Meet Eliza & Marvin

We hereby confirm that:

  • pi-lar GmbH is not under liquidation and is not an enterprise in difficulty according to Commission Regulation No 651/2014, art. 2.18
  • The project neuropil is based on original works, and any foreseen future developments are free from third-party rights, or such rights are clearly stated
  • It is not excluded from the possibility of obtaining EU funding under the provisions of national or EU law, or by a decision of a national or EU authority
  • All statements embodied in the Declaration of honour have been understood and accepted.

Cologne, 27.12.2020

We hereby confirm that:

  • pi-lar GmbH and its team members are willing to interact with other participants in eSSIF-Lab to further concretize a common SSI vision.

Cologne, 27.12.2020

Security of the Past: Limitations

  • only protection of bilateral IP connections
  • not protecting different data objects, but APIs
  • unsuited for rapid change of data owners or data channels
  • static design: build once, run forever
  • new requirements vs. security design
  • introduce security exceptions on change

Security of the Future: Zero Trust

  • trust perimeter has changed
  • fragmented information (flows) needs protection
  • authn/authz must be possible everywhere
  • data objects governed by attribute-based access policies (ABAC)
  • define trust levels for data objects / entities
  • fine-grained access to objects possible
  • more insight means minimizing risk

Never trust, always verify
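To make the slide's idea concrete, here is an added example (not neuropil's own code or API) of a minimal ABAC evaluator: each data object carries attributes, a minimum trust level and per-action policy rules, each subject carries verified attributes and a trust level, and every access is decided against the policy with deny as the default. It also shows the "rapid change of data owners" point: transferring an object to a new owner changes access decisions immediately without touching any connection-level configuration. All trust levels, attribute names, identities and sample objects below are constructed for illustration.

```python
"""Minimal attribute-based access control (ABAC) evaluator.

Added example, not neuropil's own code. Trust levels, attribute names,
identities and the sample data object are all constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable

# Ordered trust scale for subjects and objects (constructed values).
TRUST = {"anonymous": 0, "pseudonymous": 1, "verified": 2, "attested": 3}


@dataclass
class Subject:
    identity: str
    attrs: dict   # verified attributes, e.g. {"org": "plant-a", "role": "ops"}
    trust: str    # one of the TRUST keys


@dataclass
class DataObject:
    oid: str
    owner: str
    attrs: dict                   # e.g. {"classification": "telemetry"}
    min_trust: str                # minimum trust level required for any access
    rules: dict = field(default_factory=dict)  # action -> Rule predicate


# A Rule inspects subject and object attributes and returns allow/deny.
Rule = Callable[[Subject, DataObject], bool]


def owner_only(s: Subject, o: DataObject) -> bool:
    """Allow only subjects belonging to the object's current owner."""
    return s.attrs.get("org") == o.owner


def role_in(*roles: str) -> Rule:
    """Allow subjects whose role attribute is one of the given roles."""
    return lambda s, o: s.attrs.get("role") in roles


def any_of(*rules: Rule) -> Rule:
    """Combine rules: allow if any single rule allows."""
    return lambda s, o: any(r(s, o) for r in rules)


def decide(subject: Subject, obj: DataObject, action: str) -> bool:
    """Deny by default: trust level must suffice AND the action's rule must pass."""
    if TRUST[subject.trust] < TRUST[obj.min_trust]:
        return False
    rule = obj.rules.get(action)
    if rule is None:              # no policy defined for this action -> deny
        return False
    return rule(subject, obj)


def build_sample() -> DataObject:
    """Constructed sample: machine telemetry owned by plant-a."""
    return DataObject(
        oid="sensor-17/telemetry",
        owner="plant-a",
        attrs={"classification": "telemetry"},
        min_trust="verified",
        rules={
            "read": any_of(owner_only, role_in("maintenance")),
            "write": owner_only,
        },
    )


def demo() -> dict:
    """Evaluate a few constructed subjects against the sample object."""
    obj = build_sample()
    owner = Subject("plant-a-ops", {"org": "plant-a", "role": "ops"}, "attested")
    contractor = Subject("svc-42", {"org": "contractor", "role": "maintenance"}, "verified")
    anon = Subject("unknown", {"org": "contractor", "role": "maintenance"}, "anonymous")
    results = {
        "owner_write": decide(owner, obj, "write"),               # True
        "contractor_read": decide(contractor, obj, "read"),       # True: role matches
        "contractor_write": decide(contractor, obj, "write"),     # False: not the owner
        "anon_read": decide(anon, obj, "read"),                   # False: trust too low
        "contractor_delete": decide(contractor, obj, "delete"),   # False: no rule
    }
    # The data object changes hands: the previous owner loses write access at once.
    obj.owner = "plant-b"
    results["old_owner_write_after_transfer"] = decide(owner, obj, "write")  # False
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```

The point of the shape is that the policy lives on the data object, not on the connection: the same evaluator serves a device that produces and consumes data for several owners, and an undefined action or an insufficient trust level falls through to deny rather than to an exception.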

Security for Ecosystems: Zero Trust / Access Policies

  • data object interactions are the main driver for future IT architecture
  • devices produce and consume data at the same time
  • respect different data owners per device
  • if one fails, all suffer!
  • business agility: enables companies to adapt & survive
  • switching to a different service provider is easy
  • change policies in days (rather than months)
  • enables data reduction and data economy

Security for Ecosystems: Reliability in four dimensions

  • Legal Dimension
  • Economic Dimension
  • Social Dimension
  • Environment Dimension

neuropil connects everything: devices, edge, applications, users, processes, enterprises

Security First

  • SSI / digital identities (OIDC)
  • dual encryption layer (transport and end-to-end)
  • attribute-based access control
  • decentralized access delegation
  • object-level permissions via security token
  • limit packet size / throughput
  • standardized security measures (OSI Layers 1-7)
  • ... and more

(see also: OWASP API Security)

Privacy First

  • stacked / pseudonymized identities
  • transport layer privacy
  • addressing and discovery is hash based (Blake2b)
  • DHT to protect from metadata discovery
  • "blind" broker nodes
  • stay secure behind closed firewalls
  • packet segmentation
  • ... and more

(see also: OWASP Privacy Risks)

neuropil.org
  • protocol development & standardization
  • technical security stack definition
  • responsible disclosure handling

neuropil.io
  • base service layer
  • organizational security definition / enforcement
  • compliance & reviews

neuropil.com
  • Add-On business services
  • Consulting & Development

Where are we going?

With the help of NGI ESSIF LAB we plan to build:

  • extend our own protocol (with VC attributes)
  • a hardware wallet for IIoT devices and the edge
  • enable multiple identities on one neuropil node
  • two more FFI (JavaScript / Dart) language bindings

+ Support of the NGI eSSIF community

  • FFI bindings for users and enterprises
    • enable the use in JavaScript (NodeJS)
    • enable the use on smart phones (Dart)
    • allow the transfer of user access rights
  • HSM integration for processes and applications
    • integrate / use HSM module(s) to store identities
    • enable transfer of SSI identities to other servers
    • load more than one identity into one process
  • a TPM wallet for IIoT devices and the edge
    • leveraging TPM modules for device identities
    • separate authN / authZ / accounting responsibilities
    • enable several data owners per device
  • extend the protocol with VC attributes
    • verifiable credentials can be added to IIoT devices
    • it is possible to look up other SSI components / participants
    • create interfaces to work as an interledger protocol
  • extension / adoption of the protocol towards the common NGI eSSIF architecture

Easy to use

  • hiding cryptographic complexity
  • installed as an OS library
  • remote token attestation
  • Python / Lua bindings available
  • supporting
    • organizational security (e.g. SIEM)
    • enterprise architecture map (e.g. RAMI 4.0)
  • ... and more

Let's chat!

NGI ESSIF slides

By Stephan Schwichtenberg

trying to explain the new security stack
