Lockstep secures grant from US Homeland Security for digital identity solution

What is your identity? Depending on who you ask you’ll get very different answer. Family members will respond with information like your name, birthday and who your parents are. But in the office, your identity is probably more likely to be associated with your job title or role.

During a natural disaster or some other acute incident, the idea of identity takes on a completely different meaning. When someone is flown across the country to support local officials or governing authorities, names are largely irrelevant. What does matter are certified skills and approvals to work in particular situations.

“What is it about you, right now, that matters to me?”.

This is exactly the question Steve Wilson (@steve_lockstep) from Lockstep Technologies wants to answer.

“We need to be more precise about identity,” he says.

His company is working on a way to provide digital credentials that would allow people reporting to a disaster situation to securely exchange a digital certificate. The solution is called Stepwise.

This is how Stepwise would work.

Individuals can be issued with a number of different authoritative documents such as First Aid certification, firearms licenses, permits to operate particular equipment or working with children checks.

“It uses anonymous and pseudonymous certificates,” explains Wilson. “They have really specific attributes – what do you have to prove?”.

Rather than carry a number of cards, that can be easily lost and need to be visually verified, a person could carry a digital certificate, validated using PKI, that proves they have the requisite permits and certifications.

Those digital certificates could then be electronically exchanged between approved devices that have the appropriate integrated security so the different identity credentials can be securely exchanged.

Unlike other authentication systems, which typically collect some data and then verify it with a remote database, Stepwise uses the provenance of the certificate’s issuing authority to ensure that it is valid. It also means verification can be done offline, without reliance on communications infrastructure.

Importantly, only the information required for each credential is exchanged. For example, with a license to carry firearms, there would not be a need to connect that with another credential such as a First Aid certification. Each credential would be sandboxed from the others and only hold data pertinent to that specific certificate.

An example of how only required data is exchanged could be proof of age. Today, proof of age is provided by someone showing a valid identifier that displays the holder’s date of birth. However, a chip-based system could simply answer “Are you over 18?” with a yes or no. This tells he party what they need to know without revealing any extra information.

Wilson has been working on identity technologies for over a decade but at an event last year, held in San Diego, the idea for Stepwise fermented and he became aware of the potential for some level of sponsorship from the Department of Homeland Security (DHS) in the US.

“We got a lot of attention from the Department of Homeland Security. They have a big R and D program. They finance research and commercialisation of early-stage technologies, especially privacy and identity,” says Wilson.

He spent several months in discussion and consultation with other parties and formed a relationship with the Kantara Alliance and the Command, Control and Interoperability Center for Advanced Data Analysis (CCICADA) at Rutgers University in New Jersey. Through that he was able to put in an application with DHS for a grant to develop a more concrete plan.

“We applied for a competitive grant in the area of first-responder security. How do you convince people in a difficult, semi-networked environment, of who you are?,” explained Wilson.

The process with DHS goes through three stages. There’s an initial phase where Wilson needs to prove the viability of his proposed solution to specifically address the problem DHS wants to solve and develop a detailed architecture.

Then, if DHS approves, he can move to developing a proof of concept with the third stage, called Transition, taking the proof of concept to production and commercialisation.

Each stage is scheduled to take about six months.

Lockstep secured a substantial grant to get to the first stage. While the actual amount is confidential, it was enough for Lockstep to prepare Stepwise for the next round of decision making and further funding from DHS.

“To be an Aussie playing in this space is very exciting,” says Wilson.

Tags DHSAusCERT conferenceAusCERT2016LockstepCCICADAStepwise

Show Comments