Integrators

Integrate AxiomaticId in your systems

Integrators of AxiomaticId can find all the information they need here.

AxiomaticId is a set of open source applications developed in C#, specifically designed for mobile devices (like PDAs), which work on any system with DotNet (at least version 2.0, which you can download from Microsoft).

AxiomaticId works on Mono (at least version 1.1.18, which you can download from Mono); tests have been performed only on the Windows port of Mono. This means that AxiomaticId can be used in applications running on operating systems other than Windows (like: BSD, Linux, MacOsX, and all the other Mono ports).

Note that Mono doesn't support the graphical user interface from DotNet. Mono also doesn't support the DotNet Compact Framework, so in order to use AxiomaticId on Mono you need to redirect the referenced "System.Xml" assembly to the full framework assembly (or compile all AxiomaticId projects for the full framework).

AxiomaticId is designed to handle most of the work required to implement an action processing service compatible with AxiomaticId. Of course, action processing services still need to develop the code which processes AxiomaticId documents inside their system, but that is all they need to do. They don't need, for instance, to implement a user interface (or rather, they need to implement only a minimal user interface, one which would simply display messages to the user).

Integrating AxiomaticId is necessary only for automated services, like currency operators. However, merchants could either integrate automatic verification of the AxiomaticId documents they receive, or they could have employees who manually perform the verification (using AxiomaticIdManager). In fact, having employees could be better because there might be some need for special interpretation of the data sent by customers (in AxiomaticId documents).



Why open source?

It's a business model.

AxiomaticId is open source because we, the AxiomaticId Entity, want clients to trust (by analyzing the source code) that AxiomaticId does what we say; we want clients to be able to change the source code so that it does what they want; and we want programming and cryptography experts to analyze it for weaknesses.

For us, open source is the business model which can bring the highest reputation to AxiomaticId. As its reputation and usage increase, so does the profit that it earns for us and for our clients. Profit is not necessarily measured in money, but for certain in reach, reputation and in the strength and freedom it gives to people who want to fight for their Life, Liberty and Property.

If you want to share your ideas with the AxiomaticId Entity, in the hope that they will be integrated into AxiomaticId, please consider that the core must be simple enough for the developers to maintain a high level of reliability of the source code. Also consider deriving from the existing code for any specialization you may need, instead of trying to push specializations into AxiomaticId.



Typical integration

For an online service provider, a typical integration of AxiomaticId consists of a library which executes (in the database) the actions requested by the service's users.

The service uses a direct socket connection and therefore needs neither ASP.Net nor IIS. It also runs on the DotNet Compact Framework, meaning that it runs on PDAs (although the user interface doesn't).

For details, see the source code of AxiomaticId.



Protection against attacks

Processing asymmetrically signed and encrypted documents is a very slow operation. This fact exposes an AxiomaticId service provider to potential attacks in which someone floods the service with many requests for document processing.

Using an automated process, an attacker could effectively shut down the service provider's ability to process the documents of legitimate users.

There are two main types of attacks which can be launched against an AxiomaticId service:

  • DDOS.

  • Sending the same document repeatedly.

AxiomaticId reduces the effects of DDOS attacks by letting service providers specify a list of processing (or traffic redirecting) URIs in the service descriptor. The effects could even be eliminated if the attack is not against all processing URIs. Of course, this requires the URIs to point to different physical servers.

An attacker could repeatedly and quickly send to the service provider a document which was properly signed and encrypted. To protect against this type of attack, an IP filter has to be used to reject requests when too many arrive from the same source within a given time frame.
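One way to implement the IP filter described above, with a cheap digest check for the re-sent-document case layered on top of it (example code added here, not part of AxiomaticId; the class, the limit and window values and the use of SHA-256 as the cheap digest are assumptions):

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added example, not AxiomaticId code: a per-address sliding-window filter
// applied before the (slow) asymmetric verification and decryption of a
// document. The limit and window are assumed values to be tuned per service.
public sealed class RequestFilter
{
    private readonly int maxPerWindow;
    private readonly TimeSpan window;
    // Timestamps of accepted requests, per client address.
    private readonly Dictionary<string, Queue<DateTime>> history =
        new Dictionary<string, Queue<DateTime>>();
    // SHA-256 of each document accepted inside the window, so an exact
    // re-send of an already processed document is dropped cheaply.
    private readonly Dictionary<string, DateTime> seenDigests =
        new Dictionary<string, DateTime>();
    private readonly object sync = new object();

    public RequestFilter(int maxPerWindow, TimeSpan window)
    {
        this.maxPerWindow = maxPerWindow;
        this.window = window;
    }

    // True: hand the document to the cryptographic processing.
    // False: reject it now, without touching any asymmetric key.
    public bool Allow(string clientAddress, byte[] document, DateTime now)
    {
        lock (sync)
        {
            Queue<DateTime> times;
            if (!history.TryGetValue(clientAddress, out times))
                history[clientAddress] = times = new Queue<DateTime>();
            // Forget requests that have left the window.
            while (times.Count > 0 && now - times.Peek() > window)
                times.Dequeue();
            if (times.Count >= maxPerWindow)
                return false;                 // too many from this address
            times.Enqueue(now);
            string digest;
            using (SHA256 sha = SHA256.Create())
                digest = Convert.ToBase64String(sha.ComputeHash(document));
            DateTime lastSeen;
            if (seenDigests.TryGetValue(digest, out lastSeen) && now - lastSeen <= window)
                return false;                 // identical document re-sent
            seenDigests[digest] = now;        // expire old digests periodically
            return true;
        }
    }
}
```

A legitimate client that retries after a timeout re-sends the same bytes, so keep the replay window short and answer a rejected replay with a reply the client can tell apart from a processing failure.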



Documents

The AxiomaticId documents are in XML format.

Here are a few examples of AxiomaticId documents:

The documents which contain encrypted data (the account identity document, the action request, the asymmetrically encrypted document) also contain the unencrypted data so that you could see what is actually stored.



Performance

Here are the results of the tests for cryptographic operations. The asymmetric operations use key blinding.

The cryptographic algorithms are also open source, adapted from Mono (and from Classless for some hashes). They are written in C#.

The XML serializer (both serialization and deserialization) is custom made, using reflection. Compared to the DotNet serializer, this is more secure because it doesn't use any temporary files. Also, for signing operations, it guarantees the same serialization output, regardless of the platform it runs on.

All tests have been performed with the GUI edition of the AxiomaticIdTester on a computer with a 2.2 GHz Intel Mobile Core 2 Duo processor, on Windows Vista (with real-time antivirus).

Legend:

  • MB = megabyte.

  • s = seconds.

  • ms = milliseconds.


The tests with results expressed in seconds (instead of bytes / second) are measured on real-life operations, not computed from theoretical values.

For instance, the verification of a signature includes:

  • The loading of the verified document from a byte array.

  • The serialization of the data to be verified. The data has to be serialized in order to create the same data buffer as the one which was used during signing.

Mono is expectedly slower than DotNet, about 2 times, except for the deserializer which is about 6 times slower (probably due to the unoptimized XML reader).

Values:

  • Sha256 generation: 48 MB / s.

  • Ripe256 generation: 53 MB / s.

  • Sha512 generation: 23.5 MB / s.

  • Whirlpool512 generation: 7 MB / s.

  • Rijndael256-256 encryption: 25 MB / s.

  • Signature generation for a 2048 bits key pair: 45 ms.

  • Signature verification for a 2048 bits key pair (the signature of a presentation identity): 3.2 ms.

  • Passphrase blender performance: 1.6 s. On a computer with a 1.33 GHz AMD Athlon processor, on Windows XP, the value was 2.6 s.

  • Database summary document speed (for 1'000 document references): 0.7 s.

  • Generation of an identity with two 2048 bits key pairs (batch of 50 identities), 6 rounds for the Miller-Rabin test: 3.4 s (but individually it varies wildly, even 3 times more).

  • Generation of an identity with two 4096 bits key pairs (batch of 50 identities), 4 rounds for the Miller-Rabin test: 41 s (but individually it varies wildly, even 3 times more).

  • Transaction duration, 2048 bits keys (using the service endurance test): 0.44 s. This time doesn't include the service database access (which could be significant if there are many service accounts), but does include round-trip processing. The network communication is local. The data is encrypted and signed in all relevant ways.

  • Service endurance (batch test): 15'000 transactions. This test is meant to show any weaknesses in the programming techniques used, memory or resource retention or leaks, problems which may arise due to the use of random numbers, etc. The test indicated no weaknesses. The previous test had 8.5 million cycles (and was stopped by external causes), but significant changes were made to AxiomaticId since then.

See AxiomaticIdTester for a testing tool.



Source code

The source code of AxiomaticId is released under a Common Sense License. See the license terms for details.

The source code for AxiomaticId can be downloaded from here.



The AxiomaticId libraries can be used (independently) on both WindowsForms and ASP.Net, and for both the full and compact DotNet frameworks.

The source code for AxiomaticId is published as open source. The code is heavily documented, but given the nature of applied cryptography, you should try to understand the inner workings only if you have significant cryptographic experience. For examples see the source code of AxiomaticIdTester, from which you can understand the functionality of the core documents.

However, here are a few notes:

  • AxiomaticId could change significantly until it is released to the public. Therefore, DO NOT base important operations on it; use it only for testing.

  • Although the content of the documents is separated from the serializer, the serializer itself is bound to XML, so if you want to serialize the documents to another format you have to implement the entire serializer.



Testing the service

You can test the payment service which is part of AxiomaticId. This service was designed to be as scalable as the underlying database engine. Moreover, the service can run distributed across different geographical locations, if the underlying database engine supports distributed transactions.

You must have installed on your computer:

  • AxiomaticIdTester. Download AxiomaticIdTester

  • AxiomaticIdService. Download AxiomaticIdService

  • This step is not necessary for now. MS SQL Server 2005. You can use the Express edition.

  • This step is not necessary for now. Create a database named "AxiomaticIdPaymentService". Create a SQL Server login and database user named "AxiomaticId" with the password "opensesame". If you have the source code, you can execute the "AxiomaticIdServices \ AxiomaticIdPaymentService \ DatabaseScripts \ MsSql.sql" SQL script.

Here is what you have to do in order to test the service:

  • Start AxiomaticIdTester.

  • To modify the database connection string, click the "Work \ Create settings" menu and close the application. Edit the "AxiomaticIdTesterOps.aist" file and modify the "ConnectionString" setting. Start the application again.

  • Click the "Do all test" menu.

  • Wait until a message box says that all tests have been performed.

  • Select the following files from the "AxiomaticIdTester \ Documents" directory: "saoi_alice.aid", "saoi_bob.aid", "sasi_alice.aid", "sasi_bob.aid".

  • Copy the selected files into the "AxiomaticIdPaymentService \ DatabaseDocuments" directory. This directory is used as a temporary solution, until the service works with a database.

  • Start AxiomaticIdService.

  • Click the "Import service initializer" button. In the dialog which is opened, navigate to the "AxiomaticIdTester \ Documents \ service_initializer.aid" file and double-click it. Now the service is started.

  • From the "AxiomaticIdTester", double-click the "Service endurance" test. This will start an infinite test of the service, simulating the interaction between a user and the service. Note that the first time you try this you might get a timeout error because various lengthy operations must be executed by the operating system (like starting the database engine service).



AxiomaticIdTester

Version 1.7 released on 05.09.2007, size 490 KB.

There are no special requirements to run the program. To install the program, just run the downloaded file.

Download AxiomaticIdTester

The source code for AxiomaticIdTester can be downloaded from here.

AxiomaticIdTester is a tool designed for testing the AxiomaticId documents (for correctness and performance).

First public release of AxiomaticIdTester: version 1 on 11 March 2006.



ColorChanger

Version 1.1.1 released on 11.07.2006, size 70 KB. It works on any Windows system with DotNet2 (which you can download from Microsoft).

There are no special requirements to run the program. The program has no installer, it's just the executable file.

Download ColorChanger

ColorChanger is a tool designed for creating new color schemes for AxiomaticIdManager. However, ColorChanger is not technically limited to this.

Basically, you paste into the program the picture whose colors you want to change, you click a pixel to select a color, and finally you pick a new color to replace the selected color. It works in a similar way to the fill function of picture editors.

The power of ColorChanger comes from the fact that you can see the color changes in real-time because you can simply drag the mouse over the color picker and immediately see the changes in the picture.

First public release of ColorChanger: version 1 on 09 March 2006.

Copyright by George Hara