Dark Reading is part of the Informa Tech Division of Informa PLC


10/25/2016
10:30 AM

Blockchain & The Battle To Secure Digital Identities

This emerging technology is a promising way to verify transactions without compromising your digital identity.

Think about how fragmented your digital identity has become. Every time you enter a password or PIN, wherever you are, you're leveraging some element of your digital identity. Every time you pay with a credit card or recite your Social Security number. Every time you digitally sign a contract.

That holistic digital identity is tied to your physical likeness, finances, conversations, property, and credibility, making it an exceedingly valuable asset. Unfortunately, with pieces of our digital identities being handed out to everyone from retailers to government agencies to employers, those identities are more vulnerable than ever.

It's been well-documented over and over and over again how many lives are rocked by identity theft every year (nearly every reputable source calculates the total in the double-digit millions of people in the U.S. alone). As our digital identities become more disparate and attractive to fraudsters, we need a way to protect our digital selves.

Enter blockchain. Any organization can deploy blockchain — a promising, relatively new technology and methodology — to build trust among users. In its purest form, blockchain lets companies instantly make, approve, and verify many types of transactions by leveraging a collaborative digital ledger and a predetermined network of individual contributors or keepers of the blockchain. Once transactions or other data are inside the secure blockchain ledger, cryptography takes over and verification hurdles drastically decrease the chances of data being stolen.

There are two often-referenced categories of blockchain: private, which is permission-based, and public, which is anonymous. Each has its own strengths, but private, permission-based blockchain has an added layer of protection in that participants in a transaction are known and trackable.

Would we be willing to let blockchain serve as a clearinghouse or executor for our full digital identities? Think of how that could play out in a few different scenarios.

Private aka "Firm Private": This type is already taking hold. Through blockchain, a specific financial institution can verify and facilitate a stock purchase in real time, but after its completion that transaction can also become a part of a digital identity, protected by blockchain. That way, the information doesn't have to sit in a separate, isolated account behind the bank's walls, but can instead be instantly verified, referenced, and acted upon with other digital identity elements. It also allows the bank to retain some level of authority and management.

Public aka "Classic": As the Internet of Things expands, public blockchain can serve as the ledger in scenarios where only certain elements of a digital identity are necessary and a central authority isn't as integral. For instance, buying a burger at a drive-through. The combination of blockchain and a Bluetooth beacon could verify the car associated with a digital identity, verify the Visa Checkout app running on the car's console, communicate to the restaurant's payment system, and debit a bank account the proper amount. All of that can occur without a holistic digital identity being part of a known or closed network, sharing and accessing only the portions of the digital identity that are relevant to the sale.

Private Shared aka "Industry Private": This is a hybrid type of blockchain that could be the happy medium for financial institutions or stock exchanges, as digital identities and transactions are managed by a "circle of trust." Changes don't require mass approvals nor does the private shared blockchain allow just anyone to read and amend, but it keeps power from being consolidated in a sole authority's hands. So in the stock purchase example, a few interconnected industry stakeholders would need to approve the transaction — perhaps a bank, the stock exchange, and the Federal Trade Commission — before it becomes a verified part of the blockchain and of an individual's digital identity.
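The "circle of trust" approval in the stock purchase scenario, as an added Python example that is not from the article or from any blockchain product: a hash-chained ledger that accepts an entry only when every named stakeholder has approved that exact block, and that can re-verify itself later. The validator names, demo keys and function names are assumptions, and HMAC shared secrets stand in for the per-organisation signing keys a real permissioned ledger would use.

```python
import hashlib, hmac, json

# Constructed demo keys (assumption): HMAC secrets stand in for the signing
# keys each organisation in the circle of trust would hold in a real ledger.
VALIDATORS = {"bank": b"bank-demo-key", "exchange": b"exchange-demo-key",
              "ftc": b"ftc-demo-key"}
GENESIS = "0" * 64

def propose(chain, tx):
    """Hash binding tx to the current chain tip; this is what validators approve."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = json.dumps({"prev": prev, "tx": tx}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def approve(name, block_hash):
    """One validator's approval: a MAC over the proposed block hash."""
    return hmac.new(VALIDATORS[name], block_hash.encode(), hashlib.sha256).hexdigest()

def approvals_ok(block_hash, approvals):
    """True only if every validator approved this exact block hash."""
    return all(hmac.compare_digest(approvals.get(n, ""), approve(n, block_hash))
               for n in VALIDATORS)

def append(chain, tx, approvals):
    """Append tx only when the full circle of trust has approved it."""
    block_hash = propose(chain, tx)
    if not approvals_ok(block_hash, approvals):
        return False
    chain.append({"tx": tx, "hash": block_hash, "approvals": approvals})
    return True

def verify(chain):
    """Index of the first block failing re-verification, or -1 if the chain is intact."""
    for i, block in enumerate(chain):
        if propose(chain[:i], block["tx"]) != block["hash"] or \
                not approvals_ok(block["hash"], block["approvals"]):
            return i
    return -1

if __name__ == "__main__":
    chain, tx = [], {"buyer": "alice", "symbol": "XYZ", "shares": 10}  # constructed
    h = propose(chain, tx)
    print(append(chain, tx, {"bank": approve("bank", h)}))            # bank alone
    print(append(chain, tx, {n: approve(n, h) for n in VALIDATORS}))  # full circle
    chain[0]["tx"]["shares"] = 1000                                   # later edit
    print(verify(chain))
```

Because each approval covers the hash of the transaction plus the previous block, approvals collected for one entry cannot be reused for another, and any later edit to a stored entry shows up on re-verification.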

Those scenarios may be theoretical, but there are already many real-world applications leveraging blockchain. The Leonardo da Vinci Engineering School in Paris uses blockchain to validate and secure diplomas. The Royal Bank of Canada is experimenting with blockchain to authenticate and secure cross-border remittances. Blockchain is even being used for smart contracts that manage solar energy ownership and exchange across smart grids. Whether it's used between private financial institutions or in the public IoT, blockchain is securing elements of digital identities and lives.

Blockchain players still need to take some security measures in order to store, unite, and effectively use entire digital identities within the construct. All solutions leveraging blockchain rely on the integrity of the information published in the ledger. Although it isn't possible to corrupt the ledger itself, fraudsters will focus on attacking individual users. It's crucial to implement strong two-factor authentication for all users who contribute to the blockchain. Data encryption is also key, as is device-level security such as Trusted Execution Environments or Secure Elements that protect against potential man-in-the-middle attacks.

Once those security priorities are addressed, blockchain technology is poised to reach its full potential and serve as the guardian for our valuable digital identities.


Xavier Larduinat is a manager for innovation at Gemalto, currently in charge of advancing Gemalto as a leading technology brand and provider of solutions that secure the digital world. Prior to the 2001 beginnings of his work in the digital security market, Xavier spent 14 ...
 

Comments
Joe Stanganelli,
User Rank: Ninja
10/30/2016 | 12:35:49 PM
Hybridization
The idea of the "private" and "industry shared/private" blockchains is, ironically, paradoxical to the underlying idea/theory of blockchain -- in that the technology, being inherently "trustless," is theoretically more trustworthy because it relies on algorithms and distributed computing instead of a centralized authority who can potentially manipulate (or, for that matter, be used to manipulate should the centralized authority become breached/compromised).  And, yet, compliance and other "best-practice" dictates require (or, at least, are interpreted to require) that centralized authority be in charge.

Obviously, something is better than nothing, so it would seem.  But it's a bit funny how these hybrid blockchains have evolved and come to be.
Dr.T,
User Rank: Ninja
10/27/2016 | 11:04:37 AM
circle of trust
This may be one of the most important aspects of blockchain. Trust relationship between users and banks, also users and users.
Dr.T,
User Rank: Ninja
10/27/2016 | 11:04:08 AM
Re: Blockchain...
"... Blockchain holds a lot of promise ..."

Agree. For the fact that encryption strategies have their own flaws.
Dr.T,
User Rank: Ninja
10/27/2016 | 11:02:43 AM
Re: Security failed
"...  it depends on how you use the internet ..."

Agree. You may be a well-educated user and would not click any link that is suspicious.
Dr.T,
User Rank: Ninja
10/27/2016 | 11:00:47 AM
Re: Security failed
"...   online security is fake ..."

I would agree with you. That does not mean we need to give up.
Dr.T,
User Rank: Ninja
10/27/2016 | 10:58:06 AM
Digital identity
 

Ultimate goal of Digital identity should be identifying a person by staying anonymous. A challenge we need to achieve.
UmeshKTiwari,
User Rank: Strategist
10/26/2016 | 3:34:13 PM
Blockchain...
Blockchain holds a lot of promise... let us see where we are in a year or two..:)
Maia2920,
User Rank: Apprentice
10/26/2016 | 9:09:43 AM
Re: Security failed
Probably it depends on how you use the internet and what virtual identity you get. Not everything is so transparent as you'd expect.
Maia2920,
User Rank: Apprentice
10/26/2016 | 8:04:22 AM
Security failed
I think the idea of internet or online security is fake. Better say a huge lie. There is always someone who follows every step and any click you do.