Hurricanes, floods, earthquakes and terrorist attacks.
If these natural and manmade threats are growing in number and intensity, so is the need to quickly verify the identities and expertise of emergency responders arriving from distant jurisdictions.
The New Jersey firefighter who goes to New Orleans in the aftermath of Hurricane Katrina…the police officer from Champaign, Illinois, who goes to Chicago to assist with crowd control at a political convention…the California EMT who goes to Haiti to help treat earthquake victims.
These responders can present their badges and IDs to local authorities, but this is not enough to truly verify who they are, the agencies they represent or their credentials.
Solving this problem is at the heart of a new identity and access management research project called Mobile Device and Attribute Validation (MDAV), a joint initiative of the homeland security research group CCICADA and its partner, the Kantara Initiative. The project is supported by the Cyber Security Division of the US Department of Homeland Security.
“In MDAV, we will study how first responders working across jurisdictions can convince field personnel of their credentials such as a concealed weapons permit, a hazmat ticket, or a security clearance,” said CCICADA Director Fred Roberts, adding that critical response time is often lost because of the need to independently verify those credentials.
Dennis Egan, CCICADA’s assistant director, said the solution the Center is researching will involve writing special software enabling a first responder’s smart phone to send encrypted information about their credentials to a smart phone used by local authorities managing the response operation.
“What we need is something that’s very user friendly for the user and the reader,” Egan said. “We need a ubiquitous device, so a smart phone is the obvious answer.”
With the help of a “Certificate Authority,” local authorities will have their smart phones pre-loaded with the digital credentials of emergency responders. The information supplied by outside agencies sending emergency responders to the scene will, in effect, be converted into cryptographic “attributes” carried in the responders’ smart phones.
In more technical terms, researchers in the MDAV project will explore how to use modern cryptographic methods to develop pseudonymous (or “only light identified”) certificates holding authoritative attributes that convey the authenticity of the issuer of credentials and of the device used to present them. An authority issues an attribute in the form of a digital certificate, and the certificate is uniquely tied to the smart device via a key, held in the phone’s secure memory element, yet able to be externally authenticated.
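The sketch below is an added illustration of the general pattern this paragraph describes, not MDAV or Stepwise code: an authority signs an attribute together with a device public key, and the verifier checks that signature against its pre-loaded authority key, then has the device sign a fresh nonce so that a copied certificate or a recorded response is rejected. The Ed25519 choice, the certificate layout, the `hazmat-certified` string and all function names are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// AttributeCert is a constructed, simplified certificate: an attribute and a device key, no person.
type AttributeCert struct {
	Attribute string
	DeviceKey ed25519.PublicKey
	IssuerSig []byte
}
const presentCtx = "example-attribute-presentation:" // domain-separation label (assumed)

// NewKey stands in for key generation inside a phone's secure element or an authority's HSM.
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, priv
}
func certBody(attr string, dev ed25519.PublicKey) []byte {
	return append([]byte(attr+"\x00"), dev...)
}

// Issue is run by the authority: it binds one attribute to one device public key.
func Issue(issuer ed25519.PrivateKey, attr string, dev ed25519.PublicKey) AttributeCert {
	return AttributeCert{Attribute: attr, DeviceKey: dev, IssuerSig: ed25519.Sign(issuer, certBody(attr, dev))}
}

// Present is run on the responder's phone: the device key signs the verifier's fresh nonce.
func Present(device ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(device, append([]byte(presentCtx), nonce...))
}

// Verify is run on the local authority's phone against its pre-loaded issuer key.
func Verify(trusted ed25519.PublicKey, c AttributeCert, nonce, proof []byte) bool {
	issued := len(c.DeviceKey) == ed25519.PublicKeySize &&
		ed25519.Verify(trusted, certBody(c.Attribute, c.DeviceKey), c.IssuerSig)
	return issued && ed25519.Verify(c.DeviceKey, append([]byte(presentCtx), nonce...), proof)
}

func main() {
	issuerPub, issuerPriv := NewKey()
	devPub, devPriv := NewKey()
	nonce := make([]byte, 32)
	rand.Read(nonce) // verifier's fresh challenge
	cert := Issue(issuerPriv, "hazmat-certified", devPub)
	fmt.Println("accepted:", Verify(issuerPub, cert, nonce, Present(devPriv, nonce)))
}
```

The certificate itself contains no secret; what cannot be copied is the device private key, which is why the verifier must choose a new nonce for every presentation.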
This technology would also be valuable in any situation where the quick and secure transmission of credentialing and identity information is desired. One such example, Egan said, would be in a healthcare setting where an individual needs to quickly prove they have power of attorney in a life or death situation.
Egan said the first phase of the project, which has been funded by DHS, involves the preparation of a concept paper and technology design. The next phase will involve the participation of a government agency or private entity that wants to use the technology for a specific purpose. In this advanced development phase, the software would be written and field trials conducted.
A key player in the project is Steven Wilson of Lockstep Technologies in Sydney, Australia, whose company has developed a technology called “Stepwise” that is designed to do many of the things envisioned in the Mobile Device and Attribute Validation (MDAV) project headed by CCICADA and Kantara. Lockstep will be the primary developer of the MDAV technology.
“The classic approach to identity theft and identity fraud has been to pile on more identity. We’re in an arms race where users are subject to more and more identification even for basic transactions,” Wilson said.
The problem with this approach is that it actually puts more personal data at risk of being exposed. This is amply documented by the frightening frequency with which hackers gain access to the personal data of millions of individuals whose information is stored on government and business servers.
“What we need to do is get better at proving specific things that matter about people in specific contexts. We need ways of presenting attributes (e.g. personal information) such that the data cannot be stolen and replayed,” Wilson explained.
Lockstep Technologies’ Stepwise innovation has the ability to do that by equipping individuals with electronic “wallets” that verify only the discrete data needed for a particular situation or transaction. The next step is to create a prototype of Lockstep’s technology that can be used to present the attributes of first responders in emergency settings.
Once this technology has been field tested and proven, it could be applied to healthcare, e-commerce, social media and any situation that requires secure cyber communications between two parties in a transaction.
Ultimately, it could solve the now ubiquitous problem of cyber thieves stealing the personal information of hundreds of millions of people around the globe.