Blockchains Are Poised To End the Password Era (technologyreview.com)
schwit1 shares a report from MIT Technology Review: Blockchain technology can eliminate the need for companies and other organizations to maintain centralized repositories of identifying information, and users can gain permanent control over who can access their data (hence "self-sovereign"), says Drummond Reed, chief trust officer at Evernym, a startup that's developing a blockchain network specifically for managing digital identities. Self-sovereign identity systems rely on public-key cryptography, the same kind that blockchain networks use to validate transactions. Although it's been around for decades, the technology has thus far proved difficult to implement for consumer applications. But the popularity of cryptocurrencies has inspired fresh commercial interest in making it more user-friendly.
Public-key cryptography relies on pairs of keys, one public and one private, which are used to authenticate users and verify their encrypted transactions. Bitcoin users are represented on the blockchain by strings of characters called addresses, which are derived from their public keys. The "wallet" applications they use to hold and exchange digital coins are essentially management systems for their private keys. Just like a real wallet, they can also hold credentials that serve as proof of identification, says Reed. Using a smartphone or some other device, a person could use a wallet-like application to manage access to these credentials. But will regular consumers buy in? Technologists will need to create a form factor and user experience compelling enough to convince them to abandon their familiar usernames and passwords, says Meltem Demirors, development director at Digital Currency Group, an investment firm that funds blockchain companies. The task calls for reinforcements, she says: "The geeks are working on it right now, but we need the designers, we need the sociologists, and we need people who study ethics of technology to participate."
"The geeks are working on it right now, but we need the designers, we need the sociologists, and we need people who study ethics of technology to participate."
Sorry, ethics died a year ago.
... with, apparently, no experience:
... a startup that's developing a blockchain network specifically for managing digital identities.
It little behooves the best of us to comment on the rest of us.
See subject
As someone who needs to sign in with a password to a server possibly a hundred times a day, this sounds like it could possibly be hell.
Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
Blockchain wallets have to be secured, else anyone can impersonate the user and do what they will with the contents. So what would a blockchain credential system be? An online password wallet, in effect, exactly as secure as the protection on the wallet... which is either going to be what you have (an app on your device) or what you know (a password).
If everyone uses one private/public key set for everything, then if that is compromised then the third party gets access to absolutely everything and can impersonate the user?
For those of us who use different usernames/emails/passwords from server to server that seems like a downgrade in security.
Tell me I'm wrong and I'm missing something. I've used PGP in the past and use keys for SSH logins but I've never used blockchain related stuff.
You're talking about public and private usage, when the real discussion seems to be about "Single Sign-On", or SSO.
Otherwise what advantage do public and private keys for an individual offer over Kerberos NTLM authentication against a domain controller?
If you're talking about multiple servers on different domains, then you're actually talking about implementing a SSO configuration for multiple domains using pre-shared keys in place of pre-shared passwords.
Pre-shared keys require less typing, but are not always the ideal solution. How do you enable a more fine-grained security approach to minimize the damage when a system is physically vulnerable? Say you turned your back and somebody tried to log into one of those servers while you were working on another machine in the cubicle or office?
users can gain permanent control over who can access their data
So yea that's definitely not going to happen.
I browse on +1 so AC's need not respond, I won't see it.
Translation:
Let's take Public Key/Private Key (i.e. PGP) methods, combine it with "BlockChain CryptoCurrency" words, and then get suckers that have more money than brains (or tech knowledge) to fund a startup that goes nowhere.
But those don’t say blockchain in them so good luck getting a Silly-con Valley VC to take notice. This is all just a scam to score VC money from suckers.
Using the private key for authentication, but not storing it on the machine, but rather in your head, is a very effective means of improving security even if the machine is not locked.
Of course, nothing like that is true or even desirable. This story is utter nonsense. Credentials (whether passwords, certificates or seeds for OTP mechanisms) are under company control so their servers can access them easily and so they can revoke them fast. The blockchain has absolutely no place here. Incidentally, when it comes to public identities, the blockchain is about as useful as the PGP server network, albeit more complicated and more expensive, i.e. useless. The one thing that makes these identities worth more is signatures of (at least somewhat) trusted third parties on the public key, but only if they actually verified the identity.
Seriously, stop pumping Bitcoin with utterly stupid stories. Let it crash already and let those greedy and stupid enough to have bought late suffer.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
These days a single bitcoin transaction uses as much electricity as a home does in a week. How long before it requires a similar amount of computation, and by extension, energy, just to open a goddamn file?
So you're describing it as part of a three-factor authentication, where two factors are pairs of PGP keys, where both public keys are stored in publicly accessible databases, and the third factor is a temporary secret?
Where does the audit trail of blockchain come into play?
If you're always signing into something like that, then you should have already set up a public/private key solution for yourself, fool.
Seriously. This is why our computing experience sucks; we've got fools like "fluffernutter" running things.
Work smart, not hard.
Many systems don't support such a setup. Most systems (servers, networking gear, UPS, building/infrastructure management, etc.) still require a simple password as the lowest level authentication mechanism.
And how the FUCK would a key pair help? You still need to present the private key somehow. Carry it with you? Gee, better not carry it in plaintext, so you better encrypt it in some sort of reversible way. With a password.
DERP.
And finally, working smart doesn't mean you don't have to work hard. Why not work smart and hard?
As I understand it, blockchain is like a bunch of trees growing in synchronicity. Exact duplicates. If a tree doesn't grow exactly the same, it is considered defective and cut down.
A blockchain might function as a web accessible smart card or key fob which functions for all accessible websites. This keyfob would need to be protected in some way.
Every password is a private key.
It may not be a private key in a public/private key pair. But it's a secret (key) that is known only to you (private).
It may or may not be used in the same cryptographic manner (hashing vs. encryption) as a public/private key pair. But it's a secret (key) that is known only to you (private).
No, it's 1 factor. It relies on 1 thing you know (your private key) presented over a single channel (the internet).
This keyfob would need to be protected in some way.
While your picture is somewhat correct and somewhat wrong, this really is the key-point. Incidentally, this is already the key-point with a password, but there it is relatively easy to do. All those that got weakly protected customer passwords stolen in the last few years were just grossly incompetent in protecting them. It is well known (to experts) how to do that right: salt, hash, iterate and in newer times add a large-memory property. PBKDF2 was the standard since at least 2000 and is still doing reasonably well with good parameters. Don't use it for new designs though. Argon2 is the new standard. Both are not hard to use, but you need to know about them and understand why they work and that relatively low level of expert knowledge was already not available in all these hacked companies.
So the blockchain really has no place here as it does not solve the problem, and it also does not make it easier to solve.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
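Added example (not part of the thread): the "salt, hash, iterate, add a large-memory property" recipe from the comment above, using Node's built-in crypto. The record format, function names and cost values are assumptions made for this illustration, and scrypt stands in as the memory-hard function because Argon2 is not assumed to be available in the standard library.

```javascript
const nodeCrypto = require('node:crypto');

// Cost parameters are assumptions for illustration; tune them to your hardware.
const PBKDF2_ITERATIONS = 600000;       // the "iterate" step
const SCRYPT_N = 1 << 15;               // memory-hard: 128 * N * r bytes = 32 MiB
const SCRYPT_OPTS = { r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
const KEY_LEN = 32;

// Derive the stored value; returns null for a scheme this code does not know.
function derive(scheme, password, salt, cost) {
  if (!Number.isInteger(cost) || cost < 2) return null;
  if (scheme === 'pbkdf2-sha256') {
    return nodeCrypto.pbkdf2Sync(password, salt, cost, KEY_LEN, 'sha256');
  }
  if (scheme === 'scrypt') {
    return nodeCrypto.scryptSync(password, salt, KEY_LEN, { ...SCRYPT_OPTS, N: cost });
  }
  return null;
}

// Record layout (constructed for this example): scheme$cost$salt$hash.
// Storing scheme and cost next to the hash lets old records be verified
// after the defaults are raised.
function hashPassword(password, scheme = 'scrypt') {
  const cost = scheme === 'scrypt' ? SCRYPT_N : PBKDF2_ITERATIONS;
  const salt = nodeCrypto.randomBytes(16);          // fresh salt per record
  const hash = derive(scheme, password, salt, cost);
  if (!hash) throw new Error('unknown scheme: ' + scheme);
  return [scheme, cost, salt.toString('base64'), hash.toString('base64')].join('$');
}

function verifyPassword(password, record) {
  const parts = String(record).split('$');
  if (parts.length !== 4) return false;             // malformed record
  const [scheme, cost, saltB64, hashB64] = parts;
  const expected = Buffer.from(hashB64, 'base64');
  const actual = derive(scheme, password, Buffer.from(saltB64, 'base64'), Number(cost));
  if (!actual || actual.length !== expected.length) return false;
  return nodeCrypto.timingSafeEqual(actual, expected); // constant-time compare
}

// True when a record was made with a weaker scheme or cost than the current
// default; re-hash it the next time the user logs in successfully.
function needsUpgrade(record) {
  const [scheme, cost] = String(record).split('$');
  return scheme !== 'scrypt' || Number(cost) < SCRYPT_N;
}
```

The server still receives the password at login in this model; the record only limits what an attacker gets from a stolen database.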
It is either 1 or 2 "factors" depending on user choice. That it isn't obvious says a lot about the uselessness of that system for classifying authentication schemes.
I didn't really explain how the blockchain figured into it, but after that it is a textbook-standard public key authentication system with some dress-up for the web. We could do it today if we wanted to.
The blockchain part is for key management, also known as "the hard part of PKI". Basically, you only need to communicate one identifier to everyone you do business with. You don't need to tell them when you revoke a key and you don't need to trust them to keep your key safe. You could use the same key for everyone, or different keys, and it makes no difference.
Namecoin allows decentralized registration of identities and allows people to publicly attach metadata to them. You register a name and you own it as long as you keep renewing it, which is dirt cheap and getting cheaper over time (which was by design). Any time you want to, you can update the metadata attached to it, which is a JSON structure of arbitrary complexity. No third party can take it from you, or override your choice of what data to attach to it.
See that "Preview" button?
Makes sense, but still doesn't give me a complete picture.
The block chain stores your/my public keys, and I guess any public keys of entities you/I do business with.
Where do your/my private keys go? And how are they kept secured?
There is currently a technology out there right now that addresses all the problems inherent in profile/passwords, i.e. they get shared, lost, site must hold a secret for user. SQRL (https://www.grc.com/sqrl/sqrl.htm) handles all that and more so why not just implement that tech? Admittedly there is going to be some cost but when/if it scales up it will be the answer to all of those questions.
You should be. The possibility of the ultimate loss of all privacy to the government should be scaring the bee-jeep-ers out of everyone!
Caution: Contents under pressure
How many times have we heard about some new technology that is going to obviate the need for the lowly password?
Offline access will need to be protected with passwords anyway.
As long as the password is not stored using reversible encryption, then it is for most practical purposes a private key, and not a shared secret.
However, more important is the claim I was making that a password is an effective solution for certain security vulnerabilities created by other solutions.
I don't see an advantage to blockchain in your comment. Blockchain is used to make PKI management easier? I can't visualize the entire concept, start to finish. In order to understand what advantage blockchain has over other options, or to understand where vulnerabilities might occur. I wouldn't know how to implement blockchain to manage PKI for my own use, not in a manner I trusted to be secure.
Another idiot who doesn't understand the tech proclaiming that it'll replace a tried and true standard when he doesn't really understand the scenarios where his product works or not.
Join the masses of idiots who said biometrics are going to replace passwords, among others.
Should've ignored it. Here's the red flag: "the geeks are working on it right now"
Proof of identity isn't the same as SSO. Whenever you access "https" the server is proving its identity to you, since you access its public key (certificate) and trace it up to the root certificate that you already have installed. The server does not "sign on" to your desktop to prove its identity or use some kind of password or login authentication.
The blockchain can eliminate the need for getting blessed by a root certificate like Verisign (Verisign is very expensive, at $400/yr). That can open the door to consumers self-signing their data (no sane consumer would pay $400/yr to Verisign), and eliminates the need for "logging in". Any server can verify your identity through your own digital signature the same way your browser verifies a server's identity through its digital signature.
If you've ever used kerberos or any other key management system, you'll realize that the password is only asked once when it has to read your password-protected private key from cold storage (disk) and thereafter it uses ephemeral keys stored in volatile memory and never bothers with asking for your password again until you reboot or shut down.
Yes, your private key is protected by a ... password. And nobody's ever had their bitcoin wallet hacked. I'm not saying blockchain technology brings nothing to the table, but it's certainly not a panacea.
"I have never let my schooling interfere with my education." - Mark Twain
Whenever someone says 'blockchain', they're almost certainly leading into selling you an inefficient solution that doesn't apply to the problem they think it does.
Just say 'no' to blockchains.
Not really sold on the verification by way of digital signature.
Blockchain seems like a good idea for maintaining the integrity of public information.
However I can't fathom a solution for a consumer for which blockchain provides sufficient security. Who or what is the ultimate authority? Is it turtles all the way down?
I have no idea.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
I'm not sure I do either, getting totally confused by this blockchain concept. I think my comment was intended for another poster who said the blockchain/wallet would act as some kind of PKI management database. Facilitating the use of public and private key pairs for the general public at a lower cost than the current going rates of SSL certificates. So if this thing works, SSL cert vendors might go out of business, as "root" authorities will no longer be required. The blockchain will be the root CA, in some fashion.
SSL public key signatures in blockchains are used as signatures in the history. Like a list of names and signatures on a title deed, it traces the ownership of the currency. There is little to be gained in breaching older segments of the block chain. The history of the chain is used for integrity verification and remediation of theft attempts.
And that is how I view blockchain, a remediation tool, not a preventative measure.
So in taking a blockchain which tracks the transfer of nothing, it would appear to reduce or eliminate the remediation effect. Which leaves me befuddled as to what advantage this blockchain has over a database? Is this simply a peer 2 peer network of public key databases? Or is this a public profile of a person based on the companies they typically do business with?
Nope. I generally don't store my passwords in a centralized database. Merely a salted hash of the password using irreversible encryption. You know, a "public key".
"Not really sold on the verification by way of digital signature."
Me either. But surely it's good enough for sites like slashdot where I really don't much care if someone logs in as me.
You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
Encryption without identity is vulnerable to a man-in-the-middle attack. The whole point of root certificates is verifying your identity and checking documentation of ownership of a website before they give you a certificate. If it were just encryption, sans identity, then https wouldn't accomplish anything, and anyone in the middle can just encrypt with their own self-signed certificate and you haven't achieved a secure end-to-end session. A stolen certificate is rare, and when it does happen, there's a revocation process. This is similar to someone else finding out your password and you have to change the password.
Your illustrated problem of a teenager or someone else gaining access is not unique to digital certificates, the same is true with passwords, since passwords are generally used only once per session and then the rest of the session assumes continuity of identity. If you go to the bathroom or leave your desk, those websites will assume whoever sits down next has the same identity. This is why most offices require employees to lock their terminal before going to the bathroom or leaving for a meeting.
In fact, passwords are generally considered less secure than crypto signatures due to the prevalence of keyloggers. Most secure websites generally recommend 2FA. You can essentially flip the precedence, so the primary login can be the crypto signature instead of the password, and the secondary authentication can be a pin, or mother's maiden name or any arbitrary security question & answer, only when you're doing something that requires 2FA like transferring money out of your bank account or changing the security settings.
Keys aren't allowed in my environment, too easy for private keys to get out never to be changed.
Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
I've been intrigued by blockchain for months... but feel frustrated by the (lack of) technical material I can find on the subject.
I definitely want to use (something with what I understand to be the properties of) blockchain for a few different purposes:
For both of these use cases, it seems that BitCoin has already tackled the questions. While, I accept, I could review Bitcoin source code - that would be time-consuming and provide an insight into only one implementation of BlockChain technology.
I'd like to know: are there any good technical resources that tell me how BlockChain technology is implemented - in order that I can establish the effort required to adopt such a technology in the context of a specific application?
This from a guy with a deep, deep interest for that assertion to be true.
Every password is a private key.
It may not be a private key in a public/private key pair. But it's a secret (key) that is known only to you (private).
That's not correct. It's transmitted over the network and is also known by the server on the receiving end so that they can validate whether or not it's correct. A private key, on the other hand, is never known on the receiving server since it's never transmitted over the network, unlike a password.
Are Blockchains Poised To End the Password Era?
Indeed. I can actually not see any added value compared to a simple distributed database, like the PGP key servers. To me, it seems that the efforts to justify the value of the blockchain for _something_ are getting more and more desperate. A typical hype-cycle.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Exactly. Yubikey does this now. You have a secret private key that never leaves the security hardened device. The device will accept any token and encrypt it with the private key ("sign it"). The website or resource can decrypt with your public key to authenticate you.
No blockchain necessary here. Blockchain would add nothing.
- For the complete works of Shakespeare: cat
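Added example (not part of the thread): the challenge-response login the comments above describe, where the server keeps only a public key and the private key never leaves the client. It uses Ed25519 from Node's built-in crypto; the class names, the `example.test` and `phish.test` site names and the choice to bind the site name into the signed message are assumptions made for this illustration.

```javascript
const nodeCrypto = require('node:crypto');

// Client side: holds the private key (a hardware token would keep it on-device).
class Client {
  constructor() {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
    this.publicKeyPem = publicKey.export({ type: 'spki', format: 'pem' });
    this.privateKey = privateKey;                   // never sent anywhere
  }
  // Sign the server's nonce together with the site name, so a signature
  // collected by one site is useless at another.
  respond(origin, nonce) {
    const msg = Buffer.concat([Buffer.from(origin + '\n'), nonce]);
    return nodeCrypto.sign(null, msg, this.privateKey);
  }
}

// Server side: stores public keys only, so a database leak exposes no secret.
class Server {
  constructor(origin) {
    this.origin = origin;
    this.publicKeys = new Map();                    // user -> public key (PEM)
    this.pending = new Map();                       // user -> outstanding nonce
  }
  register(user, publicKeyPem) { this.publicKeys.set(user, publicKeyPem); }
  challenge(user) {
    const nonce = nodeCrypto.randomBytes(32);       // fresh for every attempt
    this.pending.set(user, nonce);
    return nonce;
  }
  login(user, signature) {
    const nonce = this.pending.get(user);
    const pem = this.publicKeys.get(user);
    this.pending.delete(user);                      // single use, even on failure
    if (!nonce || !pem) return false;
    const msg = Buffer.concat([Buffer.from(this.origin + '\n'), nonce]);
    return nodeCrypto.verify(null, msg, pem, signature);
  }
}

// Walk through a valid login, a replayed signature and a signature that
// was produced for a different site.
function demo() {
  const server = new Server('example.test');
  const alice = new Client();
  server.register('alice', alice.publicKeyPem);

  const sig = alice.respond('example.test', server.challenge('alice'));
  const ok = server.login('alice', sig);

  server.challenge('alice');                        // new nonce issued
  const replay = server.login('alice', sig);        // old signature reused

  const nonce3 = server.challenge('alice');
  const wrongSite = server.login('alice', alice.respond('phish.test', nonce3));

  const serverHoldsSecret = [...server.publicKeys.values()]
    .some((pem) => pem.includes('PRIVATE KEY'));
  return { ok, replay, wrongSite, serverHoldsSecret };
}
```

Key distribution and revocation, the part the thread argues a blockchain or key server would handle, is outside this sketch: `register` simply trusts whatever public key it is given.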
> the sole responsibility of the user
My mom just called me because she lost "her yahoo" again. Tell me again about people being responsible for their private key infrastructure again?
- For the complete works of Shakespeare: cat
[nt]
File under 'M' for 'Manic ranting'