Cypherium
Published in

Cypherium

Cypherium | Enabling Decentralized Identity with Cypherium-ID

1. Poor user experiences and other inadequacies of traditional identity authentication systems

Back in 1997, Microsoft already attempted to make use of federated identity to allow users to log into multiple websites using the same identity. However, this system was unable to remember user preferences and offered poor user experiences. Therefore, Microsoft focused all its efforts in developing a centralized identity management system, but the shortcomings of a centralized management system quickly became apparent. Once the identity provider has displaced or damaged his data, all other merchants and clients will be affected as well. Subsequently, the industry has developed more advanced models of identity authentication as listed below:

OAuth (Open Authentication) provides an authorization layer between users and service providers, which allows third-party websites to call various information stored within the service provider’s servers with permission granted from the user. Users do not need to provide their passwords because all information exchange is performed through an access token. Users will set the rules and validity period of the permission access token.

FIDO (Fast Identity Online)’s objective is to disrupt current online identity authentication technologies centered around password-enabled access and ensure the interoperability of strong authentication technologies developed by various IT manufacturers. This is hoped to subsequently reduce the user’s reliance on passwords, including ‘password-less’ solutions (such as biometric authentication) that complies with UAF standard and Two-factor authentication (2FA) (using passphrases and specific devices). The diagram below shows the outlay of FIDO:

Apart from having advantages in addressing ‘technology silos’ in various identity authentication methods, FIDO also aims to solve the risks of centralization and inconveniences in keying in information brought about by traditional mobile authentication methods such as using passphrases or SMS verification. However, we might also recognize that there is still some distance away from realizing mass adoption.

The traditional authentication methods provided various learning points that we can adopt in more advanced authentication methods, however, there still lie huge shortcomings in terms of identity management, permanent storage, the connection of multiple nodes, privacy and surveillance issues. Cypherium blockchain provides a decentralized solution to the shortcomings mentioned above.

2. Cypherium’s solution to identity using blockchain

Cypherium blockchain uses PBFT and multisig as its core consensus algorithm. It can be a public chain, but it can also switch relatively easily into a consortium blockchain or private blockchain depending on different user needs. It has a dual-chain structure consisting of Key Blocks and Transaction Blocks, and it can simultaneously support Java (SDK 1.8) and the Solidity smart contract language (Ethereum smart contracts). Java smart contract is able to partition various components within the contract to enable separation of computing and business-level execution.

Cypherium blockchain also provides API access for application development, and all on-chain transactions performed through the application can get validated in microseconds, core consensus TPS can reach above 5,000. If sharding were to be taken into consideration, the network could process up to 200,000 TPS which perfectly fulfills the speed requirements of identity verification and checking.

The functions above had laid down a solid foundation for Cypherium to perform identity management and authentication such as multi-node storage for identity, speedy identity authentication, privacy solution, and rewards allocation.

The architecture of Cypherium for identity management and authentication is as follows:

Service layer provides a basic blockchain solution, including three types of logic structure: a blockchain service module, a smart contract service module, and an administrator management module. With different timestamps and scenarios, different modules will be activated. For instance, the inclusion of new nodes will activate the registration function under the administrator-management module.

Interface layer provides the basic blockchain application interface in the upper layer. We have identified entities such as merchants, users, identity service providers, regulatory bodies so that the interface layer can provide basic identity authentication service. For instance, providing an authentication interface to merchants and users and providing supervision authentication to regulatory bodies, while at the same time allowing for the initial registration and distinguishment of identities.

The interface layer and service layer together create a trust model and provide basic blockchain services for external applications. This model will disrupt existing centralized identity management systems and at the same time take into account the needs of user privacy protection and supervision requirements by regulatory bodies.

We will then explain the process of registration and authentication below.

User registration process flowchart is as follows:

  1. The identity service provider receives a registration request initiated by the user.
  2. Identity service provider then selects user registration request and sends back a set of policy requirements to the user.
  3. A set of private and public keys will be created at the user’s end and this set of private and public keys is unique to the user, identity service provider, and the blockchain.
  4. According to the policy requirements, the user makes required selections, chooses personal public key and sorts through other optional attributes, and sends back to the identity service provider. At the same time, the user is also required to provide various supporting documents.
  5. Identity service provider verifies the supporting documents provided by the user and stores the user’s public key and related user profiles after documents are verified. User data is not stored in the local server but rather through hashing the attribute data and adding the signatory properties, in order to be ‘authenticated’.
  6. Authenticated data will be broadcast onto the blockchain and cryptographically stored.
  7. Notice on user registration success will be sent.

User authentication process flowchart is as follows:

  1. The merchant sends a randomized challenge to the user and requests user to authenticate data requested per policy requirement.
  2. According to the authentication request, the user selects the data attributes authenticated by the identity service provider from his end to fulfill policy requirements.
  3. The user provides signatory, uses his public key to cryptographically hash attribute data requested by the merchant and provide public key provided by the identity service provider and other related information to the merchant.
  4. According to the information given by the identity service provider, merchant requests for the public key of the user, blockchain ‘authentication’ information and other related information.
  5. Identity service provider responds to information requested by the merchant.
  6. Merchant’s end application automatically scouts the blockchain for ‘authentication’ information.
  7. Merchant hashes the supporting data provided by the user and compare to the blockchain ‘authentication’ proof publicly signed by the identity service provider in order to verify the validity of the ‘authentication’ information.
  8. After verification success, user data is not stored locally but rather through encryption through hashing of valid data and adding of signatory properties, thereby creating new ‘authentication proof’ (with timestamps and other metadata) and sent to the blockchain for record keeping.
  9. Notice on user authentication success will be sent.

Through identity registration and authentication protocol, Cypherium uses asymmetrical cryptography to ensure the security of the value transfer when users, merchants, identity service providers are exchanging information. The sender has to use his private key to decrypt the data, then encrypt the data using the recipient’s public key and send over to the recipient. The recipient has to authenticate the data using the sender’s public key and finally uses his private key to decrypt the data.

Step 2 in the authentication process exhibits the user’s control and permission to his own data. Trust being realized through the decentralized exchange of data through the blockchain is exhibited in step 8 in the process where the ‘authentication proofs’ signed and stored in the blockchain in the authentication by the current merchant can be used by other merchants when they want to authenticate the same user.

A protocol that takes into account of all participant’s registration and authentication needs is made possible due to the base infrastructure Cypherium that provides.

Leveraging on the Cypherium blockchain service module which enhances the reliability and anti-attack capabilities of the system to realize a decentralized user data management.

Using Cypherium smart contract module, we are able to customize scenarios to create ‘contracts’ that fulfill the requirements of both parties. Therefore, using code to enforce conduct and law is not too distant from us anymore and it can better assure fairness. Administrator management module maintains the order of all participants and increases the scalability of the system.

Firstly, the existing mechanism of services based on trust is not mature. Based on market demand, interests between identity service providers and identity service users, we can integrate the strengths of Cypherium blockchain into existing trust services and identity authentication solutions to create a new trust model based on the blockchain and provide a unified trust model across the entire network. This will support common access among various identity service providers, providing various formats of identity authentication, as well as a fusion of authentication methods of the identity information source.

Next, all authentication is peer-to-peer, with user data being stored within the mobile phone terminal and blockchain only acts as an authenticator. Data management organizations can save hefty costs without having to maintain a centralized database because the validity of the authentication is both verified and maintained by participants of the network, therefore third-party trust agents have lost their value.

Under the Cypherium framework, the exchange of information between systems will not be interrupted by compatibility and mutually exclusivity issues which would result in high cost and difficulty in connection. As all systems use the same technology protocol, rules of authentication between participants will strictly follow the protocol consensus written into the blockchain and cannot be tampered with.

Lastly, programmability of Cypherium smart contract can allow complete automation of the authentication process customized based on different scenarios set by the management organization. Through embedded preset authentication rules programmed into the smart contract, the authentication can be automatically completed if all the preset requirements are fulfilled. This increases user experience and work efficiency.

3. Use cases

3.1 Personal identity management and authentication

When people travel abroad, participate in group activities or immigrate, methods for personal identity management and authentication are very similar. We will use a more complicated use case in airports as an example.

When going through security checks at the airport, we have to repeatedly show our passport, boarding pass, go through facial recognition and other procedures. All the information collected creates a digital identity which is crucial to interactions between the user and service provider, the service process flowchart is as follows:

The registration process

After a user downloads an APP, a Cypherium ID and related private and public keys will be generated. The user then uses the APP to take a picture of their identity document (eg. passport, driver’s license etc). APP then reads and extracts the metadata of the identity document (such as name, identity number) etc and cryptographically stores it locally within the APP. The extracted data will then be cryptographically processed (hashing, encryption etc), creating an authentication passphrase and be sent to the blockchain. All metadata (such as name, passport number, etc) will be hashed and stored within the private keys and sent to the service provider’s interface server after the transaction has been signed in order to record the authentication passphrase stored in the blockchain.

After registration, the process of the first authentication

  1. The user shows physical identity (passport etc) to the merchant and merchant checks if he is the real owner of the physical identity. This procedure is the same as security checks at the airport.
  2. After step 1 is completed successfully, the user can show a QR code through the APP and merchant scans the QR code and links to the user management server.
  3. Merchant then searches and retrieves the user’s record on the blockchain, verifying ownership such as ensuring that the Cypherium ID provided by the user matches the one in records, stored data matches physical identity and facial recognition results match the identity records.
  4. When ownership authentication is completed, the merchant sends requests to the member management server to authenticate the user, the server then generates an ‘authentication certificate’, which includes Cypherium ID, ID photo, authentication success token. Authentication certificates will then be hashed and sent to the blockchain for storage after being signed. It will be indexed in the server storage system.
  5. User management server then issues ‘authentication certificate’ to the user.
  6. The user receives the ‘authentication certificate’ from the APP and cryptographically stores it locally and it can be used for future authentication purposes from other merchants who have the same request. User end APP will now store the following information (securely encrypted information or secure envelope): indicators towards the user management server and corresponding records in the blockchain, ID photos used to compare with facial recognition, authentication certificates from the first authentication (token), indicator towards records of the authentication certificates.
  7. Firstly, we will sign off the securely encrypted data from the front end APP, then send the symmetrical password to the user management server (backup is also available on the user end) for future search. The private keys will be stored locally on the APP.

Second-time authentication and the following processes

When the user is at another location, user end (even without network connection) authentication process is as follows:

  1. Merchant requests for authentication.
  2. The user shows QR code and provides corresponding private keys to the merchant.
  3. Merchant scans the code, connects to the user management server and queries the blockchain for relevant information (uploaded information will also include first-time authentication outcome).
  4. Blockchain and user management server respond with relevant information.
  5. When the merchant receives the information, the APP will automatically complete the following process:
  • Authentication of securely encrypted data and blockchain metadata using user’s public key
  • Authentication of physical identity (ID photo) and compare it to the securely encrypted data
  • Using the previous public key to verify the authentication certificate, corresponding blockchain records, ID photo and the access token of the previous merchant

6. Comparison of facial features.

7. Authentication success.

3.2 Identity tracking of goods and products

The export and import of raw materials require the judgment of whether the raw materials (such as wood, diamonds, and precious metals) come from state sponsors of terrorism, forced labor or terrorist organizations. Frequently, unscrupulous traders will confuse the real country of origin through movement of the raw materials through countries with preferential trade agreements which causes the loss of tax income and indirectly provides support to illicit activities.

Therefore, it is very important to have a tracking mechanism that utilizes the blockchain and tracking methods are very similar to people traveling abroad — we just have to register an identity for the goods.

  1. A user can use the APP to take photos of the raw materials and how they are positioned after being packaged.
  2. APP will cryptographically store the image and other key data (quality, quantity, differentiating methods, merchant information etc) in the local server and upload to the customs’ server.
  3. Data that is read and extracted will be cryptographically encrypted (hashing, encryption), creating an authentication passphrase that is sent to the blockchain. Important metadata will also be hashed, generating a Cypherium ID and then stored in the APP’s private key and sent to the member interface server after being signed in order to record the authentication passphrase stored in the blockchain.
  4. When the raw materials first cross a border, the merchant will show customs their physical identity (passport, declaration form etc). The customs will then do basic declaration checks on the quantity and quality of the materials. Merchants also have to show a QR code via the APP and the customs officer will scan the code and connect to the user management server and query the blockchain for the records of the raw materials. Information like appearances of the materials, how the materials are being packaged and positioned, different methods are being queried and through IoT devices, the customs will identify the raw materials and compare the images of the appearances and positions of the raw materials.
  5. When the verification has been completed, the customs officer will update the outcome of the declaration check and generate a new transaction record and send it to the Cypherium blockchain to request user server to approve the merchant’s customs declaration check.
  6. Repeat the same process for steps 4 and 5 for the next customs declaration check.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store