Another Data Breach! Can SSI Save Your Data?
Are you a victim of a data breach?
Well, if you’ve been using online services, your likely answer will be a yes or “I don’t know!” If you said a “no”, you’re probably the lucky few remaining intact on earth!
The reality is your data could have been stolen many times over, with or without your knowledge because hackers are getting smarter and have access to more sophisticated tools by the day. The recent breach at BigBasket and Dominos is yet another example of the huge security threat that’s looming over our heads every day! And of course, the many breaches at Facebook, Target, Twitter, Zoom, etc. over the last few years is sure to leave even the most optimistic person worried about his/her online identity.
So, why is this happening?
The existing technologies are not conducive enough to provide the required levels of security necessary to protect your data from hackers. Breaking this down a bit, there are two aspects to the problem.
- Central repository — All information is stored in a central repository, so all that a hacker has to do is hack into one central system and steal millions of records.
- Lack of control — The owner of a credential has no control over where his/her data is stored, how it is shared, and who has access to it.
Though many people may argue about the potential advantages with central repositories such as its convenience, there are also many disadvantages to it, especially with respect to security.
A potential alternative can be Self-Sovereign Identity (SSI), where data is stored in a decentralized environment and protected by public key cryptography.
What is Self-Sovereign Identity?
Self-sovereign identity or SSI in short, is a digital framework where an entity owns its identity and controls the way it’s shared in a decentralized setup.
Let’s break this down a bit. In the offline world, you carry a card (driver’s license, passport, Adhar card, SSN, etc) for identification and you can choose whom to show your card to. SSI is its closest equivalent in the digital world.
Further, in the physical world, you can always lose your card or it can get stolen from your wallet. But with SSI, the underlying cryptography makes it difficult to access your personally identifiable information by any unauthorized entity.
Both these aspects make SSI a secure and an easy way to identify yourself online and more importantly, to control the way your data is shared.
How does SSI protect your Information?
So, how does SSI protect your information, and what’s this cryptography all about?
Every piece of PII could be a credential that is issued by an entity and owned by another entity. For example, a digital passport is issued by the government of a country (Issuer) and it is owned by the person whose name is on the passport (Holder).
Now, this holder can decide to show it to an airline to book a ticket. Here, the airline company has the responsibility to check if the passport is issued by the concerned authority, belongs to the holder, and is valid at the time of travel. In this sense, the airline is the Verifier.
In the SSI world, your passport details could be issued to a holder in the form of a Verifiable Credential (VC) that is stored safely and is shared by the holder when needed, to one or more verifiers. This VC is encrypted to prevent the wrong people from accessing it. In fact, this is the key aspect that ensures your credentials are safe at all times.
Here is a sample VC that’s digitally signed by the issuer and the holder
The cryptography used is called the Public Key Infrastructure (PKI) that comprises a pair of public and private keys where the holder keeps the private keys, but shares the public keys.
Let’s see how it works.
- Firstly, the issuer and the holder agree and create a unique set of private-public key pairs. The issuer generates a VC, digitally signs using its private key, and encrypts the data using the holder’s public key.
- This VC is sent to the holder who can decrypt it using its private key.
- Next, the holder can choose to save the VC in a custodial wallet like the one offered by Affinidi or another decentralized wallet.
- When needed, the holder compiles a set of VCs like date of birth, government ID, etc into a verifiable presentation that is digitally signed with the holder’s private key and encrypted using the verifier’s public key.
- The verifier can decrypt using its private key and validates the digital signature of both the issuer and the holder using their respective public keys to ensure the authenticity of the issuer and the holder. Once verified, the holder gets access to the services offered by the verifier.
From the above workflow, quite a few things stand out.
- The transactions happen through a secure peer-to-peer channel and no central authorities are involved. So, the chances for hackers to attack a central authority are non-existent.
- Cryptography ensures that your information is tamper-proof and cannot be hacked easily
- These credentials are private and completely under the owner’s control, so the owner decides how his/her data can be shared and with whom.
- No personal data is stored on any server
- Highly interoperable as the same VC can be shared with anyone.
So, can SSI safeguard your information from hackers?
Possibly, given that the information of all users are not in a centralized database, users have complete control over their information and how it is shared, and the same is secured with the underlying public-private key infrastructure.
Sounds interesting? Ready to take the plunge to build SSI-based applications for the world?
Affinidi provides building blocks for an open and interoperable Self-Sovereign Identity ecosystem. Check out our developer portal for more information. Join our mailing list to stay abreast of exciting developments at Affinidi.