).

E.g. a prover-to-verifier, sender-to-receiver or T1-to-T2 information signal without a handshake, i.e. without the two nodes ever meeting or transmitting the information directly. This happens when the transmitter node visits the node closest to the receiver node.

If the protocol is deployed and enabled on a network, the network effect translates to all nodes having a trustless social contract with each other without ever requiring a handshake.
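A worked model of the handshake-free exchange described in this section. This is added code and not the BitRupee token format, which the report does not specify: it assumes that "node 0" is a public-key directory the receiver can consult, that a token is the tuple (sender, addressee, random id, payload) signed with the sender's Ed25519 key, and that intermediate nodes forward tokens as opaque data. The receiver verifies a token using only the directory entry for the sender, so sender and receiver never need to have met; a token altered in transit, replayed, or addressed to another node is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Token is an addressed, signed information signal. Any node may forward it,
// but only the holder of the sender's private key could have produced Sig.
// (Assumed structure, not the report's own format.)
type Token struct {
	From, To string
	ID       [16]byte // random per token; lets the receiver reject replays
	Payload  []byte
	Sig      []byte
}

// Directory is the public-key lookup playing the role the text gives node 0
// (assumed: a map from node name to public key).
type Directory map[string]ed25519.PublicKey

// encode serialises the signed fields with length prefixes so that no two
// different (From, To, ID, Payload) tuples produce the same byte string.
func encode(t Token) []byte {
	var out []byte
	for _, f := range [][]byte{[]byte(t.From), []byte(t.To), t.ID[:], t.Payload} {
		n := uint32(len(f))
		out = append(out, byte(n>>24), byte(n>>16), byte(n>>8), byte(n))
		out = append(out, f...)
	}
	return out
}

// NewToken is the sender's side: address the payload and sign it.
func NewToken(priv ed25519.PrivateKey, from, to string, payload []byte) (Token, error) {
	t := Token{From: from, To: to, Payload: payload}
	if _, err := rand.Read(t.ID[:]); err != nil {
		return Token{}, err
	}
	t.Sig = ed25519.Sign(priv, encode(t))
	return t, nil
}

// Receiver is the destination node. It needs the directory and a record of
// token IDs it has already accepted; it needs no prior contact with the sender.
type Receiver struct {
	Name string
	Dir  Directory
	seen map[[16]byte]bool
}

func NewReceiver(name string, dir Directory) *Receiver {
	return &Receiver{Name: name, Dir: dir, seen: map[[16]byte]bool{}}
}

// Accept verifies a forwarded token: correct addressee, known sender, intact
// signature, and not seen before. The ID is recorded only after the signature
// checks out, so an unsigned copy cannot "burn" the ID of a genuine token.
func (r *Receiver) Accept(t Token) error {
	if t.To != r.Name {
		return errors.New("token not addressed to this node")
	}
	pub, ok := r.Dir[t.From]
	if !ok {
		return errors.New("sender not in directory")
	}
	if !ed25519.Verify(pub, encode(t), t.Sig) {
		return errors.New("signature does not match contents")
	}
	if r.seen[t.ID] {
		return errors.New("token already accepted (replay)")
	}
	r.seen[t.ID] = true
	return nil
}

func main() {
	pub1, priv1, _ := ed25519.GenerateKey(rand.Reader)
	dir := Directory{"node1": pub1}
	node2 := NewReceiver("node2", dir)

	// node1 signs; the token reaches node2 via node0 without node1 and node2 ever talking.
	tok, _ := NewToken(priv1, "node1", "node2", []byte("constructed NPPI sample"))
	forwarded := tok // node0 forwards a copy unchanged
	fmt.Println("accept:", node2.Accept(forwarded)) // <nil>
	fmt.Println("replay:", node2.Accept(forwarded)) // error
}
```

The directory is the trust anchor here: whoever controls the mapping from node name to public key controls who the receiver believes it is hearing from, so in a real network that mapping must itself be integrity-protected (signed or attested), not merely fetched.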

 

Ecosystem for the research pilot: the Open Constitution AI network has an ecosystem in which startups become E-tenant projects and contributors become E-residents, who manage the data residency of their I.P. contributions and deploy artefacts using TRL upgrade proposals through a P2P governance framework accessible on a virtual private cloud.

 

The dissemination of the research and development results will take place through:

  1. a public release of the source code;
  2. a pilot case study that deploys the solution for E-residency and E-tenancy access to the network's cloud infrastructure through service accounts;
  3. a literature review; and
  4. presentation and participation in technical conferences with FOSS themes.

 

About Pilot:

The privacy-focused Open Constitution AI Network is a virtual private network where AI services are deployed using a peer-to-peer framework. Muellners Foundation, a not-for-profit organisation, is its maintainer.

Open Constitution AI network is a digital commons infrastructure. 

 

Market comparisons: this use case is similar to an advanced implementation of a mobile service such as MitID in Denmark, where citizens download a security profile, e.g. on a mobile app (https://www.mitid.dk/en-gb/).

 

Electronic ID authentication is the primary authentication mode for accessing the digital commons infrastructure and is intended for a smartphone and/or tablet.

The E-resident ID is a digital ID designed to help ensure that a member or citizen can safely navigate the internet and access the digital commons infrastructure. It can be used for various purposes: logging into public self-service solutions and the digital commons infrastructure, e.g. to avail of beneficiary services, sign contributions off into a program, receive payouts from a cooperative network, or simply post a text or social media message on any peer-to-peer messenger service.

The electronic signature type that can be achieved when signing with the E-resident ID services is a qualified electronic signature (QES) compliant with the EU's eIDAS Regulation. The E-resident ID complies with the latest international security standards and is modular and flexibly designed. When the device lacks internet access or the mobile app fails on the phone, electronic authentication falls back to a real-time session over the Unstructured Supplementary Service Data ("USSD") protocol.

Literature Review:

 

  1. USSD-based token authentication

 

https://patents.google.com/patent/US20210044975A1/en

 

  2. Comparison with a local solution: MitID, Denmark, which the Foundation uses to sign contracts, access public mailboxes, etc., for its own statutory needs.

 

“We also have recommendations regarding access to information concerning MitID. Initially, we contacted the Danish Agency for Digital Government to gain insights into the technical details of MitID, specifically the cryptographic protocols applied in the solution. Their answer was a refusal to help, and it contained no information on the solution, even though the requested information was publicly available on Broker websites – a fact we realized later on. Also, a new law on MitID has been passed, which will likely prevent further research concerning the security in MitID unless NDAs are involved (Retsinformation, 2021, chapter 14). As a national solution for digital identities, it seems highly problematic that this information is not readily available to be scrutinized by researchers as it encompasses the entire national digital infrastructure. Hence, we recommend revising the legal framework in favor of transparency in the design decisions and allowing legitimate security research to be performed without legal obstacles (Mercuri and Neumann, 2003).”

Cite:

https://pure.au.dk/portal/en/publications/user-centric-security-analysis-of-mitid-the-danish-passwordless-d

https://www.sciencedirect.com/science/article/pii/S0167404823002869?via%3Dihub

 

  3. Overview of pre-notified and notified eID schemes under eIDAS

 

  4. Guidance on Conventions Used in Research and Development: