You’ll have to forgive the deliberate inaccuracy in the title, but I just couldn’t resist the wordplay. The topic of this blog is the use of the blockchain for identity, which is not exactly Bitcoin. By my facetiousness, and by my analysis, you’ll see I don’t yet take the identity use case seriously.
In 2009, Bitcoin was launched. A paper was self-published by a person or persons going by the nom de plume Satoshi Nakamoto, called “Bitcoin: A Peer-to-Peer Electronic Cash System” and soon after an open source software base appeared at http://www.bitcoin.org. Bitcoin offered a novel solution to the core problem in electronic cash: how to prevent double spending without reverting to a central authority. Nakamoto’s conception is strongly anti-authoritarian, almost anarchic, with an absolute rejection of fiat currency, reserve banks and other central institutions. Bicoin and its kin aim to change the world, and by loosening the monopolies in traditional finance, they may well do that.
Separate to that, the core cryptographic technology in Bitcoin is novel, and so surprising, it's almost magical. Add to that spell the promise of security and anonymity, and we have a powerful mix that some people see excitedly as stretching far beyond mere money, and into identity. So is that a reasonable step?
Bitcoin’s secret sauce
A decentralised digital currency scheme requires some sort of community-wide agreement on when someone spends a virtual coin, so she cannot spend it again. Bitcoin’s trick is to register every single transaction on one public tamper-proof ledger called the blockchain, which is refreshed in such a way that the whole community in effect votes on the order in which transactions are added or, equivalently, the time when each coin is spent.
The blockchain ledger is periodically hashed to keep it to a manageable length, but all transactions are visible, archived in effect for all time. No proof of identity or KYC check is needed to register a Bitcoin account, and currency – denominated "BTC" – may be transferred freely to any other account. Hence Bitcoin may be called anonymous (but the unique account identifiers are set in stone, providing a rock solid money trail that has been the undoing of many criminal Bitcoin users).
The continuous arbitration of blockchain entries is effected by a peer-to-peer network of servers that race each other to double-check a special hash value for the refreshed chain. The particular server that wins each race is rewarded for its effort with a tiny fraction of a Bitcoin. The ongoing background computation that keeps a network like this honest is referred to technically as "Proof of Work"; with Bitcoin, since there is a monetary reward, it’s called mining.
Whether or not Bitcoin lasts as a form of electronic cash, there is a groundswell of enthusiasm for the blockchain as a new type of public ledger for a much broader range of transactions, including “identity”. The scare quotes are deliberate on my part, reflecting that the blockchain-for-identity speculations have not been clear about what part of the identity puzzle they might solve.
For identity applications, the reality of Bitcoin mining creates some particular challenges which I will return to. But first let’s look at the positive influence of Bitcoin and then review some of its cryptographic building blocks.
People will argue about its true originality, but we can regard Bitcoin and the blockchain as providing an innovative and practical solution to the unsolved double-spend problem. I like Bitcoin as the latest example of a wondrous pattern in applied mathematics. Conundrums widely accepted as impossible are, in fact, solved quite often, after which frenetic periods of innovation can follow. The first surprise or prototype solution is typically inefficient but it can inspire fresh thinking and lead to more polished methods.
One of the greatest examples is Merkle’s Puzzles, a theoretical method invented by Ralph Merkle in 1974 for establishing a shared secret number between two parties who need only exchange public pieces of data. This was the holy grail for cryptography, for it meant that a secret key could be set up without having to carry the secret from one correspondent to the other (after all, if you can securely transfer a key across a long distance, you can do the same with your secret message and thus avoid the hassle of encryption altogether). Without going into detail, Merkle’s solution could not be used in the real world, but it solved what was thought to be an unsolvable problem. In quick succession, practical algorithms followed from Diffie & Hellman, and Rivest, Shamir & Adleman (the names behind “RSA”) and thus was born public key cryptography.
Bitcoin likewise has spurred dozens of new digital currencies, with different approaches to ledgers and arbitration, and different ambitions too (including Ripple, Ethereum, Litecoin, Dogecoin, and Colored Coins). They all promise to break the monopoly that banks have on payments, radically cut costs and settlement delays, and make electronic money more accessible to the unbanked of the world. These are what we might call liquidity advantages of digital currencies. These objectives (plus the more political promises of ending fiat currency and rendering electronic cash transactions anonymous or untraceable) are certainly all important but they are not my concern in this blog.
Bitcoin’s public sauce
Before looking at identity, let’s review some of the security features of the blockchain. We will see that safekeeping of each account holder’s private keys is paramount – as it is with all Internet payments systems and PKIs.
While the blockchain is novel, many elements of Bitcoin come from standard public key cryptography and will be familiar to anyone in security. What’s called a Bitcoin “address” (the identifier of someone you will send currency to) is actually a public key. To send any Bitcoin money from your own address, you use the matching private key to sign a data object, which is sent into the network to be processed and ultimately added to the blockchain.
The only authoritative record of anyone’s Bitcoin balance is held on the blockchain. Account holders typically operate a wallet application which shows their balance and lets them spend it, but, counter-intuitively, the wallet holds no money. All it does is control a private key (and provide a user experience of the definitive blockchain). The only way you have to spend your balance (that is, transfer part of it to another account address) is to use your private key. What follows from this is an unforgiving reality of Bitcoin: your private key is everything. If a private key is lost or destroyed, then the balance associated with that key is frozen forever and cannot be spent. And thus there has been a string of notorious mishaps where computers or disk drives holding Bitcoin wallets have been lost, together with millions of dollars of value they controlled. Furthermore, numerous pieces of malware have – predictably – been developed to steal Bitcoin private keys from regular storage devices (and law enforcement agencies have intercepted suspects’ private keys in the battle against criminal use of Bitcoin).
You would expect the importance of Bitcoin private key storage to have been obvious from the start, to ward off malware and destruction, and to allow for reliable backup. But it was surprisingly late in the piece that “hardware wallets” emerged, the best known of which is probably now the Trezor, which first appeared in 2013. The use of hardware security modules for private key management in soft wallets or hybrid wallets has been notably ad hoc. It appears crypto currency proponents pay more attention to the algorithms and the theory than to practical cryptographic engineering.
Identifying with the blockchain
The enthusiasm for crypto currency innovation has proven infectious, and many commentators have promoted the blockchain in particular as something special for identity management. A number of start-ups are “providing” identity on the blockchain – including OneName, and ShoCard – although on closer inspection what this usually means is nothing more than reserving a unique blockchain identifier with a self-claimed pseudonym.
Prominent financial services blogger Chris Skinner says "the blockchain will radically alter our futures" and envisages an Internet of Things where your appliances are “recorded [on the blockchain] as being yours using your digital identity token (probably a biometric or something similar)”. And the government of Honduras has hired American Bitcoin technology firm Factom to build a blockchain-based land title registry, which they claim will be “immutable”, resistant to insider fraud, and extensible to “more secure mortgages, contracts, and mineral rights”.
While blockchain afficionados have been quick to make a leap to identity, the opposite is not the case. The identerati haven’t had much to say about blockchain at all. Ping Identity CTO Patrick Harding mentioned it in his keynote address at the 2015 Cloud Identity Summit, and got a meek response from the audience when he asked who knew what blockchain is (I was there). Harding’s suggestions were modest, exploratory and cautious. And only now has blockchain figured prominently in the twice-yearly freeform Internet Identity Workshop unconference in Silicon Valley. I'm afraid it's telling that all the initial enthusiasm for blockchain "solving" identity has come from non identity professionals.
What identity management problem would be solved by using the blockchain? The most prominent challenges in digital identity include the following:
What does the blockchain have to offer?
Certainly, pseudonymity is important in some settings, but is rare in economically important personal business, and in any case is not unique to the blockchain. The secure recording of transactions is very important, but that’s well-solved by regular digital signatures (which remain cryptographically verifiable essentially for all time, given the digital certificate chain). Most important identity transactions are pretty private, so recording them all in a single public register instead of separate business-specific databases is not an obvious thing to do.
The special thing about the blockchain and the proof-of-work is that they prevent double-spending. I’ve yet to see a blockchain-for-identity proposal that explains what the equivalent “double identify” problem really is and how it needs solving. And if there is such a thing, the price to fix it is to record all identity transactions in public forever.
The central user action in all blockchain applications is to “send” something to another address on the blockchain. This action is precisely a digital (asymmetric cryptographic) signature, essentially the same as any conventional digital signature, created by hashing a data object and encrypting it with one’s private key. The integrity and permanence of the action comes from the signature itself; it is immaterial where the signature is stored.
What the blockchain does is prevent a user from performing the same action more than once, by using the network to arbitrate the order in which digital signatures are created. In regular identity matters, this objective simply doesn’t arise. The primitive actions in authentication are to leave one’s unique identifying mark (or signature) on a persistent transaction, or to present one’s identity in real time to a service. Apart from peer-to-peer arbitration of order, the blockchain is just a public ledger - and a rather slow one at that. Many accounts of blockchain uses beyond payments simply speak of its inviolability or perpetuity. In truth, any old system of digitally signed database entries is reasonably inviolable. Tamper resistance and integrity come from the digital signatures, not the blockchain. And as mentioned, the blockchain itself doesn't provide any assurance of who really did what - for that we need separate safeguards on users' private keys, plus reliable registration of users and their relevant attributes (which incidentally cannot be done without some authority, unless self-attestation is good enough).
In addition to not offering much advantage in identity management, there are at least two practical downsides to recording non Bitcoin activity on the blockchain, both related to the proof-of-work. The peer-to-peer resolution of the order of transactions takes time. With Bitcoin, the delay is 10 minutes; that’s the time taken for an agreed new version of the blockchain to be distilled after each transaction. Clearly, in real time access control use cases, when you need to know who someone is right away, such delay is unacceptable. The other issue is cost. Proof-of-work, as the name is meant to imply, consumes real resources, and elicits a real reward.
So for arbitrary identity transactions, what is the economics for using the blockchain? Who would pay, who would be paid, and what market forces would price identity, in this utopia where all accounts are equal?
From the quote you provided I thought the point was to immutably record the ownership transfer of the device. If you can associate devices with the credentials they own, this forms a strong Proof-of-Possession system (POP) for private keys. If you have this system it means you can use it during credential issuance to verify POP of the private key and you can automatically revoke the keys should the device change hands.
There is a bit of a chicken-or-egg here though as what do you sign the ownership transaction with as at that point you don't have a device to hold the private key. I suppose this credential could be effectively ephemeral like the BitCoin wallet key.
The delay is ten minutes, but you can never be sure that the consensus will accept that new blockchain as the longest version, opening you up to a double spend attack. There's always a small chance that someone else on the P2P network is slightly ahead and you just haven't heard about it yet or is deliberately holding it back.
The bitcoin core client protects against this by waiting until the transaction is at least six blocks deep in the blockchain before changing the status to 'confirmed'. Then there's then only a very small chance that there's a longer blockchain somewhere. Some merchants will use a payment processor to transfer this risk for a fee.
Proof of possession for private keys is critical indeed. It's the basis for EMV credit card security, SIM cards, all sorts of identity smartcards etc. POP via asyemmetric crypto is based on the private key being stored securely inside the device in question. Looking forward to the Internet of Things, if a device has the property of secure private key storage and digital signature generation, then the POP is implicit in everything signed by the device. The signed data doesn't have to be registered with the blockchain. Any Relying Party can see that something signed by the smart device had to have originated from that device.
What's needed is a digital certificate that vouches for (binds) the device being in possession of the user in question. As you say, you would need that binding before anything meaningful is sent to the blockchain.
So what does the blockchain add to the POP use case? Nothing I can see.
A key objective in IDAM has always been auditability -- certainty about who precisely did what, when, and where. There may be too much uncertainty in the identity events registered on the blockchain.
[It would be ironic wouldn't it if a central time stamp authority was needed to resolve the order of disputed blockchain transactions?]
And as you say, bad actors can still try to thwart the ordering. For highly risky transactions like the Honduras land titles registration being done on the blockchain, the stakes are high and resistance to organised crime is unknown. It will be of paramount importance that land titles players use private keys held in verifiably secure media (like smartcards or secure elements). But then, as mentioned in my earlier comment, it doesn't much matter where the signed land transaction data is held.
Very comprehensive piece and I have a mixed reaction as here at GBG we are investigating this exact topic and have had some favorable feedback in early socialisation with customers. We've made sure we spoke to people who understand Blockchain too, and not those looking for an answer to their boss when they ask about what their 'Blockchain strategy' is.
I think the point we have discovered with Blockchain and Identity is that the Blockchain on its own is not the silver bullet to any specific problem. We have to build further applications on top and then harness the value a de-centralised system provides. So in the case of identity you first need to have comprehensive identity verification methods to allow someone into the system, and then use the Blockchain to reduce the requirement for a central arbitrator to continually re-authenticate that. This is what we find very interesting and whilst we are in the very early stages, we believe that this could be an enabler in the rise of sharing attributes of an identity as opposed to all of it, every time. Could this happen anyway without Blockchain? Sure. Does Blockchain provide some nice technology that means we can get there quicker? Maybe.
We can give you a demonstration of our prototype product if you like? Just let me know.