🍺 Developers

Vaultys Protocol is a set of cryptographic data models that handle the lifecycle of a Decentralised Digital Identity. The security model is not about privacy (i.e. resistance against decryption) but about securing identification (of persons and servers), making it cryptographically hard to steal an identity without stealing a cryptographic private key. Compared with classical authentication systems (user/password/MFA), the protocol offers better resistance to compromise of the communication channel and to password guessing based on data previously leaked from a central identification server. Moreover, the protocol is designed with extension in mind. Only a subset of the protocol extensions is being certified.

In a nutshell, here are the security claims of the protocol:

  • The compromise of a central identification server does not compromise the identities (only public keys are stored)
  • The P2P ID registration is resistant to passive channel attacks
  • The P2P authentication is resistant to passive and active channel attacks.

Cryptographic curves used are:

  • Ed25519 for software implementation
  • P256 if using FIDO2 bridge

Resistance means:

  • either the exchange fails in case of an active channel attack
  • or it succeeds with the assurance that both legitimate sides have effectively verified and signed the authentication message

The security of later communications after authentication (such as session cookie theft using a replay attack) is outside the scope of the model.

Definitions

  • Users' Smartphones: Each user has a smartphone where they have the Smartlink app installed. This app generates and manages the user's Decentralized ID (VaultysID).
  • VaultysID Generation: The VaultysID is created securely on the user's smartphone using cryptographic algorithms. This ID serves as a decentralized identifier for the user.
  • Authentication Protocol: When a user wants to connect to the Smartlink service, the app initiates an authentication request. The Smartlink server sends an authentication challenge to the app, which includes a unique authentication message.
  • User Authentication: The Smartlink app securely signs the authentication message using the user's VaultysID and sends it back to the Smartlink server.
  • App Verification: The user's app verifies the authenticity of the Smartlink server's message using the server's public key.
  • Authenticated Connection: Once both sides have successfully verified each other's identities, an authenticated connection is established between the user's app and the Smartlink server.
  • Decentralized Security: The decentralized nature of the VaultysID system ensures that user identities are securely managed on their smartphones without relying on a central authority. This enhances security and privacy for both users and the Smartlink service.
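
The mutual signing and verification described in these definitions, and the claim that authentication fails under an active channel attack, are illustrated by the following added example. It is not Vaultys or Smartlink code and does not reproduce the protocol's real message format: the transcript layout, the `channel` callback and all function names are assumptions made for illustration, using the Ed25519 support built into Node.js.

```javascript
// Added illustration: a simplified mutual challenge-response, not the Vaultys wire format.
const { generateKeyPairSync, sign, verify, randomBytes } = require('node:crypto');

// Hypothetical helper: an identity is an Ed25519 key pair; only the public half is shared.
function newIdentity() {
  const { publicKey, privateKey } = generateKeyPairSync('ed25519');
  const pub = publicKey.export({ type: 'spki', format: 'der' }).toString('base64');
  return { pub, publicKey, privateKey };
}

// Constructed message layout: binds both nonces and both public keys into one byte string.
function transcript(serverNonce, appNonce, serverPub, appPub) {
  return Buffer.from(JSON.stringify({ v: 1, serverNonce, appNonce, serverPub, appPub }));
}

// Ed25519 takes no separate digest, hence the null algorithm argument.
const signMessage = (identity, msg) => sign(null, msg, identity.privateKey);
const verifyMessage = (peerPublicKey, msg, sig) => verify(null, msg, peerPublicKey, sig);

// One handshake. `channel` models the network; an active attacker is a channel that
// rewrites a field in transit. Public keys are known beforehand (registration).
function authenticate(app, server, channel = (field, value) => value) {
  const serverNonce = randomBytes(16).toString('hex');
  const appNonce = randomBytes(16).toString('hex');
  // Each side builds the message from what it actually received.
  const appView = transcript(channel('serverNonce', serverNonce), appNonce, server.pub, app.pub);
  const serverView = transcript(serverNonce, channel('appNonce', appNonce), server.pub, app.pub);
  const appSig = signMessage(app, appView);
  const serverSig = signMessage(server, serverView);
  // Each side checks the peer's signature over its own view of the message.
  return {
    serverAcceptsApp: verifyMessage(app.publicKey, serverView, appSig),
    appAcceptsServer: verifyMessage(server.publicKey, appView, serverSig),
  };
}

const alice = newIdentity();
const smartlink = newIdentity();
console.log('honest channel  :', authenticate(alice, smartlink));
console.log('rewritten nonce :', authenticate(alice, smartlink,
  (field, value) => (field === 'appNonce' ? '00'.repeat(16) : value)));
```

Because each signature covers both nonces and both public keys, a signature captured from one session does not verify against the message of another, and a party that claims a registered public key without holding the matching private key is rejected.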