Identity and Authorization Model

In many traditional systems, network access is granted first and refined later through authentication and authorization. A connection is established based on network location, and identity is used only after access already exists. This creates implicit trust at the network level and increases the surface area exposed before policy checks are applied.

Enigma reverses this order. Identity is verified first, authorization is evaluated next, and network access is created only if those checks succeed. Connectivity does not exist by default and is not tied to location. Network access is established only when it is explicitly permitted, reducing unnecessary exposure and removing assumptions based on network position.

Identity-scoped access prevents visibility and lateral movement.

TRADITIONAL:
  Network Access → Authentication → Authorization

ENIGMA:
  Authentication → Authorization → Network Access
  (prove identity) → (check policy) → (only then, connect)

J1 defines how a user is admitted into the network and issued a constrained, time-bound identity. The protocol covers initial identity verification, enrollment token issuance, and on-device key generation, establishing the cryptographic basis for authenticated access. Because this step anchors all subsequent trust and routing decisions, compromise at this layer would enable impersonation, interception, or unauthorized access, making it one of the system’s highest-risk entry points.

// J1: USER ENROLLMENT PROTOCOL

// Phase A: Enrollment Token Acquisition
function requestEnrollment(user, enrollmentService):
    claim = user.createIdentityClaim()
    proof = user.proveIdentity()  // External verification

    // Service validates with Controller
    approved = controller.validateClaim(claim, proof)

    if approved:
        token = JWT.create({
            sub: hash(claim),
            iss: enrollmentService.id,
            aud: "ravid_network",
            exp: now() + TOKEN_VALIDITY,
            epoch: currentEpoch,
            constraints: {
                allowed_services: ["service_a", "service_b"],
                max_sessions: 3
            },
            nonce: randomBytes(32)
        })
        return token.signWith(enrollmentService.privateKey)

// Phase B: Key Generation (on user device)
function generateIdentityKeys():
    sk_user = secureRandom(32)           // Private key (secure enclave)
    pk_user = Ed25519.publicKey(sk_user) // Public key

    csr = createCSR({
        subject: identityClaim,
        publicKey: pk_user,
        extensions: {
            keyUsage: ["digital_signature", "key_encipherment"],
            epochBound: currentEpoch,
            tokenHash: hash(enrollmentToken)
        }
    })

    return signCSR(csr, sk_user)

// Phase C: Certificate Issuance
function issueCertificate(enrollmentToken, signedCSR, edgeRouter):
    // Validation checks
    assert verifyTokenSignature(enrollmentToken)
    assert tokenNotExpired(enrollmentToken)
    assert tokenNotRevoked(enrollmentToken)
    assert verifyCSRSignature(signedCSR)
    assert epochIsCurrent(signedCSR.epochBound)

    // Issue X.509 certificate
    cert = CA.issueCertificate({
        version: 3,
        serialNumber: generateUnique128Bit(),
        issuer: "CN=RAVID Intermediate CA, O=Enigma",
        subject: "CN=<identity_id>, O=Enigma Users",
        publicKey: signedCSR.publicKey,
        validity: {notBefore: now(), notAfter: now() + CERT_VALIDITY},
        extensions: {
            subjectAltName: "URI:enigma:identity:<id>",
            ravidEpochBound: currentEpoch,
            ravidServiceBindings: allowedServices,
            crlDistributionPoints: revocationEndpoint
        }
    })

    return CA.sign(cert)

// Phase D: Authenticated Session (mTLS)
function establishSession(userCert, edgeRouter):
    // Full mutual TLS handshake
    clientHello = {versions, cipherSuites, keyShare}
    serverHello = edgeRouter.respond(clientHello)

    // Both sides present certificates
    user.presentCertificate(userCert)
    edgeRouter.presentCertificate(routerCert)

    // Derive session keys
    sharedSecret = ECDH(user.ephemeralKey, router.ephemeralKey)
    sessionKeys = HKDF(sharedSecret, user.pk, router.pk)

    return EncryptedSession(sessionKeys)

PreviousData Tunnels NextTrust Model

Last updated 12 days ago