Decentralized Digital Identity

Decentralized digital identity is an emerging digital identity model that is enabled by the development of the blockchain technology. The decentralized identity model is at the core of self-sovereign identity (SSI), which grants individuals full control of their own personal data. A decentralized identity platform for SSI consists of three essential components, namely an identity trust fabric, an identity wallet and an identity management system. 

  1. Identity Trust Fabric (ITF) a distributed ledger for immutably recording proofs of digital identity and managing cryptographic public keys. It enables a decentralized, common trust point without an intervening central authority. 
  2. Identity Wallet — an application for generating, binding, maintaining and presenting digital identity of an individual user. It also provides an interface to a device’s local secure environment that stores and manages cryptographic keys.  An identity wallet could be installed on a mobile device, a workstation or a cloud platform. 
  3. Identity Management a decentralized system for providing management, availability and protection of decentralized digital identity. This includes identity proofing and authentication for service providers and identity wallet recovery for individual users.  

Core Functionality 

A decentralized identity platform facilitates interaction between three parties: an individual user (holder)a service provider (verifier) and a trusted third party (issuer). It provides the following core functionality: 

  1. Registration  a user registers with a trusted third party through an identity proofing process. 
  2. Issuance  the trusted third party approves the registration and issuer a verifiable credential to the user. A cryptographic proof of the verifiable credential will also be recorded in the ITF.
  3. Presentation  the user generates a verifiable presentation from the verifiable credential and presents it to the service provider. 
  4. Verification  the service provide verifies the presentation by comparing it with its cryptographic proof in the ITF. 
  5. Access — the service provider approves the presentation and grants the user access to its service

 

Core Strengths 

  1. Security — a traditional, centralized service provider keeps record of digital identity for verification and authentication of their users. This presents a single point of failure, which can be exploited by malicious hackers. decentralized identity platform reduces this risk by enabling credential verification with the ITF. 
  2. Privacy — an identity wallet allows users to control and manage their personally identifiable information (PII) on their personal devices. This help reduce the role of central repositories for PII storage. 
  3. Interoperability the ITF provides a common trust point and promotes collaboration between different organizations. An organization could seamlessly verify a credential from another organization through the ITF. 
  4. Resilience  the decentralized and distributed nature of the blockchain technology provides great resilience against arbitrary system failure including power outages and malicious attacks.

 

References

  • H. Farahmand, Blockchain: The Dawn of Decentralized Identity, Gartner Research (2018).
  • J. Care and A. Khan, Market Guide for Identity Proofing and Corroboration, Gartner Research (2019).

Terminology

Authentication is a mechanism that proves and authenticates the identity of an entity. A successful authentication enables the entity to access a system. 

Authorization occurs after a successful authentication. Authorization determines what permissions or rights an authenticated entity has and then grant it access to authorized services and resources. 

A blockchain is a list of immutable records, called blocks, that are cryptographically linked. Each block contains a cryptographic hash of the previous block. Integrity of the whole blockchain can be verified by iteratively verifying the hash values all the way back to the original genesis block. A blockchain that is distributed over a network is called a distributed ledger. 

Cryptography is a study of techniques for secure communication over insecure channels such as the internet. Two major categories of cryptography are symmetric-key cryptography and asymmetric-key cryptography. Symmetric-key cryptography uses a single key for both encryption and decryption. On the other hand, asymmetric-key cryptography uses two separate keys: a public key for encryption and private key for decryption. 

A decentralized identifier (DID) is a globally unique identifier (URI) that does not require a centralized registration authority because it is registered with a decentralized network. 

A digital identifier is a unique information used to identify people, organizations, or things within a context. Examples of digital identifiers are social security numbers (SSN), e-mail addresses and decentralized digital identifiers. 

A digital identity of an entity is a unique fact of who or what the entity is in the digital world. A digital identity that is connected to a real-world Identity is called a digital twin. 

A digital signature is a cryptographic scheme for verifying authenticity of digital messages and documents. A digital document that is cryptographically signed is tamper-evident. In asymmetric cryptography, a private key is used for signed a document whereas a public key is used for verifying the document. 

A distributed ledger is a blockchain that is distributed across several nodes in a network. To record a new transaction into a distributed ledger, the nodes in the network must vote by a consensus protocol. Once a consensus is reached, all nodes update themselves with the copy of the new ledger. Examples of consensus protocols include Proof of Work, Proof of Stake and practical Byzantine Fault Tolerance. 

An entity is any singular, identifiable and separate object, e.g. an individual, an organization, a system, etc. 

A hardware security module (HSM) is a physical computing for managing and safeguarding cryptographic keys. A HSM contains a secure storage for cryptographic keys and crypto-processor chips for executing cryptographic operations such as key generation and digital signature. 

A cryptographic hash function is a one-way function for converting a digital message into a seemingly random bit array of a fixed size. For a given hash value, it is infeasible to reverse-engineer the hash function and obtain its original message, called the hash preimage.  

A holder is a role of an entity that holds a verifiable credential, created by an issuer. A holder can present her verifiable credential in the form of a verifiable presentation to a verifier. 

An identity of an entity is a unique fact of who or what the entity is. 

An identity management (IM) is a framework of policies and technologies for ensuring that the people in an enterprise have appropriate accesses to resources. 

Identity proofing is a process of verifying and authenticating the identity of an individual accessing an application or a service. It prevents fraudsters from gaining an access to sensitive data of legitimate users. Identity proofing includes, for example, verifying that uploaded credentials such passports and driving licenses are valid. 

An identity trust fabric (ITF) is a storage for cryptographic proofs of decentralized identities and verifiable credentials. An ITF enables decentralized trust between credential issuers, credential holders and service providers without relying on a centralized authority. An ITF can be built on a distributed ledger. A decentralized public key infrastructure (DPKI) is a component of an identity trust fabric. 

An issuer is a role of an entity that asserts claims about itself or another entity. An issuer creates a verifiable credential from these claims and send to a holder. 

A public key infrastructure (PKI) is a system for managing cryptographic public keys. A PKI system includes hardware, software, policies and roles, such as a certificate authority, for creating, managing distributing, storing and revoking public key certificates. A public key infrastructure that is built on a distributed ledger is called a decentralized public key infrastructure (DPKI) and forms a component of an identity trust fabric. 

Self-Sovereign Identity (SSI) is a concept where individuals are empowered to own, control and manage their digital identities without an intervening authority. An SSI platform can be implemented by using the blockchain technology as an identity trust fabric. 

A verifiable claim is an assertion made about an entity, which is tamper-evident and can be cryptographically verified. 

A verifiable credential is a set of one or more verifiable claims about an entity. A verifiable credential is created by an issuer and held by a holder. 

A verifiable presentation is a presentation of a verifiable credential, which is tamper-evident and can be cryptographically verified. A verifiable presentation is created by a holder and verified by a verifier. 

A verifier is a role an entity that verifies a verifiable presentation from a holder. A verifier is also known as a relying party or a service provider. 

A zero-knowledge proof (ZKP) is a cryptographic protocol by which one party (called the prover) can prove to another party (the verifier) that she knows something without revealing its underlying information or content. One application of a ZKP is selective disclosure for minimal revealing information in a credential. 

Evolution of Digital Identity

Digital identity is information on an entity that is used by computer systems such as the internet. Here, an entity does not limit to a person and could also be, e.g., an organization, a device or even software. Since the beginning of the internet, digital identity has been continuously changing through time. Starting as centralized identity silos, digital identity has gradually evolved toward more and more decentralization, as outlined below. 

1. Centralized Identity 

Digital identity started with the centralized identity model where organizations establish point-to-point trust with each user. In this model, the organizations own and manage all digital identities, leaving the users themselves almost no control over their own digital identities. Since information is siloed, this model causes significant redundancy and inefficient storage of personal information. Storing and protecting personal information is also a liability that requires large operating costs. 

 

2. Federated Identity 

The next stage of the identity model is known as the federated or server-centric model where digital identity is shared between trusted organizations, enabling domain-to-domain trust. This model breaks the identity silos and reduces redundancy with, e.g., Single Sign-on (SSO). The federated model was promoted by the invention of several protocols, including Security Assertion Markup Language (SAML), OAuth and OpenID Connect (OIDC). 

 

3. User-Centric (Mobile) Identity

In recent years, smartphones have emerged as persistent devices that can be digitally protected by, e.g., biometric information. This enables delegation of trust from organizations to mobile personal devices. In online banking, for example, SIM cards in mobile devices have been utilized as an identity tool for legally binding authentication and transaction signing. 

 

4. Self-Sovereign Identity

With the rise of the blockchain technology, the self-sovereign identity model has emerged as the most recent stage of digital identity. A blockchain serves as a decentralized and distributed tamper-evident log for digital identity and provides a common trust domain, known as the Identity Trust Fabric (ITF). This model enables full control and management of their own personally identifiable information (PII) without the need for a centralized authority.

References

  • H. Farahmand, Blockchain: The Dawn of Decentralized Identity, Gartner Research (2018).
  • J. B. Bernabe, J. L. Canovas, J. L. Hernandez-ramos, R. T. Moreno and A. Skarmeta, Privacy-Preserving Solutions for Blockchain: Review and Challenges, IEEE Access 7, 164908-164940 (2019).
  • I. A. Domingo, SSI eIDAS Legal Report: How eIDAS can legally support digital identity and trustworthy DLT-based transactions in the Digital Single MarketEuropean Commission B-1049 Brussels (2020).

New : 2020 Guidance for Decentralized Identity and Verifiable Claims

Get the guide