Blockchain for assured cross-domain digital identities

This article explores a blockchain-based solution that can help assure the digital identities of people and systems that communicate across segmented network security environments (such as information exchanges between an endpoint that resides on a classified network and another that resides on an unclassified network). Cross-domain information exchanges are critical to national intelligence and military use cases.

Trusted digital identity is at the heart of securing any online transaction because authentication and authorization decisions all rely on the assured identity of the communicating parties. But assuring the digital identities of parties transacting across segmented networks is especially complex and operationally cumbersome, and risks inappropriately revealing sensitive identifying attributes of the transacting endpoints. Distributed blockchain identity ledgers that immutably bind a subject entity’s unclassified W3C Decentralized Identifier (DID) to its public key and domain-specific service endpoint addresses can provide a common root of trust spanning stove-piped network segments, and enable trusted public key enabled (PKE) cross-domain interactions between entities without the operational complexities and identity spillage risks of traditional centralized PKI solutions. A multi-domain blockchain identity network provides assured digital identities with near-real-time public key distribution, revocation, and authentication, and protection from identity spillage without using a centralized registry, centralized identity provider, third-party certificate authorities (CA), CA-signed cross-certificates, and complicated, extended CA-ICA trust hierarchies.

The problem: Stove-piped, domain-specific digital identities

Traditional public key infrastructure (PKI) relies on trusted centralized third-party Certificate Authorities (CA) and Intermediate Certificate Authorities (ICA) to digitally sign certificates that attest to the digital identity of a given subject and its associated public key and other identifying information. To issue these credentials at scale, a root CA signs certificates for multiple ICAs that may in turn sign certificates for other ICAs, and ultimately sign certificates for end users in a lengthy CA-ICA-subject trust hierarchy. Trust hierarchies can become quite extended and complex, particularly when subjects (entities) from different trust hierarchies need to interact and then cross certificates are used to establish trust relationships between different CAs. The DoD PKI External Interoperability Landscape diagram on the DoD Cyber Exchange site illustrates the complex, ever-growing tree of parent-child relationships between CAs emanating from the Federal Bridge CA that’s operated and maintained by the US Federal PKI Management Authority.

Communication between segmented network environments — for example, communications between an unclassified network endpoint (the low side) and a classified network endpoint (the high side) — further complicates assuring digital identities. In addition to the operational and administrative complexities of operating under a different root CA for each network segment, cross-domain authentication and authorization risk violating non-attribution requirements by unintentionally spilling sensitive or classified identifying information to the far-side domain, which is a particular concern in intelligence-collection activities. Attribution-spillage can occur when identifying attributes in a subject entity’s digital PKI certificate (such as name and organization) and in network and application configuration attributes (such as hostnames).

Provisioning and maintaining up-to-date certificates, identifying information, and performing timely certificate revocation checks are also more difficult when performed across network segments. For example, even changes to a U.S. military service member’s rolodex-type personal information (such as their email address) made in the US milConnect system can take up to several weeks to replicate across the Department of Defense’s global address list (GAL).

These complexities and security vulnerabilities discourage and limit trusted information exchanges across security domains.

The blockchain-enabled cross-domain digital identity solution

Distributed blockchain identity ledgers that immutably bind a subject entity’s unclassified W3C Decentralized Identifier (DID) to its public key and domain-specific service endpoints can provide a common root of trust that spans stove-piped network segments and enable trusted public key-enabled, cross-domain interactions between entities.

A permissioned, public, unclassified blockchain identity network with nodes located on all participating network segments (security domains) provides unclassified trusted digital identities and public key enablement (PKE) for all participating entities (person and non-person). The cryptographic controls and consensus mechanisms that are built into distributed blockchain ledgers enable subjects (known as DID controllers) to self-register and immutably bind and distribute their DID-specific cryptographic material throughout all nodes of the domain-spanning identity network. Because DIDs and their cryptographically-bound, identity-related metadata (DID documents) are by design intended to contain only unclassified information, they may be safely distributed across security domains through the blockchain identity network consensus mechanism. DID authentication is performed quickly by looking up the DID’s public key on a local domain node. Changes to a DID document, such as revocations, are quickly replicated across all domains and nodes that use the blockchain consensus mechanism.

A DID document specifies a DID’s authentication and authorization mechanisms (which can also include traditional centralized PKI certificates) and also enables discovery and communication with the subject entity via its blockchain published service endpoints. A service endpoint located on each network domain enables trusted interactions with the DID subject commensurate with that domain’s classification. In this way, appropriately classified subject identity attributes can be shared without risk of inappropriate identity spillage.

For example, a DID subject (OrgA) may have service endpoints located on both an unclassified network and a classified network. Unclassified interactions with OrgA could be performed via its Unclassified Service Endpoints on the unclassified network. Classified interactions with OrgA (using the same DID) can be performed via its Classified Service Endpoint on the classified network. OrgA may have classified or sensitive identifying attributes, which will only be revealed through communications using its classified network service endpoint.

The value to you

A multi-domain blockchain identity network provides assured digital identities across segmented network environments without a centralized registry, centralized identity provider, third-party certificate authorities (CA), CA-signed cross-certificates, or complicated, extended CA-ICA trust hierarchies. It does this with near real-time public key distribution, revocation, and authentication, as well as protection from identity spillage. It can also leverage existing centralized PKI as additional authentication mechanisms.

Removing centralized, third-party dependencies with this self-sovereign identity (SSI) solution streamlines operations, improves reliability and resilience, provides scalability, and increases PKE performance. DID document-specified service endpoints located on each network security domain provide the ability to selectively release identifying information about the subject, minimizing the risk of identity spillage and providing a trusted non-attribution service.

Find out more about how blockchain can provide an assured cross-domain digital identity solution at the IBM Developer Blockchain hub. And you can read my other blockchain-related posts on the IBM Blockchain Pulse blog.

I look forward to more great conversations on the advantages of blockchain as a cross-domain digital identity solution.

Timothy Olson