Attacking Decentralized Identity
Gabe Cohen, TBD / Block
Brent Zundel, Gen
Crypto & Privacy Village, DEFCON 31
August 11, 2023
What is Decentralized Identity, anyway?
The Evolution of Digital Identity

Centralized
Technology: ID/Password; Multi-factor Auth
Characteristics:
● Identity fragmented across many service providers
● Corps have full control of user data
● Centralized data providers at risk for attack

Federated
Technology: SSO; OAuth; OpenID; SAML
Characteristics:
● Rely on a single/set of centralized identity providers
● Identity information fragmented between IdPs
● Centralized data providers at risk for attack

Decentralized
Technology: Secure Personal Storage; SIOP, Web5; Cryptographically driven auth
Characteristics:
● Identity portable across ecosystems
● User controlled data on-device or in user-controlled cloud
● Users are in control of their data
SSI Principles
● Existence – Users must have an independent existence
● Control – Users must control their identities
● Access – Users must have access to their own data
● Transparency – Systems and algorithms must be transparent
● Persistence – Identities must be long lived
● Portability – Information and services about identity must be
transportable
● Interoperability – Identities should be as widely usable as
possible
● Consent – Users must agree to the use of their identity
● Minimalization – Disclosure of claims must be minimized
● Protection – The rights of users must be protected
Why Decentralize?

SSI Standards Landscape
W3C Verifiable Credentials (VCs)
A Verifiable Credential is a W3C standard mechanism for expressing claims about an individual on the Web in a way that is cryptographically secure, privacy respecting, and machine-verifiable.
A VC is independently verifiable: checking the issuer's signature never requires going back to the issuer. Checking whether the credential has since been revoked is a separate step that may depend on status data the issuer publishes, which is one of the centralization points this deck returns to later.
Claims can include, but aren’t limited to, the same
claims in traditional credentials such as health cards,
passports, university degrees, or business licenses.
Actors in Decentralized Identity Systems

Holder
The entity controlling a VC. This entity is usually the subject of the VC, though not always: there are scenarios where an entity has been issued a VC but is not its subject (a parent holding a child's credential, for instance).

Issuer
The issuing entity of a VC. This entity asserts claims about the subject of the VC and issues it to a Holder.

Verifier
The entity to which a VC is presented as proof of a claim or set of claims. This entity might request a VC, and then verify that the VC satisfies its requirements.
W3C Decentralized Identifiers (DIDs)
A Decentralized Identifier is a W3C standard for a type of user- or business-controlled identifier that enables verifiable, decentralized digital identity on the Web.
DIDs are URIs that associate a DID subject with a DID document, allowing trustable interactions with that subject. DID documents contain public keys and other data.
A DID can refer to any subject, including a
person, organization, thing, data model, abstract
entity, etc.
An Ecosystem of Decentralized Interactions

Cool cool. Who's using this stuff?
Decentralized Identity: In the Numbers
● 60+ public & private companies building in the space
● 40+ countries using some form of Decentralized Identity
● 3B+ Verifiable Credentials issued

Decentralized Identity: In the Logos
75%+ of the world will be using decentralized identity tech within the next 5 years
“Decentralized identity is important for confirming user identities
and securely storing them. It offers numerous advantages separate
of the greater identity autonomy it delivers to customers.”1
“…passkeys do not protect our privacy or give us complete control of
our online identities. For that to happen, we need to look at
self-sovereign identity (SSI).”3
“Individuals can own and manage their own tamper-proof credentials
for applications such as personal health, education, and voting
records in an encrypted digital wallet on their personal devices.”2
Attack Surface

Service Providers
Companies like Microsoft, Ping Identity, Okta, MATTR, Trinsic, and more.
Their service offering = your opportunity!

Networks
EBSI, Velocity, Sovrin, Indicio, Cheqd, and others.
Networks are forming to standardize, monetize, and facilitate identity.

User Agents
Your phone, your computer, your applications.
You thought being your own bank was hard; how about being your own IdP?

Individual Entities
You, your mom, your dog, your employer, your trustworthy local politician.
In a world of decentralized trust, each entity is an entry point for exploitation.
That vulnerability is just my type!

Vuln #1: Gimme That Data!
In a world with verifiable data, any data can be
requested by anyone at any time…
○ Why is this data being requested? Is there
other less sensitive data that would
suffice?
○ Is the requester who they claim to be? How
do you know?
○ Is the requester the right entity to
receive and handle this data?
○ What can be done with this data in other
contexts? What’s protecting the data from
unauthorized usage?
Attack #1: Abuse of Trust
Alice goes to the store…
1. Store requests proof that Alice is
over 18
2. Alice scans a QR code with her digital
identity app
3. Alice selects which credential matches
the request
4. Alice has an option to submit
Attack #2: Confused Trust
Alice goes to open a bank account…
1. Alice navigates to a bank’s website
and clicks “sign up”
2. Alice is asked for a few pieces of
information
a. Government issued ID
b. Proof of employment
c. Proof of funds to open the
account
The website appears legitimate, and her
app thinks so too, does Alice send over
the data?
Vuln #2: You thought distributed systems were hard…

In a distributed system, usually…
● You’re aware of all nodes in the system
● Consistency ensures that all nodes in the system
have the same up-to-date view of data
In a decentralized system…
● There is no one method of decentralized
consistency
○ Strongly consistent (BTC)
○ Eventually consistent (IPNS)
● Even with consistency, you may not always know
if you have the latest state
Attack #3: Data (Un)availability
Bob goes to verify a credential
Attack #4: DIDn't I tell you?

did:jwk
(+) Self-resolving key that always has the latest state
(-) No updates
(-) No way to signal compromise

did:web
(+) Domain based method
(+) Supports updates
(-) Relies on TLS certs
(-) Relies on DNS / domain registrars
(-) No historical state resolution

did:ion
(+) Supports any DLT and Content-Addressable Storage
(+) Permissionless + full featured (update, recovery, deactivation)
(-) Complex architecture
(-) Uncertain if you have the latest state / pinning risk
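As an added example (not code from the talk, and not TBD's or Gen's), the did:jwk versus did:web contrast in runnable form: did:jwk resolves entirely offline, which is exactly why it can neither rotate nor revoke a key, while did:web only yields an HTTPS URL whose document must then be fetched and checked, so its security is the security of TLS and DNS for that domain. The sample JWK, domains and DIDs below are constructed; nothing is fetched from the network.

```python
# Added example: minimal offline resolver for did:jwk and URL mapping for did:web.
# SAMPLE_JWK is a constructed 32-byte value, not a real Ed25519 public key.
import base64
import json
from urllib.parse import unquote


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_did_jwk(public_jwk: dict) -> str:
    """A did:jwk is just the base64url-encoded public JWK: no registry, no updates."""
    if "d" in public_jwk:
        raise ValueError("refusing to publish a private key component as an identifier")
    return "did:jwk:" + b64url_encode(json.dumps(public_jwk, separators=(",", ":")).encode())


def resolve_did_jwk(did: str) -> dict:
    """Derive the DID document locally. Because the key *is* the identifier there is
    nothing to fetch and no version to be stale, but also no way to rotate or revoke:
    a compromised key means abandoning the DID."""
    prefix = "did:jwk:"
    if not did.startswith(prefix):
        raise ValueError("not a did:jwk")
    jwk = json.loads(b64url_decode(did[len(prefix):]))
    if "d" in jwk:
        raise ValueError("did:jwk carries a private key; reject it")
    vm_id = did + "#0"
    doc = {
        "@context": ["https://www.w3.org/ns/did/v1",
                     "https://w3id.org/security/suites/jws-2020/v1"],
        "id": did,
        "verificationMethod": [{"id": vm_id, "type": "JsonWebKey2020",
                                "controller": did, "publicKeyJwk": jwk}],
    }
    # did:jwk spec: use="sig" omits keyAgreement, use="enc" has only keyAgreement,
    # no "use" lists the key under every relationship.
    use = jwk.get("use")
    if use != "enc":
        for rel in ("authentication", "assertionMethod",
                    "capabilityInvocation", "capabilityDelegation"):
            doc[rel] = [vm_id]
    if use != "sig":
        doc["keyAgreement"] = [vm_id]
    return doc


def did_web_to_url(did: str) -> str:
    """Map a did:web to the HTTPS URL its document must be fetched from:
    did:web:example.com            -> https://example.com/.well-known/did.json
    did:web:example.com:user:alice -> https://example.com/user/alice/did.json
    A port is percent-encoded in the DID (%3A) and decoded here."""
    prefix = "did:web:"
    if not did.startswith(prefix):
        raise ValueError("not a did:web")
    segments = [unquote(s) for s in did[len(prefix):].split(":")]
    host, path = segments[0], segments[1:]
    if not host or any(not s for s in path):
        raise ValueError("malformed did:web")
    if not path:
        return f"https://{host}/.well-known/did.json"
    return f"https://{host}/" + "/".join(path) + "/did.json"


def check_did_web_document(did: str, doc: dict) -> dict:
    """After fetching over HTTPS with certificate validation, the served document
    must claim the DID that was resolved; otherwise a hijacked or misconfigured host
    could answer for a different DID. did:web gives no history, so the caller also
    has no way to tell a fresh document from a stale one beyond HTTP caching."""
    if doc.get("id") != did:
        raise ValueError(f"document id {doc.get('id')!r} does not match {did!r}")
    return doc


SAMPLE_JWK = {"kty": "OKP", "crv": "Ed25519", "use": "sig",
              "x": b64url_encode(bytes(range(32)))}  # constructed, not a real key

if __name__ == "__main__":
    did = make_did_jwk(SAMPLE_JWK)
    print(json.dumps(resolve_did_jwk(did), indent=2))
    print(did_web_to_url("did:web:example.com%3A3000:user:alice"))
```

The private-key refusal in both directions is deliberate: a did:jwk that embeds `d` is a real mistake a wallet can make, and a resolver that silently accepts it turns an identifier into a key leak.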
Vuln #3: You want to do WHAT with your data?

Attack #5: Heated Seat Subscriptions
[Chart: What You See vs. What They See]

Attack #6: Oops I centralized again
Areas for Centralization
● DIDs
● Data storage / replication
● Verification of credentials
○ Status checks
○ Schema checks
● Wallets/agents
● Permissioned networks
● Payment networks
● SSI Suites (issuance/verification services)
● Everywhere!

Vuln #4,5,6: Oh yeah, those too…
Attack #7: The Semantic Web Strikes Back

Attack #8: (Don't) Roll Your Own Crypto

Attack #9: Is AI going to destroy decentralized trust?

Attack #10: Why are you hitting yourself?

OK, now what?
Mitigation #1: Smart Agents
Digital Bodyguards = Freedom
Centralize When Necessary
● Trust needs to start somewhere
● Trusted issuers/verifiers →
centralized trust registries
○ What are they trusted for?
○ What have their last x
interactions been like?
○ Are there transparent reviews?
● Trusted vendors
○ Agents/wallets
○ Personal data stores
Take Privacy-First Stances
● Are you disclosing as little as
possible?
● What rights do you enforce after you
share?
Mitigation #2: More than a green checkmark
Establish Trust; Minimize Disclosure
● Alice’s smart agent has a built-in Trust
Registry, and can now verify that requests
are legitimate
● Alice’s smart agent is able to advocate for
a privacy-preserving presentation mechanism,
selective disclosure
● ZKPs are coming!
● Make sure to authenticate, always
Is this enough?
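As an added example (not from the talk), the two halves of this mitigation in code, also covering the over-broad request in Vuln #1 and the age check in Attack #1: a wallet that authenticates the requester against a trust registry and refuses requests for claims that requester is not trusted to receive, and SD-JWT-style selective disclosure so the store learns only the issuer-asserted `over_18` predicate and never the birthdate. The claims, DIDs and registry entries are constructed; the issuer's signature over the payload and the holder's key binding are assumed to be verified before `verify()` runs and are not shown.

```python
# Added example: SD-JWT-style selective disclosure with a wallet-side trust gate.
# Constructed data throughout; signature verification is assumed, not implemented.
import base64
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_disclosure(name: str, value) -> str:
    # 128-bit random salt so a verifier cannot brute-force a low-entropy value
    # (a birthdate, say) from the digest alone.
    salt = b64url(secrets.token_bytes(16))
    return b64url(json.dumps([salt, name, value], separators=(",", ":")).encode())


def digest(disclosure: str) -> str:
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())


def issue(claims: dict, always_visible: set) -> tuple[dict, dict]:
    """Issuer side: the signed payload commits to each hidden claim only by digest.
    An issuer-computed predicate (over_18) is its own claim, so a holder can prove
    age without revealing a birthdate even without ZKPs."""
    payload = {k: v for k, v in claims.items() if k in always_visible}
    disclosures = {k: make_disclosure(k, v) for k, v in claims.items()
                   if k not in always_visible}
    payload["_sd"] = sorted(digest(d) for d in disclosures.values())  # sorted: hides order
    payload["_sd_alg"] = "sha-256"
    return payload, disclosures


# Constructed registry: which verifier DID is trusted to ask for which claims.
TRUST_REGISTRY = {
    "did:web:liquor-store.example": {"over_18"},
    "did:web:bank.example": {"given_name", "family_name", "birthdate"},
}


def present(payload: dict, disclosures: dict, verifier_did: str, requested: set):
    """Holder/wallet side: identify the asker against the registry and refuse an
    over-broad request instead of letting the user click 'submit' on anything."""
    allowed = TRUST_REGISTRY.get(verifier_did)
    if allowed is None:
        raise PermissionError(f"{verifier_did} is not in the trust registry")
    excess = requested - allowed
    if excess:
        raise PermissionError(f"{verifier_did} may not request {sorted(excess)}")
    released = [disclosures[n] for n in sorted(requested) if n in disclosures]
    return payload, released


def verify(payload: dict, released: list) -> dict:
    """Verifier side (after the issuer signature has been checked): accept a
    disclosed claim only if the issuer committed to its digest, so anything the
    holder adds, alters or replays fails here."""
    if payload.get("_sd_alg") != "sha-256":
        raise ValueError("unsupported _sd_alg")
    committed = set(payload["_sd"])
    claims = {k: v for k, v in payload.items() if k not in ("_sd", "_sd_alg")}
    seen = set()
    for d in released:
        h = digest(d)
        if h not in committed or h in seen:
            raise ValueError("disclosure not committed to by the issuer, or repeated")
        seen.add(h)
        _salt, name, value = json.loads(b64url_decode(d))
        if name in claims:
            raise ValueError(f"claim {name!r} disclosed twice")
        claims[name] = value
    return claims


CREDENTIAL = {  # constructed sample claims as the issuer asserts them
    "iss": "did:web:dmv.example",
    "given_name": "Alice",
    "family_name": "Example",
    "birthdate": "1990-01-01",
    "over_18": True,
}

if __name__ == "__main__":
    payload, disclosures = issue(CREDENTIAL, always_visible={"iss"})
    shown, released = present(payload, disclosures, "did:web:liquor-store.example", {"over_18"})
    print(verify(shown, released))  # the store sees iss and over_18, nothing else
```

The registry lookup is the "authenticate, always" step in miniature: the wallet must already know which DID is asking (from a signed request) before the policy is meaningful, and the registry decides per claim type, not just per verifier, so a legitimately trusted bank cannot quietly widen its request into a full identity dump.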
Mitigation #3: Start From First Principles
Decentralize where it matters most
● DID Method → If your DID method
isn’t decentralized and feature
rich, you’ve boxed yourself in
● DIDs → Use a mix of
public/long-lived and
private/ephemeral DIDs
● Providers → Make sure your data
isn’t locked to a single provider;
beware of single vendor solutions
Assert your rights
● Is it clear what you’re signing?
● What could go wrong?
● What are you giving up?
● Is there another path?
More Mitigations
● Build flexible, privacy-promoting standards
+ software
● User-defined terms of service/use to
enforce fair data usage
● Decentralized trust scoring mechanisms
(verified Google Reviews/Yelp)
● Use of open source software
● Use of open networks and ecosystems–say no
to walled gardens!
● More interactive protocols that enable user
negotiation & optionality
Embracing Decentralization For Dummies
Audiences: Implementers, Individuals, Organizations

Choose Your Own Adventure
[Chart: axes User Control, Centralization Risk (decreasing) and UX (worsening); regions labelled Nerd Tools, Grandma Tools and Land of Opportunity]

Not Your Keys, Not Your Coins → Not Your DID, Not Your Data

Remember where we're headed
Gabe Cohen : @decentralgabe : gabe@tbd.email
https://tbd.website
Brent Zundel : @brent_zundel : brent.zundel@gendigital.com
https://www.gendigital.com
Standards Links
● VCs w3.org/TR/vc-data-model/
● DIDs w3.org/TR/did-core/
● DID JWK github.com/quartzjer/did-jwk/
● DID Web w3c-ccg.github.io/did-method-web/
● Sidetree
identity.foundation/sidetree/spec/
● Presentation Exchange
identity.foundation/presentation-exchange/
● Trust Establishment
identity.foundation/trust-establishment/
● SD-JWT datatracker.ietf.org/doc/draft-terbu-sd-jwt-vc/02/
● JWP datatracker.ietf.org/wg/jwp/about/
● BBS datatracker.ietf.org/doc/draft-irtf-cfrg-bbs-signatures/
Get Involved
● DIF identity.foundation
● W3C VCWG w3.org/groups/wg/vc/
● W3C DIDWG w3.org/groups/wg/did/
● DIF Discord discord.gg/ZHxa4FQubB
● TBD Discord discord.gg/tbd
● Gen Twitter twitter.com/GenDigitalInc
● TBD Twitter twitter.com/TBD54566975
Slides: tinyurl.com/defcon31attackingdid
Attacking Decentralized Identity
● What is Decentralized Identity anyway?
● That vulnerability is just my type
● Showing some real vulnerability
● Is nothing safe?
● Deployments
● Fin
What is Decentralized Identity Anyway?
● SSI Principles
● Verifiable Credentials
● Decentralized Identifiers
● Why would I even want that?
That vulnerability is just my type
● Private key compromise
● Validity vs verifiability
● Fake News!
● Blockchain problems
● Key management is hard
● Lack of Review
Showing some real vulnerability
● Some examples of attacks in the real world
● Ledger data breach
● How attackers might exploit vulnerabilities in decentralized identity systems
● The potential consequences of successful attacks
● Examples of real-world attacks on DIDs and verifiable credentials
Is nothing safe?
● Cryptographic techniques and key management practices to strengthen
security
● Best practices for designing and implementing decentralized identity systems
● Examples of successful mitigation strategies
Deployments
● Existing open-source software
● Standards bodies, active work, specifications, and participants
Fin
● The importance of addressing vulnerabilities in decentralized identity systems
● The potential impact of successful attacks on individuals and organizations
● The need for continued research and development to improve security and
resilience in decentralized identity systems

VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
 
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCRCall Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
 
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
 
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
 
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
 

Attacking Decentralized Identity.pdf

  • 1. Attacking Decentralized Identity
    Gabe Cohen, TBD / Block
    Brent Zundel, Gen
    Crypto & Privacy Village, DEFCON 31
    August 11, 2023
  • 3. The Evolution of Digital Identity
    Identity Model: Centralized | Federated | Decentralized
    Technology
      Centralized:
        ● ID/Password
        ● Multi-factor Auth
        ● SSO
      Federated:
        ● OAuth
        ● OpenID
        ● SAML
      Decentralized:
        ● Secure Personal Storage
        ● SIOP, Web5
        ● Cryptographically driven auth
    Characteristics
      Centralized:
        ● Identity fragmented across many service providers
        ● Corps have full control of user data
        ● Centralized data providers at risk for attack
      Federated:
        ● Rely on a single/set of centralized identity providers
        ● Identity information fragmented between IdPs
        ● Centralized data providers at risk for attack
      Decentralized:
        ● Identity portable across ecosystems
        ● User controlled data on-device or user-controlled cloud
        ● Users are in control of their data
  • 4. SSI Principles
    ● Existence – Users must have an independent existence
    ● Control – Users must control their identities
    ● Access – Users must have access to their own data
    ● Transparency – Systems and algorithms must be transparent
    ● Persistence – Identities must be long lived
    ● Portability – Information and services about identity must be transportable
    ● Interoperability – Identities should be as widely usable as possible
    ● Consent – Users must agree to the use of their identity
    ● Minimalization – Disclosure of claims must be minimized
    ● Protection – The rights of users must be protected
  • 7. W3C Verifiable Credentials (VCs)
    A Verifiable Credential is a W3C standard mechanism of expressing claims about an individual on the Web in a way that is cryptographically secure, privacy respecting, and machine-verifiable.
    A VC is inherently independently verifiable – which means a verifier will never need to go back to the issuer to conduct or complete verification.
    Claims can include, but aren’t limited to, the same claims in traditional credentials such as health cards, passports, university degrees, or business licenses.
  • 8. Actors in Decentralized Identity Systems
    Holder: The entity controlling a VC. This entity is usually the subject of the VC, though not always. There are scenarios where the entity may have been issued a VC but is not the subject of the VC.
    Issuer: The issuing entity of a VC. This entity asserts claims about the subject of the VC and issues it to a Holder.
    Verifier: The entity to which a VC is presented as proof of a claim or set of claims. This entity might request a VC, and then verify that the VC satisfies their requirements.
  • 9. W3C Decentralized Identifiers (DIDs)
    A Decentralized Identifier is a W3C standard for a type of user- or business-controlled identifier that enables verifiable, decentralized digital identity on the Web. DIDs are URIs that associate a DID subject with a DID document, allowing trustable interactions with that subject. DID documents contain public keys and other data.
    A DID can refer to any subject, including a person, organization, thing, data model, abstract entity, etc.
  • 12. Decentralized Identity: In the Numbers
    60+ Public & private companies building in the space
    40+ Countries using some form of Decentralized Identity
    3B+ Verifiable Credentials Issued
  • 14. 75%+ of the world will be using decentralized identity tech within the next 5 years
  • 15. “Decentralized identity is important for confirming user identities and securely storing them. It offers numerous advantages separate of the greater identity autonomy it delivers to customers.”1
    “…passkeys do not protect our privacy or give us complete control of our online identities. For that to happen, we need to look at self-sovereign identity (SSI).”3
    “Individuals can own and manage their own tamper-proof credentials for applications such as personal health, education, and voting records in an encrypted digital wallet on their personal devices.”2
  • 16. Attack Surface
    Service Providers: Companies like Microsoft, Ping Identity, Okta, MATTR, Trinsic, and more. Their service offering = your opportunity!
    Networks: EBSI, Velocity, Sovrin, Indicio, Cheqd, and others. Networks are forming to standardize, monetize, and facilitate identity.
    User Agents: Your phone, your computer, your applications. You thought being your own bank was hard, how about being your own IdP?
    Individual Entities: You, your mom, your dog, your employer, your trustworthy local politician. In a world of decentralized trust, each entity is an entrypoint for exploit.
  • 18. Vuln #1: Gimme That Data!
    ● In a world with verifiable data, any data can be requested by anyone at any time…
      ○ Why is this data being requested? Is there other less sensitive data that would suffice?
      ○ Is the requester who they claim to be? How do you know?
      ○ Is the requester the right entity to receive and handle this data?
      ○ What can be done with this data in other contexts? What’s protecting the data from unauthorized usage?
  • 19. Attack #1: Abuse of Trust
    Alice goes to the store…
    1. Store requests proof that Alice is over 18
    2. Alice scans a QR code with her digital identity app
    3. Alice selects which credential matches the request
    4. Alice has an option to submit
  • 20. Attack #2: Confused Trust
    Alice goes to open a bank account…
    1. Alice navigates to a bank’s website and clicks “sign up”
    2. Alice is asked for a few pieces of information
      a. Government issued ID
      b. Proof of employment
      c. Proof of funds to open the account
    The website appears legitimate, and her app thinks so too. Does Alice send over the data?
  • 21. Vuln #2: You thought distributed systems were hard…
    In distributed systems, usually…
    ● You’re aware of all nodes in the system
    ● Consistency ensures that all nodes in the system have the same up-to-date view of data
    In a decentralized system…
    ● There is no one method of decentralized consistency
      ○ Strongly consistent (BTC)
      ○ Eventually consistent (IPNS)
    ● Even with consistency, you may not always know if you have the latest state
  • 22. Attack #3: Data (Un)availability
    Bob goes to verify a credential
  • 23. Attack #4: DIDn’t I tell you?
    did:jwk
      (+) Self-resolving key that always has the latest state
      (-) No updates
      (-) No way to signal compromise
    did:web
      (+) Domain based method
      (+) Supports updates
      (-) Relies on TLS certs
      (-) Relies on DNS / domain registrars
      (-) No historical state resolution
    did:ion
      (+) Supports any DLT and Content-Addressable Storage
      (+) Permissionless + full featured (update, recovery, deactivation)
      (-) Complex architecture
      (-) Uncertain if you have the latest state / pinning risk
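As an added example (not from the slides and not the authors' code), a did:jwk resolver following the did:jwk spec linked at the end of the deck: it shows the first trade-off above concretely, since the DID document is derived entirely from the identifier, so there is nothing to update and no way to rotate or revoke the key, and it refuses identifiers that embed private JWK members, a mistake this self-resolving method cannot undo. The sample key is the Ed25519 public JWK from RFC 8037's example; the `use`-dependent handling of `keyAgreement` follows the spec as I read it.

```python
import base64
import json

# JWK members that exist only in private keys (RFC 7517/7518); they must never be in a DID.
PRIVATE_JWK_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}


def did_jwk_from_jwk(jwk: dict) -> str:
    """Encode a public JWK as did:jwk (base64url of the compact JSON, no padding)."""
    leaked = PRIVATE_JWK_MEMBERS.intersection(jwk)
    if leaked:
        raise ValueError(f"refusing to publish private members {sorted(leaked)} in a DID")
    raw = json.dumps(jwk, separators=(",", ":")).encode("utf-8")
    return "did:jwk:" + base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def resolve_did_jwk(did: str) -> dict:
    """Derive the DID document locally: no network, no registry, and therefore no updates."""
    prefix = "did:jwk:"
    if not did.startswith(prefix):
        raise ValueError("not a did:jwk identifier")
    encoded = did[len(prefix):]
    padded = encoded + "=" * (-len(encoded) % 4)
    jwk = json.loads(base64.urlsafe_b64decode(padded))
    leaked = PRIVATE_JWK_MEMBERS.intersection(jwk)
    if leaked:
        # The identifier itself has published the private key: treat the DID as compromised.
        raise ValueError(f"did:jwk embeds private members {sorted(leaked)}")
    vm_id = did + "#0"
    doc = {
        "@context": ["https://www.w3.org/ns/did/v1",
                     "https://w3id.org/security/suites/jws-2020/v1"],
        "id": did,
        "verificationMethod": [{"id": vm_id, "type": "JsonWebKey2020",
                                "controller": did, "publicKeyJwk": jwk}],
    }
    use = jwk.get("use")
    if use != "enc":  # signing relationships unless the key is marked encryption-only
        for rel in ("assertionMethod", "authentication",
                    "capabilityInvocation", "capabilityDelegation"):
            doc[rel] = [vm_id]
    if use != "sig":  # keyAgreement unless the key is marked signing-only
        doc["keyAgreement"] = [vm_id]
    return doc


# Sample key: the Ed25519 public JWK from RFC 8037's example (a published test vector).
SAMPLE_JWK = {"kty": "OKP", "crv": "Ed25519", "use": "sig",
              "x": "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo"}
```

Because resolution is pure computation, a verifier that caches nothing still always has the "latest" document, which is exactly why a compromised did:jwk can only be abandoned, never signalled.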
  • 24. Vuln #3: You want to do WHAT with your data?
  • 25. Attack #5: Heated Seat Subscriptions
    What You See | What They See
  • 26. Attack #6: Oops I centralized again
    Areas for Centralization
    ● DIDs
    ● Data storage / replication
    ● Verification of credentials
      ○ Status checks
      ○ Schema checks
    ● Wallets/agents
    ● Permissioned networks
    ● Payment networks
    ● SSI Suites (issuance/verification services)
    ● Everywhere!
  • 28. Attack #7: The Semantic Web Strikes Back
  • 29. Attack #8: (Don’t) Roll Your Own Crypto
  • 30. Attack #9: Is AI going to destroy decentralized trust?
  • 31. Attack #10: Why are you hitting yourself?
  • 33. Mitigation #1: Smart Agents
    Digital Bodyguards = Freedom
    Centralize When Necessary
    ● Trust needs to start somewhere
    ● Trusted issuers/verifiers → centralized trust registries
      ○ What are they trusted for?
      ○ What have their last x interactions been like?
      ○ Are there transparent reviews?
    ● Trusted vendors
      ○ Agents/wallets
      ○ Personal data stores
    Take Privacy-First Stances
    ● Are you disclosing as little as possible?
    ● What rights do you enforce after you share?
  • 34. Mitigation #2: More than a green checkmark
    Establish Trust; Minimize Disclosure
    ● Alice’s smart agent has a built-in Trust Registry, and can now verify that requests are legitimate
    ● Alice’s smart agent is able to advocate for a privacy-preserving presentation mechanism, selective disclosure
    ● ZKPs are coming!
    ● Make sure to authenticate, always
    Is this enough?
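An added example (not the authors' code, and not a standard trust-registry format) of the holder-side check this slide describes, covering the Attack #1 store scenario and the Attack #2 bank scenario above: Alice's agent looks the requester up in a constructed trust registry, binds the request to the channel it arrived on, and answers the store's over-18 question as a predicate instead of releasing the birth date. The registry schema, the `did:example:` identifiers, the origins and the wallet contents are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class RegistryEntry:
    """What a trust registry records about a verifier (constructed schema, not a standard one)."""
    origins: set       # delivery channels (web origins) this verifier legitimately uses
    may_request: set   # claim names it is trusted to ask for

def _over_18(wallet, today):
    """Answer the age predicate from birthDate without releasing the date itself."""
    born = date.fromisoformat(wallet["birthDate"])
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    return age >= 18

# Predicates the agent can answer instead of the raw claim (Vuln #1: less sensitive data suffices).
DERIVED = {"over18": ("birthDate", _over_18)}

def evaluate_request(verifier_did, origin, requested, registry, wallet, today=None):
    """Mitigation #2 policy: registry lookup, origin binding, then minimal disclosure.
    Returns {"allow": bool, "disclose": {claim: value}, "reasons": [str]}."""
    today = today or date.today()
    entry = registry.get(verifier_did)
    if entry is None:                # Attack #2: a convincing site is still an unknown requester
        return {"allow": False, "disclose": {}, "reasons": ["verifier not in trust registry"]}
    if origin not in entry.origins:  # Attack #2: known DID, but the request came via the wrong channel
        return {"allow": False, "disclose": {},
                "reasons": [f"origin {origin} not registered for {verifier_did}"]}
    disclose, reasons = {}, []
    for claim in sorted(requested):
        if claim not in entry.may_request:
            reasons.append(f"{claim}: outside this verifier's registered scope, withheld")
        elif claim in DERIVED:       # selective disclosure: hand over the predicate only
            source, predicate = DERIVED[claim]
            if source in wallet:
                disclose[claim] = predicate(wallet, today)
        elif claim in wallet:
            disclose[claim] = wallet[claim]
        else:
            reasons.append(f"{claim}: not held in wallet")
    return {"allow": bool(disclose), "disclose": disclose, "reasons": reasons}

# Constructed sample data: Alice's wallet and a registry listing the store and the bank.
WALLET = {"birthDate": "2000-05-04", "name": "Alice", "employer": "Example Co"}
REGISTRY = {
    "did:example:store": RegistryEntry({"https://store.example"}, {"over18"}),
    "did:example:bank": RegistryEntry({"https://bank.example"}, {"name", "employer", "birthDate"}),
}
```

The store asking for the raw birth date gets only the boolean, and a lookalike origin presenting the bank's real DID is refused before any claim is considered, which is the part a green checkmark on its own never tells the user.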
  • 35. Mitigation #3: Start From First Principles
    Decentralize where it matters most
    ● DID Method → If your DID method isn’t decentralized and feature rich, you’ve boxed yourself in
    ● DIDs → Use a mix of public/long-lived and private/ephemeral DIDs
    ● Providers → Make sure your data isn’t locked to a single provider; beware of single vendor solutions
    Assert your rights
    ● Is it clear what you’re signing?
    ● What could go wrong?
    ● What are you giving up?
    ● Is there another path?
  • 36. More Mitigations
    ● Build flexible, privacy-promoting standards + software
    ● User-defined terms of service/use to enforce fair data usage
    ● Decentralized trust scoring mechanisms (verified Google Reviews/Yelp)
    ● Use of open source software
    ● Use of open networks and ecosystems – say no to walled gardens!
    ● More interactive protocols that enable user negotiation & optionality
    (Slide axes: Implementers / Individuals / Organizations)
  • 38. Choose Your Own Adventure
    (Chart axes: User Control; Centralization Risk (decreasing); UX (worsening). Regions: Nerd Tools, Grandma Tools, Land of Opportunity)
  • 39. Not Your Keys, Not Your Coins → Not Your DID, Not Your Data
  • 41. Gabe Cohen : @decentralgabe : gabe@tbd.email : https://tbd.website
    Brent Zundel : @brent_zundel : brent.zundel@gendigital.com : https://www.gendigital.com
    Standards Links
    ● VCs w3.org/TR/vc-data-model/
    ● DIDs w3.org/TR/did-core/
    ● DID JWK github.com/quartzjer/did-jwk/
    ● DID Web w3c-ccg.github.io/did-method-web/
    ● Sidetree identity.foundation/sidetree/spec/
    ● Presentation Exchange identity.foundation/presentation-exchange/
    ● Trust Establishment identity.foundation/trust-establishment/
    ● SD-JWT datatracker.ietf.org/doc/draft-terbu-sd-jwt-vc/02/
    ● JWP datatracker.ietf.org/wg/jwp/about/
    ● BBS datatracker.ietf.org/doc/draft-irtf-cfrg-bbs-signatures/
    Get Involved
    ● DIF identity.foundation
    ● W3C VCWG w3.org/groups/wg/vc/
    ● W3C DIDWG w3.org/groups/wg/did/
    ● DIF Discord discord.gg/ZHxa4FQubB
    ● TBD Discord discord.gg/tbd
    ● Gen Twitter twitter.com/GenDigitalInc
    ● TBD Twitter twitter.com/TBD54566975
    Slides: tinyurl.com/defcon31attackingdid
  • 43.
    ● What is Decentralized Identity anyway?
    ● That vulnerability is just my type
    ● Showing some real vulnerability
    ● Is nothing safe?
    ● Deployments
    ● Fin
  • 44. What is Decentralized Identity Anyway?
    ● SSI Principles
    ● Verifiable Credentials
    ● Decentralized Identifiers
    ● Why would I even want that?
  • 45. That vulnerability is just my type
    ● Private key compromise
    ● Validity vs verifiability
    ● Fake News!
    ● Blockchain problems
    ● Key management is hard
    ● Lack of Review
  • 46. Showing some real vulnerability
    ● Some examples of attacks in the real world
    ● Ledger data breach
    ● How attackers might exploit vulnerabilities in decentralized identity systems
    ● The potential consequences of successful attacks
    ● Examples of real-world attacks on DIDs and verifiable credentials
  • 47. Is nothing safe?
    ● Cryptographic techniques and key management practices to strengthen security
    ● Best practices for designing and implementing decentralized identity systems
    ● Examples of successful mitigation strategies
  • 48. Deployments
    ● Existing open-source software
    ● Standards bodies, active work, specifications, and participants
  • 49. Fin
    ● The importance of addressing vulnerabilities in decentralized identity systems
    ● The potential impact of successful attacks on individuals and organizations
    ● The need for continued research and development to improve security and resilience in decentralized identity systems