Online security has become something of an oxymoron. Even the most futuristic advances in AI and edge computing can't protect data all the time. Data simply travels too far and wide for any single tool to keep pace.
The solution involves changing the data packet itself. A new batch of cryptographic tools is emerging to wrap data in a hard shell wherever it travels.
Verifiable credentials, decentralized identifiers (DIDs), and blockchain all use cryptography to prevent the manipulation of data. On the surface, these methods seem interchangeable; each is a single source of truth that verifies the authenticity of data.
Each uses cryptography to secure data. Knowing when to use each type of technology, and how they work together, will prepare organizations not only to better secure their data but for the Web3 future of the entire internet.
The Verizon Data Breach Investigations Report 2020 found that 86% of breaches were financially motivated. Personal data was compromised in 58% of this year's breaches, "nearly twice the percentage in last year's data", according to the report.
Bank statements, W-2s, house titles, electronic healthcare records, and social security statements are just a few examples of data available for the taking. Such documents are known as verifiable credentials. They are issued by a central authority and tied to critical personal assets such as citizenship, financial status, driving ability, and health. As such, they hold enough value that their authenticity needs to be confirmed.
When verifiable credentials are placed online, they become vulnerable to theft. Everywhere the data travels -- a bank's server, lender, employer, transcript office, DMV, etc. -- becomes fair game for opportunists. Even if everyone on the internet had an encrypted file server, login credentials could still be made available by plugins or security holes in web applications.
Seen in this light, online security appears broken. I prefer to call it "in transition". The problem isn't sub-par encryption. The problem is changing the way that credentials travel online. That means transforming the credential itself into an indecipherable shell, accessible only by someone who obtains, upon request, the right key.
A paper verifiable credential might use holograms, signatures, and bar codes to prove authenticity. The online version of a verifiable credential is a machine-readable, provable, inalterable data packet.
The data itself, which can be anything from a supply-chain history to your driver's license, is represented in the form of a JSON "payload". A person, for example the supervisor of a supply-chain assembly line or the DMV, signs the payload in the form of a cryptographic signature (basically a data fingerprint). The payload thus pairs with an accountable human or organization, proving credibility.
The hash provided by the accountable human or organization is the DID that accompanies the payload. Together, the DID and the verifiable credential appear garbled online, readable only by designated keys (mathematical proofs that match the DID to its point of origin).
Whoever receives the key to the DID can validate the credential, checking both the signature of the issuer and the integrity of the payload. For example: Yes, this part really was manufactured in the right assembly line in Hanoi. Yes, the North Carolina DMV really did issue this person their driver's license.
This is a massive improvement over the unprotected data that currently sits in millions of databases, ripe for theft. The current system of verification involves teams of people validating credentials through efforts such as background checks, reference phone calls, database queries and so on.
DIDs are truly decentralized. You can register an identity from anywhere, storing it on a file system, AWS, in a web browser, thumb drive, phone app, or the blockchain. Verification becomes purely a matter of machine-to-machine communication. Thousands of JavaScript libraries enable users to code DID cryptography. Developers can write JSON apps in less than an hour that allow users to fill out form fields and create a verifiable credential, which in turn can be embedded in just about anything.
Simply put, it enables us to use cryptography and public keys to prove things that would otherwise require human time and effort. You'd be able to prove your income and driver's license to a mortgage company simply by giving them permission to access a DID. Instead of looking at LinkedIn and calling references and conducting background checks, employers could, with an applicant's permission, verify the information to be true online by way of a DID. Machine-readable transcripts, in the form of DIDs, would enable students to transfer course credit seamlessly between institutions, without the need for spreadsheets, emails or people looking up records.
DIDs are a promising technology and a natural next step for security on the internet. They are easily created and disseminated and they function well by themselves. Individual users have almost no reason to put a DID on a blockchain. Worse yet, organizations have cited trouble implementing blockchain; it has been called a solution without a problem. Why bring up blockchain at all in relation to DIDs?
Like the DID, blockchain bypasses the need for a central authority to issue and enforce online rules. Trust is built into the workflow. In fact, the similarities between DIDs and blockchain are exactly what makes them compatible on an organizational level. A single person with DIDs for their driver's license, credit report, and social security number has no need for a blockchain. Many organizations can comfortably use DIDs without reaching for a blockchain. For large and/or complex organizations, however, blockchain is a superior option.
Let's say you're operating a regional e-moped rental company. The e-mopeds are available in cities and require a valid driver's license. A user can apply a DID to easily unlock and re-dock a moped. No need for blockchain in sight.
Now let's say your e-moped company grows. You decide to manufacture the mopeds yourself. Your company goes international, and laws in some countries require insurance. Suddenly you have a much more complex, integrated organization.
How do you know that counterfeit parts aren't sneaking their way into the production line? How can you automatically verify the different licensure and insurance requirements in each country? How do you know if the mopeds in each country were serviced and repaired according to that country's regulations?
Forcing every country's credentials into a single, global database is one answer. In practice, such a database is unlikely to succeed. The IT governance and data management requirements would be monstrous. There would have to be a hierarchy of centralized authority figures to manage each region's data, and ongoing coordination with regards to best practices and data security. At best, you'd have a messy situation.
Blockchain cryptographically connects data records and distributes them to people within the blockchain organization. On a blockchain, records are always there. Anyone within the organization can access them. There is relative assurance that records haven't been tampered with.
To go back to our example, every time a moped is manufactured, every purveyor of materials and each assembly line would issue a verifiable credential that is stored on a blockchain. By the time the completed moped arrives at its destination, it has its own immutable record of manufacture on a blockchain, which can be revisited, assessed, and analyzed at any time. Officials from customs agencies to cities can know where each moped was and when. Your company is assured of where each piece comes from. Service records, insurance records, license records and so on can be tracked in a similar fashion, ensuring easier oversight of data, and automating data management and security.
Basically, blockchain is a log file with cryptography and business rules. It stops the manipulation of data.
Just as the very first motorized cars didn't have seatbelts, doors, or windshields, the early internet lacked fundamental protections. In 20 years, we will likely be looking back on today as a time of primitive safety measures. Verifiable credentials, DIDs, and blockchain are evidence of what's to come: Web3, a more secure, widespread, machine-to-machine internet. They enable all online users to maintain trust by creating a single source of truth. And if 2020 has shown us anything, the notion of a single source of truth is, in fact, priceless.
About Brian Platz
Brian is the Co-CEO and Co-Chairman of Fluree, PBC, an open-source platform for data ecosystems.
Fluree is an immutable, temporal, ledger-backed semantic graph database that has a cloud-native architecture.
Prior to starting Fluree, Brian co-founded SilkRoad technology which grew to over 2,000 customers and 500 employees in 12 global offices.
Brian serves on the board of directors for Fuel 50, one of the highest-growth HR technology startups. He is also the co-founder of A List Apart, a web publication, 22-book series, and global conference for the web development community to expand their knowledge.