Search form

You are here

Home » Pilots & Software » Demos

Video list

Tuesday 2, October 2018
Privacy-Preserving Attribute Based Access Control (PABAC)

The Identity Consolidator offers “Privacy-Preserving Attribute Based Access Control (PABAC)”, on top of the OpenID Connect specification, with the Credential Management module and taking advantage of the idemix and Uprove Cryptographic credential stacks. PABAC enables SPs that are not aware of our privacy-preserving cryptographic credentials stack to allow end-users to use cryptographic credentials in order to get access to their services and/or resources. To achieve this, we need a cryptographic credential issuing ldp and a verifying ldp. Users can request the issuance of a cryptographic credential for one or more identity attributes from the issuing ldp, which can be the IDC itself that runs the cryptographic credential issuer stack. The verifying IdP acts as an Idemix/U-Prove verifier able to verify cryptographic credentials while the SPs continue to run the vanilla OpenID Connect protocol. In other words, the user requests the issuance of a cryptographic credential of one or more user identity attributes from an issuing IdP (e.g., student and over 21). When the user tries to authenticate to an SP, she triggers a session with a cryptographic credential verifying IdP in order for that Verifying IdP to verify the validity of the cryptographic credential. Subsequently, the verifying IdP assures the SP that the user is a holder of a credential that proves that she is a student and is over 21 years old. After this seamless to the user authentication procedure, the user can have access to the service/resources of the SP, knowing that his anonymity is preserved and no more than the needed identity attributes have been revealed to that SP. Additionally, federated PABAC offers two concepts of anonymity, namely untraceability and unlinkability. This means that that no SP or IdP can track or link any credentials to the user or the other way around. For example, consider the scenario that a user shows a combination of two independent and non-uniquely identifying attributes to an IdP and an SP at time A. If that same user proves the same combination of two cryptographic credentials to another IdP and SP at time B, there is no mechanism that can infer or assure that the user of time A and time B is indeed the same person. This entails untraceability and the users’ credentials cannot be linked. This also means that no IdP or SP can build a complete profile of that user since every issuing and verifying session is different.

Privacy-Preserving Attribute Based Access Control (PABAC) - Κεντρική Εικόνα
Tuesday 2, October 2018
Profile Management Module

The Profile Management Module provides easy browsing and management of the identity attributes that Identity Providers and Service Providers know about a user and informs the user about the risks of involuntary attributes inference. It also allows users to transfer attribute values between different IdPs by extending federated login protocols like OpenID Connect. This module also allows the ReCRED Identity Consolidator to run the federated login protocol OpenID Connect for transferring identity attributes between different IdPs based on the IAL and the AAL of these attributes. In addition, the user is able to review and delete the attributes that a certain Identity Provider knows about him

Profile Management Module - Κεντρική Εικόνα
Tuesday 2, October 2018
Microloan Origination Pilot

Microfinance has a beguiling simplicity and a record of success mostly in promoting financial resilience. The microloan origination pilot is based on an online origination platform that leverages on independently verifiable identity attributes to approve microloan applications. It provides the necessary tools for supporting all the steps of the microloan origination, debt collection and recovery process for financial institutions. In addition, it can be used by financial institutes and banks in order to provide low-interest loans via an entirely online process. The benefits from the deployment of the microloan origination platform will be apparent not only to the service providers (i.e. banks, financial institutes, etc.) but also to its customers. Time and money savings are common for both parties involved in the process. Convenience, easy access, round-the-clock service and speed are some of the advantages that our microloan origination platform provides in comparison with the traditional process followed nowadays by the people visiting the banks. Customers applying for microcredit will use the bVerifier product, which is a tool developed by WEDIA, as a multifactor authentication system that provides increased security for banking environments. Once users establish access to a financial institution’s origination platform through their device, they will upload their financial, and professional credentials which will be certified by reliable authorities (i.e., governmental institutes) or are obtained through trusted identity acquisition. These credentials are loaded to the user device, and can be used to prove the relevant identity attributes to the EXUS Suite running at the microloan company/institute. The financial institution uses an access control policy creation tool, developed by CUT, to specify complex credit approval criteria.

Microloan Origination Pilot - Κεντρική Εικόνα
Tuesday 2, October 2018
Microloan Origination Pilot Access Control Policy Reasoning Tool

The Microloan Origination Pilot proposes an architecture where users will be granted microloans based on their financial state and requirements. For this, the administrators of the Microloan Origination Pilot can access a web-based platform, named “Access Control Policy Reasoning Tool”, in order to manage the access control policies for each resource provided by this Pilot. Using this platform, the administrators can create, view, and delete policies. In addition, the tool is equipped with a specialized Machine Learning policy recommendation system which can recommend to the administrators new policies based on the existing policies and based on the access logs being kept by the system with all the requests of the users. Moreover, the policy recommendation system further facilitates the administrators in managing the policies with the following functionalities.

Microloan Origination Pilot Access Control Policy Reasoning Tool - Κεντρική Εικόνα
Tuesday 2, October 2018
Second device authentication using QR

Another scenario addressed by the ReCRED Wi-Fi and web services access control Pilot permits a trust transfer from the user smart-phone to another device (e.g. laptop), which can be used to access the campus network services. The trust transfer scenario uses QR code scanning along with the ReCRED security stack to authenticate and authorize the second device. In case the user wishes to use an alternate device (e.g., desktop PC) to access the campus Wi-Fi and web services, the service presents a QR code. The user should scan this QR code using the ReCRED application on their mobile device in order to authenticate their alternative device to the service. In this way, the mobile device and the alternate device are associated as belonging to the same user, and the user can use the alternate device to gain access to the Wi-Fi and the web services of the university. The ReCRED Wi-Fi pilot permits the user to authenticate by using biometric solutions such as fingerprint, thus replacing user-name/password credentials.

Second device authentication using QR - Κεντρική Εικόνα
Tuesday 2, October 2018
Student Authentication and Discounts Pilot

The Student Authentication and Discounts Pilot leverages the ReCRED platform to validate the business value of password-less device centric authentication and attribute based access control in a retail discount service model. This Pilot aims to result in increased conversion for retailers offering targeted discounts to their customers, without extra complexity for the customers. The main benefit for students is that they can complete all transactions on their mobile device without invasive requests or extra steps before they can purchase an offer. By using ReCRED to check for specific attributes without disclosing them to the service provider, students can prove their field of study, the university that they study and much more. Students can receive any simple or complex student discount offer. Service providers can increase the likelihood that a customer will purchase an offer by creating more complex targeted offers without increasing the complexity of the transaction. Additionally, service providers will benefit from substitution of physical loyalty cards for mobile apps and thereby obtaining rich purchasing and conversion data for the improvement of their discount offers. They will also see a decrease in the training requirements for staff as well as fraudulent use of discount codes.

Student Authentication and Discounts Pilot - Κεντρική Εικόνα

Pages