Aller au contenu principal

Specifications

Vaultys Protocol is a set of different cryptographic data model handling the lifecycle of Decentralised Digital Identity. Security Model is not about privacy (ie resistant against decryption), but about securing identification (person, servers), making cryptographically hard to steal identity without stealing a cryptographic private a key. In comparison with classical authentication system (User/Password/MFA), the protocol offer a better resistance to the compromission of the communication channel or the guess of passwords based on previous leaked data in a central identification server. Moreover the protocol is designed with extension in mind. Only a subset of the protocol extension is being certified.

In a nutshell, here are the security claims of the protocol:

  • The compromission of the a central identification server does not compromise the identities (only public keys are stored)
  • The P2P ID registration is resistant to passive channel attack
  • The P2P authentication is resistant to passive and active channel attack.

Cryptographic curves used are:

  • Ed25519 for software implementation
  • P256 if using FIDO2 bridge

Resistance means:

  • either fail in case of active channel attack
  • or succeed with the assurance that both legit sides have effectively verified and signed the authentication message

The security of later communications after authentication (like session cookie stealing using replay attack) is outside of the scope of the model.