Most security technologies (unfortunately) focus more on encryption and on ways to generate complex keys to cipher the communication between two parties than on solving the problem of identification and authentication, which is central to any interaction. What good is strong encryption when one doesn't even know with whom one is exchanging protected, sensitive and confidential data / resources?
Current security technologies are based on one-way authentication protocols and deal with absolute identity models, e.g. biometrics, login-password and digital certificates. Here, the identity is transmitted over the (public and insecure) internet channel before / during the authentication process, which makes it vulnerable to all kinds of attacks.
Authentication necessarily has to be mutual, and it MUST precede encryption. A mutually authenticated, secure connection between two end-points has to be established before initiating any data transfer between them. Hence, we present a new identity framework, RELATIVE IDENTITY, which uses the ‘relationship' between two entities to address and eliminate most of the fundamental problems of current identity technologies.
In a globally connected, flat-earth world the internet dominates human enterprise: recording and disseminating information, executing financial transactions and providing news and entertainment. TRUTHs are established democratically, where the mass decides the direction, much as in the stock market (the herd effect). In a Google search the authenticity of a claim is not based on the inherent truth in it, nor on who agrees with it, but on how many agree that it is the truth. One such example is the secure communication model used for web-based transactions using credentials supplied by Certificate Authorities, as implemented by SSL. In our view, the Certification Authority (CA) based trust model has proved to be fundamentally flawed for the Internet. Though the underlying public key cryptography is still valid and sound for channel security, the CA based trust model is inadequate for secure communication. We present a new Relative Trust model and an implementation based on it (the REL-ID protocol) as an alternative to SSL for establishing end-to-end protection of web-based transactions: not just channel security but also identity vetting of the end-point entities.
- Why should one identify the website before providing any data to it, even if SSL is in use?
Answer – Because if one doesn't, one could provide one's private data (over SSL) to a fraudster.
- Can one identify a website without having a-priori knowledge about its identity?
Answer – No. One can't identify anything (websites or other communicating parties) without a-priori information.
- Why should a website accept data from customers only after confirming the ownership of the data being submitted by the customer?
Answer – Because the real customer might be put at risk if it accepts data from a fraudster.
Axioms for an Identity and Authentication Framework
Axiom 1: Authentication (the act of confirming the identity of an entity) requires a-priori information (i.e. information shared beforehand) about the identity (ID) of the entity to be authenticated – for example, fingerprint, password, etc.
Axiom 2: The identity information should be kept secret and difficult to spoof.
Axiom 3: Depending on the context, authentication MUST be unidirectional or bi-directional (it should be mutual if the identities of both parties involved are critical for the transaction).
- Is distributed among the relationships of this entity with other entities. Each such valid relationship:
  - Constitutes a unit “Relative Identity”, an important and inseparable constituent of the identities of each of the entities sharing the valid relationship
  - Contributes to the definition of the relative identity of each entity
  - Exists only in the context of two (or more) entities who share a relationship
- Is the union/collection of all such “Relative Identities”
- Is dynamic, since new relationships may be established, while old relationships may be discarded, over time
- Is associated with a set of labels/attributes/characteristics, immutable and mutable:
  - immutable: such as biometrics, which cannot be changed at will
  - mutable: such as an SSN, which is awarded for a lifetime, or login passwords and bank account numbers, which are changed quite often

- All IDs are generated privately between two separate entities
- All IDs are mutual – that is, IDs are always associated with both the end-points simultaneously – ID is generated for the PAIR (A,B)
- The IDs of the two end-points are relative to each other, i.e. the ID of end-point A with respect to end-point B is different from the ID of end-point A with respect to end-point C
- The information about the IDs is shared beforehand between the two entities via an out-of-band channel. This A PRIORI information is SECRET and is exchanged over a channel (out-of-band) other than the one used for authentication and secure communication/transaction; the efficacy of the TRUST between the two parties depends on the strength/security of this out-of-band channel (this is the IDENTITY activation step). It must be noted that this out-of-band exchange of initial secret information regarding the end-point IDs needs to be carried out only once, to initiate the communication. Once the initial information exchange has taken place, the rest of the communication happens over the public channel in a secure manner.
- Authentication is always MUTUAL
- Channel Security is always preceded by the end-point MUTUAL AUTHENTICATION step.
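The properties above, as an added illustration that is not the REL-ID protocol itself (the page gives no message format): a pairwise secret activated out of band for each PAIR, a two-way challenge-response over the public channel that never transmits that secret, and a channel key that exists only after both proofs succeed. The entity names A, B, C and the HMAC-SHA256 construction are assumptions of this example.

```python
import hmac, hashlib, secrets


class Endpoint:
    """One entity; its identity is the collection of pairwise secrets (its relative IDs)."""

    def __init__(self, name: str):
        self.name = name
        self.rel_ids: dict[str, bytes] = {}  # peer name -> secret shared only with that peer

    def activate(self, peer: str, secret: bytes) -> None:
        """Identity activation: installed once, out of band (simulated here by a direct call)."""
        self.rel_ids[peer] = secret

    def tag(self, peer: str, transcript: bytes) -> bytes:
        """Prove knowledge of the (self, peer) secret without sending it; no relationship, no secret."""
        return hmac.new(self.rel_ids.get(peer, b""), transcript, hashlib.sha256).digest()

    def check(self, peer: str, transcript: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(self.tag(peer, transcript), tag)


def activate_pair(a: Endpoint, b: Endpoint) -> None:
    """Out-of-band step for the PAIR (a, b): a fresh secret that exists only between them."""
    secret = secrets.token_bytes(32)
    a.activate(b.name, secret)
    b.activate(a.name, secret)


def mutual_auth(init: Endpoint, init_claim: str, resp: Endpoint, resp_claim: str):
    """Two-way challenge-response; each side names who it claims to be. Key only if BOTH verify."""
    n_i, n_r = secrets.token_bytes(16), secrets.token_bytes(16)  # fresh challenges
    # Step 1: the responder (e.g. the website) must prove itself before any data flows
    t_r = resp.tag(init_claim, b"resp|" + n_i + n_r)
    if not init.check(resp_claim, b"resp|" + n_i + n_r, t_r):
        return None
    # Step 2: the initiator answers the responder's challenge (distinct label: no reflection)
    t_i = init.tag(resp_claim, b"init|" + n_r + n_i)
    if not resp.check(init_claim, b"init|" + n_r + n_i, t_i):
        return None
    # Step 3: only now does channel security start; both ends derive the key independently
    k_i = hmac.new(init.rel_ids[resp_claim], b"session|" + n_i + n_r, hashlib.sha256).digest()
    k_r = hmac.new(resp.rel_ids[init_claim], b"session|" + n_i + n_r, hashlib.sha256).digest()
    return k_i if hmac.compare_digest(k_i, k_r) else None


if __name__ == "__main__":
    a, b, c = Endpoint("A"), Endpoint("B"), Endpoint("C")
    activate_pair(a, b)
    activate_pair(a, c)
    print("A<->B genuine:", mutual_auth(a, "A", b, "B") is not None)      # True
    print("C posing as B to A:", mutual_auth(a, "A", c, "B") is not None)  # False
    print("A's ID differs per peer:", a.rel_ids["B"] != a.rel_ids["C"])    # True
```

C holds a valid relationship with A, yet cannot pose as B to A nor as A to B, because each relative ID is bound to one pair.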