SlideShare a Scribd company logo

Threat Modeling Connect (TMC) Barcelona Meetup - Threat Modeling @ W3C - Age Verficiation Systems with W3C Verifiable Credentials

Simone Onofri, profile picture
Simone Onofri

Threat Modeling @ W3C: Age Verification Systems with W3C Verifiable Credentials” was presented at the TMC Barcelona Meetup on November 28, 2024, by security experts Simone Onofri and Kim Cerra. The session began by introducing the presenters—Kim, an independent security researcher with over a decade of experience in both proactive and reactive security, and Simone, the W3C Security Lead, noted for his contributions to web application security and digital identity. Their combined expertise set the stage for a deep dive into threat modeling practices as applied to modern web technologies. The presentation outlined how threat modeling is an iterative, structured process essential to securing digital systems. Emphasizing frameworks like Shostack’s Four Question Framework—What are we working on? What can go wrong? What are we going to do about it? Did we do a good job?—the speakers explained how this method helps identify potential vulnerabilities, enumerate threats, and prioritize countermeasures. They highlighted that threat modeling is not a one-off task; it must evolve alongside technological advancements and emerging risks. Two primary case studies were discussed. The first focused on the Vibration API, a feature in modern mobile devices that enables web applications to provide tactile feedback. While the API enhances user interactivity, it also poses risks such as spoofing, fingerprinting, and battery-draining denial-of-service attacks. The speakers recommended several mitigations, including limiting vibration duration, introducing randomness, requesting user consent, and restricting API usage to reduce potential abuse. The second case study examined the Spanish Age Verification System, which utilizes decentralized digital identity methods based on W3C Verifiable Credentials (VC) and Decentralized Identifiers (DID). This system is designed to verify a user’s age for access to online content while preserving privacy. The approach minimizes data disclosure by issuing government-backed credentials that do not reveal personal information. The system architecture involves three key parties: the Issuer (the government), the Holder (the user), and the Verifier (the website). Detailed diagrams and multiple iterations of the threat model illustrated how credential issuance, selection, and verification are managed to prevent linking and replay attacks, thereby maintaining both security and user anonymity. Concluding the session, Simone and Kim reflected on the future of threat modeling at W3C. They stressed the need for continuous, collaborative improvement in security practices, especially as digital systems grow more complex and as regulatory requirements tighten. The speakers encouraged ongoing engagement with initiatives like the W3C Security Interest Group and the Threat Modeling Community Group, underlining that effective threat modeling is a cornerstone of building a secure and trustworthy web ecosystem.

Internet
Related topics:
Mobile Devices
1 of 43
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
Most read
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
Threat Modeling @ W3C: Age Verification Systems with W3C Verifiable Credentials Threat Modeling Connect November 28th, 2024 Simone Onofri, Kim Cerra
Threat Modeling Connect (TMC) Barcelona Meetup - Threat Modeling @ W3C - Age Verficiation Systems with W3C Verifiable Credentials
Introduction Who are we? Kim (Independent Security Researcher) ● I’m a Security Researcher with over 10 years of experience in Information Security, specializing in Application Security and Offensive Security. ● My expertise spans both proactive and reactive security measures. I’ve worked on diverse projects across industries, ensuring security practices are integrated from design to deployment. ● Invited Expert for W3C Security Interest Group. https://it.linkedin.com/in/eugeniokimcerra Simone (Security Lead @ W3C) ● I take care of the security of the Web as a Team Contact for different groups such as Security Interest Group, Web Application Security Working Group, Web Authentication Working Group, Federated Identity Working Group and as a co-chair of the Threat Modeling Community Group. ● I wrote the book Attacking and Exploiting Modern Web Applications, and the Identity and the Web Report. https://linkedin.com/in/simoneonofri
Agenda ● Introduction ● Threat Modeling Basics ● Threat Model of the Vibration API ● Threat Model of the Spanish Age verification system for access to online content with W3C VC/DID ● Conclusion
Introduction
Introduction World Wide Web Consortium ● Standards Development Organization, founded in 1994 by Tim Berners-Lee, who was Director until June 12, 2023 ● Over 500 technical Web standards, 480 in progress ● Consensus-driven process, Royalty-Free patent policy ● Over 350 Members
Introduction How we do Threat Modeling at W3C ● When we develop a standard, from what is in an early state, we start doing Threat Modeling, with the Security and Privacy Questionnaire. ● It is a collaborative effort between those developing the specification and the groups doing Privacy and Security review and the Threat Modeling Community Group. ● We are evaluating Privacy, Security and Human Rights Threats, on different levels (e.g., from a single feature to Ecosystems)
Threat Modeling Basics
Threat Modeling Basics Definitions Let’s start with definitions: ● Threat Modeling is a family of structured, repeatable processes that allows you to make rational decisions to secure applications, software, and systems (Shostack, 2014). ● During Threat Modeling, potential threats, such as vulnerabilities or the absence of appropriate safeguards, can be identified and enumerated, and countermeasures prioritized (OWASP). ● In general terms is a form of risk assessment that models aspects of the attack and defense sides of an entity (NIST SP 800-53 Rev. 5, NIST SP 800-154).
Threat Modeling Connect (TMC) Barcelona Meetup - Threat Modeling @ W3C - Age Verficiation Systems with W3C Verifiable Credentials
Threat Modeling Basics Shostack's Four Question Framework Answering the following questions: ● What are we working on? ● What can go wrong? ● What are we going to do about it? ● Did we do a good job?
Threat Modeling introduction Which model is better?
Threat Modeling Basics Threat lists ● Security Threats (STRIDE) ● Security Attacks (RFC 3552) ● Security/Privacy/Trust Controls (OSSTMM) ● Privacy Threats (LINDDUN) ● Privacy Threats (RFC 6973) ● Privacy/Security Threats (W3C Self-Review Questionnaire: Security and Privacy) ● Harms Threats (Microsoft) ● Human Rights (RFC 9620) Tools: Check-lists and Prompt-lists
Threat Modeling Basics How do I find threats? ● An inefficient but effective method is to have lists of principles or properties that need to be respected, controls that should be in place, or threats. ● We can “brute-force” them: ○ For each component or flow, identify the threats ○ For each threat, identify the component(s) affected ● We can also use also Kill-Chains, Incidents Analysis, Think like the enemy…
Threat Model of the Vibration API
Threat Model of the Vibration API What are we working on? ● Most modern mobile devices are equipped with vibration hardware, allowing software to provide tactile feedback by causing the device to vibrate. The Vibration API enables web applications to access this hardware, enhancing interactivity and user immersion. ● By leveraging this API, developers can create more engaging and immersive user experiences, particularly in gaming and Progressive Web Apps (PWAs), where tactile feedback adds a new dimension of realism and interaction. This capability allows web applications to rival the functionality and responsiveness of native apps.
Threat Model of the Vibration API What can go wrong? Now, let’s dive into the risks associated with the Vibration API. Although it doesn’t directly collect data, it can still be exploited: ● Simulate normal phone behaviors (Spoof Identity/Tampering). ● Fingerprinting and Cross-Device Tracking (Information Disclosure). ● Draining Battery/User’s Resources DoS (Denial of Service). ● Out-of-band/Side Channel communication (Information Disclosure/Tampering).
Threat Model of the Vibration API What are we going to do about it? ● Standardize of Max Length and Duration ● Include Random Vibration ● Request User Consent ● Minimize Information Disclosure in Error Handling ● Limit API Usage
Threat Model of the Vibration API Did we do a good job?
Threat Model of the Spanish Age verification system for access to online content with W3C VC/DID
Threat Model of the Spanish Age verification Before the flight ● I am modeling this solution as an exercise during the W3C Verifiable Credentials Security Review (Volunteers?). ● It is possible as their documentation is publicly available, and I liked it, as they used W3C and OID4VC. ● Kudos to Spanish Government for doing this with standard technologies. ● The model is not exhaustive and it is simplified to fit the presentation (quoting Shostack, quoting Box: “all models are wrong, some models are useful”) ● We’re going to do micro-iterations of what are we building, what can go wrong, and what are we going to do in each slide, as a mini-model.
Threat Model of the Spanish Age verification Why are we working on this? Regulators have many thoughts to protect children surfing internet, and different possible approaches, e.g.: ● Self-declaration: “I am 18 or older - Enter” button ● Credit Card: age of majority is different cross-countries (and identification and possible scam) ● Online document check: such ask KYC* ● Biometrics: facial features recognition using AI (special category of data per GDPR) ● Usage patterns: analyzing browser history or questionnaire ● Vouching: asking third parties if a user is adult ● Digital ID: “Acceder con cl@ve” (Federated Identity Model) But, it is a controversial topic, which is the impact of user’s privacy? ��
Iteration #1 Taking-Off
Threat Model of the Spanish Age verification What are we working on? The Spanish Digital Wallet BETA uses Decentralized Identity Model to put the user in control with the objective is to reduce user profiling, preventing tracking transactions performed by users. ● The Government (the Issuer), will create 30 credentials (without the name of the user). ● The User (Holder), that sends (present) the credential to the Website (Verifier). ● The Website will check if the credential is valid, without connecting directly to the Government. Image source Which Threats are we going to Analyze?
Threat Model of the Spanish Age verification What are we working on? Privacy requirements from European Electronic identification and trust service 2.0 (eIDAS), e.g.: ● Selective Disclosure: user can decide to limit the information in a presentation. ● Pseudonymous Identifiers: don't use unique identifiers unless necessary. ● Unlinkability: two verifiers should not recognize the same holder, issuer should not know when a credential is presented or verified, even with the collusion of verifier and issuer. This is in particular between the Holder and Verifier (User and Website). Minimization Scale To try to qualify Minimization, we can use a scale defined by the various cryptographic techniques developed for Digital Credentials: ● Full Disclosure (e.g., I show the whole passport). ● Selective Disclosure (e.g., I show only the date of birth). ● Predicate Disclosure (e.g., I show only the age). ● Range Disclosure (e.g., I show only that I am an adult). Unlinkability Scale To try to qualify Unlinkability, we can use the Nymity Slider, which classifies credentials by: ● Verinymity (e.g., Legal name or Government Identifier). ● Persistent Pseudonymity (e.g., Nickname). ● Linkable Anonymity (e.g., Bitcoin/Ethereum Address). ● Unlinkable Anonymity (e.g., Anonymous Remailers). Threat Modeling for Decentralize Identities
Iteration #2 View from above
Threat Model of the Spanish Age verification General Solution Components and Data Flow What are the Trust Boundaries? What are the Assumptions? Holder (User) Acquires, stores, presents Credentials Issuer (Government) Creates, issues, and revoke Credentials Verifier (Website) Receives and verifies Presentations 2. authenticate and asks for credentials 3. Isser generates credentials: containing “K” associated with each key 1. Generates 30 key pairs 4. Request access to a content 5. Credential Request 6. Presentation Generation / 7. Sending Verifiable Data Registry Local Allowlist 8. Verification using whitelist and expiration date 9. Grants/Denies Access
Threat Modeling Connect (TMC) Barcelona Meetup - Threat Modeling @ W3C - Age Verficiation Systems with W3C Verifiable Credentials
Holder (User) Acquires, stores, presents Credentials Issuer (Government) Creates, issues, and revoke Credentials 2. authenticate and asks for credentials 3. Isser generates credentials: containing “K” associated with each key 1. Generates 30 key pairs Threat Model of the Spanish Age verification Issuance Flow 1. During the Issuance, the Wallet generates a series of 30 public/private keys using the W3C Decentralized Identifier (DID) (did:key:{yourkeyhere}). 2. The Identity Assurance is derived by the Electronic DNI, or CL@VE, then the Wallet asks for the credentials, sending the public keys to the Issuer. 3. The Issuer sends 30 credentials (one for each public key) in the format of W3C Verifiable Credential with validity of 1 month, using OpenID4VCI. What are the Threats and Mitigations? Identifying Linking 30 Creds!
Threat Model of the Spanish Age verification Presentation and Verification Flow 4. The User requests access to the Content Provider using a custom schema ageverification:// or QR Code 5. The Content Provider sends a request of the evidence to the Users’ Wallet. 6. The Wallet generates the evidence using a W3C Verifiable Presentation in JWT. What are the Threats and Mitigations? Holder (User) Acquires, stores, presents Credentials Verifier (Website) Receives and verifies Presentations 4. Request access to a content 5. Credential Request 6. Presentation Generation / 7. Sending 9. Grants/Denies Access Non-Compliance Digital Credentials API 7. The Wallet sends the evidence using OID4VP. 8. The Content Provider verifies the evidence. 9. Access is granted or denied. 8. Whitelist and Expiration Verification
Threat Modeling Connect (TMC) Barcelona Meetup - Threat Modeling @ W3C - Age Verficiation Systems with W3C Verifiable Credentials
Iteration #4 Diving Evidence
Threat Model of the Spanish Age verification Evidence Image source What are the Threats and Mitigations? Linking 30 Creds! Reply Attack (RFC 3552) Nonce Linking Issuer is known Tampering (STRIDE) Each level has USER signature
Iteration #5 Diving Presentation
Threat Model of the Spanish Age verification Verification Image source
Iteration #7 Diving Logic
Threat Model of the Spanish Age verification Credential Selection Algorithm Image source ● Each credential will be reused a maximum of 10 times with the same content provider and can never be used across different content providers. ● Up to 3 different batch credentials (10%) will be assigned to each content provider. ● The credential that used will be selected randomly, and there is no need to exhaust all 10 uses of one credential before starting to use another credential linked with the same content provider. ● If a group of credentials for a content provider has reached its maximum usage, new unused credentials will be assigned, if they are available. Linking Issuer/Verifier Verifier/Verifier
Iteration #8 Landing?
Threat Model of the Spanish Age verification Look who’s here ● General Identity concerns, in particular considering Real Identity ● Cryptography (e.g., algorithms used correctly, they have vulnerabilities, are they post quantum ready?) ● Credentials Lifecycle (Revocation) ● Attestation ● Issuer and Verifier collusion? ● Which are the assumptions and residual threats/risks?
Conclusion
Thank you! If you like to review standards > Security Interest Group If you like to threat model standards > Threat Modeling Community Group
Backup
Threat Model of the Spanish Age verification What can go wrong? Privacy Threats with LINDDUN! ● Linking: when it is possible to learn more about an individual or a group by associating data items or user actions. ● Identifying: when the identity can be revealed through leaks, deduction, or inference in cases where this is not desired. ● Non-Repudiation: when it is not possible to deny specific claims. ● Detecting: where it is possible to deduct through observation the involvement, participation, or membership. ● Data Disclosure: when personal data, to, and from the system are disclosed. ● Unawareness: when the users are not informed or empowered. ● Non-Compliance: when the system deviates from legislation, regulation, standards, and best practices…

More Related Content

PDF
Bringing the hacker mindset into requirements and testing by Eapen Thomas and...
QA or the Highway
 
PDF
Your Skill Boost Masterclass Online Safety and Cybersecurity Tips
Excellence Foundation for South Sudan
 
PPTX
Security Incident machnism Security Incident machnismSecurity Incident machni...
karthikvcyber
 
PDF
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
Codemotion
 
PDF
Security overview 2
CMR WORLD TECH
 
PDF
Securing And Protecting Information
Laura Martin
 
PPT
Web Application Security Testing
Marco Morana
 
PPTX
EthicalHack{aksdladlsfsamnookfmnakoasjd}.pptx
dagarabull
 
Bringing the hacker mindset into requirements and testing by Eapen Thomas and...
QA or the Highway
 
Your Skill Boost Masterclass Online Safety and Cybersecurity Tips
Excellence Foundation for South Sudan
 
Security Incident machnism Security Incident machnismSecurity Incident machni...
karthikvcyber
 
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
Codemotion
 
Security overview 2
CMR WORLD TECH
 
Securing And Protecting Information
Laura Martin
 
Web Application Security Testing
Marco Morana
 
EthicalHack{aksdladlsfsamnookfmnakoasjd}.pptx
dagarabull
 

Similar to Threat Modeling Connect (TMC) Barcelona Meetup - Threat Modeling @ W3C - Age Verficiation Systems with W3C Verifiable Credentials (20)

PPTX
Getting Better at Risk Management Using Event Driven Mesh Architecture - Ragh...
Nordic APIs
 
PDF
Secure Design: Threat Modeling
Narudom Roongsiriwong, CISSP
 
DOCX
RaoNayakShelve inNetworkingSecurityUser levelB.docx
audeleypearl
 
PPTX
Cybersecurity Basics of awareness presentation .pptx
williambillrials
 
PPTX
Cybersecurity Basics of awareness presentation .pptx
williambillrials
 
PDF
IRJET- Minimize Phishing Attacks: Securing Spear Attacks
IRJET Journal
 
PPTX
Security engineering 101 when good design & security work together
Wendy Knox Everette
 
PDF
19BCP072_Presentation_Final.pdf
KunjJoshi14
 
PPTX
Development lifecycle and principals of Security
SylvesterNdegese1
 
PPT
Assessing and Measuring Security in Custom SAP Applications
sebastianschinzel
 
PDF
Application Security - Your Success Depends on it
WSO2
 
PDF
Digital Forensics for Artificial Intelligence (AI ) Systems.pdf
Mahdi_Fahmideh
 
PPTX
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
robbiesamuel
 
PPTX
What i learned at issa international summit 2019
Ulf Mattsson
 
DOCX
Project Quality-SIPOCSelect a process of your choice and creat.docx
wkyra78
 
PDF
Secure at Speed @ Solent.tech
Stuart Gunter
 
PDF
Aujas incident management webinar deck 08162016
Karl Kispert
 
PPTX
Threat Modeling Web Applications
Nadia BENCHIKHA
 
PPTX
swamy_ppt[1]_[Read-Only][1].pptxswamy_ppt[1]_[Read-Only][1].pptx
ajayrm685
 
PDF
Trusted, Transparent and Fair AI using Open Source
Animesh Singh
 
Getting Better at Risk Management Using Event Driven Mesh Architecture - Ragh...
Nordic APIs
 
Secure Design: Threat Modeling
Narudom Roongsiriwong, CISSP
 
RaoNayakShelve inNetworkingSecurityUser levelB.docx
audeleypearl
 
Cybersecurity Basics of awareness presentation .pptx
williambillrials
 
Cybersecurity Basics of awareness presentation .pptx
williambillrials
 
IRJET- Minimize Phishing Attacks: Securing Spear Attacks
IRJET Journal
 
Security engineering 101 when good design & security work together
Wendy Knox Everette
 
19BCP072_Presentation_Final.pdf
KunjJoshi14
 
Development lifecycle and principals of Security
SylvesterNdegese1
 
Assessing and Measuring Security in Custom SAP Applications
sebastianschinzel
 
Application Security - Your Success Depends on it
WSO2
 
Digital Forensics for Artificial Intelligence (AI ) Systems.pdf
Mahdi_Fahmideh
 
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
robbiesamuel
 
What i learned at issa international summit 2019
Ulf Mattsson
 
Project Quality-SIPOCSelect a process of your choice and creat.docx
wkyra78
 
Secure at Speed @ Solent.tech
Stuart Gunter
 
Aujas incident management webinar deck 08162016
Karl Kispert
 
Threat Modeling Web Applications
Nadia BENCHIKHA
 
swamy_ppt[1]_[Read-Only][1].pptxswamy_ppt[1]_[Read-Only][1].pptx
ajayrm685
 
Trusted, Transparent and Fair AI using Open Source
Animesh Singh
 
Ad

More from Simone Onofri (20)

PDF
Serverless Meetup Barcelona - Attacking and Exploiting Modern Web Applications
Simone Onofri
 
PDF
Attacking and Exploiting Ethereum Smart Contracts: Auditing 101
Simone Onofri
 
PDF
Attacking IoT Devices from a Web Perspective - Linux Day
Simone Onofri
 
PDF
Attacking Ethereum Smart Contracts a deep dive after ~9 years of deployment
Simone Onofri
 
PDF
Linux Day 2018 Roma - Web Application Penetration Test (WAPT) con Linux
Simone Onofri
 
PDF
Agile Lean Conference 2017 - Leadership e facilitazione
Simone Onofri
 
PDF
Agile Business Consortium - LEGO SERIOUS PLAY e i Principi di Agile Project M...
Simone Onofri
 
PDF
Agile Project Framework
Simone Onofri
 
PDF
Agile nei servizi di cyber security (Security Summit Edition)
Simone Onofri
 
PDF
Security Project Management - Agile nei servizi di Cyber Security
Simone Onofri
 
PDF
Cyber Defense - How to find and manage zero-days
Simone Onofri
 
PDF
Cyber Defense - How to be prepared to APT
Simone Onofri
 
PDF
ISACA - Gestire progetti di Ethical Hacking secondo le best practices
Simone Onofri
 
PDF
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...
Simone Onofri
 
PPTX
Mamma, da grande voglio essere un Penetration Tester HackInBo 2016 Winter
Simone Onofri
 
PDF
Penetration Testing con Python - Network Sniffer
Simone Onofri
 
PDF
ORM Injection
Simone Onofri
 
PDF
Agile e Lean Management
Simone Onofri
 
PDF
Nuove minacce nella Cyber Security, come proteggersi
Simone Onofri
 
PDF
Hackers vs Developers - Cross Site Scripting (XSS) Attacco e difesa
Simone Onofri
 
Serverless Meetup Barcelona - Attacking and Exploiting Modern Web Applications
Simone Onofri
 
Attacking and Exploiting Ethereum Smart Contracts: Auditing 101
Simone Onofri
 
Attacking IoT Devices from a Web Perspective - Linux Day
Simone Onofri
 
Attacking Ethereum Smart Contracts a deep dive after ~9 years of deployment
Simone Onofri
 
Linux Day 2018 Roma - Web Application Penetration Test (WAPT) con Linux
Simone Onofri
 
Agile Lean Conference 2017 - Leadership e facilitazione
Simone Onofri
 
Agile Business Consortium - LEGO SERIOUS PLAY e i Principi di Agile Project M...
Simone Onofri
 
Agile Project Framework
Simone Onofri
 
Agile nei servizi di cyber security (Security Summit Edition)
Simone Onofri
 
Security Project Management - Agile nei servizi di Cyber Security
Simone Onofri
 
Cyber Defense - How to find and manage zero-days
Simone Onofri
 
Cyber Defense - How to be prepared to APT
Simone Onofri
 
ISACA - Gestire progetti di Ethical Hacking secondo le best practices
Simone Onofri
 
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...
Simone Onofri
 
Mamma, da grande voglio essere un Penetration Tester HackInBo 2016 Winter
Simone Onofri
 
Penetration Testing con Python - Network Sniffer
Simone Onofri
 
ORM Injection
Simone Onofri
 
Agile e Lean Management
Simone Onofri
 
Nuove minacce nella Cyber Security, come proteggersi
Simone Onofri
 
Hackers vs Developers - Cross Site Scripting (XSS) Attacco e difesa
Simone Onofri
 
Ad

Recently uploaded (20)

PDF
Tenda Login Guide: Access Your Router in 5 Easy Steps
tendawifi16
 
PPTX
June-4-Sermon-Powerpoint.pptx USE THIS FOR YOUR MOTIVATION
KuyaRogie
 
PPTX
artificial intelligence overview of it and more
yafotin445
 
PPTX
Funds Management Learning Material for Beg
NKKumar16
 
DOCX
Unit-3 cyber security network security of internet system
shivangisharma636228
 
PDF
Sims 4 Historia para lo sims 4 para jugar
lolpopy34
 
PDF
SASE Traffic Flow - ZTNA Connector-1.pdf
mackwell7777
 
PPTX
Module 1 - Cyber Law and Ethics 101.pptx
anantyakhrisna1
 
PPTX
introduction about ICD -10 & ICD-11 ppt.pptx
naveenithkrishnan
 
PPTX
Introduction about ICD -10 and ICD11 on 5.8.25.pptx
naveenithkrishnan
 
PPTX
522797556-Unit-2-Temperature-measurement-1-1.pptx
msar8888
 
PPT
Design_with_Watersergyerge45hrbgre4top (1).ppt
DiogoRibeiro730590
 
PDF
The New Creative Director: How AI Tools for Social Media Content Creation Are...
SageTitans
 
PPTX
CHE NAA, , b,mn,mblblblbljb jb jlb ,j , ,C PPT.pptx
sumodmjohn3
 
PPTX
international classification of diseases ICD-10 review PPT.pptx
naveenithkrishnan
 
PPTX
innovation process that make everything different.pptx
SoumyadipPaul18
 
PPTX
Introuction about WHO-FIC in ICD-10.pptx
naveenithkrishnan
 
PDF
Decoding a Decade: 10 Years of Applied CTI Discipline
Andreas Sfakianakis
 
PDF
An introduction to the IFRS (ISSB) Stndards.pdf
farhankhan13694
 
PPT
tcp ip networks nd ip layering assotred slides
pakadamfdp
 
Tenda Login Guide: Access Your Router in 5 Easy Steps
tendawifi16
 
June-4-Sermon-Powerpoint.pptx USE THIS FOR YOUR MOTIVATION
KuyaRogie
 
artificial intelligence overview of it and more
yafotin445
 
Funds Management Learning Material for Beg
NKKumar16
 
Unit-3 cyber security network security of internet system
shivangisharma636228
 
Sims 4 Historia para lo sims 4 para jugar
lolpopy34
 
SASE Traffic Flow - ZTNA Connector-1.pdf
mackwell7777
 
Module 1 - Cyber Law and Ethics 101.pptx
anantyakhrisna1
 
introduction about ICD -10 & ICD-11 ppt.pptx
naveenithkrishnan
 
Introduction about ICD -10 and ICD11 on 5.8.25.pptx
naveenithkrishnan
 
522797556-Unit-2-Temperature-measurement-1-1.pptx
msar8888
 
Design_with_Watersergyerge45hrbgre4top (1).ppt
DiogoRibeiro730590
 
The New Creative Director: How AI Tools for Social Media Content Creation Are...
SageTitans
 
CHE NAA, , b,mn,mblblblbljb jb jlb ,j , ,C PPT.pptx
sumodmjohn3
 
international classification of diseases ICD-10 review PPT.pptx
naveenithkrishnan
 
innovation process that make everything different.pptx
SoumyadipPaul18
 
Introuction about WHO-FIC in ICD-10.pptx
naveenithkrishnan
 
Decoding a Decade: 10 Years of Applied CTI Discipline
Andreas Sfakianakis
 
An introduction to the IFRS (ISSB) Stndards.pdf
farhankhan13694
 
tcp ip networks nd ip layering assotred slides
pakadamfdp
 

Threat Modeling Connect (TMC) Barcelona Meetup - Threat Modeling @ W3C - Age Verficiation Systems with W3C Verifiable Credentials

  • 1. Threat Modeling @ W3C: Age Verification Systems with W3C Verifiable Credentials Threat Modeling Connect November 28th, 2024 Simone Onofri, Kim Cerra
  • 3. Introduction Who are we? Kim (Independent Security Researcher) ● I’m a Security Researcher with over 10 years of experience in Information Security, specializing in Application Security and Offensive Security. ● My expertise spans both proactive and reactive security measures. I’ve worked on diverse projects across industries, ensuring security practices are integrated from design to deployment. ● Invited Expert for W3C Security Interest Group. https://it.linkedin.com/in/eugeniokimcerra Simone (Security Lead @ W3C) ● I take care of the security of the Web as a Team Contact for different groups such as Security Interest Group, Web Application Security Working Group, Web Authentication Working Group, Federated Identity Working Group and as a co-chair of the Threat Modeling Community Group. ● I wrote the book Attacking and Exploiting Modern Web Applications, and the Identity and the Web Report. https://linkedin.com/in/simoneonofri
  • 4. Agenda ● Introduction ● Threat Modeling Basics ● Threat Model of the Vibration API ● Threat Model of the Spanish Age verification system for access to online content with W3C VC/DID ● Conclusion
  • 6. Introduction World Wide Web Consortium ● Standards Development Organization, founded in 1994 by Tim Berners-Lee, who was Director until June 12, 2023 ● Over 500 technical Web standards, 480 in progress ● Consensus-driven process, Royalty-Free patent policy ● Over 350 Members
  • 7. Introduction How we do Threat Modeling at W3C ● When we develop a standard, from what is in an early state, we start doing Threat Modeling, with the Security and Privacy Questionnaire. ● It is a collaborative effort between those developing the specification and the groups doing Privacy and Security review and the Threat Modeling Community Group. ● We are evaluating Privacy, Security and Human Rights Threats, on different levels (e.g., from a single feature to Ecosystems)
  • 9. Threat Modeling Basics Definitions Let’s start with definitions: ● Threat Modeling is a family of structured, repeatable processes that allows you to make rational decisions to secure applications, software, and systems (Shostack, 2014). ● During Threat Modeling, potential threats, such as vulnerabilities or the absence of appropriate safeguards, can be identified and enumerated, and countermeasures prioritized (OWASP). ● In general terms is a form of risk assessment that models aspects of the attack and defense sides of an entity (NIST SP 800-53 Rev. 5, NIST SP 800-154).
  • 11. Threat Modeling Basics Shostack's Four Question Framework Answering the following questions: ● What are we working on? ● What can go wrong? ● What are we going to do about it? ● Did we do a good job?
  • 13. Threat Modeling Basics Threat lists ● Security Threats (STRIDE) ● Security Attacks (RFC 3552) ● Security/Privacy/Trust Controls (OSSTMM) ● Privacy Threats (LINDDUN) ● Privacy Threats (RFC 6973) ● Privacy/Security Threats (W3C Self-Review Questionnaire: Security and Privacy) ● Harms Threats (Microsoft) ● Human Rights (RFC 9620) Tools: Check-lists and Prompt-lists
  • 14. Threat Modeling Basics How do I find threats? ● An inefficient but effective method is to have lists of principles or properties that need to be respected, controls that should be in place, or threats. ● We can “brute-force” them: ○ For each component or flow, identify the threats ○ For each threat, identify the component(s) affected ● We can also use also Kill-Chains, Incidents Analysis, Think like the enemy…
  • 15. Threat Model of the Vibration API
  • 16. Threat Model of the Vibration API What are we working on? ● Most modern mobile devices are equipped with vibration hardware, allowing software to provide tactile feedback by causing the device to vibrate. The Vibration API enables web applications to access this hardware, enhancing interactivity and user immersion. ● By leveraging this API, developers can create more engaging and immersive user experiences, particularly in gaming and Progressive Web Apps (PWAs), where tactile feedback adds a new dimension of realism and interaction. This capability allows web applications to rival the functionality and responsiveness of native apps.
  • 17. Threat Model of the Vibration API What can go wrong? Now, let’s dive into the risks associated with the Vibration API. Although it doesn’t directly collect data, it can still be exploited: ● Simulate normal phone behaviors (Spoof Identity/Tampering). ● Fingerprinting and Cross-Device Tracking (Information Disclosure). ● Draining Battery/User’s Resources DoS (Denial of Service). ● Out-of-band/Side Channel communication (Information Disclosure/Tampering).
  • 18. Threat Model of the Vibration API What are we going to do about it? ● Standardize of Max Length and Duration ● Include Random Vibration ● Request User Consent ● Minimize Information Disclosure in Error Handling ● Limit API Usage
  • 19. Threat Model of the Vibration API Did we do a good job?
  • 20. Threat Model of the Spanish Age verification system for access to online content with W3C VC/DID
  • 21. Threat Model of the Spanish Age verification Before the flight ● I am modeling this solution as an exercise during the W3C Verifiable Credentials Security Review (Volunteers?). ● It is possible as their documentation is publicly available, and I liked it, as they used W3C and OID4VC. ● Kudos to Spanish Government for doing this with standard technologies. ● The model is not exhaustive and it is simplified to fit the presentation (quoting Shostack, quoting Box: “all models are wrong, some models are useful”) ● We’re going to do micro-iterations of what are we building, what can go wrong, and what are we going to do in each slide, as a mini-model.
  • 22. Threat Model of the Spanish Age verification Why are we working on this? Regulators have many thoughts to protect children surfing internet, and different possible approaches, e.g.: ● Self-declaration: “I am 18 or older - Enter” button ● Credit Card: age of majority is different cross-countries (and identification and possible scam) ● Online document check: such ask KYC* ● Biometrics: facial features recognition using AI (special category of data per GDPR) ● Usage patterns: analyzing browser history or questionnaire ● Vouching: asking third parties if a user is adult ● Digital ID: “Acceder con cl@ve” (Federated Identity Model) But, it is a controversial topic, which is the impact of user’s privacy? ��
  • 24. Threat Model of the Spanish Age verification What are we working on? The Spanish Digital Wallet BETA uses Decentralized Identity Model to put the user in control with the objective is to reduce user profiling, preventing tracking transactions performed by users. ● The Government (the Issuer), will create 30 credentials (without the name of the user). ● The User (Holder), that sends (present) the credential to the Website (Verifier). ● The Website will check if the credential is valid, without connecting directly to the Government. Image source Which Threats are we going to Analyze?
  • 25. Threat Model of the Spanish Age verification What are we working on? Privacy requirements from European Electronic identification and trust service 2.0 (eIDAS), e.g.: ● Selective Disclosure: user can decide to limit the information in a presentation. ● Pseudonymous Identifiers: don't use unique identifiers unless necessary. ● Unlinkability: two verifiers should not recognize the same holder, issuer should not know when a credential is presented or verified, even with the collusion of verifier and issuer. This is in particular between the Holder and Verifier (User and Website). Minimization Scale To try to qualify Minimization, we can use a scale defined by the various cryptographic techniques developed for Digital Credentials: ● Full Disclosure (e.g., I show the whole passport). ● Selective Disclosure (e.g., I show only the date of birth). ● Predicate Disclosure (e.g., I show only the age). ● Range Disclosure (e.g., I show only that I am an adult). Unlinkability Scale To try to qualify Unlinkability, we can use the Nymity Slider, which classifies credentials by: ● Verinymity (e.g., Legal name or Government Identifier). ● Persistent Pseudonymity (e.g., Nickname). ● Linkable Anonymity (e.g., Bitcoin/Ethereum Address). ● Unlinkable Anonymity (e.g., Anonymous Remailers). Threat Modeling for Decentralize Identities
  • 27. Threat Model of the Spanish Age verification General Solution Components and Data Flow What are the Trust Boundaries? What are the Assumptions? Holder (User) Acquires, stores, presents Credentials Issuer (Government) Creates, issues, and revoke Credentials Verifier (Website) Receives and verifies Presentations 2. authenticate and asks for credentials 3. Isser generates credentials: containing “K” associated with each key 1. Generates 30 key pairs 4. Request access to a content 5. Credential Request 6. Presentation Generation / 7. Sending Verifiable Data Registry Local Allowlist 8. Verification using whitelist and expiration date 9. Grants/Denies Access
  • 29. Holder (User) Acquires, stores, presents Credentials Issuer (Government) Creates, issues, and revoke Credentials 2. authenticate and asks for credentials 3. Isser generates credentials: containing “K” associated with each key 1. Generates 30 key pairs Threat Model of the Spanish Age verification Issuance Flow 1. During the Issuance, the Wallet generates a series of 30 public/private keys using the W3C Decentralized Identifier (DID) (did:key:{yourkeyhere}). 2. The Identity Assurance is derived by the Electronic DNI, or CL@VE, then the Wallet asks for the credentials, sending the public keys to the Issuer. 3. The Issuer sends 30 credentials (one for each public key) in the format of W3C Verifiable Credential with validity of 1 month, using OpenID4VCI. What are the Threats and Mitigations? Identifying Linking 30 Creds!
  • 30. Threat Model of the Spanish Age verification Presentation and Verification Flow 4. The User requests access to the Content Provider using a custom schema ageverification:// or QR Code 5. The Content Provider sends a request of the evidence to the Users’ Wallet. 6. The Wallet generates the evidence using a W3C Verifiable Presentation in JWT. What are the Threats and Mitigations? Holder (User) Acquires, stores, presents Credentials Verifier (Website) Receives and verifies Presentations 4. Request access to a content 5. Credential Request 6. Presentation Generation / 7. Sending 9. Grants/Denies Access Non-Compliance Digital Credentials API 7. The Wallet sends the evidence using OID4VP. 8. The Content Provider verifies the evidence. 9. Access is granted or denied. 8. Whitelist and Expiration Verification
  • 33. Threat Model of the Spanish Age verification Evidence Image source What are the Threats and Mitigations? Linking 30 Creds! Reply Attack (RFC 3552) Nonce Linking Issuer is known Tampering (STRIDE) Each level has USER signature
  • 35. Threat Model of the Spanish Age verification Verification Image source
  • 37. Threat Model of the Spanish Age verification Credential Selection Algorithm Image source ● Each credential will be reused a maximum of 10 times with the same content provider and can never be used across different content providers. ● Up to 3 different batch credentials (10%) will be assigned to each content provider. ● The credential that used will be selected randomly, and there is no need to exhaust all 10 uses of one credential before starting to use another credential linked with the same content provider. ● If a group of credentials for a content provider has reached its maximum usage, new unused credentials will be assigned, if they are available. Linking Issuer/Verifier Verifier/Verifier
  • 39. Threat Model of the Spanish Age verification Look who’s here ● General Identity concerns, in particular considering Real Identity ● Cryptography (e.g., algorithms used correctly, they have vulnerabilities, are they post quantum ready?) ● Credentials Lifecycle (Revocation) ● Attestation ● Issuer and Verifier collusion? ● Which are the assumptions and residual threats/risks?
  • 41. Thank you! If you like to review standards > Security Interest Group If you like to threat model standards > Threat Modeling Community Group
  • 43. Threat Model of the Spanish Age verification What can go wrong? Privacy Threats with LINDDUN! ● Linking: when it is possible to learn more about an individual or a group by associating data items or user actions. ● Identifying: when the identity can be revealed through leaks, deduction, or inference in cases where this is not desired. ● Non-Repudiation: when it is not possible to deny specific claims. ● Detecting: where it is possible to deduct through observation the involvement, participation, or membership. ● Data Disclosure: when personal data, to, and from the system are disclosed. ● Unawareness: when the users are not informed or empowered. ● Non-Compliance: when the system deviates from legislation, regulation, standards, and best practices…