Lockstep secures grant from US Homeland Security for digital identity solution

What is your identity? Depending on who you ask you’ll get very different answer. Family members will respond with information like your name, birthday and who your parents are. But in the office, your identity is probably more likely to be associated with your job title or role.

During a natural disaster or some other acute incident, the idea of identity takes on a completely different meaning. When someone is flown across the country to support local officials or governing authorities, names are largely irrelevant. What does matter are certified skills and approvals to work in particular situations.

“What is it about you, right now, that matters to me?”.

This is exactly the question Steve Wilson (@steve_lockstep) from Lockstep Technologies wants to answer.

“We need to be more precise about identity,” he says.

His company is working on a way to provide digital credentials that would allow people reporting to a disaster situation to securely exchange a digital certificate. The solution is called Stepwise.

This is how Stepwise would work.

Individuals can be issued with a number of different authoritative documents such as First Aid certification, firearms licenses, permits to operate particular equipment or working with children checks.

“It uses anonymous and pseudonymous certificates,” explains Wilson. “They have really specific attributes – what do you have to prove?”.

Rather than carry a number of cards, that can be easily lost and need to be visually verified, a person could carry a digital certificate, validated using PKI, that proves they have the requisite permits and certifications.

Those digital certificates could then be electronically exchanged between approved devices that have the appropriate integrated security so the different identity credentials can be securely exchanged.

Unlike other authentication systems, which typically collect some data and then verify it with a remote database, Stepwise uses the provenance of the certificate’s issuing authority to ensure that it is valid. It also means verification can be done offline, without reliance on communications infrastructure.

Importantly, only the information required for each credential is exchanged. For example, with a license to carry firearms, there would not be a need to connect that with another credential such as a First Aid certification. Each credential would be sandboxed from the others and only hold data pertinent to that specific certificate.

An example of how only required data is exchanged could be proof of age. Today, proof of age is provided by someone showing a valid identifier that displays the holder’s date of birth. However, a chip-based system could simply answer “Are you over 18?” with a yes or no. This tells he party what they need to know without revealing any extra information.

Wilson has been working on identity technologies for over a decade but at an event last year, held in San Diego, the idea for Stepwise fermented and he became aware of the potential for some level of sponsorship from the Department of Homeland Security (DHS) in the US.

“We got a lot of attention from the Department of Homeland Security. They have a big R and D program. They finance research and commercialisation of early-stage technologies, especially privacy and identity,” says Wilson.

He spent several months in discussion and consultation with other parties and formed a relationship with the Kantara Alliance and the Command, Control and Interoperability Center for Advanced Data Analysis (CCICADA) at Rutgers University in New Jersey. Through that he was able to put in an application with DHS for a grant to develop a more concrete plan.

“We applied for a competitive grant in the area of first-responder security. How do you convince people in a difficult, semi-networked environment, of who you are?,” explained Wilson.

The process with DHS goes through three stages. There’s an initial phase where Wilson needs to prove the viability of his proposed solution to specifically address the problem DHS wants to solve and develop a detailed architecture.

Then, if DHS approves, he can move to developing a proof of concept with the third stage, called Transition, taking the proof of concept to production and commercialisation.

Each stage is scheduled to take about six months.

Lockstep secured a substantial grant to get to the first stage. While the actual amount is confidential, it was enough for Lockstep to prepare Stepwise for the next round of decision making and further funding from DHS.

“To be an Aussie playing in this space is very exciting,” says Wilson.

Join the CSO newsletter!

Error: Please check your email address.

Tags AusCERT conferenceStepwisenetwork securityDHSAusCERT2016LockstepCCICADAcyber security

More about Advanced

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Anthony Caruana

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place