Dark Reading is part of the Informa Tech Division of Informa PLC


10/25/2016
10:30 AM
Blockchain & The Battle To Secure Digital Identities

This emerging technology is a promising way to verify transactions without compromising your digital identity.

Think about how fragmented your digital identity has become. Every time you enter a password or PIN, wherever you are, you're leveraging some element of your digital identity. Every time you pay with a credit card or recite your Social Security number. Every time you digitally sign a contract.

That holistic digital identity is tied to your physical likeness, finances, conversations, property, and credibility, making it an exceedingly valuable asset. Unfortunately, with pieces of our digital identities being handed out to everyone from retailers to government agencies to employers, those identities are more vulnerable than ever.

It's been well-documented over and over and over again how many lives are rocked by identity theft every year (nearly every reputable source calculates the total in the double-digit millions of people in the U.S. alone). As our digital identities become more disparate and attractive to fraudsters, we need a way to protect our digital selves.

Enter blockchain. Any organization can deploy blockchain — a promising, relatively new technology and methodology — to build trust among users. In its purest form, blockchain lets companies instantly make, approve, and verify many types of transactions by leveraging a collaborative digital ledger and a predetermined network of individual contributors or keepers of the blockchain. Once transactions or other data are inside the secure blockchain ledger, cryptography takes over and verification hurdles drastically decrease the chances of data being stolen.

There are two often-referenced categories of blockchain: private, which is permission-based, and public, which is anonymous. Each has its own strengths, but private, permission-based blockchain has an added layer of protection in that participants in a transaction are known and trackable.

Would we be willing to let blockchain serve as a clearinghouse or executor for our full digital identities? Think of how that could play out in a few different scenarios.

Private aka "Firm Private": This type is already taking hold. Through blockchain, a specific financial institution can verify and facilitate a stock purchase in real time, but after its completion that transaction can also become a part of a digital identity, protected by blockchain. That way, the information doesn't have to sit in a separate, isolated account behind the bank's walls, but can instead be instantly verified, referenced, and acted upon with other digital identity elements. It also allows the bank to retain some level of authority and management.

Public aka "Classic": As the Internet of Things expands, public blockchain can serve as the ledger in scenarios where only certain elements of a digital identity are necessary and a central authority isn't as integral. For instance, buying a burger at a drive-through. The combination of blockchain and a Bluetooth beacon could verify the car associated with a digital identity, verify the Visa Checkout app running on the car's console, communicate to the restaurant's payment system, and debit a bank account the proper amount. All of that can occur without a holistic digital identity being part of a known or closed network, sharing and accessing only the portions of the digital identity that are relevant to the sale.

Private Shared aka "Industry Private": This is a hybrid type of blockchain that could be the happy medium for financial institutions or stock exchanges, as digital identities and transactions are managed by a "circle of trust." Changes don't require mass approvals nor does the private shared blockchain allow just anyone to read and amend, but it keeps power from being consolidated in a sole authority's hands. So in the stock purchase example, a few interconnected industry stakeholders would need to approve the transaction — perhaps a bank, the stock exchange, and the Federal Trade Commission — before it becomes a verified part of the blockchain and of an individual's digital identity.

Those scenarios may be theoretical, but there are already many real-world applications leveraging blockchain. The Leonardo da Vinci Engineering School in Paris uses blockchain to validate and secure diplomas. The Royal Bank of Canada is experimenting with blockchain to authenticate and secure cross-border remittances. Blockchain is even being used for smart contracts that manage solar energy ownership and exchange across smart grids. Whether it's used between private financial institutions or in the public IoT, blockchain is securing elements of digital identities and lives.

Blockchain players still need to take some security measures in order to store, unite, and effectively use entire digital identities within the construct. All solutions leveraging blockchain rely on the integrity of the information published in the ledger. Although it isn't possible to corrupt the ledger itself, fraudsters will focus on attacking individual users. It's crucial to implement strong two-factor authentication for all users who contribute to the blockchain. Data encryption is also key, as is device-level security such as Trusted Execution Environments or Secure Elements that protect against potential man-in-the-middle attacks.
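
The following Python example is added here for illustration and is not code from the article or from any product it mentions. It models the "circle of trust" approval from the stock purchase scenario and the ledger integrity check this paragraph relies on; the approver names, demo keys, and function names are hypothetical, and HMAC with constructed keys stands in for each stakeholder's real digital signature.

```python
import hashlib, hmac, json

# Constructed demo keys; HMAC stands in for each stakeholder's digital signature.
APPROVER_KEYS = {"bank": b"demo-bank", "stock_exchange": b"demo-exchange", "ftc": b"demo-ftc"}
GENESIS = "0" * 64

def _digest(prev_hash, tx):
    """Hash a transaction together with the hash of the entry before it."""
    payload = json.dumps({"prev": prev_hash, "tx": tx}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def propose(ledger, tx):
    """Return the entry hash that the stakeholders are asked to approve."""
    return _digest(ledger[-1]["hash"] if ledger else GENESIS, tx)

def approve(approver, entry_hash):
    """One stakeholder's approval tag over the proposed entry hash."""
    return hmac.new(APPROVER_KEYS[approver], entry_hash.encode(), hashlib.sha256).hexdigest()

def _approved_by_all(entry_hash, approvals):
    return all(hmac.compare_digest(approvals.get(n, ""), approve(n, entry_hash))
               for n in APPROVER_KEYS)

def append(ledger, tx, approvals):
    """Append tx only if every member of the circle of trust approved it."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    entry_hash = _digest(prev, tx)
    if not _approved_by_all(entry_hash, approvals):
        return False
    ledger.append({"prev": prev, "tx": dict(tx), "hash": entry_hash,
                   "approvals": dict(approvals)})
    return True

def verify(ledger):
    """Recompute hashes and approvals; return index of the first bad entry or -1."""
    prev = GENESIS
    for i, e in enumerate(ledger):
        h = _digest(prev, e["tx"])
        if e["prev"] != prev or e["hash"] != h or not _approved_by_all(h, e["approvals"]):
            return i
        prev = h
    return -1

def demo():
    ledger = []
    tx = {"identity": "alice", "action": "buy", "symbol": "XYZ", "shares": 10}  # constructed
    h = propose(ledger, tx)
    rejected = append(ledger, tx, {n: approve(n, h) for n in ("bank", "stock_exchange")})
    accepted = append(ledger, tx, {n: approve(n, h) for n in APPROVER_KEYS})
    clean = verify(ledger)
    ledger[0]["tx"]["shares"] = 1000   # simulate a change made after approval
    return rejected, accepted, clean, verify(ledger)
```

The entry missing one approval is refused, and a change made after approval is caught on re-verification because the stored hash and approvals no longer match the recomputed ones.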

Once those security priorities are addressed, blockchain technology is poised to reach its full potential and serve as the guardian for our valuable digital identities.

Xavier Larduinat is a manager for innovation at Gemalto, currently in charge of advancing Gemalto as a leading technology brand and provider of solutions that secure the digital world. Prior to the 2001 beginnings of his work in the digital security market, Xavier spent 14 ...
 

Comments
Joe Stanganelli,
User Rank: Ninja
10/30/2016 | 12:35:49 PM
Hybridization
The idea of the "private" and "industry shared/private" blockchains is, ironically, paradoxical to the underlying idea/theory of blockchain -- in that the technology, being inherently "trustless," is theoretically more trustworthy because it relies on algorithms and distributed computing instead of a centralized authority who can potentially manipulate (or, for that matter, be used to manipulate should the centralized authority become breached/compromised).  And, yet, compliance and other "best-practice" dictates require (or, at least, are interpreted to require) that centralized authority be in charge.

Obviously, something is better than nothing, so it would seem.  But it's a bit funny how these hybrid blockchains have evolved and come to be.
Dr.T,
User Rank: Ninja
10/27/2016 | 11:04:37 AM
circle of trust
This may be one of the most important aspects of blockchain. Trust relationship between users and banks, also users and users.
Dr.T,
User Rank: Ninja
10/27/2016 | 11:04:08 AM
Re: Blockchain...
"... Blockchain holds a lot of promise ..."

Agree. For the fact that encryption strategies have their own flaws.
Dr.T,
User Rank: Ninja
10/27/2016 | 11:02:43 AM
Re: Security failed
"...  it depends on how you use the internet ..."

Agree. You may be a well-educated user and would not click any link that is suspicious.
Dr.T,
User Rank: Ninja
10/27/2016 | 11:00:47 AM
Re: Security failed
"...   online security is fake ..."

I would agree with you. That does not mean we need to give up.
Dr.T,
User Rank: Ninja
10/27/2016 | 10:58:06 AM
Digital identity
 

Ultimate goal of Digital identity should be identifying a person by staying anonymous. A challenge we need to achieve.
UmeshKTiwari,
User Rank: Strategist
10/26/2016 | 3:34:13 PM
Blockchain...
Blockchain holds a lot of promise... let us see where we are in a year or two..:)
Maia2920,
User Rank: Apprentice
10/26/2016 | 9:09:43 AM
Re: Security failed
Probably it depends on how you use the internet and what virtual identity you get. Not everything is so transparent as you'd expect.
Maia2920,
User Rank: Apprentice
10/26/2016 | 8:04:22 AM
Security failed
I think the idea of internet or online security is fake. Better say a huge lie. There is always someone who follows every step and any click you do.