MUSAP – Multiple SSCDs using Unified Signature API Library Project
The MUSAP project aims to develop a new software interface called the Unified Signature Application Programming Interface (USAPI) Library. The interface provides a consistent and flexible way for applications to request low, substantial or high level-of-assurance (LoA) signatures, regardless of which Secure Signature Creation Device (SSCD) is used (key store, secure element or other security technology) or where the private key is located.
The primary objective of MUSAP is threefold:
- To develop an open-source API library that streamlines the integration of various Secure Signature Creation Devices (SSCDs) into smartphone applications, thereby facilitating the creation of robust authentication and signature solutions.
- MUSAP aims to seamlessly integrate with both centralized and decentralized identity management systems, allowing SSCD keys to function effectively in both environments. This approach empowers end-users to access services without being constrained by the specific identity management model in use.
- To support multiple certificates/credentials in one device. This reflects MUSAP's user-centric approach: end-users choose which SSCD holds their private keys, and can have identities at various levels of assurance in use at the same time.
MUSAP addresses both security and convenience, offering a resilient and adaptable implementation for end-user apps that require a high level of trust. MUSAP offers end-users ways to diversify their key storage and to use an existing SSCD from an already deployed Digital ID system, which avoids concentrating all keys in a single basket.
MUSAP Architecture
The MUSAP architecture supports both smartphone-based apps (local end-user app or eWallet) and web servers (remote web wallets). Smartphone support is defined in Module 1, the MUSAP library for smartphones, and web server support is defined in Module 2.
Module1: MUSAP Library
The MUSAP Library (Java/Swift) can be integrated into any Android or iOS app project.
Module2: MUSAP Link
The MUSAP Link Library (a servlet component) is delivered as a library that can be used with a Java-based web server.
MUSAP in NGI Trustchain OC1
Methics will create an open-source implementation that combines multiple SSCD technologies to form a common Signature Profile for the end-user and its device.
During OC1 of the NGI Trustchain project, four key stores will be enabled for the end-user with MUSAP: TEE (Android Keystore or iOS Secure Enclave), eUICC/UICC (Mobile ID), dongle (YubiKey via NFC) and eIDAS remote signing.
The MUSAP project has been developed from a user-centric perspective to let end-users choose which SSCD they trust more to generate and store their private keys. This will allow end-users to adopt new end-user apps such as the EDIW.
MUSAP offers end-users ways to diversify their key storage and to use an existing SSCD from an already deployed Digital ID system. We believe new identity systems should complement the existing state of the art, rather than completely replacing it.
MUSAP can be used for the following use cases:
- Sign any data format (X.509, VC, DID, etc)
- Provide multiple SSCDs for end-users to sign/auth
- Handle key management methods and operations
- Enable EDIW Type 1 and Type 2 config in one device for eIDAS2
MUSAP will provide a common set of definitions for a universal taxonomy to enable SSCD/key store/secure element interaction with identity wallets.
1. Sign any data format with MUSAP
MUSAP allows end-users to select their preferred SSCD and sign any data format with a SOG-IS agreed signing scheme and algorithm.
2. Provide multiple SSCDs for end-users
MUSAP allows end-users to select their preferred key store and sign any data type.
3. Provide Key Management
MUSAP handles operations related to key generation, storage and protection, and to managing and protecting identities and their associated data. MUSAP provides a set of cryptographic methods and operations (initial release in D2, final version in D4).
4. Enable both types of EDIW configs in one device
MUSAP can enable both configurations of the European Digital Identity Wallet (EDIW/EUDIW), i.e. Type 1 and Type 2, in one mobile device.
MUSAP enables the EUDIW to authenticate/sign at High and Substantial levels of assurance. Multiple security technologies (HSM+app, eUICC/UICC, YubiKey via NFC, phone key store) will be interfaced in OC1. More SSCDs (eID card, TEEs, etc.) can be added in future OCs.
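The SSCD selection and LoA policy described in the use cases above, as an added Java sketch. This is illustrative code, not MUSAP's own API: the Loa enum, Sscd interface, SoftwareSscd and UnifiedSigner names are assumptions, and the in-process EC key pair stands in for a real TEE, eUICC or dongle so the example runs without hardware.

```java
import java.security.*;
import java.util.*;
// Hypothetical unified signer (not MUSAP's API): the user picks the SSCD, the relying service sets the minimum LoA.
final class UnifiedSigner {
    private final Map<String, Sscd> sscds = new LinkedHashMap<>();
    void register(Sscd s) { sscds.put(s.name(), s); }
    byte[] sign(String chosen, Loa required, byte[] data) throws GeneralSecurityException {
        Sscd s = sscds.get(chosen);
        if (s == null) throw new IllegalArgumentException("unknown SSCD: " + chosen);
        if (s.loa().compareTo(required) < 0)      // refuse rather than silently downgrade the LoA
            throw new SecurityException(chosen + " is " + s.loa() + " but service requires " + required);
        return s.sign(data);
    }
    public static void main(String[] args) throws Exception {
        UnifiedSigner u = new UnifiedSigner();
        u.register(new SoftwareSscd("phone-keystore", Loa.SUBSTANTIAL));
        u.register(new SoftwareSscd("mobile-id", Loa.HIGH));
        byte[] doc = "constructed sample document".getBytes("UTF-8");   // constructed input
        byte[] sig = u.sign("phone-keystore", Loa.SUBSTANTIAL, doc);
        Signature v = Signature.getInstance("SHA256withECDSA");
        v.initVerify(u.sscds.get("phone-keystore").publicKey()); v.update(doc);
        System.out.println("substantial signature verifies: " + v.verify(sig));
        try { u.sign("phone-keystore", Loa.HIGH, doc); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
// Assumed LoA ordering: LOW < SUBSTANTIAL < HIGH (enum declaration order drives compareTo above).
enum Loa { LOW, SUBSTANTIAL, HIGH }
// Hypothetical SSCD contract: each key store reports the LoA its keys support and signs on request.
interface Sscd {
    String name();
    Loa loa();
    PublicKey publicKey();
    byte[] sign(byte[] data) throws GeneralSecurityException;
}
// Constructed stand-in for a phone key store; a real TEE, eUICC or dongle keeps the private key outside the app.
final class SoftwareSscd implements Sscd {
    private final String name; private final Loa loa; private final KeyPair kp;
    SoftwareSscd(String name, Loa loa) throws GeneralSecurityException {
        KeyPairGenerator g = KeyPairGenerator.getInstance("EC");
        g.initialize(256);                                    // P-256 curve
        this.kp = g.generateKeyPair(); this.name = name; this.loa = loa;
    }
    public String name() { return name; }
    public Loa loa() { return loa; }
    public PublicKey publicKey() { return kp.getPublic(); }
    public byte[] sign(byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withECDSA"); // ECDSA with SHA-256, a SOG-IS listed scheme
        s.initSign(kp.getPrivate()); s.update(data); return s.sign();
    }
}
```

Save as UnifiedSigner.java and run with `java UnifiedSigner.java` (Java 11 or later); the first call signs, the second is rejected because a Substantial key store cannot satisfy a High request.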
Deliverables related to MUSAP
MUSAP will have 4 deliverables as a part of NGI Trustchain requirements.
D1 shared with NGI team on 7th September 2023.
D2 shared with NGI team on 3rd November 2023.
D3 will be shared with NGI team on 26th January 2024.
D4 will be shared with NGI team on 15th March 2024.
The NGI-funded MUSAP is expected to have several positive impacts for NGI technologies, TRUSTCHAIN and digital identities once successfully implemented.
MUSAP Fact sheet
MUSAP fact sheet can be viewed Here.
MUSAP GitHub Repository
The MUSAP GitHub repository can be viewed Here.
MUSAP is an NGI TRUSTCHAIN funded project aiming to deliver an open-source Unified Signature API Library. The Methics team applied for and won a grant under the NGI TRUSTCHAIN Open Call 1 process. This project has received funding from the European Union's Horizon 2020 research and innovation program through the NGI TRUSTCHAIN program under cascade funding agreement No. 101093274.