“We hope that the old paradigm of only hardware-based security is over.”
A need for a secure convenience pushed towards the new developments
This year, Smart-ID celebrated its 5th anniversary. Launched in 2017 and powered by Cybernetica patented SplitKey technology, Smart-ID has rapidly raised a user base of over 3 million users in the Baltics and in Iceland for a secure, tokenless authentication method used widely by banks, e-commerce enterprises, government agencies and others. Each second, 80 transactions are executed. So, the impact on companies, government agencies, as well as regular shoppers and citizens has been huge.
At the time, European Central Bank was introducing regulations regarding stronger customer authentication. Due to that, banks were looking into a solution that could replace existing possession-based authentication factors, like physical one-time code-cards, with something harder to copy, steal and replicate.
Additionally, banks wanted their customers to still have a convenient user experience and incorporate smart phones into the processes. Yet, smart phones were not, and still aren’t, entirely trusted to provide possession-factor elements by manufacturers themselves.
Cybernetica was trusted by our partner SK ID Solutions to look for alternative solutions that would solve the banks’ challenges. We were able to try out an interesting cryptographic technique which studies situations where the control over the cryptographic key has been divided or the cryptographic key itself is shared between multiple parties. This is called the threshold cryptosystem and by itself, it is a well-known idea since the early days of military applications and has been further developed in 90s. Cybernetica applied this to a bit different situation and we were combined the knowledge-based authentication factor (PIN codes only known to the user) and a possession-based authentication factor (user’s smartphone) into a single cryptosystem with novel security properties. And thus, our patented SplitKey technology was born. It was immediately put into good use inside the Smart-ID as the basis of the authentication and electronic signature technology.
Other companies have applied similar technology to secure Bitcoin wallets, however, SK and Cybernetica focused on digital identity.
A new era of digital identity
During that time, trustworthy authentication and electronic signature means still had to use trusted hardware. Either hardware inside a citizen’s ID-card or hardware inside the mobile phone’s SIM-card. These were the only solutions accepted in Europe. SK and Cybernetica planned to change that paradigm. We took the same security requirements and security policies that are applied to the hardware-based solutions and rigorously explained to independent evaluators how the SplitKey-based Smart-ID system is able to fulfil those requirements. The process was called Common Criteria certification and it was first time in Estonia where this kind of evaluation result was attempted and achieved.
The world of digital identity is conservative, slow-moving and new solutions are naturally viewed with scepticism. We hope that other countries have already taken the time to look into both SplitKey technology and Smart-ID. As Europe is engaged with discussions about wallet-based digital identity solutions, we are excited to see the application of SplitKey-like technology for new purposes.
We are once again working with SK and with other companies in the EU to study the requirements and experiment which crypto systems that might be required there. We hope that the old paradigm of only hardware-based security is over.
Accustoming to tech developments lies ahead
A big challenge for Smart-ID and SplitKey will be post-quantum computers. If they will become powerful enough, they might be able to break the existing cryptographic algorithms. Due to that, the world is already looking for new alternatives for encryption and signature algorithms. Just a month ago, the NSA announced the roadmap for the US government agencies to start switching to new algorithms. In order for Smart-ID and SplitKey technology to work in a PQ-world, we will need to update our algorithms, too.
But we cannot just take those selected by NIST – we have to modify and improve them in order to retain those nice threshold cryptosystem properties, which we have at the moment.
Luckily, we have just the right people already working on this – Nikita Snetkov, Jelizaveta Vakarjuk, Jan Villemson and Peeter Laud – experimenting and proposing new ideas. Read their published researches here and here.
Check out SK's in-depth video about Smart-ID!