Towards Digital Credentials
by Stefan Brands
Digital Credentials are the digital equivalent of paper documents and other tangible objects traditionally used for establishing a person's privileges, characteristics, identity, and so on. Since they are just cryptographically protected binary strings, they can be electronically transferred and can be verified with 100 percent accuracy by computers. Digital Credentials preserve the key privacy properties of paper-based documents and plastic tokens, but offer much greater security. They are entirely feasible, as R&D work during the 1990s has shown. Several academic prototypes have been developed recently, and a new Canadian company, Credentica, is now commercializing Digital Credentials.
Often at least one of the parties in a transaction needs to know whether the other party is authorized to perform a certain action. Typically, authorization is granted on the basis of a person's privileges, personal characteristics, reputation, identity, membership to a group, willingness to provide value in exchange, and so on. In all these cases, the verifying party must rely on the inspection of one or more tangible objects issued by trusted third parties. Examples of such 'credentials' are coins and bank notes, stamps, medical prescriptions, cinema tickets, voting ballots, membership cards, access tokens, diplomas, passports, and drivers' licenses.
Physical credentials are increasingly prone to counterfeiting, however, and cannot be transferred by mobile devices, personal computers, and chipcards. Well-known cryptographic techniques, such as digital identity certificates and message authentication codes, are not a solution:
To overcome these fundamental drawbacks, a transition to cryptographically protected digital forms of credentials is inevitable. (See S. Brands: "Rethinking Public Key Infrastructures and Digital Certificates; Building in Privacy," with a foreword by Ronald L. Rivest. August 2000, MIT Press, ISBN 0-262-02491-8, http://www.credentica.com/technology/book.html; and "A Technical Introduction To Digital Credentials," International Journal on Information Security, ed. Moti Yung, to appear in the August 2002 issue, http://www.credentica.com/ technology/overview.pdf.) It is entirely feasible to design Digital Credentials that address the complete spectrum of security, liability, and privacy risks for all parties involved. Digital Credentials preserve the key privacy properties of paper-based documents and plastic tokens, but offer much greater security and functionality:
Digital Credentials are suitable for any communication or transaction system that needs to protect the transfer and storage of information. Examples are access control systems (for VPNs, subscription-based services, Web sites, databases, buildings, and so on); privacy-enhanced national ID cards; public transport tickets; electronic voting; e-health systems; financial securities trading; digital copyright protection; road-toll pricing; and electronic money.
The practicality of Digital Credentials has been well-established. Notably, last year Zeroknowledge Systems in Montreal developed a wireless prototype for RIM's Blackberry as well as a software development toolkit suitable for a wide variety of applications. Also, from 1993 until 1999, CAFE and OPERA, two major European consortiums co-funded by the European ESPRIT Programme, implemented and extensively tested a chipcard-based electronic cash system based on the Digital Credentials technology. (See Rafael Hirschfeld: "OPERA - Open Payments European Research Association", ERCIM News no.30, July 1997, http://www.ercim.eu/publication/Ercim_News/enw30/hirschfeld.html.) Furthermore, several computer science graduates in Europe and America have independently developed academic prototypes.
In January 2002, a new company called Credentica was founded to commercialize Digital Credentials. Incorporated in Quebec, Credentica's mission is to deliver multi-party secure solutions for applications that involve the electronic transfer of sensitive information. Credentica leverages the Digital Credentials technology and its specialized R&D expertise to develop tailored software and services for the providers of Internet, wireless, and chipcard applications.