Hello everyone. I'm Xinxin Fan, Head of Cryptography at IoTeX. Today I'm going to share about SSI and IoT, basically highlighting some challenges and opportunities here. Here's today's agenda. We will first have a brief look at how identity is handled in traditional Web2-based IoT systems. After reviewing some key concepts in SSI, we will talk more about the challenges and opportunities when you want to deploy SSI for IoT systems. Okay.
Firstly, let's look at how identity is handled in today's Web2-based IoT systems. As we all know, traditional Web2-based IoT systems are largely centralized, right? When we deploy an IoT application today, we either deploy it in a cloud environment or we use an edge computing framework to deploy it on the edge. Either way, those systems are largely centralized, and all the core application and management services are deployed in the cloud or in the edge framework.
Identity management in those systems, like in all other systems, is essentially about managing relationships, not just the identities themselves. In the IoT context, we need to manage the relationships between IoT devices and their owners or users, as well as services and resources. By managing those relationships, we essentially define who can access what in the entire system.
Take AWS as an example. Let's look at how identity management is handled in a typical cloud service provider.
In terms of user management, the cloud service provider allows users to log into their system in different ways. You can use a social-network-based login, which is more of a federated identity approach, or you can use a traditional username and password. AWS enables users to realize access control by attaching policies to a user, a group, or different roles and credentials, et cetera. In this way you define how users can access resources in AWS. In terms of device management, the idea is to create a digital twin, what they call the device shadow, in the cloud service environment.
This device shadow, or digital twin, represents the IoT device in the physical world by accepting the data from the real device.
So basically you bring something from the physical world into the AWS domain.
The digital twin represents the real-world device to interact with other services within the AWS network. We can see clearly that user management and device management are handled differently in the typical cloud service setting. PKI and X.509 certificates have been extensively used to connect a device to a cloud service provider. The idea is that you can download a set of certificates, as well as the corresponding keys, from the cloud service provider, and install those certificates and keys inside the IoT device.
In this way, the cloud service provider can identify which devices are actually connected to the service. So we can see that in Web2-based IoT systems, X.509 certificates have been used to establish the trust between an IoT device and a service provider.
How does SSI address this issue differently? Okay. I think the previous speaker has talked about all the basic concepts for SSI, like decentralized identifiers, verifiable credentials, and maybe DIDComm, right? So I won't repeat those basic concepts here.
Instead: we all know there are three key pillars for building SSI technology, right? We have decentralized identifiers, which are used to identify all the entities which join your network, such as IoT devices, organizations, people, et cetera. So everyone joining the system needs to be identified by a DID.
Secondly, the DID will be recorded in a verifiable data registry.
Verifiable credentials have been extensively used in SSI to establish trust between a credential holder and a verifier. So we have this trust triangle.
Basically, an issuer issues a verifiable credential to the holder. In order to access additional resources or interact with other services, the holder needs to present what they call a verifiable presentation to a verifier. Once the verifier verifies the verifiable presentation, they either grant or reject the service. The communication between the issuer, holder, and verifier can use DIDComm to establish a secure connection between all those entities. The three key pillars, DIDs, VCs, and DIDComm, are defined by the standards organizations, the W3C and the Decentralized Identity Foundation.
So what's the difference between SSI and X.509 certificates when they establish trust? X.509 certificates, as we already saw, are used in centralized cloud service providers to establish the trust between the IoT device and the service, right? SSI, on the other hand, takes a quite different approach. In order to identify a subject like a person, an organization, or an IoT device, we have these three components here, right? First is the identifier, second is a public key, and third is identity attributes.
SSI actually has a very clear distinction between identifier and identity attributes. Your identifier is represented by a DID, which corresponds to a DID document, which describes the entity you are trying to identify and basically gives you more information on how you can interact with that subject. On the other hand, the identity attributes are all encapsulated in verifiable credentials.
The identity subject interacts with other services or other participants by exchanging verifiable credentials to show which credentials they have, and whether they are eligible to access certain services.
The DIDs here, we can see, are anchored in a network such as a blockchain or a decentralized database. X.509 certificates, on the other hand, combine the identifier and the public key.
Also, they can use certificate extensions to capture identity attributes. They basically encapsulate all three components together in a certificate. We do need a centralized certificate authority to issue this certificate, and we also need a certificate chain, a hierarchical architecture starting from the root certificate to intermediate certificates until the end-entity certificate, okay? We do have this certificate chain to establish trust. Unlike the X.509 case, a verifiable credential can essentially be issued by any entity.
X.509 certificates, on the other hand, rely on a centralized certificate authority. So this is a comparison between those two technologies and how they establish trust among different entities in our system. Another very important question is why SSI matters for IoT.
Actually, there are a number of components here, right? DIDs offer a unified representation of identifiers for all the different identity subjects such as people, IoT devices, services, organizations, et cetera.
Recall that in traditional Web2-based IoT applications, we manage user identity and device identity differently. DIDs, on the other hand, provide a unified representation.
So that we can simplify the identity management process and also provide interoperability among different systems. Secondly, verifiable credentials can enable stakeholders to attest different attributes regarding an IoT device. In this case, for example, the device manufacturer can attest a number of attributes regarding the security of a single IoT device: for example, whether secure storage or a secure element exists on the device, which operating system is running, et cetera.
This level of attestation from different stakeholders actually provides fine-grained levels to attest the device security and trustworthiness. Also, when you combine them together, they enable you to build large-scale, decentralized, trusted, and interoperable IoT applications.
Yeah, those are some nice features which SSI can bring to IoT systems with respect to security and privacy. SSI actually has the capability to give control of the device and its associated data back to the device owner.
Also, you can use decentralized selective disclosure to enhance the privacy of the entire system. While SSI provides a nice set of features in terms of security and privacy, deploying SSI technology in practice brings a number of challenges. So I will talk about a number of challenges in the IoT context and also highlight some potential opportunities for moving forward.
Yeah. The first technical challenge is actually the IoT devices themselves.
There is a huge number of IoT devices with different capabilities in terms of processing power, memory footprint, et cetera, right? We have everything from the smaller IoT devices, like a light bulb, to medium-size IoT devices, to more capable IoT devices like single-board computers, IoT gateways, et cetera. All those devices represent different processing capabilities and different utilities. So handling all of those devices and giving them decentralized identifiers turns out to be a challenging task.
To address this, IoTeX actually initiated an effort to build an embedded SDK, which we call Web3 IoT. We follow industry best practice to build it in a few layers, like the cryptography service layer with all the primitives and the root of trust. We follow the ARM PSA Cryptography API to build this layer, which enables developers to access the crypto services in a unified way.
On top of this, we build the identity and credential layer to capture the DIDs and the verifiable credentials. We also build the DIDComm layer to enable different devices, and devices and servers, to communicate through DIDComm messaging.
Yeah. Second challenge: we all realize that IoT systems and IoT devices have a very complex lifecycle.
It starts from the design process, where we need to provision the device and generate its identity. Once you deploy the device in the field, you need to complete the network and application onboarding process. You also need to manage the device: the over-the-air updates, and you may also need to handle ownership transfer during the lifetime of a device, until it is decommissioned from the field.
It's actually a quite complex process. So if we want to apply SSI technology here, we are going to build a decentralized identity and access management system using SSI technology. There is actually a standards working group, P2958, where we have participants from large organizations and startups working on this together to define how SSI can be used to build decentralized IAM as a service.
This will actually establish a foundation for deploying this type of decentralized identity and access management service in the future.
Yeah. The third challenge is more of a challenge from the business side.
Also from the technical side: SSI is the type of technology which really needs cooperation among the stakeholders. An IoT system has many stakeholders, like the manufacturer, network service providers, cloud service providers, vendors, et cetera. For building a certain type of service, you may need multiple stakeholders to join the effort together.
This is definitely a challenge in real business use cases, right? We can look at this challenge from both the enterprise use case side and the community-driven use case side, okay. To convince a large number of stakeholders to join a joint effort
and apply SSI technology, you actually need to have a solid use case which can benefit all the stakeholders.
Also, these types of use cases cannot be built by an individual stakeholder, which means only when everybody works together can you get the group benefits. The ITN is a nice example here, which is created by the MOBI alliance. The idea is that we can get all the stakeholders from the automotive sector together to build this identity registry.
All the stakeholders run a permissioned network to serve as a federated identity registry. In this case, you can build use cases which are useful and available to all the stakeholders. You can build, for example, battery tracking and other types of use cases which are actually needed by all the system stakeholders, like the insurance companies, the car manufacturers, et cetera. So this is a typical case for a particular industry sector.
You can gather everybody together to build something which could not be realized before. For the more community-driven IoT applications, your IoT device needs to interact with a decentralized network which is owned by the community. For example, IoTeX is building such a decentralized network, called W3bstream, right? The idea is that we incentivize community members to build a decentralized network, and on top of that people can build machine-economy decentralized applications. In such a case, SSI is actually a very important technology.
The reason is that the IoT device needs to interact with a node it has never known before, which means we need to form those types of ad hoc relationships on the fly. In such a case, SSI technology can definitely help to establish this type of relationship. Unlike the traditional Web2 case, where you know which cloud provider you are going to interact with, in such community-driven applications you need to establish this ad hoc relationship.
So for all of those use cases, SSI has great value here. Okay. I think that's all I would like to share today. Thanks for your attention.
Well, thank you very much. I think we have just a little bit of time for one question, and that question would be: we just heard a little bit earlier about a company talking about their own practical SSI journey and how it took them years and it's still ongoing. If another company were to start today from scratch, do you think they would have it easier with so many opportunities? What would be your recommendation for them?
Yeah, so I think SSI is a great technology. Basically, it can give control of data or identity back to the user. From this aspect there is a nice set of features, but in terms of development, I think there's a great effort from the Web3 community and from the W3C community to push this technology together. There are already tons of tools you can use, but the main challenge you need to think about is how this can either save cost for your existing solution or bring a new revenue stream.
Also, you need to have a very strong justification for how this technology should be used to address a particular challenge in your own business. Yeah, that's my recommendation.
Okay, great. Well, thanks a lot again.
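The trust triangle and the selective disclosure mentioned in the talk, as an added worked example that is not part of the talk and is not IoTeX's SDK or any of its code. It assumes a constructed "did:example:<hex pubkey>" scheme (not the real did:key method), an in-memory map standing in for the verifiable data registry, Ed25519 from the Go standard library for both issuer and holder keys, and a simplified salted-digest selective disclosure (the idea behind SD-JWT, not the specification). The manufacturer issues a credential about a device's security attributes; the device reveals only one attribute to a verifier and proves control of its DID by signing the verifier's nonce.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Registry stands in for the verifiable data registry (blockchain or decentralized database):
// it resolves a DID to the public key in its DID document. "did:example:" is a constructed placeholder.
var Registry = map[string]ed25519.PublicKey{}

// NewIdentity creates a DID for a subject and anchors its public key; the private key stays local.
func NewIdentity() (string, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	did := "did:example:" + hex.EncodeToString(pub)
	Registry[did] = pub
	return did, priv
}

// Disclosure is one attribute the holder keeps privately. The random salt makes the digest stored
// in the credential unguessable, so claims the holder does not reveal stay hidden from the verifier.
type Disclosure struct{ Salt, Name, Value string }

func (d Disclosure) Digest() string {
	h := sha256.Sum256([]byte(d.Salt + "|" + d.Name + "|" + d.Value))
	return hex.EncodeToString(h[:])
}

// Credential is the issuer-signed object: sorted digests of the attributes, never the values.
type Credential struct {
	Issuer, Subject string
	Digests         []string
	Sig             []byte
}

func (c Credential) signedBytes() []byte { // canonical signing input (DIDs and hex digests have no newlines)
	return []byte(c.Issuer + "\n" + c.Subject + "\n" + strings.Join(c.Digests, "\n"))
}

// Issue: the issuer (a device manufacturer, say) attests attributes about the subject (an IoT device).
func Issue(issuerDID string, issuerKey ed25519.PrivateKey, subjectDID string, claims map[string]string) (Credential, []Disclosure) {
	var discl []Disclosure
	var digests []string
	for name, value := range claims {
		salt := make([]byte, 16)
		if _, err := rand.Read(salt); err != nil {
			panic(err)
		}
		d := Disclosure{hex.EncodeToString(salt), name, value}
		discl = append(discl, d)
		digests = append(digests, d.Digest())
	}
	sort.Strings(digests)
	c := Credential{Issuer: issuerDID, Subject: subjectDID, Digests: digests}
	c.Sig = ed25519.Sign(issuerKey, c.signedBytes())
	return c, discl
}

// Presentation: the credential, only the claims the holder chooses to reveal, and a signature over
// the verifier's nonce with the subject's key, which binds the presenter to the DID in the credential.
type Presentation struct {
	Cred      Credential
	Revealed  []Disclosure
	Nonce     string
	HolderSig []byte
}

func Present(c Credential, all []Disclosure, reveal map[string]bool, holderKey ed25519.PrivateKey, nonce string) Presentation {
	var out []Disclosure
	for _, d := range all {
		if reveal[d.Name] {
			out = append(out, d)
		}
	}
	return Presentation{c, out, nonce, ed25519.Sign(holderKey, []byte(nonce))}
}

// Verify is the verifier's corner of the trust triangle: a trusted issuer whose signature checks
// under the key resolved from the registry, a holder who controls the subject DID for this nonce,
// and revealed claims that each hash to a digest the issuer actually signed.
func Verify(p Presentation, trustedIssuers map[string]bool, expectNonce string) (map[string]string, error) {
	issuerPub, ok := Registry[p.Cred.Issuer]
	if !trustedIssuers[p.Cred.Issuer] || !ok || !ed25519.Verify(issuerPub, p.Cred.signedBytes(), p.Cred.Sig) {
		return nil, fmt.Errorf("issuer %s untrusted or signature invalid", p.Cred.Issuer)
	}
	subjectPub, ok := Registry[p.Cred.Subject]
	if p.Nonce != expectNonce || !ok || !ed25519.Verify(subjectPub, []byte(p.Nonce), p.HolderSig) {
		return nil, fmt.Errorf("holder binding failed")
	}
	claims := map[string]string{}
	for _, d := range p.Revealed {
		i := sort.SearchStrings(p.Cred.Digests, d.Digest())
		if i == len(p.Cred.Digests) || p.Cred.Digests[i] != d.Digest() {
			return nil, fmt.Errorf("claim %q was not attested by the issuer", d.Name)
		}
		claims[d.Name] = d.Value
	}
	return claims, nil
}

func main() {
	mfr, mfrKey := NewIdentity() // manufacturer (issuer)
	dev, devKey := NewIdentity() // IoT device (subject and holder)
	cred, discl := Issue(mfr, mfrKey, dev, map[string]string{"secure_element": "yes", "os": "example-rtos 1.0"}) // constructed sample
	pres := Present(cred, discl, map[string]bool{"secure_element": true}, devKey, "nonce-1")
	fmt.Println(Verify(pres, map[string]bool{mfr: true}, "nonce-1")) // "os" is never learned by the verifier
}
```

The verifier's trust list plays the role the root CA plays in the X.509 chain, but it is a local policy decision per verifier rather than a global hierarchy, which is the difference the talk draws between the two models. The nonce is what makes the presentation non-replayable: a captured presentation cannot be reused against a verifier that issued a fresh challenge.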