Cryptographic Secret Recovery: Difference between revisions

From IDESG Wiki

Revision as of 17:58, 1 June 2020

Full Title or Meme

Recovery of identifiers that are bound to secrets, like private keys, is complex if access to the private key is lost.

Context

Any viable Identity Management architecture must address secrets or private key management used in user authentication.

  • In a centralized Identity Management architecture the identifier is created by the IdP, so that IdP can handle recovery entirely within its own organization. Some do it well.
  • In a decentralized Identity Management architecture individuals, organizations, and things create and manage their own cryptographic keys without reliance on a central authority or intermediary other than a pointer to the method used for resolving identifiers into public keys that can be used for authentication purposes.
  • In a distributed Identity Management architecture the identifiers do not come with any built-in resolution through any kind of resolver, so their holders bear full responsibility for recovering from any loss of access to the identifiers.

Note that one existing system that has addressed this problem is the

Problems

  • When a user is in control of creating their own identifiers, they have the power to wield private keys that control DIDs, but they can also lose everything connected to those DIDs if they can’t retain and secure them.
  • By definition, in a decentralized identity system, there is no centralized service to provide an “I forgot my password” button.

That is the starting condition. It is certainly possible to build safeguards and recovery mechanisms into a decentralized identity system.

Solutions

  • Recovery mechanisms can be as simple as creating a backup of a wallet that holds cryptographic keys or writing down a seed number on a piece of paper.
  • Many key recovery techniques that are popular in the cryptocurrency community can also be applied to decentralized identity. Some of the better-known approaches are mnemonic seed phrases or Shamir’s Secret Sharing algorithm.

Decentralized Identifiers Foundation

The DIF Identifiers & Discovery Working Group has announced an open call for contributions and development of new secret recovery schemes and implementations. To kick off work in this area, Microsoft, a member of the DIF I&D WG, will be contributing a scheme called ‘Fuzzy Vault,’ which incorporates many desirable, human-friendly features into a single recovery scheme. Daniel Buchner of Microsoft will be posting soon to detail their contribution of the ‘Fuzzy Vault’ scheme to this DIF I&D WG initiative. The whitepaper for the ‘Fuzzy Vault’ scheme will be published in this DIF repository: https://github.com/decentralized-identity/fuzzy-vault. The code implementation and any specifications required for ‘Fuzzy Vault’ will be developed within the DIF I&D WG.

Another approach DIF participants have worked on is a mnemonic scheme encoded as a 3D experience, called Seed Quest. This scheme uses geo-temporal-spatial inputs, which are more human-friendly than traditional word inputs. The scheme provides 128 bits of entropy for seed recovery with a mnemonic sequence that requires minimal rehearsal: https://github.com/reputage/seedQuest. DIF members have recently discussed ways to combine these schemes to maximize UX and recoverability.

Call for full solutions

These two efforts are just the beginning of DIF’s work in the area of secret retention and recovery. Any interested party is encouraged to contribute their ideas, code, and insights to this vital work. For more information about participating in this new initiative, and the DIF I&D WG in general, view its Meeting Page, read the group’s Charter, and join DIF!
