Offline Authorization for Critical Infrastructure.
P3KI Core is an identity agnostic and transport agnostic delegation framework.
P3KI Core is the perfect solution to delegate permissions in a controlled and accurate fashion, especially when you cannot foresee who is going to talk to whom, about what, and when, well enough to use simple access control lists.
All authorization decisions are decidable between just the two parties interacting. No active third parties or brokers are required, which allows this interaction to be performed entirely offline if needed.
P3KI Core has been a long time coming: based on research that began in 2006, two best-of-class diploma theses, and under active development since 2014 by a growing consortium of companies with a headcount crossing thirty.
P3KI Core is the brainchild of the internationally renowned hacker Felix 'FX' Lindner and strongly informed by decades of experience doing cyber security consulting for large multi-nationals from the automotive to telecoms sector.
1999: RFC 2693
SDSI/SPKI was way ahead of its time and was soon forgotten outside academia.
Despite not being aware of SDSI/SPKI during initial development of P3KI Core, we've arrived at many of the same conclusions.
P3KI Core, while not exactly SDSI/SPKI, shares a lot of its spirit.
2006: ISO 20828
The automotive industry foresaw the need for distributed PKI to address increasingly complex maintenance scenarios as well as vehicle-to-X communication security. The standard itself is heavily influenced by the established tools available at the time (X.509) and several important technical details are noted as outside the scope of the standard.
Nevertheless, ISO 20828 was instrumental in seeding the idea that would later become P3KI Core. Today P3KI Core goes far beyond what ISO 20828 envisioned and solves all its requirements with ease.
2012: Diploma Thesis
Gregor Kopf, in his diploma thesis, laid the foundation for what would become P3KI two years later. He outlined a distributed, peer-to-peer based, highly flexible alternative PKI approach and wrote the first prototype implementation while working for Recurity Labs.
2015: Inverted PGP Web-of-Trust
As a first proof-of-concept we've shown an alternative approach to how PGP does verification of key material.
PGP lets you verify that you trust someone that trusts someone that trusts a given key to be legitimate.
However, since you already have a usable key in hand and attesting someone's key at key signing events did not quite scale, this step is rarely taken.
Our prototype turned this around by doing a forward-search of the web-of-trust until it found a trusted key that was directly usable or none at all, making key verification way more robust.
2016: Autonomous Parking & Driving
With this proof of concept for a large automotive we've outlined the applicability of P3KI to vehicle-to-X scenarios, namely autonomous parking and driving. For this we've developed a table-top demonstrator based on small mobile computers wirelessly communicating with each other.
2017: Reimplementation in Rust
Due to customer demand for an embedded implementation of P3KI Core, we've decided to move away from Java. After much deliberation we've settled on Rust at a time when MISRA-C and C++ were still state of the art.
With this proof of concept we are able to show that it's possible to use P3KI Core to digitize personal certificates, like attestations for having successfully passed a professional welding test.
The resulting system is straightforward to use, protects your privacy, and fully supports offline verification for scenarios where you do not have internet connectivity at hand.
We analyze your requirements and existing solutions to identify how your systems can best benefit from P3KI Core with the least impact to your existing solutions.
We design a custom Policy Language that fits your requirements like a glove and document it in a way that makes integration a breeze for your developers.
We'll also take care of customizations you wish for to make P3KI Core match your system perfectly.
The easy part for your developers: add our library or service to your solution and follow the documentation step by step to add decentralized access delegation to your solution!
Any questions along the way? We're there for you!
We're committed to offering you first class service while your P3KI Core based solution is in the field. This includes access to our latest Solution Engineering Tools to help you operate your system more easily as they become available.
P3KI is the next generation of Public-Key Infrastructure (PKI).
We offer flexible and arbitrarily precise expression of permission levels with first-class support for mathematically proven delegation to solve authorization and authentication challenges.
Everything is verifiable even in offline scenarios, without requiring any central infrastructure.
P3KI's technology augments existing protocols and services and offers a solid base for new designs.
Offline-Capable & Decentralized
Our technology offers real decentralization, not the misleading "we're highly redundant" kind of distribution.
From the day the idea was born, we designed our solution to be 100% capable of operating without any kind of central infrastructure.
You can model systems comprised of decentralized, fully autonomous nodes that only communicate occasionally with a random selection of their peers.
A strongly decentralized system automatically has to be fault tolerant with regard to the availability of inter-node communication connections.
Split networks, nodes only occasionally able to communicate, and nodes without network connectivity are the norm in such scenarios.
P3KI's technology is designed to not only cope with these scenarios but excel at modeling them.
You can of course still model centralized systems if that's what you need.
Risk Manager's Best Friend
Access delegations between devices can be expressed with arbitrary, scenario specific expressions.
This means that access is delegated not wholesale but to exact specifications and requirements.
This has two added benefits:
Up front, risk management can determine the exact permission levels delegated between any arbitrary selection of devices and services, making the risk manager's job significantly easier and more precise.
Should a device get compromised, the worst that could happen is what the specific device was trusted with, which is usually just exactly what that specific device needed to do and nothing else.
Other solutions use generic or coarsely specified certificates that lead to higher threat impact.
P3KI's solution offers better up front risk management capabilities and also greatly reduced possibilities of lateral movement in cases of compromise.