BLOCKCHAIN, THE BYZANTINE GENERALS PROBLEM, AND THE FUTURE OF IDENTITY MANAGEMENT By Philip Francis
Blockchain is a fast growing emerging technology made popular by the elusive internet currency known as Bitcoin. In its simplest form, a blockchain is a database and ledger system of transactions. Unlike traditional databases that are stored and maintained on private and centralized servers, a blockchain is decentralized, publicly distributed, and transparent. This public distribution means that the data being maintained is effectively unforgeable, incorruptible, and has no center point of failure.
Identity protection is a common problem in today’s digitized world. Seemingly every other week, headlines reveal some hacker has gained access to a centralized server resulting in the theft of millions of financial records, medical records, or identities. This problem is likely to get worse before it gets better. As of 2016, there are 13 billion devices connected to the internet. Many of these devices hold our personal information, bank records, and credit card numbers. By 2020 this number is set to reach 40 billion leaving us more exposed than ever.
Identity theft by the numbers
1: Approximately 15 million United States residents have their identities used fraudulently each year.
2: Close to 100 million additional Americans have their personal identifying information placed at risk of identity theft each year when records maintained in government and corporate databases are lost or stolen.
3: Data breaches totaled 1,540 worldwide in 2014 and led to the compromise of more than ONE BILLION data records.
4: 45% of total credit card fraud were online transactions, where the card did not have to be present
5: Overall costs of identity theft to the American economy is estimated to reach $100 billion annually. The cost globally is easily in the hundreds of billions of dollars.
6: Last year, almost 100 million healthcare records were compromised.
7: Medical records can be purchased for $60 per record on the dark web. Social security numbers can be purchased for $15.
Where does Blockchain come in?
Databases become primary targets for hackers because of the centralized information that resides within them. If the encryption is cracked, the hacker can potentially steal all of the information that is being stored. Blockchain technology offers a unique solution to this problem by decentralizing all of this data. The data therefore wouldn’t exist on one single server, but instead on a distributed public ledger being maintained by hundreds of thousands of computers all over the world. As a result, mass data hacks would be next to impossible to pull off since not one entity is in control of all of the information.
How do individual users secure their data from nefarious actors?
"Byzantine Generals Problem"
Picture a scene from a movie where a castle in the Middle Ages is under attack. There are 200 soldiers inside of the castle defending their king. Outside the castle there are four armies, each with 100 soldiers standing by waiting for commands from their Lieutenants. If they don’t attack simultaneously, they will lose the battle. How can all the Lieutenants leading these armies agree on the same time to attack the castle? There are two standing variables. One being that the "7pm attack" message created by the General needs to be hand delivered via horseback to each Lieutenant. And two, any Lieutenant could be a traitor and try to alter the message in favor of losing the battle. A special lock box was therefore created by the General with two sets of keys, a private and a public key. The public key is given to all four of the Lieutenants and can only be turned clockwise to see what is inside of the box. The General owns the private key which can be turned counter-clockwise to alter the information inside of the box.
The General takes the lock box, turns the private key counter-clockwise, and embeds the necessary information in it that says to attack the castle at 7pm. The lock box is then delivered to the first Lieutenant who takes his public key, turns it clockwise, and sees that the General is issuing an attack at 7pm. The lock box then gets delivered to the second Lieutenant. He decides to take it upon himself to turn the public key counter-clockwise in hopes of changing and corrupting the underlying message of the attack. However, due to the General’s advanced lock, the public key won’t allow him to do this. The message cannot be altered and therefore gets delivered to Lieutenant three and four uncorrupted. The attack succeeds as originally intended.
Now lets relate this to the blockchain. A person can store just about anything of value into a 'digital lock box'. The content inside of the box can only be opened and changed with a unique private key. The information inside of this box can then be shared on demand without the possibility of it being altered, changed, or replicated from its original form. This is the simplified architecture of private/public key cryptography made possible by Bitcoin.
What does the future of identity verification look like?
There are multiple startups working on creating identity solutions on top of blockchain technology. Shocard, a company founded by Armin Ebrahimi in 2015 is looking to function as a mobile ID that can be verified in real time using a combination of cryptography and the immutability of Bitcoin’s public ledger. Ebrahimi sees Shocard as a way for people to securely and instantly verify themselves for insurance incidents, e-commerce providers, banks, or any third party to whom they must prove their identity to.
A user would upload identification documents to the Shocard application. These documents would then be immediately stored and encrypted onto the blockchain. Shocard wouldn’t have to store or hold any of these themselves. The documents are sealed on the blockchain and therefore cannot be altered. A Shocard can be certified by anyone who needs to know your identity. For example, if a bank needed to verify your identification you would send them your encrypted Shocard. The bank then verifies that the data matches the sealed record on the blockchain. Then, the bank creates its own record tied to your Shocard app, encrypted with its private keys. Now the bank will know it’s you anytime it needs to. This verification can be used for account login, account management, credit card authentication, or a number of other reasons. It’s similar to the signature card a bank keeps on file to match with signatures on a personal check.
Example Use Cases for the Banking and Travel Industries
Example 1: At login, instead of typing in a username and password which can easily be forged or hacked, you would simply scan a QR code on the bank’s webpage from your Shocard app. A notification would then pop up on the app asking to provide a finger print for authentication. After providing the fingerprint, you would automatically be logged into your account.
Example 2: Lets say you need to call your bank’s customer service regarding an issue on your account. Traditionally, they might ask you a few security questions. These questions might be, what is your mother’s maiden name? What is your account number? What is your username? All of which could potentially be compromised or socially engineered if your account had been hacked. Instead, with Shocard, a notification would be sent to your app while on the phone with the bank operator. The notification would ask for a finger print to authenticate who you are. After the finger print is verified by the Shocard app, the bank would know for certain it’s actually you on the other end of the phone.
Example 3: Passengers would upload all of their travel documents using the Shocard app. These documents would then be sealed and encrypted on the Blockchain where anyone can verify their authenticity using the public key. Passengers would share this at check-in, airport security, and immigration checkpoints by scanning a QR code. Maybe first time passengers would need to provide the original documents to be verified, but frequent flyers would be able to use this app on demand.
One thing is certain, the identity theft protection services industry is going to see radical change over the next ten years. Shared secrets (usernames/passwords) have turned into a nightmare, centralized key servers are dangerous, ink signatures are easily forged, document and ID cards are 19th century technology, and two-factor authorization services are often inconvenient and unreliable. On top of this, we are going to see a 3x increase in the amount of devices connected to the internet by 2020 making us more exposed to hackers than ever before. I'm not advocating blockchain being the answer to everything, but it seems like a step in the right direction. Companies like Shocard, Solidx, and Civic are on the forefront of this innovation that could potentially cause mass disruption across the entire industry.
Written by Philip Francis / BLOCKCHAIN CONSULTANT PARTNER OF WORLDLINK