...by Daniel Szego
"Simplicity is the ultimate sophistication."
Leonardo da Vinci

Friday, May 29, 2020

Blockchain and identity

Today’s systems for managing digital identity and identity are deeply rooted in the analog world and can only be used sparingly online. The most common authentication solution is to enter a username and password, where you usually need to enter an additional phone or email. The real role of this is not only the possible password reset, but also that the email or phone number provider has a good chance of doing some kind of additional offline identity verification. On the one hand, this makes the person using the service somewhat traceable to the extent absolutely necessary, and on the other hand, the system prevents so-called sybil hacking: a person creates a large number of anonymous users. In more critical cases, credit card or bank information is also used for a similar purpose.

However, username-based authentication solutions have several problems. With the proliferation of online solutions and the increasing complexity of password requirements, most users use a single username, email, phone number, and, in the worst case, the same password for most services. This poses a serious privacy and security risk. Of course, users can also be blamed for this, but it is not necessarily realistic to securely store 200 completely different names and passwords for two hundred different online services. On the other hand, basically neither the email nor the SIM nor the credit card system is designed to identify users, so their use for this purpose is difficult in most cases.

On the other side of the scale are classic paper-based documents, either identity documents or digital versions of them. Scanning or photographing any such paper document does not implement exactly the same mechanism as the original paper-based certificate. The problem is that the digital copy can be duplicated and easily modified. This again raises some serious security and privacy issues. In a slightly different perspective, the Internet was unfortunately designed 30-40 years ago with the built-in support of digital identity not being a priority, so any such but basically analogue-based solution is only moderately workable.

Technologies that combine blockchain and digital signature (so-called Blockchain Identity Stack) try to provide a solution to the two major issues mentioned above and to digital identity and authentication in general. The main building blocks of such systems are:

Decentralized Identifiers (DID): Identification is based on a public and secret key pair, similar to blockchain systems. In a blockchain system, my public key, or the address generated from it, shows exactly who I am and, blockchain rules (or eg smart contracts) describe what I am entitled to. The fact that I “physically” really belong to that address is evidenced by signing a message with my secret key (which, ideally, only I have). In this sense, in blockchain systems, a digital signature is actually personal identification.

This concept is generalized by decentralized identifiers. Compared to the foregoing, such identifiers may contain, in addition to the public key or address, a number of different pieces of information, such as data relating to a particular person or entity, in the form of a document. For more information on such an identifier, what blockchain solution it supports: most productive systems are optimized for one blockchain type, such as Ethereum, but there are initiatives for those used in multiple blockchains. Last but not least, some systems also support so-called organizational IDs, where you have to sign not only with one but also with several private keys to prove your identity.

Decentralized identifier (DID)

Verifiable Credential: The verifiable certificate model is the digital equivalent of paper-based certificates. In the model, the Issuer issues a Credential to a Holder, and then this certificate is verified by a third party. A classic example is the issuance of a university degree: here the issuer is a university, the owner is the student who received the degree and the certifier is, for example, an employer who wants to verify the authenticity of the degree. In contrast to the paper-based solution, however, here we identify each actor with decentralized identifiers:

-    Diploma handover: the university enters its public ID in the diploma and then signs it all with its secret key
-     Diploma receipt: the owner attaches his own public ID to the previous data and then signs it with his secret key.

The blockchain in the system serves to ensure the consistency of the certificates as a public and difficult to hack database. Thus, when an identifier such as an employer verifies the authenticity of a diploma, it checks the consistency of the data on the blockchain and that it was indeed signed with a secret key that belongs to the university. And for the fact that the diploma really belongs to the owner, the owner has to produce a separate signature with his secret key.

With the above building blocks, a system with several pleasant properties can be implemented:

-    We do not use a username, password, phone number or credit card or other inappropriate information for identification, only secret keys.

-    Not only the entire certificate can be submitted for validation, but also parts of it. So, for example, it is possible to share with the prospective employer, in the verifiable way mentioned above, when the person graduated and where, without having to share the specific grade. Because the blockchain also contains only the hash values ​​of the certificates, maximum GDPR compliant systems can be implemented.

-    The DID that forms the basis of the identification can be generated by everyone themselves, in fact, the key pair generation is the basis. It does not work by assigning these IDs in a centralized way to “someone”. This is why these systems are also called “self sovereign identity”.
The issued certificate can be revoked, usually by a blockchain entry revoking the issue.

-    Although its system is based on the secret key that players store in their digital wallets, losing the key is not as critical here as it is with a cryptovalent. For example, if my secret key to owning a degree is stolen, I can go in person to the university, where I can revoke the diploma certificate from the lost key and re-issue it to a newly generated decentralized ID. Of course, it involves pursuit, but it is by no means impossible or critical.

-    I can make my own separate decentralized ID for each online service I use. Thus, each service can be used with maximum privacy.

Overall, it is worth noting that such an implementation of digital identity goes far beyond storing a digital identity on a mobile phone. Although secret keys can of course be stored on a mobile phone, in real use cases, some secret keys will probably be stored in several different places, such as laptop, special hardware device, cloud solution. In addition, several different solutions will be available in case some identity-related keys are stolen or lost.