We’re excited to announce Anonyome Labs continues to innovate at the forefront of decentralized identity technology by releasing the Sudo Platform decentralized identity mobile wallet SDK. This SDK unites industry standard decentralized identity protocols with Sudo Platform’s modularity, reliability, and security. This article gives the detail, but in summary:
- Sudo Platform DI Wallet SDK is an implementation of Aries RFC 0050: Wallets.
- Sudo Platform DI Wallet SDK allows users to create and securely store cryptographic public key pairs and decentralized identifiers (DIDs), and securely store DI-related data such as DIDComm connections and verifiable credentials.
- Anonyome’s DI Wallet SDK sits alongside our other DI offerings, such as the Sudo Verifiable Credentials Issuer and Verifier services and the Sudo Platform Decentralized Identity Relay.
- The Sudo Platform DI Wallet SDK is available for iOS and Android.
Let’s dive into the technical detail about the Sudo Platform DI Wallet SDK.
Identity wallet approach is defined in Aries RFC 0050: Wallets
Aries RFC 0050: Wallets specifies identity wallets in the Hyperledger Indy ecosystem. This RFC defines several requirements for an identity wallet.
The RFC suggests that identity wallet should provide public interfaces for encryption and queries. Figure 1 displays this layer as “encryption, query (wallet core).” Implementations of these layers should guarantee proper encryption and secret (e.g. private cryptographic keys) handling, as well as query features for information it stores.
The RFC also states that stored items in identity wallets are records, which may be secrets or non-secrets (e.g. public keys and DIDs) and that there are certain extra restrictions on the handling of secrets. For example, private keys cannot be returned across the public interface.
DI wallets can be supplemented with pluggable storage to facilitate data persistence and querying. This pluggable storage may be implemented using a variety of databases, a file system, or any similar value store.1 All pluggable storage options will receive data that are already encrypted, so they do not need to perform any cryptographic operations.
Querying in identity wallets is achieved using tags. Each record in the wallet may be associated with a set of tags, where a tag is a name and value pair. These tags can be used to search using a set of pre-defined tag filters, such as whether the value equals or does not equal a value. Tag values may be encrypted, which limits the types of tag filter that can be applied. Tag filters comparing values, such as greater than and less than, cannot be applied to encrypted tag values. Therefore, it is a trade-off between security and the richness of queries available on the wallet data. The RFC also implies that the identifier and type of the record can also be used to query the records.
There are some specific encryption requirements for identity wallets. While wallets must be searchable, data patterns in encrypted data must be avoided. For example, repeated patterns for common prefixes and fragments should be avoided. Further, the wallet master key should be rotatable without the need to re-encrypt wallet contents. As a result of these requirements, the RFC specifies an encryption approach for record attributes, record values and wallet keys. This encryption approach is described here.
Identity wallets are not cryptocurrency wallets
While there are similarities between identity and cryptocurrency wallets, they are not identical. Both wallets are a storage mechanism for keys, but cryptocurrency wallets are often designed to hold only a small number of keys. Conversely, identity wallets are designed to hold verifiable credentials, DIDs, generic records, as well as cryptographic keys. This allows identity wallets to present proofs and establish connections, and facilitate other DI interactions.
Further, a custodial cryptocurrency wallet (e.g. Coinbase) is a common approach that bestows control over private keys to third parties. This is a violation of decentralized identity principles and is not used in identity wallets.
The Sudo Platform DI Wallet SDK is available for iOS and Android
Sudo Platform DI Wallet (SudoDIWallet) is packaged as iOS and Android SDKs. It is built on top of Hyperledger Aries Askar with Swift and Kotlin wrappers created using Mozilla’s UniFFI[1] tool, which automatically generates the necessary foreign function interfaces (FFI).
Aries Askar is written in the Rust programming language and allows for creating and deleting wallets, managing keys, and managing generic records. Aries Askar’s wallet implementation assists in various decentralized identity interactions such as establishing connections, DIDComm messaging, and receiving and presenting credentials.
To run this Rust library on mobile platforms, Aries Askar was compiled into mobile-ready binaries for iOS and Android. FFI layers were also generated in Swift and Kotlin using UniFFI. UniFFI is a cross-platform bindings generator for Rust. The stack of technologies can be seen in Figure 2.
Aries Askar provides secure storage and cryptographic operations for Aries agent wallets
Aries Askar is an open-source project in the Hyperledger Foundation providing secure storage and cryptographic operations for Aries agent wallets. Aries Askar is the underlying library upon which SudoDIWallet SDKs are built. Maturing quickly, Aries Askar has become the recommended wallet and storage solution for other larger projects such as Aries Cloud Agent Python (ACA-py V0.7.4+).
While Aries Askar is largely derived from Indy SDK—a large SDK for decentralized identity features—Aries Askar does not provide Indy domain-specific APIs, such as DID, pairwise and verifiable credential operations. This allows Aries Askar to provide a lower level of control over wallet items, resulting in faster performance. According to the 2022 Q2 Hyperledger Aries project health update, load testing found Aries Askar to be more stable than the Indy SDK over time. Aries Askar also performed twice as fast as the Indy SDK.[1]
Aries Askar offers key management functionality such as key generation and storage, encryption and signing. The project also provides Rust bindings for other required operations, such as non-secrets APIs, whereas Indy SDK does not. While Anonyome Labs considered alternative open source libraries such as Indy SDK, we found Aries Askar to be the most suitable for SudoDIWallet when considering performance and feature compatibility.
We used UniFFI as a Swift and Kotlin bindings generator
UniFFI is an open source toolkit created by Mozilla for generating cross-platform Rust components. Leveraging UniFFI, common components can be written in an underlying Rust layer and then wrapped to multiple platforms. For Sudo Platform, we wrapped Aries Askar in Swift and Kotlin wrappers.
Alternative options were to implement the core wallet functionality natively or to use Aries Framework JavaScript. Aries Framework JavaScript does not have a standalone wallet, but instead relies on Indy as its default. Native implementations in Swift and Kotlin would entail code duplication between platforms. This comes at the cost of extra maintenance and difficulty in guaranteeing interoperability. As such, we decided that generating wrappers over Aries Askar was the better alternative.
UniFFI is used in Mozilla’s application-services project, which provides browser storage and syncing functionality for mobile Firefox browsers.[2] Similarly, the core functionality is written in a common Rust layer, and UniFFI auto-generates the relevant bindings for Kotlin and Swift applications.
We will expand our wallet features
Identity wallets should allow users to export the contents of the wallet to another wallet, to prevent vendor lock-in. This means identity wallets need some level of interoperability with each other.
The RFC also states that wallets should have a backup and recovery feature, which allows a user to store their contents (e.g. to a cloud service) and restore them to a new device or multiple devices.
Both of these features are part of Anonyome Labs’ future roadmap for the Sudo Platform DI Wallet.
Sudo Platform lets you put privacy in your customers’ hands
Sudo Platform is the cloud platform for decentralized identity. Use our APIs to quickly build and deploy next-generation privacy, cybersafety and decentralized identity apps so your customers can communicate privately, navigate online safely, and transact securely in an increasingly connected world.
Sudo Platform combines a scalable identity foundation and menu of enterprise-ready APIs and SDKs, built for developers by developers. Quickly integrate our technology into your new or existing products. Create a custom solution or choose a pre-configured option.
[1] Aries RFC 0050: Wallets: https://github.com/hyperledger/aries-rfcs/tree/64e5e55c123b2efaf38f4b0911a71a1c40a7f29d/concepts/0050-wallets
[2] Mozilla UniFFI: https://mozilla.github.io/uniffi-rs/
[3] 2022 Q2 Hyperledger Aries: https://wiki.hyperledger.org/display/TSC/2022+Q2+Hyperledger+Aries
[4] UniFFI is a multi-language bindings generator for Rust:https://github.com/mozilla/uniffi-rs
