Monday, July 29, 2019

Spotlight Series 4: Elastos DID

The Internet is Broken

The internet is broken, has been broken for a long time, and has only the few and far working to fix it. Meanwhile, blockchain technology has finally piqued corporate interest and penetrated the major leagues of tech and finance. Somehow, while TPS (Transactions Per Second), market sentiment, regulatory guidance, and other peripheral matters dominate the mainstream dialogue, the vast majority of industry and government alike remain uneducated to the fact that blockchain's most potent use-case may in fact be the remedy for our broken internet. It's true: blockchain has the potential to radically recalibrate the internet for the data-driven economy of the 21st century; but most blockchain projects continue to devote energy to increasing transaction speeds, at the expense of exploring blockchain's foremost utility.

At Elastos, the utility of blockchain is paramount: blockchain gives users the power to own their data and digital assets in a completely decentralized and secure manner. Every day, news reports of hacked databases, security exploits, and DDoSed servers are published. With millions - if not billions - of IoT devices being deployed in homes around the world, data harvesting and the exploitation of privacy will only continue to worsen over time as new vectors for attack render the internet even more vulnerable than it is today. Rather ironically perhaps, it is becoming increasingly obvious that there exists an inverse relationship between the reliability of the internet and the degree to which we rely on it. If we do not make radical efforts to restore the internet to a decentralized state, it will wreak havoc on the systems of exchange, security, and asset ownership that functional and thriving economies depend on.

Elastos employs blockchain as the infrastructural backbone for a secure and Modern Internet that preserves the rights and privacy of its users. Termed the "Elastos Smartweb," the Modern Internet of Elastos uses URLs to summon decentralized applications, not data. Thus, the value of the Elastos Smartweb lies in its ability to create secure Dapps and to utilize a DID (Decentralized Identifier) to create an authentication mechanism capable of validating user identity. In this edition of Spotlight Series, we introduce the DID Sidechain, examine how it works under the hood, and explore some of its use cases. We will also expound DID's essential role in protecting and assigning value in the Modern Internet, as well as its reverse-compatibility with the pre-existing internet.
 

Tamper-Proof, Interoperable Identification

Today's internet is dominated by the usual suspects: Google, Facebook, Amazon, and the like. Each tantalizes users by offering a customizable, personal account free of charge. Yet, personal accounts have become more a standard requirement than a complimentary offer; only after creating an account can a user access the full suite of services that these platforms provide. In this way, Google, Facebook, and Amazon only grant access to their platforms once a user accepts a unique, in-house ID. Herein lies the problem: each in-house ID is issued separately by each platform, and is thereby managed independently by its issuer, who serves as a centralized data storage facility. Thus, individuals are required to manage several internet identities as they navigate across various platforms. Meanwhile, Google, Facebook, and Amazon become central authorities that hold vast amounts of wealth - digital wealth, that is. If any of these companies - or any other platform-hosting organization that stores medical information, financial records, or other individualized data - is insecure or becomes compromised, all of its personal and sensitive user information will get exposed as a result. To that end, as long as there is a central entity holding large amounts of data, hackers will continue to devise new methods to exploit private data for profit. Worse yet, centralized ID systems effectively concentrate digital wealth, which further incentivizes hackers to extract data from centralized servers by whatever means possible. At this stage, it has become clear that data privacy and user identity are two manifestations of a systemic ill - that is, they cannot be resolved with top-layer solutions. An infrastructural remedy is the only remedy which will be sustainable.

 

In today's world, people do not trust Google or Facebook to issue Universal IDs to the global populous. In fact, citizens will not even trust their own governments to issue Universal IDs  because these IDs are still issued and controlled by powerful central authorities, and therefore require immense faith in their commitment to ethical behavior. Even worse, users are powerless to protect their own data if such a central authority is unable to secure the servers that are responsible for issuing IDs and storing corresponding data. But rather than trusting a powerful entity or group, perhaps individuals can trust in an open source protocol, one which runs autonomously and functions without any central point of vulnerability. This system avoids allocating excessive wealth and power to a singular entity, while also eliminating the potential for exploitation and security failure. These advantages of decentralized, open-source protocols are in fact all features of blockchain, and they make up the core services the DID Sidechain provides users and applications.

By issuing Universal IDs (UIDs) to everyone on the internet, a blockchain automates trust. In a blockchain-based system of exchange, transactions occur only between individuals, and central authorities and intermediaries are effectively dissolved. Blockchain functions autonomously by drawing on a distributed population of miners who work to secure each block on the chain that contains personal data. Such a UID is said to be interoperable, which is to say that it can be used across all internet platforms – Google, Facebook, and Amazon included. UIDs also eliminate the need to place trust in any central authority because the blockchain is decentralized by nature. Thus,  each user's data will be safe and secure, as it is protected by the blockchain. In addition, UIDs make feasible a revolution in user experience, as interoperability enables cross-platform transaction. For instance, users from Facebook Messenger, Whatsapp, WeChat, and Google Chat can message one another seamlessly and instantaneously. With the use of Decentralized IDs (DIDs) that are issued via the Elastos DID Sidechain, users can interact and transact in this fashion. This is only one of the DID Sidechain's many potential use cases.

How is the DID Sidechain Secured?

Elastos employs a hybrid consensus of Auxiliary Proof of Work + Delegated Proof of Stake (AuxPoW + DPoS). In this consensus, blocks are packaged by merged-miners (predominantly Bitcoin miners, but miners of any coin that uses the SHA256 hash function are capable of merged-mining) and then validated and signed by DPoS Supernodes. This is why it is theoretically possible for Elastos to amass as much hashrate – or more – as the Bitcoin network in securing its blockchain. Elastos also employs a main chain-sidechain architecture, where the Elastos blockchain serves as an infrastructural backbone, and decentralized applications (Dapps) are built alongside it in the form of sidechains. By augmenting infrastructural technologies and Dapps horizontally rather than vertically, Elastos achieves near-infinite scalability and avoids congestion on its main chain. With this architecture in place, concerns regarding TPS are non-existent. Because there are various sidechains prototypes that can be developed to handle specific transaction types and to execute different smart contracts, transaction volume is distributed across the sidechain network. For instance, the main chain handles ELA payments and supernode election transactions, whereas the DID Sidechain handles the issuance of Decentralized IDs to apps, users, and devices. The Token Sidechain handles the creation and issuance of fungible and non-fungible tokens without the use of smart contracts. The Ethereum Sidechain is a near-replica of the public Ethereum blockchain which allows Dapps from the public Ethereum blockchain to run on Elastos. The NEO Sidechain runs NEO-compatible smart contracts. In the future, if there is a use case for a different kind of sidechain that is needed, it can easily be developed, thereby leading to a horizontally scalable, diverse, and sustainable ecosystem of Dapps.

In addition, because the Elastos main chain is merged-mined with Bitcoin, merged-mining can be recursively implemented by sidechains as a consensus mechanism. For example, the DID Sidechain is merged-mined with the ELA main chain, which in turn is merged-mined with Bitcoin, thus securing the DID Sidechain with the unrivaled hashpower of BTC. This is an extremely effective method for securing the data and DIDs issued and stored by the DID Sidechain. As previously stated, DIDs can be issued to all users and websites on the internet, as well as to all Dapps on the Elastos Smart Web. The DID Sidechain serves as the trustless zone for the most valuable data of the Modern Internet, which is exactly the reason its consensus mechanism prioritizes security and robustness. Lastly, while creating a DID is completely free, storing data on the DID Sidechain requires nominal transactional fees to support the network.

What is Elastos DID?

A Decentralized Identifier (DID) refers to an ID that can be issued by an autonomous, independent, and decentralized platform that acts as a proof of ownership of digital identity. On Elastos, the DID Sidechain fills this role. While the traditional internet needs a central authority to issue a digital identity in order to avoid naming conflicts, in blockchain-based digital payment systems – most notably, Bitcoin – a wallet address serves as a user's ID to carry out a transaction. In this type of system, each public key is linked to a corresponding private key which is used to sign transactions. Termed public key cryptography, this mechanism supports authentication between strangers and eliminates the need for a third party to confirm the identities of transacting parties. Employing its DID Sidechain, Elastos achieves the same feat, while also providing each user with a unique DID, along with a corresponding private key, public key, and DID ELA addresses. In the Elastos ecosystem, the DID Sidechain serves as the digital identity solution, as it provides DIDs for free. Using their issued DIDs, users can self-identify and self-certify themselves and any transactions and data associated with them to the rest of the internet community. Thus, all individuals on the internet can be truly self-sovereign, and can exchange digital assets – from coins to films, music, books, and games and any valuable data – in a trustless and secure manner, without the aid of a central authority.

The process of DID issuance begins with the generation of a private key. From the private key, the DID, public key, and ELA address are generated. The private key acts as a form of private ownership of digital identity for a user, Dapp, or device, because an individual is only allowed to access the data associated with a DID if it can provide the corresponding private key. The public key is used to verify ownership of digital identity and a DID is the symbolic representation of digital identity similar to a username in a traditional username account system. The Elastos DID Sidechain provides functionalities such as the creation of DIDs as well as read and write interfaces that can be associated with these DIDs.

Each DID has a set of properties that can be saved to the blockchain in the form of Key-Value attributes. In other words, a user is able to put any information they want on the blockchain that is associated with its DID. If a user writes a new value using the same key, the DID Sidechain will only take the latest value as valid and ignore the old values. If a user wants to update the value for a specific key, it will need to get the old value and make modifications to the old value content before inserting the new property, thereby replacing the old value in the process. When reading the DID, the Elastos DID Sidechain Read method returns only the most recent default value. 

 

DID Principle

The original concept of DID dates back to PKI (Public Key Infrastructure). Similar to the traditional PKI system, DID deals with public and private keys representative of a private identity. Similar to how commercial banks issue credit and debit cards that require an authorized password to complete transactions on behalf of the user, in the DID world, the private key serves as a self-issued identity credential that can be used to complete transactions on behalf of the user. The authorized password on a debit or credit card functions within a centralized system, and is therefore prone to attacks. If the centralized servers that store the bank username and password data are compromised or experience an outage, the users have no access to their data. DIDs, on the other hand, are secured by the blockchain and do not require the services of expensive and unreliable intermediaries.

In the simplest case, a bank card cannot be used as sufficient identity verification to purchase an airline ticket, even if the proper KYC has been completed to receive the bank card with the corresponding bank. Instead, an individual has to pay the airline for a ticket and wait while the airline verifies the user's identity with its own KYC process. Because banks do not exchange information with airlines, airlines cannot confirm identity with a bank card alone. When an individual applies the same concept using DID, the barrier that prevents banks from communication with the airline is removed. Based on the present state of cryptography, individuals and organizations can safely confirm the validity of content if it is signed with a proper private key. As long as the receiver (generally, an application) is recognized, attaching a copy of a user's public key with a transaction functions as a secure form of KYC because the public key can only be produced by way of the hash output of the user's private key, which only that user has access to. This relationship and identification mechanism effectively establishes an interoperable relationship between central banks and airlines because it allows them to use a shared KYC process. By using a single DID to sign transactions on both a bank card and airline ticket, users and enterprises alike realize the greatest benefits of PKI: seamless identity verification and transaction process efficiency.

Because identity-related attributes can be stored in every DID, this information is always going to be on the blockchain, and it will neither disappear nor be controlled by anyone. Information is stored on a public chain so anyone can access it by traversing the history of the blocks; such is the power of having an open, transparent, and tamper-proof blockchain. DID owners can write DID property into any content, provided the content is accompanied by their unique signatures – that is, their public keys. Once new content is written to a DID, it cannot be modified or deleted.  This conditionality guarantees the authenticity of the signature, and prevents another user from counterfeiting or forging content to a DID for which it does not have the private key. 

Anything can be written to DID properties: nicknames, emails, and payment addresses, just to name a few. Much like for social media platforms, it is unwise to store sensitive information on a DID because it will be visible to the public. For public information though, a number of radical use cases exist for application scenarios where a third party certificate acts as a proof of evidence. For instance, universities can apply for their own DIDs to use for signing documents. Each university may then sign graduation certificates for each student with its DID. Students may write their own DID property in this signature. Later on, third parties can verify whether the public key of the DID students and universities are legitimate by reading the signature content from the blockchain. From that point on, a system proof is established on the basis of DID.

One might wonder about the implications of storing sensitive and private content on the DID Sidechain. To solve this problem, content stored on the DID property can be encrypted to control access permissions. With this method, even if an individual traversed the blockchain, he or she will be unable to decrypt the actual content. There are two encryption methods that can be used in such cases:

  1. Encrypt text with a password and save the encrypted text on the blockchain. This way, users and third parties will need a password to decrypt the content.
  2. Save the summary content (a unique hash of the entire content) on the blockchain while keeping the user's own plaintext content off-chain. This way, third parties can obtain the hash of the content from the blockchain and users can provide the actual content to third parties. Third parties can verify whether the content provided to them is legitimate, thus authenticating the content provided by users.

The second option is recommended because it has two primary advantages:

  1. From the standpoint of performance, block read and write speeds from the blockchain are limited and the amount of pay-per-use increases when excessive data is being written on-chain. The use of a summary hash can overcome the limitation of the size of DID property on-chain while also increasing the speed of the content and reducing costs.
  2. From the standpoint of security, storing full DID property on chain still leaves minor risk if the user's password is not strong enough. Therefore, the risk of loss of privacy. Therefore, the off-chain storage presents a superior option, as it only stores the hash of the content on-chain and stores the actual content off-chain.

In summary, DID works as follows:

  • It generates a private key, public key, and DID using the Elastos DID Sidechain.
  • Users sign their content using their private keys and use their public keys to verify the signature, thus ensuring that their public keys and DIDs match.
  • Signed content is written to the DID Sidechain.
  • Signed content is the property of a user DID user and it can be provided to third parties as proof that the content does indeed belong to said user.

DID Specification

The state of a DID and all the information contained within it is publicly available on the DID Sidechain. In order to protect sensitive and private user info, it is recommended that Dapps or other services do not require the disclosure of sensitive information in a user's DID attributes.

This can be taken one step further by using a different property name for different users. For example, to insert a user's Telegram ID as one of the attributes, it is easy to identify the user by going through Telegram, thereby dissolving their on-chain anonymity. Even using the hash value as the attribute name for a Telegram ID has its disadvantages because of how hashed values work. An attacker can go through thousands of Telegram IDs in attempt to match the hash of those IDs to the hash recorded as part of the DID property on-chain. In order to avoid such situations, it is recommended to use "Property + Content" hash as the attribute name. Here, the property is a hash of someone's Telegram ID and the content is a hash of the entire content. Using this simple method both secures a user's private data on the DID Sidechain and provides proof that the content does indeed belong to the said DID user.

As an example, a user wants to input the following information on the DID Sidechain:

  • DID: "iHasdflasdfhDASHLFDcxdADSFASD"
  • Telegram ID: "@mr_woods" 
  • Telegram ID Hash: BC9A0629A0053684DB44EB1FC6E56645923A27C43703A9280AB96A02785E166C
  • Content: "I'm loving the use of DID in real life applications"
  • Content Hash: CEE915B410B37A35FDCE69E353584C69254DBE60F677FC4F5BA201588F300272
  • (Telegram ID + Content) Hash: 51BDB382F26AB6F153B6692E152829B4E87C739CB20DE1DC614E4016606D1C62

So, if the user wants to put the above DID on the DID Sidechain, it can store this with the following key-value pair:

{ "51BDB382F26AB6F153B6692E152829B4E87C739CB20DE1DC614E4016606D1C62": "CEE915B410B37A35FDCE69E353584C69254DBE60F677FC4F5BA201588F300272" }

Using a key-value pair does the following:

  • It allows any user to traverse the DID Sidechain to get the above data, but the Telegram ID and the content cannot be derived by the public.
  • Only the user "@mr_woods" can decrypt the above message and prove that the content is actually his by providing the decrypted content to third party providers. Then, all third party providers have to do is get the hash of the content provided to them by the user @mr_woods. From there, they can easily determine if the two hashes match up. If the hashes match up, it proves the content is the user's.
  • The actual content can be stored elsewhere, such as  Elastos Hive, Dropbox, or Google Drive. 

For two strangers to effectively confirm each other's identities, a three-way handshake can complete an exchange of information and verify one another's DID work.

  1. Alice sends her own DID, her public key, and a random number, "RandomNum1" to Bob.
  2. Bob returns his own DID, his public key, "RandomNum1" signature, and random number "RandomNum2," to Alice
  3. Alice verifies this and then sends, "RandomNum2" signature back to Bob
  4. Bob finally verifies Alice's identity.

This completes the verification of the identities of two strangers without the need for an intermediary or central authority.

DID Use Cases Scenarios

While DID presents many powerful use cases in applications that have to do with user identity and authentication, it can also be used to provide proof of ownership for any type of application data. Using DID, a user can securely own data without the need for any intermediaries. 

The following example shows one of the solutions that deals with processes across multiple applications:

Login Process

  1. App1 initiates an authentication request with a Random Number to App2, which has integrated DID (Eg. Elephant Wallet).
  2. User signs the Random Number and authorizes access.
  3. App2 authorizes the request and sends back the user DID and signature of the Random Number back to App1.
  4. App1 verifies the signature.

How DID Works between a User, Trusted Third-Party and the DID Sidechain

  1. Create a DID.
  2. Return the DID.
  3. Provide proof of identity to the third-party (trusted partner).
  4. After verification by a third-party, the Dapp provides the content hash along with the signature to the user.
  5. The user signs the content hash with its own DID and records it on the DID Sidechain.
  6. The DID Sidechain returns the Transaction ID to the user, which serves as authenticated credentials.
  7. The Dapp requests third party documents and/or content.
  8. The User provides the requested information in plaintext, the Transaction ID, and third-party signature over the evidence back to the Dapp.
  9. The Dapp verifies the content and the signature of a trusted third-party, which functions as evidence that the information is legitimate and was given to the user by said trusted third-party.

In addition, Dapp users can also be bound with the DID system so that any user data generated in the application is associated with the user's DID. In this process, a Dapp first uses the system to uniquely identify a user, and the user then generates a piece of binding information and attaches it to its DID. Of course, this process can be executed automatically from within an App. Once the binding is complete, every time the user uses the App, the App can use the user's DID to sign any information, and this information can be written to the DID Sidechain as evidence. 

Elastos DID Service

When an application wants to implement complicated types of business logic, it is rather inconvenient to talk to the Elastos DID Sidechain directly. In such cases, an Elastos DID Service implements the methods that are best suited for each specific business scenario. This helps the Dapp developers by providing them with an easy interface to work with.

Elastos DID Service can be used in two ways:

  1. Using a binary package of the Elastos DID Service: The current version is a .jar package (written as a Java Service). Because it is a REST API service, once the service is run, different methods are exposed which can be used from any programming language, thereby allowing users and developers to flexibly interact with the DID Sidechain from any kind of application.
  2. Providing a Public Server Interface: Public Server Interfaces may be operated by the Elastos Foundation or by any community members or business that wants to provide this service. This way, application developers do not have to run anything on their own. Instead, they can talk directly to a URL that points to the Elastos DID Service.

Elastos DID Service is a complete, stand-alone service that can be deployed by anyone in the world to allow access to other developers. The Elastos DID Service functions as an intermediate layer positioned between the DID Sidechain and the actual application. Its goal is not to change the existing traditional application's business logic, but rather to provide an easy interface to the DID Sidechain without requiring application developers to set up their own DID Sidechain nodes. This system introduces an entirely new business model that applications can seamlessly provide to users.

The internet is outdated and urgently needs to be modernized. While the Elastos DID Sidechain does not fix all of the problems of the existing internet, it plays a vital role in enabling enterprises and digital platforms to issue universal DIDs to individuals, applications, and devices on the internet. The second part of this equation involves the application of Elastos Carrier and Elastos Hive, which work together with the DID Sidechain to provide a holistic solution to the ailments of our current internet. Together, the three conceive a Smart Web of Dapps, which can perhaps be dissected in another edition of Spotlight Series. To summarize, on the traditional internet, users revolve around apps; on the Elastos Smartweb, apps revolve around users.

Next Posts

7 MIN READ
July 19 2019 - Elastos Bi-Weekly Update
7 MIN READ
July 5 2019 - Elastos Bi-Weekly Update
7 MIN READ
June 21 2019 - Elastos Bi-Weekly Update
Copyright © *2019 Elastos Foundation, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.