Identity Management on the Blockchain, Julian Roos, Technical University of Munich (PowerPoint PPT Presentation)



SLIDE 1: Identity Management on the Blockchain

Chair of Network Architectures and Services, Department of Informatics, Technical University of Munich

Julian Roos, Technical University Munich, Munich, 06 July 2018

SLIDE 2: Agenda

  • Introduction
  • Explain important concepts
  • Explain identity management systems
  • Conclusion

2 Julian Roos


SLIDE 4: Overview of Identity Management

What is identity management?

  • A system for identifying, authenticating and authorizing individuals
  • Links identities to user rights (and restrictions)

Who manages identities today?

  • Governments
  • Facebook and other social networks
  • Websites themselves, through username-password systems

Problem: the identity is not controlled by the individual

SLIDE 5: Self-Sovereign Identity

Characteristics of self-sovereign identities:

  • The identity belongs to the person herself
  • The person has full control over her identity
    − What information is stored?
    − Who has access to the information?
    − Full control to change attributes
  • The identity is portable
  • No trust in a central authority is required
  • Data has to be stored securely
  • Integrity of the data has to be guaranteed

SLIDE 6: What Role Does Blockchain Play in this?

  • The system is available more often; it does not go down if a single server goes down
  • Enables self-sovereign identities because
    − it is decentralized → no central authority
    − the integrity of the data stored on it is guaranteed
  • In most cases identity attributes are NOT stored on the blockchain!
    − Everybody can read the data on the blockchain
    − Space constraints
  • The identity is stored on an external file system
  • Only a link to that storage is put on the blockchain


SLIDE 8: uPort

  • Is built on the Ethereum blockchain
  • Currently only exists as a mobile app
  • Claims to enable self-sovereign identity
  • Utilizes Ethereum's smart contracts
  • Smart contracts are code stored on the blockchain that is executed, and can read and update on-chain state, when a transaction invokes it
  • Smart contracts are invoked to create the identity

SLIDES 9-12: How is an Identity Created? (Example: uPort)

  • 1. Create an asymmetric key pair; the private key is stored only on the user's mobile device
  • 2. Create an instantiation of the controller smart contract that is linked to the public key
  • 3. Create a proxy smart contract with a reference to that controller instantiation
  • 4. The address of the proxy is the uPortID

[Figure, built up over slides 9-12: Private Key / Public Key (only the user's mobile device holds the private key) → Controller instantiation → Proxy; the address of the Proxy is the uPortID]

SLIDES 13-15: How are Identity Attributes Managed? (Example: uPort)

  • A registry maps uPortIDs to identity attributes
  • The registry references a distributed database
  • The attributes themselves are stored in that distributed database

[Figure, built up over slides 13-15: Proxy (its address is the uPortID) ↔ read / write ↔ Registry, both stored on Ethereum's blockchain; the Registry references a Distributed Database, where the attributes are stored]

SLIDE 16: How are Identities Verified? (Example: uPort)

  • Identities themselves are not verified
  • Only attributes can be "verified"
  • For this a decentralized public key infrastructure (PKI) is needed

PKI: stores the public keys of uPortIDs and allows signed data to be shared

SLIDES 17-19: How are Attributes Verified? (Example: uPort)

  • Attributes are signed by other uPortIDs with their private key: uPortID B reads A's attribute, verifies it, signs it and gives the signed attribute to A through the PKI
  • Another identity, uPortID C, that wants verification can now get the already signed attribute from A
  • C gets B's public key from the PKI and verifies the signature, i.e. that it really comes from another uPortID
  • It is now up to C to decide whether it trusts B and therefore A's attribute

[Figure, built up over slides 17-19: uPortID A holds the Attribute; uPortID B reads and verifies it, signs it and hands it back to A through the PKI; uPortID C wants verification, receives the signed attribute from A, gets the public key of B from the PKI and verifies the signature. PKI: stores public keys of uPortIDs and allows to share signed data]
SLIDE 20: uPort Trustee System

  • The private key is stored only on the user's phone
  • What happens if the user loses the phone?
  • Trustee system:
    − If the user loses the private key, enough trustees can vote to replace the key that controls the uPortID (the lost private key itself cannot be changed; the controller is pointed at a new key pair)
    − The same vote lets colluding trustees take control of a uPortID whose owner has not lost anything → trustees have to be trusted

SLIDE 21: Namecoin

  • First fork of Bitcoin's code base (its own blockchain, not a fork of Bitcoin's chain)
  • Aims at improving decentralization, security and privacy
  • Does not enable self-sovereign identity
  • Identities are names with associated JSON values stored on Namecoin's blockchain
  • Stored data can include name, email, URL to a photo, fingerprints of cryptographic keys, crypto addresses and other things
  • Identities expire and have to be renewed at least every 35,999 blocks

SLIDE 22: How is an Identity Created? (Example: Namecoin)

  • A Namecoin address (that possesses namecoins) can create a name that is associated with that address
  • Register id/YourName in the namecoin software

[Figure: Namecoin address → creates → Namecoin identity (attribute: Namecoin address), stored on Namecoin's blockchain]

SLIDE 23: How are Identity Attributes Managed? (Example: Namecoin)

  • The owner of the identity, i.e. the owner of the Namecoin address, can add further information
  • Storage space for all attributes of a name is limited to 520 bytes

[Figure: Namecoin address → add attributes → Namecoin identity (Namecoin address, email, key fingerprint), stored on Namecoin's blockchain]

SLIDE 24: How are Identities Verified? (Example: Namecoin)

  • Identities are not verified
  • Their attributes are not verified either
  • Namecoin's main use case is to verify someone's addresses or cryptographic keys
  • One needs to know the other person's namecoinID for that

SLIDE 25: NamecoinID Example

  $ namecoind name_show "id/khal"
  {
    "email": "khal@dot-bit.org",
    "bitcoin": "1J3EKMfboca3SESWGrQKESsG1MA9yK6vN4",
    "namecoin": "N2pGWAh65TWpWmEFrFssRQkQubbczJSKi9"
  }

SLIDE 26: Jolocom

  • Started in 2014
  • Berlin startup
  • Developing an open source decentralized identity management system
  • Uses hierarchical deterministic keys (HD keys)
  • HD keys are generated from a single seed
  • Child keys are derived from the parent key; someone who sees only the child keys cannot link them to each other or to the parent without the seed or the parent's extended key
  • Whoever holds the parent key can derive, and therefore monitor and control, every child key
  • Jolocom uses HD keys to give each sub identity its own key, so the user controls who gets to know what

SLIDE 27: Example of Sub Identities

[Figure: Jolocom Identity → sub identities: Medical records, Driver license, Degrees]

SLIDE 28: Conclusion

  • A lot of proposals exist
  • Different approaches with different advantages / disadvantages
  • Offers advantages over current identity management (e.g. through the possibility of sub identities or easier online verification)
  • Self-sovereign identities can be the identities of the future
  • Self-sovereign identities rely on verified attributes to be useful → some need for authorities to verify the attributes remains

SLIDE 29: Questions?

SLIDE 30: Sovrin

  • Is a global open source decentralized identity network
  • Governed by the non-profit Sovrin Foundation
  • Source code comes from Evernym
  • Users can create portable, self-sovereign digital identities
  • Uses verified credentials
  • Runs on a permissioned blockchain → nodes need to be authorized
  • Authorized nodes are run by trusted identities, so-called stewards
  • Current stewards are companies (e.g. IBM) and research facilities (e.g. T-Labs)
  • Currently no government or bank is a steward

SLIDE 31: ShoCard

  • Mainly developed for banks and for traveling with airlines
  • Combines a ShoCardID with already trusted credentials (e.g. a passport)
  • Uses its own server to store relevant information
  • Can use multiple blockchains at the same time

SLIDE 32: Blockstack

  • Aims at enabling a decentralized internet
  • Replaces core infrastructure like DNS, PKIs and storage backends
  • Offers identity management
  • Identities can exist for people, companies, websites and more
  • Identities can contain public and private information
  • Information can be validated by peers as well as by authorities

SLIDE 33: Agenda

  • Introduction
  • Explain important concepts
  • Explain identity management systems
  • Compare technologies
  • Conclusion

SLIDE 34: Comparison of technologies

Question 1: Do the technologies enable self-sovereign identity?

  • Sovrin: Yes
  • Jolocom: Yes
  • uPort: No, because everyone with a uPortID can check the attributes of another uPortID → violates the requirement that users choose what to share with whom
  • ShoCard: No, it has a central server → relies on a central authority
  • Blockstack: ???
    − Does not claim to have it
    − Does not have any obvious contradictions
    − The identity management design is only described briefly
  • Namecoin: No, data is stored as unencrypted JSON values → anyone can read the data

SLIDE 35: Comparison of technologies

Question 2: Are there built-in incentives for the nodes to stay honest (e.g. mining rewards)?

  • Sovrin: No, but nodes need to be authorized → less likely to be malicious
  • Jolocom: Yes, Ethereum blockchain → miners get the ether cryptocurrency
  • uPort: Yes, also uses the Ethereum blockchain
  • ShoCard: Depends on the blockchain they use; can switch to one with mining rewards
  • Blockstack: Like ShoCard
  • Namecoin: Miners get rewarded in NMC (Namecoin's cryptocurrency)


SLIDE 37: uPortID

  • A user can have multiple uPortIDs
  • uPortIDs are unlinkable (unless the user links them herself)
  • Everyone with a uPortID can read another uPortID's attributes
  • Attributes are stored as a JSON attribute structure:

  {
    "@context": "http://schema.org",
    "@type": "Person",
    "publicKey": "0x044c31ed1499dce76ee7711c7238...",
    "publicEncKey": "Py+NXzHgacNMTzj9Ufe4S2KPuzR...",
    "name": "First Last"
  }


SLIDE 39: Verified credentials

  • Verified claims
  • Verified by someone, e.g. an authority
  • Belong to an identity as attributes
  • Stored as files containing the statement and its verification

Example:
  Statement: User is employed by company X
  Verification: Signature from company X
