Confidential exchange and sensitive data sharing: a major issue for businesses

30 July 2021 | Digital identity, News

Juliette Mégret

Les échanges confidentiels et le partage de données sensibles : une problématique majeure en entreprise

To exchange information between employees, to obtain the operating statistics of a server, or to synchronize two connected machines on the same production line, data sharing is crucial for any company.

Whether interactions take place between human and machine, between humans, or between machines, protecting sensitive data is essential. Depending on the situation, it might be just as important to protect the interlocutors’ anonymity as the content of the exchange. This may be for privacy issues; for example when an employee communicates with occupational medicine; or for security reasons; for example, the existence of interactions with a digital vault is information that a company generally wishes to keep private.

The Unikname Self-Sovereign Identity (SSI) platform – decentralized digital identities entirely controlled by their owner – developed by Unikname makes it possible to address this issue in a simple and innovative way.

Unikname concepts

The UniknameID, an identifier based on DID

To manipulate an SSI, it is necessary to be able to address it. To this effect, the DIF and the W3C have established new standards, the DID: Decentralized IDentifier. DID are derived from cryptographic material, which makes them non-human readable. In order to correctly address business use cases, including those which require DID to be manipulated outside of the digital world, Unikname has developed two DID methods. Their combination enables the definition of a human-readable decentralized identifier: the UniknameID.

The first DID method is used to refer to crypto-accounts on the unikname.network blockchain. This means that the DID method associates an identity with the couple of cryptographic keys which authenticate all transactions from the crypto-account.

For this DID, the subject and the controller are one and the same. That is to say the identified object – the crypto-account – is controlled by itself. The DID is cryptographically derived from the crypto-account’s public key. Thus all transactions issued from the crypto-account are irrevocably attached to the DID.

In particular, when a crypto-account acquires a UNIKNAME NFT, the associated DID will control this NFT. The UNIKNAME NFT is an apparently random character string to which properties can be attached. In reality, the character string encodes an obfuscated version of a human-readable identifier, the UniknameID. Here we define Unikname’s second DID method: The subject is the UNIKNAME NFT and the controller is the crypto-account that owns the NFT.

A UniknameID is a human-readable identifier that is stored off-chain. It is materialized and obfuscated on unikname.network by a UNIKNAME NFT. The owner of the UniknameID is the only one able to link the explicit and obfuscated forms. Identifier confidentiality is therefore complete. The two DID methods make it possible to control the identity associated with the UniknameID and to sign transactions and messages in its name.

Thereafter, we will say that a UniknameID identifies an entity (human or machine). This entity owns the keys that control the crypto-account that owns the NFT UNIKNAME. It is the UnikameID’s controller.

Verifiable Claims

The concept of Verifiable Claims (VC) is strongly associated with SSI. A VC is a claim made by an entity about a subject and where paternity can be verified and dated by cryptographic mechanisms. These claims can be stored off-chain, completely privately and under the exclusive control of the subjects. The verifications are carried out autonomously without a centralized trusted third party.

In the solution developed by Unikname, VC subjects, as well as issuing entities, are identified by their UniknameID. Thanks to these identifiers and the DID of the Unikname SSI platform, the paternity of the entity and the authentication of the subject can be formally established.

For example, an individual may wish to use a diploma to prove they possess certain skills, without being willing to display it publicly. The subject is then the individual, and the entity making the assertion is the university that issued the degree. The paternity of the university is established by the stamp on the diploma. The individual keeps their diploma to themselves, and shows it only to their employer to attest to their level of education. If the employer has confidence in the university, both to rightly award a degree and to properly manage its certification, it will recognize the skills declared by the degree holder.

Thanks to the standard of verifiable assertions, it is possible to prouve elements of an SSI without having to publicly list all of its attributes.

Cryptographic evidence can be stored by the subject, or written publicly in the properties of the UNIKNAME NFT representing the UniknameID in the blockchain as needed.

With VC, it is also possible to manage authorizations. An access control authority will be able to issue VC for subjects, containing their permission. For example, the security service will issue access rights to a restricted area, a remote control will be authorized to trigger the starting of a car, etc. The verification of these rights is done, again, in a decentralized way, directly by the interested parties. There is no need for an access control manager centralizing all authorization verifications. This is a major improvement: such an entity represents a privileged target for an attacker, and its availability is essential. By decentralizing this function, we both get rid of a single point of failure and increase its availability.

The Unikname Network blockchain

In a company, it may be interesting to associate UniknameID with employees as well as connected objects. The human-readable aspect of UniknameID will be a real plus for system administrators (who are still humans 😉) regardless of the type of entity it designates.

Unikname Network Blockchain

The SSI Unikname platform offers a confidential information sharing service between identifiers. The mechanisms described above make it possible to use the unikname.network blockchain as a Decentralized Public Key Infrastructure (DPKI) to authenticate these exchanges. This decentralized infrastructure guarantees low maintenance costs and high availability. Two points that are crucial for the management of a company’s information system.

The many cases of exchanges secured by Unikname

A strongly secured chat

By distributing UniknameID to all collaborators, a company can establish a strongly secured internal chat.

By using mechanisms involving DID and VC, Unikname guarantees the integrity of the exchanged messages as well as the expeditor’s authenticity. Thus, when a person receives a message from a collaborator, it is signed by its UniknameID. The recipient can then be certain that the message has not been forged and that the declared expeditor is the true author of the message. This is an essential component for many exchanges, in particular for messages containing sensitive mission instructions.

Bots can also be integrated into the chat solution, to raise alerts for example. A UniknameID is assigned to the bot. The corresponding private key is stored on a server. Every message sent by the bot will be signed with their UniknameID. The company and its employees will always have the guarantee of the origin of the information.

All messages exchanged via the Unikname solution are end-to-end encrypted, which guarantees true confidentiality of the messages.

Interactions between connected objects

A connected object is designed to accomplish a specific and sometimes sensitive task: opening doors, triggering an alarm, deactivating an electricity supply, etc.

These tasks are triggered by the reception of data, or by the analysis of a situation. There is a significant risk of security breaches when guarantees of integrity and authenticity fail.

 

Les interactions entre objets connectés

By identifying these objects with UniknameID, we provide these guarantees. Data exchanged between objects are also encrypted, in order to protect the content of the interactions. The overall security of the system using these objects is significantly increased.

Exchange of verifiable data

Sécurisation du partage des données

The messages exchanged between entities can be simple messages but also be based on verifiable claims as defined above. Thanks to this standard, the level of confidence granted to a system where each entity is identified by a UniknameID is high.

Administrators of this system can easily define which entities are capable of making assertions about subjects, or of granting them permissions. Thus, any instruction can be legitimized, and any advanced information can be verified.

Homogeneity of sharing systems

The strength of the Unikname SSI platform, in addition to being «private by design», lies in its universality. UniknameID enables all types of data sharing: messages exchange, document sharing, synchronization of connected objects, attribution and verification of rights, etc, managed in a simple application and dedicated to the needs of the company.

Conclusion

At Unikname, we are convinced that the use of Self-Sovereign Identity in society will quickly become essential. The guarantees of security, confidentiality and trust that they provide will address a large number of issues. 

UnikameID defines SSI that are easy to use and deploy at very low cost. They have been designed and developed to fit naturally into the business environment, and to allow sensitive information to circulate in a confidential and authenticated manner.