Oberon is the first product that supports limited-use access tokens enforced by cryptography and not a central database. Oberon single-use tokens are standalone and transferable without any server interaction making them perfect for granting exclusive access to your customers. For example, purchase one of the first run limited editions and receive an Oberon token authorizing the customer to send one private message to the creator. This is the digital equivalent of a "golden ticket".
Oberon tokens may also be limited to a fixed number of uses and can work as a digital loyalty punchcard that leverages Oberon's client-side multi-factor authentication, including biometric authentication by thumb print or face recognition.
Oberon supports distributed multi-party authorization control whereby multiple authorities must collaborate to grant authorization to a client. This creates extreme defense in depth and allows for authorization to take place offline and "air gapped" from the Internet. Because the verifiers only ever possess a public key, a compromise of a verifier never gives an attacker the ability to forge and authorization token. The cryptographically secure proofs of issuance and revocation creates a resilient forensics environment second to none.
Oberon offers application developers the ability to eliminate dependence on 3rd party "wallet" apps. Our simple API is designed to integrate directly into your existing app. Issuance is streamlined and our SDK utilizes all available client-side secrets management and biometric inputs. If the mobile device has a secure enclave the secrets will be stored there. If the mobile device supports fingerprint reading then authorization can be bound to the client's fingerprint.
Oberon along with our Credx library for credential description, proof requirements and ZKP presentation is a replacement for your existing self-sovereign identity solution. It also has the added benefit of more complex credential schema definitions and zero-knowledge proofs including verifiable encryption proofs and non-revocation proofs that use our scalable revocation system. We offer fully redactible signatures, private set intersection, and blinded accumulator updates all design to absolutely preserve the privacy of the credential holders from both issuers and verifiers. Also, by eliminating any blockchains from the critical path, our self-sovereign identity approach easily scales to billions of credentials issued and exchanged all without complex 3rd party wallets and less-than-steller user experiences.
Oberon supports both one-time use access tokens as well as capabilities based access control. It can function as a replacement for your existing OAuth 2.0 deployment and move your enterprise away from centralized/federated authorization to zero-trust architecture with no privileged servers or services.
Integrating the Oberon API requires just a few lines of code and our SDK is written in Rust by usable directly in PHP, Python, Nodejs, and others. Typically, integration can be done in less than a day.
OAuth 2.0 is a complicated protocol with a giant specification that was designed a decade ago for use in the Web 2.0 world with limited privacy protection and naïve assumptions about securitry. OAuth 2.0 typically requires databases of user authentication and authorization information including biometric data if you deploy biometrics. Centralized databases pose a huge security risk.
Oberon uses state-of-the-art cryptography to eliminate centralized databases and supports any kind of client-side multi-factor authentication—including biometric binding. Oberon uses zero-knowledge proofs to prove to your servers that the user is an authorized user without revealing any personal or private information. Authorized capabilities are managed using cryptographic set proofs that support revocation, cryptographically secure logging and auditability while scaling to the billions of authorized clients.
Self-sovereign identity is limited in its scalability and privacy preservation capabilities. Oberon supports a flexible claims framework for constructing complex zero-knowledge proofs. It also supports fully redactible signatures, private set intersection, and blinded revocation updates to eliminate leaking privacy sensitive data while supporting arbitrarily complex proofs, capability combinations, and revocation at the scale of billions of credentials.
Self-sovereign identity solution providers like to talk about "anoncreds". You can think of Oberon as being "anoncreds 2.0" because it fixes all of the problems and limitations in the current design and actually preserves the privacy of the clients while reducing the security risks to the server.
Oberon uses compact cryptographic accumulators for authorizing capabilities. These function as sets in the mathematical sense and do not grow in size with the number of authorized clients. Theoretically they can support any number of clients while requiring only a small, fixed amount of storage/memory. Revocation is as simple as removing a client from the accumulator. Doing so also creates a cryptographically secure paper trail for auditing (i.e. proof of revocation). Clients that wish to generate proofs of non-revocation use a blinded protocol to avoid leaking their identity to the issuer.
Oberon uses succinct and compact proofs typically on the order of a few hundred bytes making it possible to use Oberon in all computing environments from the deeply embedded up to enterprise applications. By eliminating a direct dependence on a blockchain to issue, verify, and revoke credentials, Oberon easily scales to billions of credentials.