JLR, Tozny, and DHS
2016-05-18
Isaac Potoczny-Jones, ijones@tozny.com
Design Approach
Standards: existing open standards wherever possible; best practices where open standards aren't available
Level of detail: overall approach agreed on for the purpose of the proposal; low-level, detailed design once funding is available
About Straw Man Ideas: Caveats
Initial ideas to spur discussion and surface requirements
You've already done a lot of thinking about this! We may be duplicating your ideas, we might misunderstand your needs, and we may be suggesting things you've already rejected.
Straw Man for User Auth
User Auth and Onboarding Goals
Flexible for verification approaches: SMS, in-person, in-vehicle
Flexible for authentication approaches: key-based, password-based, etc.
Support multiple key authorities; decentralized identity management
Demo system with an easy-to-use, password-free experience: onboarding with SMS and login with keys
User Authentication: Focus on IdM, not just authentication
OpenID Connect (OIDC): lean on OIDC to build a standard approach to IdM. OIDC is widely deployed and well understood, and it is flexible enough to support a wide variety of auth.
Specify a set of attributes that are required for the use cases:
Attesting authority (e.g. JLR, others)
User unique identifier (e.g. unique ID)
User verified attributes (e.g. phone number)
How the attributes were verified (e.g. SMS one-time password)
Agenda
Straw Man for Key Exchange
Disconnected Claim & Key Exchange
Between two phones, between phone and vehicle, etc.
The protected resource has a public/private key pair
Use JWTs as claims signed by the protected resource
The vehicle can create a "claim" signed by its private key
Authorization is by claim, not by identity: any entity carrying the claim has authz
A claim can be used to enroll an identity
Disconnected Claim Exchange Example
1a. Vehicle signs an "unlock doors" claim and sends it to the phone
1b. Owner signs an "operate vehicle" claim and sends it to the phone
2. Friend can now operate the vehicle
Disconnected Key Exchange Example
Vehicle signs an "enroll key" claim
Phone sends the claim along with its public key (the phone now has an identity)
Vehicle signs the key and returns it
Straw Man for CRLs
Certificate Revocation List - Problems
Vehicle is parked for an extended period without a net connection
De-authorized friend's key: owner authorizes friend to operate the vehicle; owner revokes the friend's authorization; friend can still operate the vehicle because its CRL isn't updated
Compromised root key: attacker signs their own key to operate the vehicle; the key is revoked, but the CRL in the vehicle isn't updated; attacker can still operate the vehicle
Certificate Revocation List - Approach
CRL is signed by the root cert and the signature is updated daily
CRLs can include root and per-vehicle / protected-resource keys
Phone connects periodically and receives the relevant CRLs
CRL expires after a fixed time window (e.g. 1 week)
Phone relays the CRL to the vehicle during various authenticated actions; if the phone has been connected within the window, the vehicle's CRL is updated
Example: owner authorizes friend to operate the (disconnected) vehicle; owner revokes the authorization and the friend's key is added to the CRL; friend's phone connects and gets the CRL; the friend's next authenticated action carries the revocation for its own key!
Thank You! Isaac Potoczny-Jones