The Identity of the Future (SSI) and what it can bring to IoT
During the COVID-19 confinement, digital identity theft increased three-fold, according to figures released by the Federal Trade Commission (FTC). Sovereign identity built on Blockchain technology brings the benefits of decentralisation and data custody to the end user and to the IoT sector by fulfilling the CIA triad (Confidentiality, Integrity and Availability).
Current IDP / SP system
Currently, the Digital Identity system works in a centralised IDP / SP model, so a regular user has no control over what happens to his or her data. IDP refers to an Identity Provider and SP to a provider of other services for natural persons. In certain cases a Service Provider can also be an Identity Provider, as when we log in to a website where we have previously registered with all our data.
Digital Identity is nothing more than a set of attributes uniquely related to an entity (thing, person or process) that allows the entity to prove its identity to third parties digitally. The same entity can have different digital identities, each represented by one or more unique attributes as shown in the example of Facebook and LinkedIn.
Sovereign Identity (SSI) and key concepts
The solution to such centralisation comes with sovereign identity (SSI). This is a type of identity that is managed in a decentralised way thanks to technologies such as Blockchain, DLT or AI. Sovereign or self-managed identity is based on two standards that are being developed by the W3C (World Wide Web Consortium).
Firstly, there are Decentralised Identifiers (DID), which are unique, global, user-managed identifiers stored in a decentralised manner and available for cryptographic verification at any time. Secondly, there are the verifiable declarations (VC), an open standard defined by the W3C that is the equivalent of a physical credential: it shows information related to the issuer (a photo, an ID number, attribute information, etc.) and can be cryptographically verified in a private and secure way. Finally, another important concept is the "Zero Knowledge Proof" protocol, which allows revealing only the necessary information and nothing else. Third parties can be allowed to verify a piece of information without needing access to the information itself.
What sounds convenient, however, can be a security risk, because not only are we submitting our data, but it is also being stored.
Nik Scharmann, Project Manager "Economy of Things" at Bosch.
SSI in IoT
The IoT sector is growing and is increasingly being used for larger systems, yet security gaps and new vulnerabilities continue to emerge all the time. Some of the top threats within the IoT sector published by IBM in 2017 where SSI could help were: authenticating and authorising devices, managing device updates, ensuring reliable communication, and ensuring data privacy and integrity.
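As an added example (not code from the original article or from any SSI project), the Go program below shows how the identifier and signed-credential ideas described earlier address two of these items: authenticating a device and checking the integrity of the data it sends. The `did:example` identifier derived from a key hash, the `Credential` struct and all function names are assumptions made for this example; real deployments resolve DIDs through a ledger and use the W3C data model.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Credential is a simplified stand-in: an issuer signs a claim about a subject identifier.
type Credential struct {
	Issuer, Subject, Claim string
	Sig                    []byte
}

// didFor derives an identifier from a public key ("did:example" is a placeholder method).
func didFor(pub ed25519.PublicKey) string {
	h := sha256.Sum256(pub)
	return "did:example:" + hex.EncodeToString(h[:16])
}

// payload quotes each field so the signed bytes cannot be re-split differently.
func (c Credential) payload() []byte {
	return []byte(fmt.Sprintf("%q %q %q", c.Issuer, c.Subject, c.Claim))
}

// Issue signs a claim about subject with the issuer's private key.
func Issue(priv ed25519.PrivateKey, subject, claim string) Credential {
	c := Credential{Issuer: didFor(priv.Public().(ed25519.PublicKey)), Subject: subject, Claim: claim}
	c.Sig = ed25519.Sign(priv, c.payload())
	return c
}

// VerifyReading accepts a reading only if the trusted issuer signed the credential,
// the credential names this device key, and that key signed the reading.
func VerifyReading(issuerPub, devPub ed25519.PublicKey, c Credential, msg, sig []byte) bool {
	return c.Issuer == didFor(issuerPub) &&
		ed25519.Verify(issuerPub, c.payload(), c.Sig) &&
		c.Subject == didFor(devPub) &&
		ed25519.Verify(devPub, msg, sig)
}

func main() { // keys, claim and reading below are constructed sample values
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	devPub, devPriv, _ := ed25519.GenerateKey(nil)
	cred := Issue(issuerPriv, didFor(devPub), "type=temperature-sensor")
	msg := []byte(`{"temp_c":21.5}`)
	fmt.Println(VerifyReading(issuerPub, devPub, cred, msg, ed25519.Sign(devPriv, msg)))
}
```

The verifier needs only the issuer's public key in advance; a reading altered in transit, a device key that the credential does not name, or a credential signed by an unknown issuer each cause the check to fail.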
The CIA triad
To have a proper IoT network, the CIA triad (Confidentiality, Integrity and Availability) must be taken into account, in addition to integrity and scalability. Confidentiality aims to keep all data protected against unauthorised access. Integrity aims to provide a guarantee that the data received, distributed and produced was sent from a trusted device. Finally, availability ensures that authorised users have uninterrupted access to system information and resources. Viable solutions can be provided with the use of SSI in IoT and bring benefits such as increased revenue, cost reduction and risk reduction.
Benefits of SSI in IoT
SSI enables increased value in IoT by reducing the level of risk to businesses through cryptographic methods for identity validation. In addition, SSI would enable increased revenues due to new business case opportunities in areas that require more security and trust to minimise risks. Finally, device operation and maintenance costs could be saved by simplifying machine-to-machine device interactions and enabling greater automation of business processes.
An interesting blockchain solution for SSI is Hyperledger Indy. It is a permissioned public network that contains two ledgers. The first one takes care of listing all nodes, their keys and addresses, and the other one takes care of the network members and their roles.