AACIM - A proposed universal layer of the Internet, protecting authentication, access control and identity management
Nowadays, it is common for authentication, access control and identity management to be implemented differently in different systems. They are often part of the application logic of the target systems; sometimes authentication is delegated (federation). This is complicated, expensive and not very secure. It is complicated for system creators, for their operators and, last but not least, for users.
It is advantageous for attackers, as it creates a large number of chances that they can exploit.
The Internet successfully uses a layered model based on open standards. Today, we take it for granted that target applications do not implement communication protocols (such as TCP/IP) or a security layer (such as TLS).
The new AACIM layer
The basic idea is to separate the handling of the authentication, access control and infrastructure functions of identity management within a specialized, universally applicable layer of the Internet.
How it could work
The target applications would not have any implementation of authentication or any basic access control. The target applications would be protected by an infrastructure that implements ZTA (Zero Trust Architecture – NIST) PEP (Policy Enforcement Point) functionality.
Technically, we can imagine it in such a way that, for example, the web server where the application runs, or the reverse proxy server in front of it, provides the PEP functionality: it authenticates the user, requests an access decision from the PDP (Policy Decision Point) and allows the application to be reached only by authenticated and authorized users. In doing so, it passes the result of user authentication to the application (e.g. in an HTTP header).
The PDP, i.e. the management of users, their identities and access rights, will also be part of the infrastructure, i.e. part of the AACIM layer. It will work with all PEPs in a given organization as well as with the authentication subsystem.
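The PEP/PDP flow described above, as an added illustration that is not part of this proposal or of any AACIM implementation: the PEP verifies the user's authentication token, asks a PDP for a decision, and only then forwards the request to the application with the identity in an HTTP header. The header name, the token format (a user name plus an HMAC from the authentication subsystem) and the policy table are all assumptions constructed for the example; the important detail is that the PEP drops any identity header the client itself supplied, so the application can trust the header only because it comes from the PEP.

```python
import hashlib
import hmac

# Shared secret between the authentication subsystem and the PEP (constructed for this example).
AUTH_KEY = b"example-pep-authentication-key"
# Header in which the PEP hands the authenticated identity to the application (assumed name).
IDENTITY_HEADER = "X-Authenticated-User"

def issue_token(user: str) -> str:
    """Stand-in for the authentication subsystem: returns 'user:mac'."""
    mac = hmac.new(AUTH_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{mac}"

def authenticate(token: str):
    """Verify a 'user:mac' token; returns the user id or None on failure."""
    try:
        user, mac = token.rsplit(":", 1)
    except ValueError:
        return None
    expected = hmac.new(AUTH_KEY, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(mac, expected) else None

# PDP policy: which path prefixes each user may reach (constructed sample policy).
POLICY = {"alice": ["/app/", "/admin/"], "bob": ["/app/"]}

def pdp_decide(user: str, path: str) -> bool:
    """Policy Decision Point: allow if the path is under a prefix granted to the user."""
    return any(path.startswith(prefix) for prefix in POLICY.get(user, []))

def pep(request: dict):
    """Policy Enforcement Point. request = {"path": str, "headers": dict}.
    Returns (status, forwarded_request) where forwarded_request is None when blocked."""
    # Never trust an identity header supplied by the client; only the PEP may set it.
    headers = {k: v for k, v in request["headers"].items()
               if k.lower() != IDENTITY_HEADER.lower()}
    auth = headers.pop("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    user = authenticate(token) if token else None
    if user is None:
        return 401, None                      # not authenticated
    if not pdp_decide(user, request["path"]):
        return 403, None                      # authenticated but not authorized
    headers[IDENTITY_HEADER] = user           # hand the verified identity to the application
    return 200, {"path": request["path"], "headers": headers}
```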
Users will use a new generation of web browsers that will be integrated with a universal authenticator (with EUDI Wallet functionality) and thus create the client part of the AACIM layer.
In the initial stages, the implementation of a new generation web browser can use an embedded browser, e.g. the open source Chromium Embedded Framework.
Collaborating systems (e.g. servers, IoT) will use automated authenticators similar to browser-integrated universal authenticators. These can be integrated, for example, with the client's TLS library.
The new generation of web browsers will automatically and safely take care of everything related to authentication, authorization and identity management for users.
The AACIM layer will also include the creation of universal triple-authenticated data channels, which will create a universal infrastructure for the secure transfer of any information needed to manage identities (especially identity proofing and information needed to manage access rights). We can think of this as a special user-bound VPN. This will meet the requirements for a strong 3D-authenticity.
The AACIM layer should include sophisticated security assurance in all areas, i.e.
strong mutual authentication,
privacy protection,
ensuring the availability of services (including redundancy of user authentication means),
crypto material management including key rotation,
ensuring the full life cycle including recovery from emergency situations,
long-term support sustainability (cryptographic agility), i.e. readiness for the future development of cryptography, including managing the impacts of quantum computers.
The AACIM layer should also enable the execution of authenticated transactions, even between three entities (as needed, for example, in electronic payments), and should create a technological basis for the management of electronic identification documents and the other functionalities expected from the EUDI Wallet.
It is also natural for the AACIM layer to manage cryptographic material for other purposes related to authentication and identity management such as data encryption and electronic signature.
The AACIM layer can perform authentication and authorization automatically, almost invisibly to the user. Today's commonly available ICT is so powerful that authentication and authorization can take less than 1 s and require the user to use nothing more than their personal device (laptop, smartphone, tablet).
Drawing inspiration from history
The history of the Internet can inspire us. The very essence of the Internet is an invisible automatic layer. Routing of datagrams over the network is arranged by routers and uses routing protocols (e.g. RIP, OSPF, BGP) for this.
In the early days of the Internet, each user had to configure the basic parameters of TCP/IP communication manually. Today, this is mostly handled by the DHCP protocol. An ordinary user does not care that his smartphone may change its IP address several times whilst the user moves locations. The Internet will arrange it automatically.
Let us also recall Europe's contribution in this area - HTML (CERN).
Reaping the benefits
A high-quality AACIM layer will significantly simplify application implementation and make it cheaper, while at the same time significantly increasing the security of applications and the protection of target assets. It can apply to the entire spectrum of applications, from e-government through healthcare, finance, business, industry and SMBs to social networks and peer-to-peer communication.
AACIM will also enable the implementation of eIDAS2 and thereby contribute to an overall increase in cyber security in the EU.
It will enable significantly simpler and more efficient management of access rights and their enforcement in accordance with the principles of ZTA.
It will reduce operational costs associated with handling authentication and authorization, e.g. costs associated with recovering forgotten passwords.
It will significantly simplify the life of users, including increasing productivity. The terms "login name" and "password" will become part of history.
For attackers, the AACIM layer will be a net loss. The spectrum of exploitable weaknesses, including the possibility of social engineering attacks, will be significantly reduced, and at the same time the resilience of the protection of target assets will be increased.