Interviews

Challenges to digital identities

by Mark Rowe

The term “digital identity” is not clearly defined. In principle, we create a new digital identity every time we register for an online service, and in many applications it is irrelevant whether this corresponds to the real identity of the user. Most internet users have an e-mail address that is not based on their real name, and in forums, on social media sites like Twitter and Instagram or in online dating, pseudonyms are the norm, writes Malte Pollmann of the cybersecurity and compliance product company Utimaco.

Today, however, the Internet is no longer purely a communication and entertainment medium; more and more areas of everyday life take place online, some of them extremely sensitive. Online contracts, banking transactions or sensitive information like medical records all require a secure link between online identity and real identity, and how to establish that link is the key question in this field. For example, if you want to open an account with an online bank today, you usually have the choice of showing your identity card at a branch, uploading a picture of it or speaking to a member of staff via video call. This creates the link between the real and online identities.

The UK government already issues Biometric Residence Permits to immigrants and is moving ahead with a framework that would allow private companies to build digital identity systems. Although they have now been taken off the table, the proposed ‘vaccine passports’ would also have bridged the gap between analogue and digital identities. Analogue identity checks rest on a document that is hard to forge and is issued by a trusted authority, such as a passport or driving licence. How can we create something just as trustworthy and secure in the digital space?

Creating secure digital identities

The transfer of an analogue proof of identity into the digital space is only one of the challenges with electronic identities (eIDs). The other is to protect eIDs against misuse and data leaks. This means there must be a simple way for a verifying party to determine whether an eID presented to it is genuine. Under the new UK digital identity plans, the authority that issues and manages the digital identity plays a major role here: its integrity is guaranteed either by the fact that it is issued by a government institution or, if the issuer is a private company, through certification and audit procedures.

The checking party knows which issuers of the certificates that confirm a digital identity are considered trustworthy and will generally only accept certificates from them; in the UK, issuers will have to follow a trust framework. However, it still remains to be established whether a given certificate is genuine. This requires a process that guarantees a very high level of protection against forgery, is easy to verify and can be automated.

This is where asymmetric cryptography comes into play. The method is based on a private key and a public key that are connected by a mathematical operation which is easy to compute in one direction but hard to reverse, such as multiplying two large prime numbers (reversing it means factoring the product). Deriving the public key from the private key is therefore trivial, but recovering the private key from the public key is computationally infeasible, so the public key can be published to everyone. The issuer signs the certificate with its private key; anyone holding the matching public key can check that signature, and if it verifies, the certificate is considered authentic and unaltered. Note what this does and does not prove: a valid signature shows that the certificate was issued by the holder of the private key and has not been changed since, but it says nothing about whether the person presenting it is its rightful subject. That binding is established by the identity check at issuance, which is why that step matters so much. A current example of asymmetric cryptography used for authentication is vaccination certificates with QR codes. The QR code carries data signed with the issuer’s private key, and the public keys of the trusted issuers can be stored in the verifying app, so the system also works offline.
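As an added worked example (not code from the article or from Utimaco), the following Go program sketches the verification flow just described: an issuer signs a credential with its private key, and a verifier holding nothing but a trust list of issuer public keys checks the signature offline. Ed25519 is used as a stand-in for whichever signature scheme a real certificate uses; the field names, the issuer names (‘health-authority’, ‘unknown-clinic’) and the subjects are assumptions, and rendering the token into an actual QR image is omitted.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential is the payload carried in the QR code. Field names and claim values
// are illustrative assumptions, not any real certificate scheme.
type Credential struct {
	Issuer  string `json:"iss"`
	Subject string `json:"sub"`
	Claim   string `json:"claim"`
}

// Token is what the holder presents: the signed payload and the issuer's signature over it.
type Token struct {
	Payload   []byte
	Signature []byte
}

// TrustList stands in for the trust framework: the verifier only accepts issuers
// whose public keys it obtained out of band and decided to trust.
type TrustList map[string]ed25519.PublicKey

var (
	ErrUnknownIssuer = errors.New("issuer not in trust list")
	ErrBadSignature  = errors.New("signature does not verify under the issuer's key")
)

// Issue signs a credential with the issuer's private key. In a real deployment the
// key would live in an HSM and this would be a signing request to the module.
func Issue(priv ed25519.PrivateKey, c Credential) (Token, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return Token{}, err
	}
	return Token{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify checks a presented token entirely offline: the named issuer must be in the
// trust list and the signature must verify under that issuer's public key.
func Verify(trust TrustList, t Token) (Credential, error) {
	// The payload is parsed only to learn which issuer it claims; nothing in it is
	// trusted until the signature has been checked under that issuer's key.
	var c Credential
	if err := json.Unmarshal(t.Payload, &c); err != nil {
		return Credential{}, err
	}
	pub, ok := trust[c.Issuer]
	if !ok {
		return Credential{}, ErrUnknownIssuer
	}
	if !ed25519.Verify(pub, t.Payload, t.Signature) {
		return Credential{}, ErrBadSignature
	}
	return c, nil
}

func sample(issuer, subject string) Credential {
	return Credential{Issuer: issuer, Subject: subject, Claim: "vaccinated"}
}

// Scenarios runs the cases a verifier must tell apart and returns the verification
// result for each (nil means accepted). Keys and data are all generated here.
func Scenarios() map[string]error {
	authorityPub, authorityPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader) // attacker-controlled key
	trust := TrustList{"health-authority": authorityPub} // assumed issuer name
	results := map[string]error{}

	genuine, _ := Issue(authorityPriv, sample("health-authority", "Alice Example"))
	_, results["genuine"] = Verify(trust, genuine)

	// Holder edits the name inside the signed payload: the signature no longer matches.
	tampered := genuine
	tampered.Payload = bytes.Replace(genuine.Payload, []byte("Alice Example"), []byte("Mallory Fake"), 1)
	_, results["tampered"] = Verify(trust, tampered)

	// Attacker forges a certificate in the authority's name using their own key.
	impersonated, _ := Issue(roguePriv, sample("health-authority", "Mallory Fake"))
	_, results["impersonated"] = Verify(trust, impersonated)

	// Attacker signs correctly, but under a name the trust framework never admitted.
	unknown, _ := Issue(roguePriv, sample("unknown-clinic", "Mallory Fake"))
	_, results["unknown"] = Verify(trust, unknown)
	return results
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-13s -> %v\n", name, err)
	}
}
```

Running it prints the outcome of each scenario. The design point is the order of checks in Verify: read the payload only to find the claimed issuer, look that issuer up in the trust list, verify the signature under that key, and only then treat anything in the payload as true. Swapping the order (for example, acting on the claim before the signature check) is the classic mistake in verifier apps.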

Keeping private keys secret

But there is an Achilles’ heel to this procedure: the private keys must absolutely remain secret. Whether they are private trust service providers or state institutions, anyone who offers identity services based on asymmetric cryptography must ensure that the private keys are optimally protected. Hardware security modules (HSMs) are the ideal choice for generating and securely storing strong private keys. Compared to software solutions, they have the advantage that the key material is generated, stored and used inside tamper-resistant hardware and never appears in plaintext in the host computer’s main memory, so an attacker who compromises the host cannot copy the key. The caveat is that such an attacker can still ask the module to sign for as long as they hold valid credentials for it, which is why access control and audit logging on the HSM remain essential; a key that has been copied, by contrast, can be misused until it is revoked and every verifier has learnt of the revocation. The HSMs from Utimaco also have a true (hardware) random number generator, which is important for generating high-quality keys.

Digital identity documents are likely to become more common, despite the pushback they receive when they are proposed, because they solve one of the key problems of the digital world: being able to tell that somebody is who they say they are. For this reason, they need to be secured to the very highest standards, and the level of security that modern hardware security modules make possible will be key to achieving this.

About the author

Malte Pollmann is CSO at Utimaco. He has been a member of the Utimaco Management Board since 2008 and was CEO from 2011 until 2019. He currently holds the position of CSO (Chief Strategy Officer). Previously, he was Product Director and Business Unit Leader at Lycos Europe NV (a Bertelsmann company). Malte holds a master’s degree in Physics from the Universities of Paderborn and Kaiserslautern in Germany and received a general management education at INSEAD in Fontainebleau, France. He serves on the Supervisory Board of the International School of IT Security – isits AG in Bochum. Visit http://www.utimaco.com.


© 2024 Professional Security Magazine. All rights reserved.
