Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

10/25/2016
10:30 AM
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

Blockchain & The Battle To Secure Digital Identities

This emerging technology is a promising way to verify transactions without compromising your digital identity.

Think about how fragmented your digital identity has become. Every time you enter a password or PIN, wherever you are, you're leveraging some element of your digital identity. Every time you pay with a credit card or recite your Social Security number. Every time you digitally sign a contract.

That holistic digital identity is tied to your physical likeness, finances, conversations, property, and credibility, making it an exceedingly valuable asset. Unfortunately, with pieces of our digital identities being handed out to everyone from retailers to government agencies to employers, those identities are more vulnerable than ever.

It's been well-documented over and over and over again how many lives are rocked by identity theft every year (nearly every reputable source calculates the total in the double-digit millions of people in the U.S. alone). As our digital identities become more disparate and attractive to fraudsters, we need a way to protect our digital selves.

Enter blockchain. Any organization can deploy blockchain — a promising, relatively new technology and methodology — to build trust among users. In its purest form, blockchain lets companies instantly make, approve, and verify many types of transactions by leveraging a collaborative digital ledger and a predetermined network of individual contributors or keepers of the blockchain. Once transactions or other data are inside the secure blockchain ledger, cryptography takes over and verification hurdles drastically decrease the chances of data being stolen.

There are two often-referenced categories of blockchain: private, which is permission-based, and public, which is anonymous. Each has its own strengths, but private, permission-based blockchain has an added layer of protection in that participants in a transaction are known and trackable.

Would we be willing to let blockchain serve as a clearinghouse or executor for our full digital identities? Think of how that could play out in a few different scenarios.

Private aka "Firm Private": This type is already taking hold. Through blockchain, a specific financial institution can verify and facilitate a stock purchase in real time,but after its completion that transaction can also become a part of a digital identity, protected by blockchain. That way, the information doesn't have to sit in a separate, isolated account behind the bank's walls, but can instead be instantly verified, referenced, and acted upon with other digital identity elements. It also allows the bank to retain some level of authority and management.

Public aka "Classic": As the Internet of Things expands, public blockchain can serve as the ledger in scenarios where only certain elements of a digital identity are necessary and a central authority isn't as integral. For instance, buying a burger at a drive-through. The combination of blockchain and a Bluetooth beacon could verify the car associated with a digital identity, verify the Visa Checkout app running on the car's console, communicate to the restaurant's payment system, and debit a bank account the proper amount. All of that can occur without a holistic digital identity being part of a known or closed network, sharing and accessing only the portions of the digital identity that are relevant to the sale.

Private Shared aka "Industry Private": This is a hybrid type of blockchain that could be the happy medium for financial institutions or stock exchanges, as digital identities and transactions are managed by a "circle of trust." Changes don't require mass approvals nor does the private shared blockchain allow just anyone to read and amend, but it keeps power from being consolidated in a sole authority's hands. So in the stock purchase example, a few interconnected industry stakeholders would need to approve the transaction — perhaps a bank, the stock exchange, and the Federal Trade Commission — before it becomes a verified part of the blockchain and of an individual's digital identity.

Those scenarios may be theoretical, but there are already many real-world applications leveraging blockchain. The Leonardo da Vinci Engineering School in Paris uses blockchain to validate and secure diplomas. The Royal Bank of Canada is experimenting with blockchain to authenticate and secure cross-border remittances. Blockchain is even being used for smart contracts that manage solar energy ownership and exchange across smart grids. Whether it's used between private financial institutions or in the public IoT, blockchain is securing elements of digital identities and lives.

Blockchain players still need to take some security measures in order to store, unite, and effectively use entire digital identities within the construct. All solutions leveraging blockchain rely on the integrity of the information published in the ledger. Although it isn't possible to corrupt the ledger itself, fraudsters will focus on attacking individual users. It's crucial to implement strong two-factor authentication for all users who contribute to the blockchain. Data encryption is also key, as is device-level security such as Trusted Execution Environments or Secure Elements that protect against potential man-in-the-middle attacks.

Once those security priorities are addressed, blockchain technology is poised to reach its full potential and serve as the guardian for our valuable digital identities.

Related Content:

 

Xavier Larduinat is a manager for innovation at Gemalto, currently in charge of advancing Gemalto as a leading technology brand and provider of solutions that secure the digital world. Prior to the 2001 beginnings of his work in the digital security market, Xavier spent 14 ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
10/30/2016 | 12:35:49 PM
Hybridization
The idea of the "private" and "industry shared/private" blockchains is, ironically, paradoxical to the underlying idea/theory of blockchain -- in that the technology, being inherently "trustless," is theoretically more trustworthy because it relies on algorithms and distributed computing instead of a centralized authority who can potentially manipulate (or, for that matter, be used to manipulate should the centralized authority become breached/compromised).  And, yet, compliance and other "best-practice" dictates require (or, at least, are interpreted to require) that centralized authority be in charge.

Obviously, something is better than nothing, so it would seem.  But it's a bit funny how these hybrid blockchains have evolved and come to be.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/27/2016 | 11:04:37 AM
circle of trust
This may be one of the most important aspect of blockchain. Trust relationship between users and banks also users and users.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/27/2016 | 11:04:08 AM
Re: Blcokchain...
"... Blockchain holds a lot of promise ..."

Agree. For the fact that encryption strategies have their own flaws.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/27/2016 | 11:02:43 AM
Re: Security failed
"...  it depends on how you use the internet ..."

Agree. You may be a well-educated users and would not click any link that is suspicious. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/27/2016 | 11:00:47 AM
Re: Security failed
"...   online security is fake ..."

I would agree with you. That does not mean we need to give up.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/27/2016 | 10:58:06 AM
Digital identity
 

Ultimate goal of Digital identity should be identifying a person by staying anonymous. A challenge we need to achieve.
UmeshKTiwari
50%
50%
UmeshKTiwari,
User Rank: Strategist
10/26/2016 | 3:34:13 PM
Blcokchain...
Blockchain holds a lot of promise... let us see where we are in a year or two..:)
Maia2920
50%
50%
Maia2920,
User Rank: Apprentice
10/26/2016 | 9:09:43 AM
Re: Security failed
Probably it depends on how you use the internet and what virtual identity you get. Not everything is so transparent as you'd expect.
Maia2920
50%
50%
Maia2920,
User Rank: Apprentice
10/26/2016 | 8:04:22 AM
Security failed
I think the idea of internet or online security is fake. Better say a huge lie. There is always someone who follows every step and any click you do.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/13/2020
Where are the 'Great Exits' in the Data Security Market?
Dave Cole, Cofounder and CEO, Open Raven,  10/13/2020
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11496
PUBLISHED: 2020-10-19
Sprecher SPRECON-E firmware prior to 8.64b might allow local attackers with access to engineering data to insert arbitrary code. This firmware lacks the validation of the input values on the device side, which is provided by the engineering software during parameterization. Attackers with access to ...
CVE-2020-15822
PUBLISHED: 2020-10-19
In JetBrains YouTrack before 2020.2.10514, SSRF is possible because URL filtering can be escaped.
CVE-2020-24375
PUBLISHED: 2020-10-19
A DNS rebinding vulnerability in the UPnP MediaServer implementation in Freebox Server before 4.2.3.
CVE-2020-7193
PUBLISHED: 2020-10-19
A ictexpertcsvdownload expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).
CVE-2020-7194
PUBLISHED: 2020-10-19
A perfaddormoddevicemonitor expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).