JLR, Tozny, and DHS
2016-05-18
Isaac Potoczny-Jones, ijones@tozny.com, http://tozny.com
Design Approach
- Standards: existing open standards wherever possible; best practices where open standards aren't available
- Level of detail: overall approach agreed on for the purpose of the proposal; low-level, detailed design once funding is available
About Straw Man Ideas: Caveats
- Initial ideas to spur discussion and surface requirements
- You've already done a lot of thinking about this, so:
  - We may be duplicating your ideas
  - We might misunderstand your needs
  - We may be suggesting things you've already rejected
Straw Man for User Auth
User Auth and Onboarding Goals
- Flexible for verification approaches: email, SMS, in-person, in-vehicle
- Flexible for authentication approaches: key-based, password-based, etc.
- Support multiple key authorities: decentralized identity management
- Demo system with an easy-to-use, password-free experience: onboarding with SMS and login with keys
User Authentication
- Focus on IdM, not just authentication
- OpenID Connect (OIDC): lean on OIDC to build a standard approach to IdM
  - OIDC is widely deployed and well understood
  - It's flexible enough to support a wide variety of auth
- Specify a set of attributes that are required for use cases:
  - Attesting authority (e.g. JLR, others)
  - User unique identifier (e.g. unique ID)
  - User verified attributes (e.g. phone number)
  - How attributes were verified (e.g. SMS one-time password)
Agenda
Straw Man for Key Exchange
Disconnected Claim & Key Exchange
- Between two phones, between phone and vehicle, etc.
- Protected resource has a public/private key pair
- Use JWTs as claims signed by the protected resource
- Vehicle can create a "claim", signed by its private key
- Authorization is by possession, not by identity: any entity carrying the claim has authz
- A claim can also be used to enroll an identity
Disconnected Claim Exchange Example
1a. Vehicle signs "unlock doors" claim, sends to phone
1b. Owner signs "operate vehicle" claim, sends to phone
2. Friend can now operate vehicle
Disconnected Key Exchange Example
1. Vehicle signs "enroll key" claim
2. Phone sends the claim along with its public key (phone now has an identity)
3. Vehicle signs the key and returns it
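The claim-exchange slides above describe the vehicle signing a bearer claim that a phone later presents offline. The following Go program is an added example, not code from the slides or from Tozny or JLR: it issues a JWT-style claim signed with the vehicle's Ed25519 private key and verifies it with the public key, rejecting tampered or expired claims. The claim fields (iss, act, exp) and the expiry-bounded offline window are assumptions of this example, since the slides do not fix a schema.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claim is a bearer authorization issued by a protected resource such as a vehicle.
// Field names are assumptions for this example; the slides do not fix a schema.
type Claim struct {
	Issuer string `json:"iss"` // the protected resource, e.g. "vehicle-1234"
	Action string `json:"act"` // e.g. "unlock doors"
	Exp    int64  `json:"exp"` // expiry, Unix seconds; bounds how long the claim works offline
}

var enc = base64.RawURLEncoding

// SignClaim produces a compact JWS (header.payload.signature), alg EdDSA, signed by the
// protected resource's private key. Whoever carries the token is authorized: no identity needed.
func SignClaim(priv ed25519.PrivateKey, c Claim) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	pl, _ := json.Marshal(c) // marshalling a plain struct cannot fail
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(pl)
	return input + "." + enc.EncodeToString(ed25519.Sign(priv, []byte(input)))
}

// VerifyClaim accepts a token only if the Ed25519 signature matches the resource's public key
// and the claim has not expired. The algorithm is pinned here, never read from the token header.
func VerifyClaim(pub ed25519.PublicKey, token string, now time.Time) (Claim, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claim{}, errors.New("malformed token")
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return Claim{}, errors.New("bad signature")
	}
	pl, err := enc.DecodeString(parts[1])
	var c Claim
	if err != nil || json.Unmarshal(pl, &c) != nil {
		return Claim{}, errors.New("bad payload")
	}
	if now.Unix() >= c.Exp {
		return Claim{}, errors.New("claim expired")
	}
	return c, nil
}
```

The expiry keeps an offline claim from living forever, which is the same gap the CRL discussion later addresses for keys.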
Straw Man for CRLs
Certificate Revocation List - Problems
- Vehicle is parked for an extended period without a net connection
- De-authorized friend's key:
  - Owner authorizes friend to operate vehicle
  - Owner revokes friend's authorization
  - Friend can still operate the vehicle because its CRL isn't updated
- Compromised root key:
  - Attacker signs their own key to operate the vehicle
  - Key is revoked, but the CRL in the vehicle isn't updated
  - Attacker can still operate the vehicle
Certificate Revocation List - Approach
- CRL is signed by the root cert and the signature is updated daily
- CRLs can include root and per-vehicle / protected-resource keys
- Phone connects periodically and receives the relevant CRLs
- CRL expires after a fixed time window (e.g. 1 week)
- Phone relays the CRL to the vehicle during various authenticated actions
- If the phone has been connected within the window, the CRL is updated
- Example:
  - Owner authorizes friend to operate the (disconnected) vehicle
  - Owner revokes authorization; friend's key is added to the CRL
  - Friend's phone connects and gets the CRL
  - The friend's next authenticated action includes the revocation of its own key!
Thank You!
Isaac Potoczny-Jones, ijones@tozny.com, http://tozny.com