Encryption as a Service

Purpose

The Identos Encryption as a Service (EaaS) platform allows an application to issue each user a strong cryptographic credential. Credentials are created using a PKI with the express purpose of binding a user account to a cryptographic key, which is what makes the credential strong. This credential enables:

• Data Security – secure data encryption key delivery
• Access Control – only authorized users can be delivered a key
• Message Integrity – signature can be verified against the registered user certificate
• User Revocation – administrators can disable a user or specific device to prevent key delivery and clear existing keys from the device

Additionally, the SDK performs several device/application integrity checks to prevent unintended disclosure of data, keys, and passphrases.

Environment

EaaS runs on most operating systems/platforms:
• iOS
• Android
• Mac OSX
• Windows 10
• Linux
• Cordova
• Xamarin

EaaS runs with language support for the following:
• C
• Objective-C/Swift
• Java
• .NET C#
• Python

Functions

Initialize

Prepare the SDK for use. This function must be called on every application start to:
• Get application policies from the IDENTOS server
• Verify the device/application environment

Return

Device status:
• Unregistered
• Registered
• Disabled

Device Registration Token

If the device status is Pending Confirmation, this function returns the token that the application server must send to the IDENTOS server to bind this device to a user account.

Authenticate

Allows a user to unlock their cryptographic identity with either a passphrase or Touch ID and start a session.

Sequence

This is the typical flow performed by the app to register a device to a user's account on the application server.

Encrypt Data

This function uses the IDENTOS SDK and server to encrypt the specified data.

Input:
• Data
• Optional key identifier – supplying the identifier of an existing key secures related data under the same data encryption key

Output:
• Encrypted data
• Key identifier

Decrypt Data

Data encrypted by the IDENTOS SDK can be decrypted for use. The encrypted data is packaged with the identifier of the key it requires; that key is fetched automatically once the user's access to it has been verified.

Input:
• Encrypted data

Output:
• Decrypted data
• Key identifier

Grant

This function will add a user to the access control list for a key identifier.

Input:
• Key ID
• List of user IDs

Output:
• Success/Failure
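Encrypt Data, Decrypt Data and Grant together describe an envelope-encryption pattern: the ciphertext carries the key identifier, and the server delivers the data encryption key (DEK) only to users on that key's access control list. The following Go program is an added example that models that pattern end to end. It is not IDENTOS SDK or server code; KeyServer, Encrypt, Decrypt, Grant, Disable, the envelope layout and the sample user names are all assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyServer is a hypothetical stand-in for the IDENTOS server: data encryption
// keys (DEKs) by identifier, each key's ACL of user IDs, and disabled users.
type KeyServer struct {
	keys     map[string][]byte
	acl      map[string]map[string]bool
	disabled map[string]bool
}

func NewKeyServer() *KeyServer {
	return &KeyServer{map[string][]byte{}, map[string]map[string]bool{}, map[string]bool{}}
}

// CreateKey mints a fresh 256-bit DEK under a random identifier; owner is its only ACL entry.
func (s *KeyServer) CreateKey(owner string) (string, error) {
	b := make([]byte, 40)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	keyID := fmt.Sprintf("%x", b[32:])
	s.keys[keyID] = b[:32]
	s.acl[keyID] = map[string]bool{owner: true}
	return keyID, nil
}

// Grant adds userIDs to the ACL of keyID; only a user already on that ACL may grant.
func (s *KeyServer) Grant(caller, keyID string, userIDs []string) error {
	if !s.acl[keyID][caller] {
		return errors.New("grant refused: " + caller + " is not authorised for " + keyID)
	}
	for _, u := range userIDs {
		s.acl[keyID][u] = true
	}
	return nil
}

// Disable is the administrative revocation: the user is delivered no further keys.
func (s *KeyServer) Disable(user string) { s.disabled[user] = true }

// FetchKey is the access-control point: the DEK (returned ready to use as an
// AES-256-GCM AEAD) is delivered only to a non-disabled user on the key's ACL.
func (s *KeyServer) FetchKey(user, keyID string) (cipher.AEAD, error) {
	key, ok := s.keys[keyID]
	if !ok || s.disabled[user] || !s.acl[keyID][user] {
		return nil, errors.New("key delivery refused: " + user + " on " + keyID)
	}
	block, _ := aes.NewCipher(key) // cannot fail: every stored key is 32 bytes
	return cipher.NewGCM(block)
}

// Encrypt seals data under keyID, minting a new DEK when keyID is empty. Envelope:
// 1-byte keyID length | keyID | 12-byte nonce | AES-GCM ciphertext+tag, with keyID as associated data.
func Encrypt(s *KeyServer, user string, data []byte, keyID string) ([]byte, string, error) {
	var err error
	if keyID == "" {
		if keyID, err = s.CreateKey(user); err != nil {
			return nil, "", err
		}
	}
	aead, err := s.FetchKey(user, keyID)
	if err != nil {
		return nil, "", err
	}
	nonce := make([]byte, 12)
	if _, err = rand.Read(nonce); err != nil {
		return nil, "", err
	}
	env := append([]byte{byte(len(keyID))}, keyID...) // minted IDs are 16 chars; caller-supplied IDs must stay under 256 bytes
	env = append(env, nonce...)
	return aead.Seal(env, nonce, data, []byte(keyID)), keyID, nil
}

// Decrypt reads the key identifier from the envelope, has the server deliver the
// DEK (which is where access is verified) and authenticates before decrypting.
func Decrypt(s *KeyServer, user string, env []byte) ([]byte, string, error) {
	if len(env) == 0 || len(env) < 1+int(env[0])+12 {
		return nil, "", errors.New("malformed envelope")
	}
	n := 1 + int(env[0])
	keyID := string(env[1:n])
	aead, err := s.FetchKey(user, keyID)
	if err != nil {
		return nil, keyID, err
	}
	plain, err := aead.Open(nil, env[n:n+12], env[n+12:], []byte(keyID))
	if err != nil {
		return nil, keyID, errors.New("decryption failed: ciphertext or key identifier tampered with")
	}
	return plain, keyID, nil
}
```

Usage: Encrypt(s, "alice", data, "") mints a DEK and returns its identifier; passing that identifier back secures related data under the same key. A Decrypt by "bob" is refused until alice calls s.Grant(keyID, []string{"bob"}) on her own key, is refused again after s.Disable("bob"), and any modified byte of the envelope makes the AEAD open fail. The design point is that the ACL is enforced where the key is delivered, not in the client, so a tampered client gains nothing it was not already granted.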

SIGN/VERIFY

The Sign/Verify function ensures that a signature can be verified against the registered user certificate.

Sign

Sign any data with the key registered to the user.

Input:
• Data

Output:
• Signature

Verify

The signature is packaged with the signer's certificate ID. That certificate is fetched from the IDENTOS server so the signature can be verified against it.

Input:
• Data
• Signature

Output:
• Boolean
• Signer's identity
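The Sign and Verify functions above rely on the signature package carrying the signer's certificate ID, so that the verifier can fetch the registered certificate rather than trusting a key supplied with the message. The following Go program is an added example of that pattern; it is not IDENTOS code. Registry, Register, Revoke, Sign, Verify, the use of a SHA-256 fingerprint of the registered P-256 public key as the "certificate ID", and the wire layout of the package are all assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
)

// Registry is a hypothetical stand-in for the IDENTOS server's store of
// registered user certificates. A "certificate" here is just the registered
// public key; its ID is the SHA-256 fingerprint of the DER-encoded key.
type Registry struct {
	pubs    map[string]*ecdsa.PublicKey
	users   map[string]string // certificate ID -> user ID
	revoked map[string]bool
}

func NewRegistry() *Registry {
	return &Registry{map[string]*ecdsa.PublicKey{}, map[string]string{}, map[string]bool{}}
}

// Register generates a P-256 key pair for user (on a real device it would stay in
// the keystore or secure element), registers the public half and returns the
// private key together with its certificate ID.
func (r *Registry) Register(user string) (*ecdsa.PrivateKey, string, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, "", err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, "", err
	}
	sum := sha256.Sum256(der)
	certID := hex.EncodeToString(sum[:])
	r.pubs[certID] = &priv.PublicKey
	r.users[certID] = user
	return priv, certID, nil
}

// Revoke marks a certificate as disabled; signatures under it no longer verify.
func (r *Registry) Revoke(certID string) { r.revoked[certID] = true }

// Sign hashes data and signs the digest. The package carries the signer's
// certificate ID so the verifier can fetch the right certificate.
// Wire form: 32-byte certificate fingerprint | DER-encoded ECDSA signature.
func Sign(priv *ecdsa.PrivateKey, certID string, data []byte) ([]byte, error) {
	digest := sha256.Sum256(data)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	id, err := hex.DecodeString(certID)
	if err != nil || len(id) != 32 {
		return nil, errors.New("bad certificate ID")
	}
	return append(id, sig...), nil
}

// Verify unpacks the certificate ID, fetches the registered certificate and checks
// the signature against it. It returns whether it verified and the signer's identity.
func Verify(r *Registry, data, pkg []byte) (bool, string, error) {
	if len(pkg) <= 32 {
		return false, "", errors.New("malformed signature package")
	}
	certID := hex.EncodeToString(pkg[:32])
	pub, ok := r.pubs[certID]
	if !ok {
		return false, "", errors.New("signer certificate not registered")
	}
	user := r.users[certID]
	if r.revoked[certID] {
		return false, user, errors.New("signer certificate revoked")
	}
	digest := sha256.Sum256(data)
	return ecdsa.VerifyASN1(pub, digest[:], pkg[32:]), user, nil
}

func main() {
	r := NewRegistry()
	alice, certID, err := r.Register("alice")
	if err != nil {
		panic(err)
	}
	msg := []byte("approve transfer 100")
	pkg, _ := Sign(alice, certID, msg)
	ok, who, _ := Verify(r, msg, pkg)
	fmt.Println("verified:", ok, "signer:", who)
	ok, _, _ = Verify(r, []byte("approve transfer 1000"), pkg)
	fmt.Println("verified after modifying data:", ok)
}
```

The verifier never takes a public key from the package itself, only an identifier it resolves through the registry; a package that names alice's certificate but was signed with another key fails verification, and a revoked certificate fails even when the signature is mathematically valid.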

OPTIONAL DERIVED CREDENTIAL MODULE

A derived elliptic curve key pair can be provisioned in addition to the EaaS identity for use with custom identity protocols (e.g. FIDO). This service uses the hardware secure element (SE) where one is available; more info can be found here:

OPTIONAL FEDERATED IDENTITY (AUTH) MODULE

Allows the registered SDK to provide federated SSO to other services, acting as a login credential for other applications. It allows for a high level of assurance based on 1. possession of the device, 2. biometric authentication (iOS), and 3. knowledge of the passphrase. More info can be found here:

OPERATING INSTRUCTIONS

The EaaS SDK has the following lifecycle:

START 
    -> INITIALIZED     
        -> AUTHENTICATED
        -> DISABLED

START

• Application start
• Waiting for initialization

There are 5 possible outcomes:
• Error - the device did not pass the verification checks
• Unregistered - the user must register before they can use EaaS
• Pending Confirmation - the device has not yet been associated with a user
• Disabled - the device has been remotely disabled by an admin
• Okay - the user can authenticate

Only an AUTHENTICATED user is able to use the cryptographic functionality.

GLOSSARY

EaaS - Identos Encryption as a Service
PKI - Public Key Infrastructure