TrustGrid Architecture
This document outlines the software architecture for the SSI Wallet mobile application, Web Admin Portal, and supporting infrastructure built on Hyperledger Indy, Aries Framework JavaScript (afj), and leveraging Biometric Authentication.


Core Components:
1. User Devices (Edge Nodes):
· Users interact with the TrustGrid network through their mobile devices (Android/iOS) running the TrustGrid (SSI Wallet) App. The app provides secure storage for user credentials and facilitates interaction with the other components.
· Biometric authentication (fingerprint, facial recognition) is implemented on the mobile device for secure wallet access and specific interactions within the app.
2. Cloud Infrastructure (Azure):
· Our solution leverages Microsoft Azure cloud services for scalability, reliability, and managed security features. Key components within our Architecture include:
§ Load Balancer: Distributes incoming traffic across various backend services based on pre-defined rules, ensuring high availability and performance.
§ Private VNets: Securely isolate critical backend services within a dedicated virtual network segment.
§ Web App: The TrustGrid Admin Portal is a web application hosted on Azure App Service, providing a user interface for administrators to manage the SSI ecosystem (e.g., Internal user management, Onboarding Issuers & Verifiers, credential issuance configuration).
§ Mobile App Backend: Backend services for the mobile wallet application are hosted within Azure App Service or Azure Functions. These services handle user authentication, secure storage of user data (excluding private keys), communication with other components, and business logic functionalities.
§ API Gateway: Provides a single entry point for external applications and services to interact with the backend APIs in a secure and controlled manner.
§ Kubernetes Clusters (Optional): For advanced deployment management and scaling needs, container orchestration with Kubernetes clusters running on Azure Kubernetes Service (AKS) can be implemented.
3. Hyperledger Indy Network (Off-chain):
· A Hyperledger Indy network serves as the decentralized identity ledger for our solution. It manages the issuance and revocation of credentials while ensuring user privacy.
· Private keys are never stored in the cloud or in ordinary app storage on user devices. They are held within a Secure Enclave (TEE) on the user's device, or in Hardware Security Modules (HSMs) for server-side keys, for enhanced protection.
4. DIDComm Messaging:
· afj facilitates secure and interoperable communication between different actors within the SSI ecosystem using DIDComm messaging protocols. This ensures the confidentiality and integrity of data exchanged between the mobile app, web portal, and other SSI agents.
5. CI/CD Pipeline:
· A continuous integration and continuous delivery (CI/CD) pipeline automates the software development lifecycle. It integrates code changes, performs automated testing, and deploys new versions of the mobile app, web portal, and backend services to production environments efficiently.
6. Database:
· A secure database service within Azure (e.g., Azure SQL Database) can be used to store non-sensitive user data like profiles, preferences, and application configuration information.
Security Considerations:
· Data Encryption: All sensitive data, including user credentials (excluding private keys) and verifiable credentials (VCs), is encrypted at rest and in transit using industry-standard encryption algorithms.
· Identity and Access Management (IAM): Azure Active Directory or a similar IAM solution is used to manage user access and authorization for both the mobile app and web portal functionalities.
· API Security: API Gateway enforces access control policies and validates requests before forwarding them to backend services, minimizing unauthorized access risks.
· Regular Security Audits: Penetration testing and vulnerability assessments are conducted regularly to identify and address potential security weaknesses in the system.
This software architecture leverages a combination of secure cloud infrastructure, Hyperledger Indy for decentralized identity management, afj for interoperable communication, and Biometric Authentication to create a robust and user-friendly SSI solution. The focus on data encryption, secure coding practices, and regular security evaluations ensures a high level of security for user data and privacy within the ecosystem.

Building upon the core components outlined in the software architecture document, let's delve deeper into the functionalities of the microservices and other crucial elements:
Microservices:
1. Connection Service:
· Responsible for managing secure connections between the mobile app, web portal, and other actors within the SSI ecosystem.
· Utilizes DIDComm protocols (via afj) to establish encrypted communication channels and ensure data integrity.
2. Issuance Service:
· Handles the process of issuing Verifiable Credentials (VCs) to users.
· Interacts with the Hyperledger Indy (TrustGrid) network to create and distribute VCs based on issuer policies and user requests.
· Integrates with the Organization Service to verify issuer identity and authorization.
3. Revocation Service (Optional):
· Maintains a registry of revoked VCs.
· Allows issuers to invalidate compromised or outdated credentials, preventing their misuse within the ecosystem.
· Verifies revocation status during the VC verification process.
4. Biometric Scan Service (Mobile App):
· Responsible for capturing and processing biometric data (fingerprint, facial scan) on the user's device.
· Utilizes secure libraries and hardware features (TEE) to ensure the privacy and integrity of biometric data.
· Authenticates users for access to the mobile wallet and authorizes specific actions requiring high security.
5. Organization Service:
· Manages information about organizations participating in the SSI ecosystem.
· Stores issuer public keys and credentials necessary for verification.
· Can be integrated with external directories or KYC/AML services for issuer onboarding and validation.
6. Verification Service:
· Enables verifiers to confirm the authenticity and validity of presented VCs.
· Interacts with the Hyperledger Indy network to validate VC issuers and check revocation status.
· Uses AnonCreds zero-knowledge proofs (via afj) so that a holder can prove specific claims without revealing the other data contained in the VC.
7. Backup & Recovery Service:
· Provides mechanisms for users to back up and recover their non-sensitive data (e.g., profiles, preferences) in case of device loss or malfunction.
· Secure storage options like Azure Blob Storage can be leveraged for backups.
Additional Components:
8. Mediator (Optional):
· Acts as an intermediary between the mobile app/web portal and other services, potentially offloading processing tasks and improving scalability.
9. AFJ Agent (Cloud & Mobile):
· Software libraries implementing afj functionalities for secure communication and interoperability.
§ The cloud agent resides within the backend services, enabling communication with other SSI agents.
§ The mobile agent is integrated within the mobile app, facilitating secure interactions with the SSI ecosystem.
10. Agent Service (Optional):
· A broader term encompassing various SSI agents within the ecosystem. These agents could represent issuers, verifiers, or other entities interacting through established protocols.
11. TrustGrid (Hyperledger Indy) Ledger:
· The off-chain distributed ledger for managing user identities and credentials.
· Stores cryptographic keys and credential revocation information in a secure and verifiable manner.
12. IPFS (Optional):
· InterPlanetary File System (IPFS) can be used for decentralized storage of non-sensitive data associated with VCs (e.g., document proofs).
· This can improve data availability and redundancy while potentially reducing reliance on centralized storage providers.
These microservices and components work together to deliver a secure, scalable, and user-friendly SSI solution. By leveraging strong cryptography, secure communication protocols, and privacy-preserving techniques, the architecture empowers users with control over their identities and facilitates trusted interactions within the decentralized identity landscape.