Mobile Device Attribute Validation (MDAV) is an innovative mobile solution for proving the qualifications and provenance of data for First Responders.
Decentralized Digital Credentials with P2P sharing in environments lacking network connectivity
Secure and Validated
Cryptographically Prove Provenance of Attributes, Devices and Issuers
Easy to Implement
Proven, Mature, Scalable, Standards-based technology stack
Requires no changes at all to a credential issuer's business rules or membership processes
What is MDAV?
Peer-to-Peer Decentralized Sharing of Cryptographically Validated Data Capsules that Minimize Information Disclosure of the Subject (e.g. a First Responder) while providing a Relying Party (e.g. a Field Officer) with Proof of Provenance of the Individual, Device and Attribute Authority. This technology enables you to do things without needing to exchange plastic identification. It reduces the need to carry plastic, reduces fraud, increases security and protects privacy through minimization of information disclosure. Provenance is the key. Through the exchange of Data Capsules you are able to prove that the credential (i.e. attribute) is signed by a trusted Attribute Authority, that the Data Capsule is owned by the Individual (i.e. the subject of the credential), and that it is bound to the device on which it was produced and which is now presenting it.
Key Innovations Include
Re-imagining Traditional PKI
MDAV creates and manages an Issuer Ecosystem of Attribute Authorities (Emergency Responder federal, state and local organizations) to issue and manage validated entitlements (qualifications, certifications, and security clearances) in a loose and effective network with state of the art ease of use.
The Provenance Triangle
The Lockstep logical triangle provides provenance of the individual, device and attribute in the form of cryptographically secure digital certificates represented as CAPSULES.
This innovation logically binds the individual, device and attribute by holding metadata on each element to assure the provenance of the attribute, which is encrypted in the Lockstep CAPSULE and controlled by the user's private key.
Lockstep Technologies' Stepwise creates a strong virtual triangle joining an attribute to an individual via an authentication device under their control. The structure of the triangle can be proven and relied upon without revealing any extraneous personal details. When a transaction is digitally signed using the Lockstep capsule, the capsule explicitly conveys the attribute, but no other personal details of the individual. A trusted process ensures that the Lockstep capsule was issued to a genuine device under the individual's control; the signature proves that a certain user truly created the transaction, without revealing their identity. The triangle is preserved but the individual is masked.
Secure Device Key Management
Reproducing traditional credentials in a mobile phone is a significant technical challenge. The visual indicators used to add integrity to plastic cards inspected by eye need to be replaced by cryptographic provenance. Lockstep uses a simple but innovative reconfiguration of standard PKI certificates to carry attributes instead of identifying information.
MDAV uses Lockstep capsules to encapsulate First Responder credentials in a mobile wallet, attach indelible information about the attribute issuer and the user's device, and present them securely to a reader. MDAV provides simple, fast, secure and private proof of a First Responder's credentials, including which bodies issued the credentials and which mobile device has been used to carry them safely. It will enhance the trustworthiness and reliability of First Responders in low-connectivity environments. Government-grade tamper resistance and integrity are achieved through standard public key cryptography in the secure element of approved classes of phone. Stepwise capsules cannot be cloned or counterfeited.
First Responder Application
First Responders attending emergencies must present their permits, licenses or other credentials relevant to the situation. Across Homeland Security communities, there are thousands of recognized qualifications, usually carried on plastic cards or pieces of paper. It has long been expected that mobile phone technology would solve the problem of carrying and presenting them, but until now, integrity and authenticity - in other words, provenance - have been missing.
First Responders must carry digital versions of their professional qualifications, ideally on a mobile phone, and reliably present them in the field. The field environment is typically demanding, with little or no network connectivity. Yet credentials need to be verified by field officers, quickly and accurately. Provenance is vital, in several respects. Field officers need to know that visitors' credentials are genuine, that each was issued by a recognized organization, and each was safeguarded in an approved mobile device.
The MDAV Unique Proposition
Electronic credentialing systems usually introduce novel security procedures and overhead, with extra registration steps and/or new intermediaries, in the process of converting an organization's credentials from paper or plastic to digital formats. The hidden cost of switching to digital identity management solutions, and the extra Business Process Reengineering efforts often prove fatal to a credentialing project. MDAV uniquely minimizes both business impact and technology risk, involving no changes to a credential issuer's business rules or membership processes. It is easy to implement and, unlike other newer technologies, uses a proven, mature, scalable, and standards-based technology stack.
MDAV is the only credentialing solution that preserves the provenance of an individual's credentials in a mobile phone. MDAV allows users to prove the origins of their credentials and other details, as well as the approval status of their devices, peer-to-peer, with low or zero network connectivity. The essential fact that a First Responder has certain credentials is accurately replicated in MDAV capsules, without any change to existing credentialing processes at issuing organizations.
MDAV in Action
The licensed MDAV mobile app holds a digital wallet of First Responder capsules, each holding a validated attribute or credential, and specifying the issuer of the attributes.
Successful presentation of an MDAV capsule proves that the credential it contains is genuine, originated from a recognized issuing organization, and has been safeguarded in an approved mobile device. Unlike traditional PKI, MDAV places no new demands on First Responder organizations' issuance processes. MDAV attributes cannot be counterfeited or tampered with, nor copied from one device to another; the issuance process prevents capsules from being loaded onto a non-approved device. Capsules are presented directly from one MDAV app to another and cryptographically verified locally, with no network dependencies or communication with centralized servers. Verification is secure, private, fast and accurate.
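The provenance triangle and the offline presentation described above, as an added illustration that is not Lockstep's or MDAV's own code: the capsule layout, the use of Ed25519, JSON as the canonical signed form and the nonce challenge are all assumptions made here. The issuer signs the attribute together with the device's public key, the device signs the capsule plus the relying party's nonce, and the verifier needs only pinned issuer keys, so a tampered attribute, a capsule copied to another device, or a replayed presentation all fail.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
)

// Capsule is an assumed, simplified layout of a Lockstep-style capsule: the
// attribute is bound to the presenting device's public key and the whole
// triangle (attribute, issuer, device) is signed by the Attribute Authority.
type Capsule struct {
	Attribute string
	Issuer    string
	DeviceKey ed25519.PublicKey
	IssuerSig []byte
}

// signedBody is the canonical byte string the issuer signs (signature cleared).
func signedBody(c Capsule) []byte {
	c.IssuerSig = nil
	b, _ := json.Marshal(c)
	return b
}

// Issue binds an attribute to a device key and signs the result with the issuer key.
func Issue(issuerPriv ed25519.PrivateKey, issuer, attr string, dev ed25519.PublicKey) Capsule {
	c := Capsule{Attribute: attr, Issuer: issuer, DeviceKey: dev}
	c.IssuerSig = ed25519.Sign(issuerPriv, signedBody(c))
	return c
}

// Presentation adds a device signature over the capsule plus the relying party's
// fresh nonce, proving the capsule is shown by the very device it was bound to.
type Presentation struct {
	Capsule   Capsule
	DeviceSig []byte
}

func Present(devPriv ed25519.PrivateKey, c Capsule, nonce []byte) Presentation {
	return Presentation{c, ed25519.Sign(devPriv, append(signedBody(c), nonce...))}
}

// Verify runs fully offline: the relying party needs only the pinned issuer keys.
func Verify(trusted map[string]ed25519.PublicKey, p Presentation, nonce []byte) bool {
	issuerKey, ok := trusted[p.Capsule.Issuer]
	if !ok || len(p.Capsule.DeviceKey) != ed25519.PublicKeySize || len(nonce) == 0 {
		return false
	}
	body := signedBody(p.Capsule)
	return ed25519.Verify(issuerKey, body, p.Capsule.IssuerSig) &&
		ed25519.Verify(p.Capsule.DeviceKey, append(body, nonce...), p.DeviceSig)
}
```

In a real deployment the device private key would live in the phone's secure element and never leave it; here it is an in-memory key purely so the exchange can be run end to end.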
Stepwise capsules need not contain any identifying information; MDAV supports strong anonymity or pseudonymity, important in particularly sensitive applications, such as healthcare or national security.
A seamless registration process recognizes the status of the First Responder with each credential issuing organization, and faithfully carries that over to independent capsules in the individual's mobile phone.
MDAV has been designed and built by a team including Australian and US identity technology innovators, Lockstep Technologies and IDI LLC, and funded through a three-phase DHS Science & Technology innovation contract. It is being developed by Lockstep Technologies and IDI under the Kantara Initiative Identity and Privacy Incubator, funded by the US Department of Homeland Security Science & Technology Directorate, to meet the highly demanding needs of authentication during emergencies.
Call for Expression of Interest
The next phase of MDAV development is underway to develop commercial-ready applications for many industries and use cases. MDAV for First Responders is just the first of a wide range of exciting use cases for Lockstep's unique data protection architecture. Suitable use cases include:
- Emergency Responder Authentication
- Local and Edge Data Stores or Wallets
- Card Not Present Internet Payments
- Electronic Travel Documentation
- Digital Driver Licensing
- National ID infrastructure
- Internet of Things
Information in this report is based on research funded by the U.S. Department of Homeland Security Science & Technology Directorate (DHS S&T). Any opinions contained herein are those of the performer and do not necessarily reflect those of DHS S&T.
Contact us for more information: firstname.lastname@example.org