In this article, we shall analyze the way blockchain technology can improve data protection and create a better, and smarter digital identity when used with HSMs.
The Problem Companies Face with Digital Identities and User Data
In a world ruled by data, customer and private data are at the center of attention. It is not just big tech giants like Google, Yahoo, Microsoft, Amazon, Facebook, etc. dealing with data every day. Banks and insurance companies process millions of pieces of personal data every day through their services. Digital identity, such as user names, user logins and passwords, user national ID document scans, and their cryptographic keys transit every day through central servers and various databases. It is questionable whether this is the right way to act with personal data. Several recent directives such as EIDAS, PSD2, and GDPR require financial companies to better protect a better personal data and digital identity with the idea that users, and only them, should master and control their digital identities.
Securing digital identity can be achieved by two different technologies (which are actually complementary) :
- A Physical form to store digital data e.g. Smartcard technology
- A truly digital distributed network e.g. Blockchain technology
Smartcard technology stores digital certificates and user-related data in a safe environment, such as the secure memory of the smartcard, only accessible after authentication, and having usually FIPS-140 Lvl 3 or higher level of protection. Passports, national identification cards, health cards, etc. already secure user data and secure their digital identity.
The problem is that smartcards are physical tokens that require a contact reader terminal or a contactless transponder to be operated and to communicate with remote servers. Identity smartcards are also typically used with centralized servers. To further complicate the issue, it is nearly impossible to scale for a government agency who has to manage, maintain and share on approved requests that is responsible for providing a service to their citizens.
Figure: A Typical Simplified Blockchain Transaction Flow
The blockchain technology solves the problem by having a distributed chain which “holds” digital assets such as digital identity. Changes to the chain such as addition of a new identity, modification of an identity and sharing of records (full or partial) is managed, controlled and audited. To ensure compliance and highest security requirements, the digital assets must be secured cryptographically including the must have requirements for controlled modification and compliant evident audits.
Figure: A Typical Simplified Secure Blockchain Transaction Flow
Banks, insurance companies, and other financial-related firms could easily lose themselves in a maze of complicated regulations and be at risk of losing customers, getting fined, or involved in legal actions. Therefore, there is a need for a new identity management system.
In what follows, we will detail how blockchain can work to create a better digital identity system together with proven integrated security technology such as HSMs.
How Blockchain Can Create a Better Digital Identity
Users want to manage their digital identities in such a way that their privacy is respected. Additionally, they wish to grant access to only certain organizations to collect, store and share their personal data.
On the other hand of the paradigm, enterprises need to identify and authenticate their end-customers while respecting their privacy but still having the ability to build a profitable relationship with them as well.
A perfect identity management solution would be:
- Private and dedicated to a user
- Persist with the user
- Portable and could be virtually accessed from any place in the world
- Known only to the user, and only the user authorizing access to it
Blockchains are designed so that they remove middleman services, local servers, and local databases. In a blockchain, business entities can, for example, validate their user identities of each other. The digital identities of the users would therefore reside in the blockchain that can be accessed from everywhere and checked from everywhere.
The chain of blocks acts as a “spine” and prevent any tampering of the data since the modification of one block implies the destruction of the whole blockchain. This is a highly reliable source of identification.
A blockchain uses cryptographic operations to build itself. When a new block is added, hashes are computed and are digitally-signed by several parties. In general, blockchain relies on proven known cryptographic methods, and therefore, can only get really secured with a FIPS 140-2 Lvl 3+ grade HSM that can perform signature and hashing operations securely and quickly. It is not possible in general to use pure software-based solutions because such solutions have other limitations including proprietary security mechanisms to meet the security needs.
Banks can use blockchain-based secure digital identity with a FIPS 140-2 Lvl 3+ HSM and solve many of the regulatory issues found in EIDAS and GDPR for instance.
The following figure describes the main flow of a blockchain-based identity management.
Figure: The main flow of a blockchain-based identity management
Such blockchains can be built with permissioned frameworks like Corda or the Hyperledger projects, for instance. With blockchain technology, the blockchain acts as a decentralized digital identity vault where one-time validation is obtained by consensus, rather than by the decision of a central authority.
Once added, the digital identity cannot be altered or removed. This is consistent with what is expected of a digital identity as the user itself is not supposed to change his/her identity.
Consensus works better than a central authority-based validation. It resists tampering and prevents rogue users from forging identities because the validation is “collective.”
In other terms, it’s the whole blockchain that will decide to add or not add a new digital identity.
Of course in the implementations, digital identities will be ciphered and tokenized inside the blockchain, so the credentials to de-tokenize and decipher will consist usually of cryptographic keys, passwords, etc. owned by the end-users.
These user keys could reside on a smartcard, for instance. Of course, to get the same level of security, they must be stored on HSMs on the blockchain system of the bank system that is using them.
Governments may be reluctant to allow the development of such digital identity blockchains, especially if it would be a public blockchain. However, organizations such as banks have a real interest in using them. Their customers may become more and more frightened to let any organization get control over their data and identities. Therefore, these customers may wish to get unified and collective control over it.
For the moment, users may still privilege the digital identity that will give them the highest security and highest recognition over a blockchain-based system. But that trend will certainly change and digital identity blockchains will surely rise. In such a case, HSMs would be needed to make sure that the routine cryptographic operations needed to operate the blockchains are done in a fast and secure way.
References and Further Reading
- Learn more about Utimaco's HSMs for blockchains
- More articles on eIDAS (2018 - today), by Gaurav Sharma, David McNeal and more
- More articles on HSMs (2018 - today) by Terry Anton, Dawn M. Turner and more
Blog post by Dr. Ulrich Scholten