Good morning. We can start, I think. Thank you very much for coming to hear the presentation we prepared for you. I hope it will be quite interesting. My name is Anatoly Peshkov. I represent DSR Corporation. The main topic of my presentation, there are a lot of technical details, but we want to talk about use cases, some use cases, and some challenges in the introduction of a new type of security, or, as we call it, self-sovereign identity in IoT. Just a little about DSR, so you get an idea why we are talking about this. DSR is a social company. We do a lot of work for various companies in the industry, in different industries, especially in IoT. So DSR is part of the Hyperledger Foundation. And also, we are part of CSA. If you don't know what CSA is, it's the Connectivity Standards Alliance. You can find this information at CSA-IOT.org. It's a very big organization, which has 350 companies. Basically, it's a driver in the IoT industry. Big names: Amazon, Google, Apple, Legrand, as well as other big companies which work in the IoT industry. DSR is a very active company in CSA. We work with standards; we have been in CSA for 10 years. Just as a reference, CSA is the former Zigbee Alliance. That may give you more context. DSR as a company is not very huge. Basically, it's a social company. We have almost 300 engineers. We work with small companies and large corporations. 400, 500, and Global 2000. Mostly three markets: North America, Europe and Japan. These are the three focuses for DSR. Headquarters is in Colorado, Denver, which came up briefly. You saw the photo with a beautiful lake. That's in Colorado. It's very nice. That's a little information. The company was established in 1998. We have several divisions. We have a very big IoT division. We have a business division which works on decentralized systems. DSR has been a contributor to Indy, Aries and DIDComm.
You can see our name. We work with many companies in the industry very closely, as a partner. What are we talking about? Basically, we will talk about use cases and challenges, introducing SSI for IoT. But before that, I will talk about challenges in the IoT industry related to security. Security in IoT. If you work in IoT, you understand that this is the fundamental basis for security in IoT. There are some problems, including confidentiality. That is a very important issue. So, in addition, there were several governing laws introduced, GDPR and California SB 327. By the way, California SB 327 was specifically addressed to IoT security issues. A lot of companies and standards had to adjust their approach in security. That actually brought us to new standards. As soon as a new standard is introduced, there is a new implementation, it has to come in place, certification and then release of the devices or solutions on the market. This is a little brief about GDPR. What kind of requirements it introduces and California Consumer Privacy Act. These are two main drivers in the last, I would say, 3-4 years for IoT, for security, I mean. Let's talk a little bit about digital identity. Digital identity overall, we all understand what does it mean for people. Yes, we can have our traditional identity, like passport or ID and so on. However, the new identity we are getting in place is related to digital identity. It's very interesting that we are as humans. Yes, we have to have an identity, but at the same time, if you think about, let's say, a device, it's a proxy for us as humans. They have devices, they have a lot of data. It means there is a right away, the issue is around privacy, how the data is stored, who has access to the data. And it means every device has to have an identity. If you think about how many devices right now deployed on a market, on a planet, it's a huge number, really huge, like wireless communication like sensors.
Even in this room, if you start counting, I'm sure we can count about 200 devices, at least, including, of course, your cellphones, your laptops, different kinds of motion sensors, video cameras, small color devices, and so on and so forth. And all these devices, they have to have an identity. So, and again, we are talking about challenges for digital identity. The main is trust and privacy. There are some standards already in place, but we need to really improve it and work on it. So, let's check what kind of identity models are available on the market. At first, very traditional cell identity, you know, SSL, base TLS SSL. This is, you can see it, case number one. So, when you send some information, confirmation, confirmation, and it's directly confirmed by organization. So, then there is a second type of identity confirmation. It's a third party, and we all can see it's in place, in play, when, for instance, like you are trying to register yourself on some website, it's offering you, like, using Facebook identity or your Google identity. So, this is all, and again, all the information is stored in those storages of those providers. Of course, there is a deficiency here, because we cannot control our identity. Now it's all controlled by third parties. And it's not necessarily evil, by the way, because it's just a convenience for right now. So, but we need to evolve those methods. And very important protocol X.509, it's in place, heavily used in IoT. A lot of money is already invested into support for that protocol in IoT. A lot of companies, they spend millions and millions of dollars for the infrastructure. And we will talk a little bit later about what does it mean. But if you think about overall, it's great. There is some infrastructure in place. However, this is a huge obstacle for moving forward with new methods for introducing new security and identity methods on the market. Why? 
Because a lot of money is already in place, invested, and when you are making new decisions, like moving to a new method, then it means always money will go to nowhere. And it means every person who made a decision to invest into this kind of infrastructure will be, I would not say exactly personally responsible. However, it's a career-related decision. So it means we are having more interesting obstacles for implementation of new methods. So the new method is an SSI, self-sovereign identity. Most of you are quite familiar with that. This is a new method, which we are trying to introduce in IoT. But in order to introduce it, we need to have main players being at first interested in new methods. There should be a reason why it should be introduced. And secondly, we need to get those companies on board so they will start pushing a new approach on the market. And that's quite a task. Now, let's talk about IoT in general, specifics of the security in IoT. So yes, there are several specifics. However, the main ones, of course, we need to make communication secure. That's pretty clear, very simple. But if you think about IoT, there is a lot of wireless communication involved here. And a lot of embedded devices. And this is a completely different world. And usually developers, people who are working on Hyperledger, blockchain and so on, they don't understand it exactly. Why? Because, well, here's a computer, you just design the code, and who cares how much memory it takes, how much resources, CPU and so on. Actually, people of course care, I'm simplifying it. However, not the way how embedded software engineers care, because here is every byte, every cycle CPU should be counted and every system should be strictly budgeted. So in that case, we have a quite a challenge. It means all the methods we are talking about, they have to be implemented strictly and focused towards embedded devices. Let's talk a little bit about 509.
And again, I don't want to kind of go over in details, because this is all public information. You can, there is no innovation here. We are talking about, I just want to make a reference. What exactly happening? And so 509 have been quite a traditional approach in IoT for digital identity for devices. And it's really, there are a lot of efforts to make 509 working for IoT devices. Some are okay for some ecosystems. Some are really not very successful. If you think like latest protocols coming to the market about IoT, if you are familiar, there is a new protocol, Matter, which will be released in December. That's a new protocol for IP-based devices. It can be based on like Ethernet, or it can be based on Thread. If you know Thread, it's a wireless communication protocol, kind of like a successor to 6LoWPAN. So 509 is really kind of a real base for these protocols. However, that classic approach doesn't allow us to move forward. There are some drawbacks and deficiencies in this protocol. For instance, as I talked about like footprint, footprint of devices, it's a really big deal. Why? Because when you are releasing a device, like I don't know, let's say motion sensor, that device can be released like 100 million devices. I'm just talking about scale. It means when you are adding more memory, the price is going up and overall the cost of that investment and solution is huge. So 509 has a lot of deficiencies here. Why? Because the key itself is very long and storing it on a device can be too expensive. This is the way how it works usually. So we are talking about here two personas, Alice and Bob. All the verification is going through the root authority, the root public certificate. By the way, just for reference, I'm not exactly a specialist in security. So I can answer some questions, but not all of them. So I'm just representing the topic. But I know a little bit more about IoT. So what's happening here, you can see, so it's always involved root.
And that's kind of a very critical point, because it brings, if root will be compromised, so if the implementation is not really strong, it means all the certificates for all the devices will be compromised. And the entire system, that's a huge security breach. So it means that approach, it still works, but in this case, we will have an issue. And 509 doesn't give us a lot of privacy. What does it mean? Because when we are sending all the information to verifier, we are basically sending all the information about device. And it's not good, actually, because you understand like there is some information not related to verification process at all. I can give you a real example of life. So I live in Colorado, but there are different states of the way how they handle your access to alcohol, for instance, in a bar. So you know how it's happening, the waiters, they check your ID. And they check ID, they can see your database. So they know exactly how old are you. And they can check, for instance, in some cases, social security number. There is some additional information, which is not exactly related to the case, because what waiters should be worried about, I'm over 21, right? But in some states, I don't want to name it, but in some states, even worse, they take your ID, they go into some room and sending that information to the state government. And this is the kind of demonstration that your information is leaked to some third party, and you have no control on this. So SSI idea, so to make privacy, confidentiality working more granularly, that's the idea. So that's, I was talking about already that case. So there are several more issues related to 509. I don't want to talk more, because definitely that solution has to be improved. And this is why we believe that SSI approach will give us a chance to improve it dramatically. So there are several issues, as I said. Non-selective disclosure, no authorization.
And besides that, I talked about overhead and single point of failure. So again. So let's talk about what SSI self-sovereign identity provides us and what kind of advantage will give us so we can improve security for devices. Not only for people, but overall for devices as well. We believe that SSI approach will help to create more robust and more reliable security. And help us to control identity of devices. Which is very important. And this is the way how it works. It's slightly different than in case of 509. But, well, there are some actually similarities. There is an article, very nice one. If you want to check the difference between 509 and SSI, I can give you a reference to that article, which explains like very much in details what is the essential difference. So what SSI provides? SSI provides security, of course, private, privacy, and verifiable relationship. So verifiable credentials. We all know, yes, there are some already examples of digital passwords, device certificates, access tokens, and bank accounts. So we are talking about what are the key terms for SSI. I'm just giving you time to read. I can read it for you. This is the way how the SSI verifiable credentials work. It's a workflow. On the left side you can see issuer. Issuer issuing a credential, which goes to holder. And holder, in our case, device. Or a person stores the data in their memory or their device. And there is a verifier. And then there is a decentralized network. It can be a blockchain for creating a story of some public information. By the way, it's not exactly... It can be not a blockchain at all. Some of the solutions can be used without blockchain. So it's not necessarily like blockchain is involved. Blockchain just helps to store that information publicly and being decentralized. Okay. Well, that slide showing like a magic of SSI. Of course, there are a lot of technical details here. Very important ones. This distinguishes a new approach against the previous ones. 
But this is kind of like overall a dream, I would say. So privacy, again, talking about privacy, it's a big deal. And SSI approach completely provides a mechanism so the way how our privacy and device privacy can be preserved. So here we have several actors, I would say Alice and Bob. And the way how Alice deals with shared information and presents it to Bob about banks and hospitals and police. It's very interesting. So that is the case. We have a demo. I will show you a little video. Actually, it's an actual IoT demo of the implementation the way how SSI could work for IoT. Well, you probably know there are several companies trying to implement SSI already for IoT, but again, there are a lot of obstacles here and like real good implementation, I mean true implementation, as we know, doesn't exist yet. Because we still need to work on a lot of technology side details. Repudiability, that's one of the issues here. And 509, for instance, always non-repudiable. So here we have a case and SSI completely solves it. And it's very important that SSI helps us to provide not all the information, provide the only information which is required for specific case. And 509, in this case, of course, will disclose everything, which is not even related to the case. There is an anonymous revocation mechanism. That's very important as well, part of the deal. And this is the way how the authorization is happening. By the way, that presentation will be available as part of all materials for a conference. So you can check it. Of course, you can ask questions or personally questions, happy to answer. So SSI actually provides delegation for authority. These are kind of like a regular case. If you think about, I know, I have a question for you. Who has like home automation at home? Like system. How many? Like a garage or a door, or you have it. Okay, several people. And you know, like if you are going for a vacation, sometimes, it depends on what kind of neighbors you have.
I have a very nice neighbor and I like him to open my garage and, you know, like swing the package I received under the garage door. But some of the systems now, they, like on the application level, allow in doing it. For instance, I can delegate some of the rights. But SSI actually helps in delegation quite a bit. It provides additional mechanism and security. For instance, you can say, okay, that person can access my home like five to six in the morning or, I don't know, during like two to three p.m. to fix some electrical issues and so on. Most important, zero knowledge IoT clouds. That is a big deal. Why? Because every IoT system stores a lot of data about us. Like when you come home, when you are leaving home, what is the temperature, how you are using electricity and all this kind of stuff. But SSI helps us to make all this data basically not personalized. So it means even if you will have access to the data, it will be difficult to connect to a specific person. That's very important. So it's zero knowledge IoT clouds. Here we are talking about distributed source of trust. So there is no single point of failure which is important. It means if the network will be compromised, it will be only kind of very much localized. And you can see one of the several approaches how it can be done. This is kind of more technical. So talking about compact revocation. So it can be done in very efficient way. Again, we are very much up to using SSI against 509. So we would like to push it. And by the way, if you are interested in exploring that approach, please talk to us. Happy to find partners and people who really or organizations who really like to have it deployed on the market. Now I will talk a little bit about Hyperledger Indy and Aries. Why? Because our company was one of the maintainers and contributors to Indy and to Aries. So overall this is very generic information and you might know that. So Indy is an independent identity basically.
This is open source software, which is an active project which is part of Hyperledger and Linux Foundation. Everyone can access it and download and contribute and so on. This is a state right now at Indy to the moment. There are several components which are written in Rust, Python, Node.js, .NET, but it's very interesting, like, can you use one of those components, like, for IoT? It's not applicable. Yes, you can use it like on a gateway, which is pretty powerful device can be. But on an actually like a very much restricted device, that's not possible. So it means we have to create additional software for a specific range of devices. And you know the challenges we are talking about are substantial. Let's talk about like what kind of devices we are dealing. Let's say there is a gateway. It can be like Linux or FreeRTOS, whatever it is, operating system, and there are a lot of resources to handle SSI. However, if you will move, like, to sensors, in that case you will have a challenge. Why? Because the devices are very much restricted. Not only on a like RAM size or ROM size. They are restricted on amount of energy, because if you will move like one step up or, depends on, down, let's talk about Green Power devices. If you are familiar with Green Power devices, these are really super restrictive devices. For instance, like when you are using, you can be using switch which is a, can be battery-less switch. It means what's happening, light switch, you are pushing the button and there is some mechanism which generates enough memory, enough energy for CPU to process like a certain very small amount of operations. And all the security certification verification should be able to fit into the usage of that amount of memory. So we are pretty challenging task and make it secure. We need to understand how far we want to go with that security approach. Well, some of you know Aries, so Aries I would say like not exactly new generation of Indy, it's a more decoupled architecture than Indy itself.
So DSR has been working on Aries as well. But besides, I want to tell you that DSR itself, we have been working Fabric and Ethereum, so we have been using a lot of components in our development, depends on customers, and so here we are talking specifically about Indy and Aries because the demo is based on Indy. Okay, so what is the difference between Indy and Aries? There are a lot of differences, but it's more like components. So it's more decoupled and less, I would say, not solid, I would say it. More flexible architecture than Indy. And again, the demo I'm going to show you, it's based on Indy, but here we have a comparison between Indy and Aries, so you can see the difference. Let's talk about IoT use cases for SSI. Okay. The main challenge for in IoT, when most of the security breaches is happening, this is the moment when we are commissioning device. It means that device has to provide security authentication to appear where it's connected to the network. So making sure if the device will be included into the network, it has to be secure. It's not a device which is not authorized, should not be connected. And that moment actually is a very important moment, because most of the breaches, if you see happening on the market, it's at the moment when the commissioning of the device is happening. By the way, I don't know if you try to connect, let's say, homecoming feature of your car, like opening the garage door. Actually I had an incident and I was commissioning the device and at the same time my neighbor opened the garage and my device got connected to his garage. That's really unacceptable. So it means that moment is very, I'll say, intimate and very important one. So addressing that device authentication, it's a very critical step. And this is the way how the SSI can help solving that. So this is a continuum of device authentication. There are some little details here.
Of course in real life, if we would implement it part of the standard, there are more details has to be worked out and a lot of, of course, review and security site, excuse me, have to be done. Well, now we are talking about the smart, the use case itself. So the idea is, so Alice, she wants to delegate access to her smart lock to the neighbor, this delegation basically, and to Bob, and this is the way how it can be done using SSI. And here is the case how revocation could happen in this case. And this use case, it's number 3, showing how to preserve privacy, not sharing a lot of information about private information with third party. So basically Alice, she wants to access a door and she has to be over 18 years old. Let's talk about like she wants to access a bar and she wants to get in, so she's just using her credential, and in that case the credential will send a message confirmation that she's over 18 but it will not specify how old is she. So that is really very important. So there are several more additional use cases. We have kind of listed here, you can see, but of course the number of use cases is huge in IoT, and if you are using at home IoT devices you need to think about your privacy quite a bit. There is, by the way, ioXt Alliance in the United States. That ioXt Alliance is working all about security, and one of the members actually did a check at his house where, interesting, he has many devices and he checked how much traffic is going out of his house, and he found out that the amount of traffic was huge, really. So yes, there is traffic incoming initiated by him, but the amount of traffic generated by some Wi-Fi router, actually had to turn it off because he didn't know what kind of information was translated to the net. So it means security is really a big deal and especially, so you need to be in control of your security.
This is a demo. By the way, a demo is available on the internet. You can download the presentation and there is a link to YouTube video. I will try to run that video here. Just a second. It's a very short one, basically couple minutes. OK, here we are.

This is a demo showcasing a blockchain IoT security use case using the ZigBee IoT stack. This process is widely applicable to security and hospitality applications and increases the efficiency and security of access control while also maintaining the total privacy of the user or guest. So let's walk through the process and a simple use case. First we have to start with credentials. Credentials are initially created by an authority such as a government. The credential in this example consists of basic information such as a name and birth date. Think of it as a license or passport. Upon issuance, this credential is signed by the authority using a key that is rooted on the blockchain. This allows us to use the blockchain as a source of trust later on for storing public information such as the issuer's public keys. Here you can see the initial credentials issuance process. Notice how fast and simple it is to create a new set of credentials and to create a secure connection between devices using a simple barcode. Then, in order to gain access to something, in this case our hotel mini bar, the prover connects to the gateway or verifier via a public key. The gateway then requests a proof from the prover, who sends back a zero-knowledge proof. For instance, the proof verifies that the person is old enough to access the mini bar but does not tell you their age. Here you can see the whole system. The small white box is the gateway. The black box is the lock we will be operating, and an indicator light bulb is on the left. First we create a connection between the prover and verifier. The prover gets a public key from the gateway and fulfills the proof request from the verifier. You can now see from our indicator light that the user's proof has been verified and the
box will unlock. In a situation such as our mini bar example, it is likely that we would want to grant repeat access to the user. You can see here that the user can use their existing credentials to unlock the mini bar without repeating the issuance process, just as you would with a real-world ID or passport. If the credential doesn't match the proof request, in this case if the user is too young, the app will generate no proof and the user will simply see an error message. It is important to remember that the zero-knowledge proof is not the same as the user's credential, and it does not disclose all of the information about the prover, but only the required information. In this case it's sufficient to prove that the user is old enough to access the mini bar, but their exact age, name and birthday will not be disclosed. This system allows for access control without interface between the prover and authority. The zero-knowledge proof can be verified by the verifier, in this case the mini bar, via the blockchain without direct communication with the issuer. The issuer or authority can even be offline and the verification will still work. This way the user can be granted secure access without ever disclosing any of their private information. Visit our website today and let us know how DSR can help you come up with a solution for your product or company.

Thank you. Just for your reference, what kind of tools you use here: you can see like 2 iPhones and there is a gateway. The gateway itself is on Raspberry Pi, so it means we had to implement SSI on Raspberry Pi, and we did, some of the implementation is done. DoorLock. It's a ZigBee DoorLock. We are using ZigBee protocol for this demo. Okay. Well, that's all. Actually. Thank you. Well, that's a link. Oops. No worries, it's all good. Teamwork. So that's a link from the presentation. Well, we have like 2 minutes left for questions, but you can ask me questions after the presentation itself. So again, my name is Anatoly Peshkov. I'm a CEO and founder for DSR
Corporation, company out of Colorado, Denver. Please talk to me if you have questions or ideas. Okay, thank you.