The future of identity management
By Dave Elliman
The question might be ‘who am I?’ How do I prove that I am in fact ….me?
Personal data is widely recognised as valuable, data being the new oil and all that. Governments, companies large and small are desperate to use your information to provide a personalised experience. Your movements, purchases, online searches, sleep patterns and friends are all available to those who wish to purchase — or even steal — personal data. And we’re still predicting more devices, more data and a wider global spread. Indeed, as devices spread across the global south, more people have access to online services such as education and medical health diagnostics but they are also targets for various players who would manipulate them. In such an environment, we all want ways to protect our digital identities; self-sovereign identity offers a neat solution to that perennial problem of ensuring that you are, in fact, you.
Self-sovereign identity (SSI) is an approach for managing digital identities in which an individual or business has sole ownership and control of their personal data in whatever form it takes. Individuals with self-sovereign identity can store their data to their devices and provide it for verification and transactions without the need to rely upon a central repository of data. The primary goal is to allow users to have complete control over how their personal information is kept and used.
Digital identity requires a way to identify yourself, current approaches usually involve using a service to authenticate a user and return an encrypted token that can be used as a key to access systems and thus ensuring the user is who they say they are. Conversely, in SSI designs an intermediary isn’t needed. This means that a user’s self-sovereign identity can be registered to a claim, such as a block on a blockchain. The person can then share that identifying data when making a transaction with a payment service or government. In addition, giving the access control back to the user allows them to control exactly what data is shared, to whom and for how long.
Not many of us want all of our personal information to be available for the world to see, but we could use a verification system to make that some information available to others without them knowing what that information actually is. One candidate technology is called “Zero-Knowledge Proof” or ZKP. We provide our information only to the government and then it is cryptographically secured on a blockchain using a hash function. In this approach, the hash value will be available to those you want to share it with and they’ll be able to verify your identity from that hash — but they’ll never actually have to see your personal information.
This can be implemented as a system called Self-Sovereign Identity with Zero-Knowledge Proof. This allows individuals to have complete control of their personal information without having to reveal it to others. Although the government requires it to prove citizenship and personal identity, they do not have to be shared with every company or agency that requests it.
What’s happening today is that personal information is being sent to all over the place, with individuals having little-to-no control over where it’s stored on servers, nor even any idea how securely their data is being stored. It then only takes one exploit by hackers to get that information.
“What Self-Sovereign Identity with ZKP proposes is to obscure the actual information while verifying the individuals identity.”
With Zero-Knowledge Proof, we have a prover, who is the individual, and a verifier, who needs to verify an individual’s identity. In this case, all the prover needs to show a verifier is the value of X, without showing the actual information. All this requires is a proof of knowledge to verify that the individual is who they claim to be. This is a form of digital fingerprint that can prove an individual’s identity. The validity of the proof lies in using a cryptographic hash function that proves without a doubt that the identity is valid.
When you use a hash function on a set of variable data, as in the case of personal information (they are not all the same length), the output can be consistently of a fixed value. Therein lies the verification, because tampering with it is highly improbable, requiring extreme computing power or luck. When data is hashed, the inputs cannot be easily determined based on the output. In the case of Self-Sovereign Identity, the individuals personal information can be stored in a private database that can even be centralized under the government. However, the information is then hashed and the value is stored on a separate database that is public and uses a blockchain.
The reason a blockchain is used in this scenario is to provide a transparent, immutable, reliable and auditable way to share the public information. This can implement a ZKP protocol that allows provers (individuals) to feed a hashed value to verifiers (credit companies, banks, hospitals, etc.) in order to provide identification. In the process the verifiers will know it is correct without having to actually see it. The way this works is the public database will store the hashed value on a distributed decentralized network of nodes, that have validated the information through a consensus mechanism. This is required to establish the truth. Verifiers will then compare the hashed value from the prover to the hashed value stored on the public blockchain.
So one might argue that it’s easy to know an individual’s personal information, even their social security number.To further secure the information requires the use of a digital private key that only that individual can possess. This is then required to “unlock” the information to prove to the verifier their identity. The private key is also hashed along with the personal information, and the output value should always be unique. Individuals will be identified by their “public address” which is calculated from a unique private key that no one else has.
With a system that verifies identity without revealing the actual information, there are plenty of advantages for online transactions. Individuals will have to worry less about their digital identity being stolen when they transact business on the Internet. When individuals manage their own information, it decentralizes who controls it and where it is stored. Less control and less points of failure when individuals are allowed to take control of their own digital identity. Another advantage of using an identity system is that it can interoperate with other systems to verify an individual’s identity. It would be much faster and requires less hassle and data entry on computer systems. With digital identification systems, the verification process can be over within seconds.
Originally published at https://www.thoughtworks.com on February 19, 2020.