Who am I ? and Personal Data
Personal data is valuable – authorities and companies want unrestricted access to our personal information as possible in order to create a personalized customer experience. Information on movement patterns, purchases, online research, sleeping habits, and contacts is available to anyone looking to buy or steal personal information.
The core question for Identity Management is: “Who am I?” And “How do I prove that I actually … I am?”
In this context, I still predict more devices, growing amounts of data, and greater global distribution. It is true that the spread of devices in the global south means that more people have access to education and medical health diagnostics through online services. But in this way, they also become the target of various actors who they can manipulate. That’s why we all want to find suitable ways to protect our digital identities. Self-determined identity (SSI) offers a powerful solution to the perennial problem of confirming one’s own identity.
A self-determined identity is one approach to managing digital identities. Here, an individual or company has sole ownership and control over the personal information in whatever form. Individuals with a self-determined identity can store their data on their devices and make it available for checks and transactions without having to rely on a central data store. The main goal is to give users complete control over how their personal information is kept and used.
New ways with blockchain-based authentication
A digital identity requires a way to identify yourself. Current approaches usually use a service to authenticate a user and return an encrypted token, which can be used as a key for access to systems. This ensures that the user is who he or she claims to be. Conversely, no intermediary is required with SSI designs. This means that the self-determined identity of a user can be registered for a claim, e.g. for a block on a blockchain. The person can then share this identification data in a transaction with a payment service or with authorities. In addition, by returning access control, the user can precisely control which data is shared with whom and for how long.
Very few people want all of their personal data to be visible to the whole world. However, we could use a verification system to make this information available to others without them knowing what it is. The technology “Zero-Knowledge Proof” (ZKP) can offer a solution here. We only make our information available to the authorities, where it is cryptographically secured on a blockchain using a hash function. With this approach, the hash value is available to those with whom users want to share it. They can then verify the identity using this hash value – but without seeing the personal data.
This process can be implemented as a system called “Self-Sovereign Identity with Zero-Knowledge Proof”. This gives individuals complete control over their personal information. While laws require proof of citizenship and personal identity, they don’t need to be shared with every company or individual agency that requires it.
The current situation is that personal information is shared indiscriminately. The individual has no control over where the data is stored on servers, nor has any idea how secure this data storage is. It then only takes a single attack by hackers to get this information.
Zero-knowledge proof: proof of identity without revealing any data
The zero-knowledge proof is based on two roles: an individual who has proof of his or her identity and a person who wants to verify this identity. To do this, the individual only needs to name a value X to the person checking, without showing the actual information.
This value X must be such that it proves the identity of the individual. X is a type of digital fingerprint here. The validity of this fingerprint is based on the use of a cryptographic hash function. Different personal data result in a different value X. The verification is based on this circumstance because manipulation of this value requires extreme computing power (or luck) and is therefore highly unlikely. The personal data themselves cannot easily be calculated from the value X.
In the case of self-determined identity, the personal data of the individual can be stored in a private database that can even be centralized by the authorities. However, the information is then hashed and the value X is stored in a separate database that is public and uses a blockchain.
Using a blockchain provides a transparent, immutable, reliable, and verifiable way to share public information. As a result, a ZKP protocol can be implemented which enables the individuals to transmit a hash value to the checking authorities (credit companies, banks, hospitals, etc.) in order to enable identification. In this way, the checking authorities know that it is correct without actually having to see it. The public database stores the hash value in a distributed, decentralized network of nodes that have validated the information through a consensus mechanism. This is necessary to determine the correctness.
It could be argued at this point that it is easy to get hold of a person’s personal information or even their social security number. In order to further secure the information, it is, therefore, necessary to use a digital private key that only this individual can have. This is then necessary in order to “activate” the information and thus provide the checking authority with proof of identity. The private key is also hashed along with personal information. The output value should always be unique.
There are many advantages to online transactions with a system that verifies identity without revealing the actual information. Individuals will have less to worry about their digital identities being stolen when doing business on the internet. When individuals manage their own information, this system decentralizes who controls it and where it is stored. There are fewer controls and fewer sources of error when individuals are allowed to take control of their own digital identity. Another benefit of using an identity system is that it can interact with other systems to verify a person’s identity. This would make the verification process faster and result in fewer problems and data entry into computer systems. With digital identification systems, the verification process can be completed within seconds.