We bring your products and services into the digital world
Spherity is building decentralized identity management solutions to power the 4th industrial revolution, bringing secure identities (“Digital Twins”) to machines, algorithms, and other non-human entities.
Spherity’s Digital Twins enable innovative customer journeys across mobility, supply chain transparency, risk assessment, audit trails for data analytics, and many more use cases.
Our developers and systems designers combine years of deep research in the emerging decentralized identity space with a wide range of cross-industry experience. They have built and refined complex, bespoke information systems for supply chain management, data-rich manufacturing, and next-generation data control.
We participate in key standards processes and community conferences to ensure full compliance and interoperability in the complex technological landscapes of decentralization and self-sovereign identity.
An SAP accelerator alumni
Spherity participated in the 12-weeks accelerator program of the SAP.io Foundry Berlin
Along with five other startups managing risk and compliance needs for large enterprises, Spherity participated in the 12-weeks “accelerator” program of the SAP.io Foundry Berlin,
After these 12 weeks, we truly want to say “THANK YOU, SAP.io!” The accelerator program enabled us to develop a lot of trusted relationships with people from throughout the organizational map of SAP. We were able to develop a very good understanding of how SAP works and how our solution could be integrated in the best way. SAP opened up to us deep insights into SAP’s cloud technology and its ecosystem of partnerships and interlocking business models. They further accelerated us with qualified introductions to SAP projects and clients.
More from SAP accelerator
Spherity’s Digital Identity Cloud Software Solution
Dr. Carsten Stöcker, CEO Spherity
SAP Demo Day at TechCrunch Disrupt
“In a thought through digitalization in which we want to raise the potential of blockchain technologies, it is not enough to network every “milk can” with 5G. In the Internet of Things (IoT) things must be clearly identifiable. Only in this way can trust be created, which is the basis of any contractual relationship. At the same time no isolated solutions may be created. This is where Spherity comes in, who has developed an application- and industry-spanning, scalable and secure software solution.”
Investment Manager at High-Tech Günderfonds (HTGF)
“We are pleased to support Spherity, a company that makes a significant contribution to the success of the Internet of Things with its solution. With its high talent concentration and proximity to research institutions such as the two universities and the Fraunhofer Institute, Dortmund offers optimal conditions for their further corporate development.”
Project Lead Venture Capital at SeedCapital Dortmund III
We Are Spherity
Dr. Carsten Stöcker
CEO & CTO
Dr. Michael Rüther
COO & CFO
Manager Marketing & Sales,
Manager Industry Solutions
Senior iOS Developer
Senior QA Engineer
Manager Business Development
Dr. Juan Caballero
SSI Researcher & Developer
May 28th, 2020
May 14th, 2020
April 28th, 2020
Rebooting the Web of Trust – June 29th, 2020
Rebooting the Web of Trust – January 1st, 2019
We make it simple to build applications with all the capabilities enabled by W3C-compliant and widely interoperable self-sovereign data management. These include:
- Privacy-preserving auditing
- Robust access control and authentication capabilities
- Granular privacy and enterprise-grade security
- Next generation verifiability of business transactions and legal identities
The name Spherity is a composite of "Sphere" and "Identity"
- The ability to bridge the digital, the physical and the biological spheres
- The ability to create secure and interoperable digital identities
Blockchain-based and other decentralized technologies offer reliable interoperability, trusted transactions, proof of authenticity, and full audit trailing. Even though blockchains and DLTs are state of the art in most of today's decentralization efforts in enterprise IT, Spherity relies on the principle of "Minimal Use of Blockchain," taking a cautious approach to privacy and immutable records. We are using blockchain more as an infrastructure component.
To be more concrete, Spherity's infrastructural usage of distributed ledger technology (DLT) such as Ethereum or Hyperlegder Indy / Sovrin consists primarily of the following features:
- Storing Decentralized Identifiers (DID) documents containing key rotation information, signing keys, and service end-points for public identities (i.e., issuers of verifiable credentials)
- Registries (e.g. Enterprise or Asset Register, Revocation Registry)
- Semantic templates, schemes (can also be stored off-chain locally or publically via IPFS or schema.org)
- We tend to keep Electronic signatures or Verifiable Credentials (VCs) off-chain, all things being equal, although every use case is unique. In combination with DIDs and VCs, we establish cryptographically verifiable audit trails via identity subjects, processes or events, using whichever combination of on-chain data, off-chain storage, private DLTs, and security logging are appropriate to the use-case.
- We mostly use W3C off-chain credentials to implement audit trails to comply with regulatory requirements.
- In some use cases, it can make sense to have a VC on-chain, provided that smart contracts are to process them automatically. With today's production-grade decentralized ledger technology (DLT), this almost always leads to problems with privacy requirements.
[ Further Reading ]
A digital twin represents the combination of a unique identifier of any real world entity with its assigned data: To create a reliable, real-time digital representation. A unique identifier (DID) is a code as unique as your fingerprint. The DID can be anchored with a physical uncloneable function (PUF) of the real world entity. The DID makes an object uniquely identifiable. An entity might be a machine, a product, a software or even a living organism like humans.
[ Further Reading ]
Think of a Digital Twin as a bridge between the physical, biological and digital spheres. Data associated with a physical entity (e.g. real-time status, working condition or GPS position) is linked to a unique identity and immutable stored in a decentralized system. The data can then be used in many ways; for example, for predictive maintenance, track and trace or to enable pay-per-use models.
[ Further Reading ]
Spherity's Cloud Identity Wallet supports the following key management systems (KMS):
- Software (limited security)
- Secure Element / Trusted Enclave / Mini Hardware Security Module (HSM) / Key Chain
- Enterprise Trust Center / Hardware Security Module (HSM)
- Cloud HSM
- Multi-Party Computation (MPC) – With MPC, the "whole key" never exists, only multiple fragments which must be combined to be used.
[ Further Reading ]
With Secure Element / Trusted Enclave / Mini Hardware Security Module (HSM) / Key Chain, Enterprise Trust Center / Hardware Security Module (HSM) and Cloud HSM the key does not usually leave the hardware (although keys derived from a master key can leave the hardware depending on the requirements). A user or system must authenticate to the Key Managements System by Multi-Factor Authentication (MFA) or Privileged Access Management (PAM). Then, a signing or encryption transaction can be initiated in which the private key is used on the device.
When it comes to enterprise and system identity (e.g. domain controller), the Enterprise Trust Center system is state of the art. Some companies are already using cloud HSM solutions with suitable security architectures that can achieve comparable security without hosting hardware HSM in their own trust zone.
With suitable key event rotation logs (or DID documents), Key Managements System solutions at the edge and in the cloud / trust zone can be combined depending on the use case.
When it comes to human identity, Key Managements System solutions at the edge or Multi-Factor Authentication solutions can be used to authenticate and e.g. trigger an enterprise signing transaction according to an authorization. Alternatively, a natural person can use a signing key to sign on behalf of the company.
MPC is used to implement "threshold" or "M of N" signatures. Often used to refer to a whole family of cryptographic innovations, the term MPC can also be understood as the mature and production-ready core of modern multi-sig wallets. MPC is purely software, used to perform signing and encryption operations from fragments of a given key, shredded at rest and combined securely in compute. This allows "quorum" business logic for the segregation of duties. If a smart phone is used as an MPC client, it can be a very effective way to include individuals and their biometrically-secured end devices. We have integrated MPC for our Cloud Identity Wallet.
[ Further Reading ]
We use edge wallets backed by on-device biometrics to authenticate individuals as needed. The Cloud Identity Wallet can be accessed through a web interface, or through our lightweight mobile apps.
Where multiple authorizations or "signatures" are needed to produce credentials or authorize transactions via credentials, we utilize advanced MPC cryptography managed at the enterprise-wallet level.
The only thing stored on the device (Spherity Edge Wallet) is biometric information, which is stored in a "secure enclave" to insure the phone is being used by the enrolled/intended individual in each session. All key material and verifiable credentials are still stored custodially in the Cloud Identity Wallet.
If a phone is lost or damaged, the "enrolment" process binding a cloud identity to the on-device biometrics can simple be repeated; this binding and re-binding process traditionally requires the approval of an internal authority (i.e., an HR department), but this is configurable by the client, as can the degree of auditing of such processes.