This master thesis will cover a major part of Digidow's BS.
When a request from the \emph{Verifier} arrives, the system captures data from the biometric interface, wraps it and submits it to the \emph{personal agent}, where further processing is done.
Two essential questions arise while doing so.
First, the system has to identify the corresponding personal agent.
This thesis assumes that a personal agent is available for the corresponding user.
Second, and more important for this thesis, is the question of how the BS and the PA establish trust in each other.
A \emph{Trusted Platform Module} (TPM) can address this problem by establishing trust cryptographically.
Another question is how the system interacts with the attached sensors that acquire the sensitive data.
Figure \ref{fig:physview} shows an example scenario where three physical devices are involved to explain the tasks of the BS.
The Verifier sends a request to the BS containing the UID of the user to be verified, signed with the organization's private key.
The BS then acquires the required biometric data and locates the corresponding PA using the provided UID.
Although Verifier and BS are usually reachable within the local network, the PA is reachable only via a worldwide network that implements privacy features.
After establishing a connection, both BS and PA require a \emph{Trusted Platform Module} (TPM) to create a trusted environment on their own system.
The TPM ensures that the system is in a provable, well-defined state that can be demonstrated to external parties: it does not prevent modification of the software stack, but records it so that a modified state is detectable.
\emph{Direct Anonymous Attestation} (DAA) then allows a device to prove to its peer that it holds a genuine TPM without revealing which one.
Thus, BS and PA use DAA to verify each other and to establish trust between both devices.
Once a trusted environment has been established over the network, the acquired biometric data as well as the Verifier's public key information can be submitted to the PA.
\subsection{Practical Part}
One goal of this thesis is to set up a system which is \emph{trustworthy}.
This means that the whole software stack (firmware, boot loader, kernel, drivers, executed software, firmware of attached devices, \ldots) is measured into the system's TPM so that it can be verified.
This thesis aims to implement the features defined in the previous subsection.
It is therefore assumed that network discovery provides a function by which the BS obtains the corresponding PA for the provided UID.
The next step is to find a way to trust the yet unknown PA instance.
Again, the system's TPM can help here with a function called \emph{Direct Anonymous Attestation} (DAA).
Both BS and PA have to trust each other before the biometric data payload is submitted to the PA for further processing.
During this phase, privacy features should be implemented to prevent misuse of the user's sensitive data.
The \emph{Trusted Environment} for the BS, as shown in Figure \ref{fig:physview}, describes the process by which the TPM verifies the whole software stack (firmware, boot loader, kernel, drivers, executed software, firmware of attached devices, \ldots).
Furthermore, it should be possible to verify the attached biometric sensors.
This depends, however, on whether the sensor firmware and driver software can be extracted, verified and installed on the device.
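The measured software stack and the signed attestation that a peer checks, as an added example that is not part of this thesis or of Digidow's code base: a Go simulation in which the boot chain (firmware, boot loader, kernel, driver, service, sensor firmware) is measured into a single SHA-256 PCR, the attesting device signs the PCR together with a nonce supplied by the peer, and the peer verifies the signature and compares the PCR against a reference value. The component images, the nonce values and the ed25519 key used in place of the TPM attestation key are assumptions; DAA, which would additionally hide which TPM produced the signature, is not implemented here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Added example, not Digidow code. Assumptions: one SHA-256 PCR starting at
// all zeros, an ed25519 key standing in for the TPM attestation key, and
// constructed component images in place of real firmware/binaries.

// pcrExtend models TPM PCR extension: PCR' = SHA-256(PCR || SHA-256(component)).
func pcrExtend(pcr [32]byte, component []byte) [32]byte {
	d := sha256.Sum256(component)
	return sha256.Sum256(append(pcr[:], d[:]...))
}

// measureStack replays the boot chain in order; the final PCR depends on
// every component and on their order, so any change becomes visible.
func measureStack(components [][]byte) [32]byte {
	var pcr [32]byte
	for _, c := range components {
		pcr = pcrExtend(pcr, c)
	}
	return pcr
}

// Quote is what the attesting device (BS or PA) sends to its peer: the PCR
// value and a signature over (nonce || PCR). The peer-chosen nonce binds the
// quote to this exchange and prevents replay of an old, honest quote.
type Quote struct {
	PCR [32]byte
	Sig []byte
}

// quoteMessage builds the signed message with a domain tag and a
// length-prefixed nonce so that nonce and PCR bytes cannot be confused.
func quoteMessage(nonce []byte, pcr [32]byte) []byte {
	msg := []byte("TPM-QUOTE")
	var l [4]byte
	binary.BigEndian.PutUint32(l[:], uint32(len(nonce)))
	msg = append(msg, l[:]...)
	msg = append(msg, nonce...)
	return append(msg, pcr[:]...)
}

func makeQuote(ak ed25519.PrivateKey, pcr [32]byte, nonce []byte) Quote {
	return Quote{PCR: pcr, Sig: ed25519.Sign(ak, quoteMessage(nonce, pcr))}
}

// verifyQuote is the peer side: first the signature (genuine attestation
// key, fresh nonce), then the PCR against the reference measurement.
func verifyQuote(pub ed25519.PublicKey, q Quote, nonce []byte, golden [32]byte) error {
	if !ed25519.Verify(pub, quoteMessage(nonce, q.PCR), q.Sig) {
		return errors.New("quote signature invalid: wrong attestation key or stale nonce")
	}
	if q.PCR != golden {
		return errors.New("PCR mismatch: software stack differs from the reference")
	}
	return nil
}

// newAttestationKey stands in for TPM key creation (assumption: ed25519).
func newAttestationKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// referenceStack is a constructed boot chain in measurement order.
func referenceStack() [][]byte {
	return [][]byte{
		[]byte("firmware v1.2"),
		[]byte("bootloader 2.04"),
		[]byte("kernel 5.10"),
		[]byte("fingerprint driver 0.9"),
		[]byte("bs-service 1.0"),
		[]byte("sensor firmware 3.1"),
	}
}

// tamperedStack is the same chain with the driver altered in place.
func tamperedStack() [][]byte {
	s := referenceStack()
	s[3] = []byte("fingerprint driver 0.9 (patched)")
	return s
}

func main() {
	pub, priv := newAttestationKey()
	golden := measureStack(referenceStack())
	nonce := []byte("peer-nonce-0001")

	q := makeQuote(priv, golden, nonce)
	fmt.Println("reference PCR:", hex.EncodeToString(golden[:8])+"...")
	fmt.Println("good quote:", verifyQuote(pub, q, nonce, golden))
	fmt.Println("replayed quote:", verifyQuote(pub, q, []byte("peer-nonce-0002"), golden))
	qt := makeQuote(priv, measureStack(tamperedStack()), nonce)
	fmt.Println("tampered driver:", verifyQuote(pub, qt, nonce, golden))
}
```

The good quote verifies, the replayed quote fails on the signature because the peer's nonce changed, and the altered driver fails on the PCR comparison even though its quote is validly signed. A real TPM extends many PCRs and produces the quote inside the chip (TPM2\_Quote), so the private key never leaves the TPM; the structure of the check on the peer side is the same.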
Once this system is implemented, a demonstration platform should illustrate how it works.
Interfaces that are required but not yet available will be simulated in a way that allows demonstrating the function of the part implemented in this thesis.
The implementation and demonstration allow a discussion of the benefits and drawbacks of the implementation and a comparison with other possible implementations.
This thesis should cover and discuss the following questions:
\begin{itemize}
\item How can a BS find the corresponding PA?
\item How is trust implemented in the BS?
\item How is trust generated between PA and BS in both directions?
\item What can be done to protect the sensitive/biometric data within the system? Which risks are relevant for its protection?
\item What is necessary to protect sensitive data for submission over the network?