key: cord-0580173-ndk4x1dm
authors: Aydar, Mehmet; Ayvaz, Serkan
title: Towards a Blockchain based digital identity verification, record attestation and record sharing system
date: 2019-06-24
journal: nan
DOI: nan
sha: 65b5ee2523bceba1b4c7566a6631edf0012b51b7
doc_id: 580173
cord_uid: ndk4x1dm

In this study, we investigated the utilization of Blockchain technology in identity systems. We reviewed the drawbacks and weaknesses of traditional identity systems, and discussed the potential benefits of employing Blockchain technology for a more efficient identity system. As a result, we proposed a Blockchain based digital identity verification, record attestation and record sharing system. When compared to traditional identity systems, it makes identity verification and identity based record sharing more efficient and secure, while respecting privacy of identity owners. By exploiting the trust fabric of Blockchain, a Blockchain based identity system eliminates the middle man and wait lines for authentication, authorization, and attestation. It allows individuals to decide what parts of their identity they want to share and with whom they want to share it.

Individuals identify themselves using various identity assets such as their name, national identity number and passport number. Identity assets are recorded in physical identity documents which are attested by central authorities. In the world of the internet, identity owners are required to provide their identity assets to institutions in order to verify their identity. Traditionally, institutions keep sensitive identity assets in centralized data silos. This traditional way of identity management methods are open and susceptible to data breaches, identity theft and fraud, and it has inefficiencies in terms of security, usability, privacy and globalization. As a matter of the fact, it has become crucial to move away from intermediary and provider-controlled identity management models toward user-controlled digital identity.

The advent of Blockchain technology has created an opportunity to transform how relationships between people and institutions are established and maintained. Blockchain technology can deliver secure solutions by integrating trust in the network itself. As for digital identity management, Blockchain enables identity owners to have sovereignty of their identity and identity based personal records, control access to their records and enables identity owners to share minimum amount of information while ensuring integrity and trust.

Our study focuses on using Blockchain technology for identity management. The paper is organized as follow, section 2 explains current problems in traditional identity management methods. Section 3 describes Blockchain technology, explains why the technology fits for a robust digital identity management system, and the main concepts used in Blockchain based identity management systems. In section 4, we describe our solution in details. Section 5 reviews existing solutions in this area, and we follow by conclusion.

We grouped the challenges persists in traditional identity management methods in four categories: usability, privacy, security and globalization.

Customers use a combination of username/password in order to be authenticated for online services, in which they are required to provide their private information in order to create an account. This creates hassles such as too many different login information for each service, trying to remember the login information, and being have to give privacy information to recover an account in case of forgetting the password. For remote authentication, in most cases identity owners are obliged to respond to security questions regarding their personal and sensitive information in order to verify their identity. As a result, users pay a price by spending a great deal of time proving their identity, and risking their privacy by giving up their private identity information. A survey report by Centrify in 2014 indicates that even small businesses with 500 employees lose $200,000 annually to employees due to the amount of time spent with password management [1] .

Identity assets defines an individual. Yet, in traditional ways individual's identity assets are stored by third parties. Third parties, whether it is a website, a company or a government, keep silos of identity data. They often require more information than they need in order to verify individual's identity, as for example, "phone number", "mother's maiden name" and "social security number." Sensitive identity details are often stored in central locations that identity owners are unaware of, shared without their approvals, and exploited for commercial gain.

In traditional ways, each service provider keeps some portion of individual's identity information for identity verification. Hackers are constantly attacking these systems to steal identity information. Any possible breach of identity creates tremendous setbacks both for the identity owner and the businesses. According to Javelin's Identity Fraud Study [2] in 2017 alone, over 16.7 million customers in the U.S. were affected from identity frauds, which costed them a total of $16.8 billion. What is more interesting is that the number of victims affected by identity frauds were increased by 8% comparing to the previous year. Table 1 shows a sample of the important data breaches in recent years. As shown in the table, there is an increasing trend in cyber-security breaches and a rise in their economic damages. A report by Herjavec Group predicts that damages caused by cyber-security breaches will cost the world $6 trillion in a year by 2021 [4] .

In global perspective, identity verification and record attestation is challenging across borders due to the institutional and international boundaries. When a person travels to a different country, identity verification often comes down to a manual process of verifying his/her physical documents (i.e., passports.) In addition, verification of credentials such as Education certificates and credit reports is often slow, disjointed and requires involvement of trusted third parties for attestation. For instance, individuals who have earned a particular college degree in India have to go through trusted third parties, 

The user database of OneLogin was breached with estimation of millions of employee data. 2016

USA-based identity fraud in the financial sector increased from 13.1M in 2015 to 15.4M in 2016. 2016 More than 600 data breaches which compromised over 21M identities. 2016

A breach of over 1 billion user records in the system of Yahoo!, which remained exposed for 3 years between 2013 and 2016.

Another breach at Yahoo! of over 500 million user records in 2014, which remained exposed for 2 years. 2015

Over 175 millions of users' records were exposed in over 780 breaches. 2015

33M user accounts exposed in the Ashley Madison data breach, with an estimate cost of $850M. costing them a significant amount of money and time in order to prove their degree in a U.S. governmental office.

Blockchain is an immutable distributed ledger that stores ownership of digital assets in the form of transactions and blocks. A Blockchain network consists of peers, each keeping the same copy of the ledger data managed through peer-to-peer (P2P) networking. Unlike traditional decentralized peer-to-peer networks, in which each peers act independently, in Blockchain final decision is made through a consensus among the peers. Blockchain was first introduced as the backbone technology in Bitcoin, a digital currency system which eliminates the necessity of trusted third parties in electronic payments but still guarantees trust among the peers [5] .

In a Blockchain ledger, transactions are ownership transfer of digital assets. In Bitcoin system, ownership transfer is called "payment," in which digital asset is the digital currency (also called Bitcoin), and the owners are Bitcoin wallet owners identified by asymmetric cryptographic keys. Specific peers called miners are responsible for approving transactions. When a transaction is initiated, transaction details including sender, receiver, digital asset amount being sent, and the timestamp indicating the time of the transaction is hashed and broadcasted to the pending transaction pool. Miners grab a list of transactions to constitute a candidate block, which also contains a timestamp, the hash value of the candidate block which is generated from the block header and the Merkle root hash value [6] of transactions included in the block, and the hash value of the last approved block in the ledger. The network utilizes a consensus algorithm to approve and append candidate blocks to the ledger. For instance, in Bitcoin network the proof of work (PoW) consensus algorithm is used, in which miners compete to approve candidate blocks by trying to compute a computationally hard Nonce value, which is determined by the cryptographic consensus algorithm and an ever growing difficulty of the network. Once a block is validated, it is appended to the previously approved blocks by referencing to the last block's hash value, constituting a chain of approved blocks in the ledger.

The chaining and distributed mechanism of Blockchain makes tampering the previously approved transactions impractical. Tampering a single transaction in a block would result a different Merkle root hash value of the transactions contained in the block, and a different hash value for the tampered block, and therefore invalidates all the following blocks in the chain due to the hash linking feature of the ledger. This requires the re-calculation of a different Nonce value for all the blocks including and after the tampered block in the chain for the current peer, and for the majority of the peers in the network, with the purpose of verifying the fake transaction. That is computationally impractical in a widely adapted Blockchain network. Thereby, the ledger data stored in a Blockchain network is considered to be immutable.

Blockchain is considered to be a key innovation in the age of digitalization, in which everything is either digital or have a digital representation, and connected. Blockchain's innovative technology have the potential of bringing transparency and trust to digital ecosystem, by assigning everything a digital identity, distributing the storage rather than centralizing, and automating the processes with smart contracts. Therefore, the concept of "decentralized digital identity" is a major part and perhaps the starting point of a Blockchain network.

In Blockchain, asset owners are identified by asymmetric cryptographic (public-key cryptography) keys (explained in section 3.2). Blockchain based identity solutions utilize the concept of asymmetric cryptography, in order to assign digital identity to things. Several aspects of Blockchain makes the technology suitable for efficient and secure identity management:

• Blockchain ledger is immutable and transparent (based on permissions), and immutability and transparency are fundamental for identity management.

• Blockchain is resistant to single point of failure and denial of service attacks.

• Blockchain provides an efficient implementation of public-key cryptography and hashing, which:

can be extended for digital identity ownership.

helps ensuring integrity and authenticity of identity based records.

can be utilized for third-party attestation of records.

helps facilitating permission based record sharing with smart contracts.

• Blockchain eliminates or reduces monopoly in identity management, as it is not controlled by a central authority, which also enables identity and record integration in global scale.

• Blockchain supports incentives via crypto-currencies, which can be utilized for certain tasks such as providing incentives to the participants for data sharing.

It is noteworthy to state that, with the view to fully exploit the functionalities of a Blockchain based digital identity solution, a mainstream adoption of the system is crucial. Although Blockchain technology enables novel innovations in the area, Blockchain has not yet reached a large scale adoption in its current technological state. According to a survey by Johansel et al. [7] , scalability bottlenecks, lack of the progress in accessible data and APIs, and issues with disk space and bandwidth are the major hurdles of Blockchain for a conventional adoption. Swan [8] , on the other hand, presented technical limitations for adaptation of Blockchain in the context of security, usability, size and bandwidth, throughput and latency, versioning problems and wasted resources in transaction approval. Li-Huumo et al. [9] revealed that Blockchain research studies mainly focus on Bitcoin system, and only 20% of the studies concentrate on obstacles of Blockchain technology from the view of security and privacy.

Zheng et al. [10] brings up the concerns regarding privacy of individuals identity in conventional Blockchain networks such as Bitcoin, stating that associating identity owner's pseudonyms identifiers to IP addresses is possible [11] , and that transactional privacy cannot be guaranteed by conventional Blockchain networks [12, 13] .

Public-key cryptography (asymmetric cryptography) [14] is an encryption technique has been used for decades, which makes use of a key pair involving a private and a corresponding public key. Asymmetric cryptography enables encryption and decryption of messages using two separate keys, in a manner that a message encrypted with a public key can only be decrypted with the relevant private key that belongs to the key pair, and vice-versa. While private keys are meant to be only known by the key owners, public keys are open to others. In Blockchain, public-key cryptography is utilized for asset ownership and for verifying the authenticity of transactions. Figure 1 shows an example of public-key cryptography utilization in message sending for encryption and decryption. In the example, sender Bob uses receiver Alice's public key for the purpose of encrypting a message, and delivers the encrypted message to Alice. The encrypted message can only be decrypted by means of Alice' private key. The mechanism ensures that only Alice is able to retrieve the original message as long as Alice maintains her private key. Hashing is a mathematical mechanism of generating a fixed size value from input data. It is impractical to regenerate the original input given its hash value. In Blockchain, hashing is utilized in hashing transaction and block data. Bitcoin system uses SHA256 hashing algorithm which was originally designed by United States National Security Agency (NSA). SHA256 is also being used for decades in many sectors and services that requires solid security such as in financial services, and it has proven to be secure. Table 2 shows sample inputs and output of SHA256 hash function. authenticity and ensure integrity of the message in peer-to-peer communication, which is achieved using public-key cryptography and hashing. As an example, in Figure 2 , Bob sends a message to Alice using digital signatures. Bob encrypts the hash of original message with his private key. This action is called signing. Bob sends original message and signed message to Alice. Alice applies the same hash function to the original message and decrypts signed message using Bob's public key. Alice, then compares these two results. If they are equal, than it means that the message was indeed came from Bob and was not tampered. In Blockchain, Digital signatures are utilized in verifying authenticity of digitally signed transactions. For instance, in Bitcoin system, only transactions initiated by the asset owner itself are verified, which means asset owners can only spend the assets they own, and this is ensured via the concept of digital signatures.

3.3. Self-sovereign identity Self-sovereign identity (SSI) is an identity model in which any person, organization, or thing fully owns and controls their own data, and it is not governed by centralized authorities, and it can never be removed from the identity owner. The requirements of an SSI model are described as below [15] :

• Identity owners have full control over the data they own.

• Integrity, security and privacy of owner's identity are ensured by the system, a central authority is not required for trust.

• Provides full portability of the data, which means that identity owners can use their identity data in where they want (for instance in accessing an online service.)

• Any changes to the data is transparent, and transparency is sustained by the system.

Decentralized identifier (DID) is an identification mechanism which assigns a standard, cryptographically verifiable, globally unique and permanent identity to individuals, organizations, and things, which is completely under the identity owner's control and does not depend on central authorities. Public-key cryptography is used in DID, as each DID contains an asymmetric key pair (a public and an associated private key.) The control of a DID is managed through the control of DID's private key. DIDs provide an identity owners a lifetime encrypted private channel with another identity owner. Identity owners use DIDs to identify themselves. Each DID resolves to a DID document (DID descriptor object), which contains DID's cryptographic keys, publicly available metadata (if any) regarding the DID owner, and resource pointers for the discovery of endpoints for initiating interactions with the DID owner.

Credentials are proof for identity owners to assert their license or qualification on certain things. They are widely used in individuals' daily lives. Driver's licenses, university diplomas and travel passports are example of credentials. Verifiable credentials are machine readable, privacy respecting, cryptographically secure digital credentials of identity owners. Verifiable credentials support self-sovereign identity, such that identity owners accumulate credentials into an identity account and use the credentials to prove who they are.

Verifiable credentials usually involves a third-party attestation, but it can also be self-attested. Attestation is done by exploiting the concept of digital signatures. An attester (issuer) having a DID creates a verifiable credential by signing identity owner's records using its private key, and the credential is cryptographically verifiable by a verifier using the attester's public key. Verifiers count on the credibility of issuers to trust the credentials.

We propose a Blockchain based digital identity solution which makes use of attribute based data sharing, self-sovereign identity, decentralized identifiers, verifiable credentials, and allowing identity owners to use trust relationships that they already have with trusted partners. The system enables identity owners to prove that they are who they claim to be (authentication, i.e., login systems) and making a certain claim involving third-party certifications (attestation, i.e., proof of education degree certificates). The aim of the proposed system is to provide a framework that is scalable, globally usable and providing both privacy and security by design. Figure 3 shows the overall workflow of the proposed solution. In the system, individuals and institutions are assigned to a digital identity through a decentralized platform orchestrated by Blockchain. The system does not store any private user identity data, not even encrypted version, in public ledger. The system only keeps the proofs of transactions for the verification in Blockchain. Identity owners fully control the user identity data and solely determine whom to share their identity data. Identity owners receive their cryptographically signed documents in the form of cryptographically verifiable credentials from the related institutions, and keep them in their mobile wallets. Consequently, the system also reduces the time spent in tasks requiring verification of user identity and eliminates the need for central authority in verification and management of identity data.

In the system, individuals and organizations identify themselves with self-sovereign identities, which they fully control their identity based records without relying on a central authority. It can also be extended to devices in internet of things (IoT) domain for providing device identification and authentication. SSI consists of multiple decentralized identifiers (DID), one for each relation the identity owner has with other identity owners. The advantage of using different DIDs for each relation is that in case the keys from a particular DID are compromised, the other DIDs of the user stay protected. Under identity owner's control, each DID is globally unique and includes a cryptographically verifiable PKI (public, private key pair). Each DID resolves to a DID document, a DID descriptor object (DDO) which is stored on the Blockchain. A DDO includes the public key associated with the corresponding DID and metadata needed to prove ownership the corresponding DID, and endpoints of the DID objects to initiate trusted peer interactions between the ledger entities.

The details of cryptographic key pairs (public and encrypted private keys) of DIDs that belong to the user's self-sovereign identity are stored on user's devices, such as mobile phones. While public keys are stored in nonencrypted form, corresponding private keys are stored in encrypted form. A private key is encrypted in a way such that it can only be decrypted using a biometric signature of the identity owner, as fingerprint, facial feature, an iris or a retina. Encrypting private keys provide multi-factor and identity owner-specific authentication in order to be allowed access to the identity details. Figure 4 shows an example of how self-sovereign identity is stored on a user device and pairwise decentralized identifiers.

Authentication is the process for identity owners to prove ownership of their identity. It is often required in individuals' daily life for purposes suchlike security checks, being granted access to specific services. Our system uses public-key cryptography based authentication.

Identity owners are required to prove that they have control of the private key of a public key associated with their identity. Verifier side (for instance a website) encrypts a random string with this public key and sends it to identity owner. Using the private key, identity owner decrypts and retrieves the original string. Then, it sends the string back to the verifier. Verifier checks it against the original string, and authenticates identity owner if they are equal. Figure 5 illustrates how public-key cryptography based authentication works in the system. 

In proposed system, identity based record sharing is achieved through the concept of verifiable credentials. As explained in section 3.5, credentials contain data about an identity owner regarding their license or qualification on certain things. Each credential needs to be digitally signed by the issuer of credential. There could be two type of credentials; a self-attested credential is issued and signed by the identity owner itself (i.e., user publishes and signs his/her own data), and a third-party credential which is generally issued and signed by a third party (i.e., attestation and notarization services.) Credentials data can be in the form of free-text, graphic or pre-defined credential definition (schema). Our system encourages identity owners and third-party credential issuers to use a pre-defined credential definition in order to make the content of credentials machine readable. Schemas are important to define and make credentials machine readable. Our system allows schemas to be published on the ledger. By making use of RDF and ontologies, a great deal of already defined schemas can be utilized such as ontologies regarding personal data, medical data and university diplomas.

For a credential to be issued by third parties (issuers), issuers first need to authenticate identity owners. Once authenticated, issuer picks an appropriate credential definition, constructs and signs the record with its private key, and delivers the signed record to identity owner. As an example, using our system, driver licenses can be issued digitally in the form of verifiable credentials. For this reason, a government department publishes a credential definition for driving licenses onto the ledger. The credential definition contains references to attribute names and types from credential schema, which holds information such as the driver name, license number, license issue and expiration dates and license type. A license authority grabs the license schema from the ledger, fills out driver's information accordingly, and cryptographically signs the form, which generates a digital version of a driving license in the form of verifiable credentials. License owners keep the digital credential on their devices. Authorities are able to verify that the driving license is owned by the driver, was signed by a legitimate license authority and is valid. Credential definitions kept in the ledger are indexed and made searchable. This enables users to discover which authorities or organizations issue credential definitions that they need.

Verifiable credentials can be exchanged digitally between identity owners, involving individuals and institutions. Figure 6 shows an example of exchanging credentials of a University degree certificate. In the example, a University supplies its former student a verifiable credential proving her educational degree, using an existing claim schema from the ledger, and via pairwise decentralized Identifier "A". The University graduate presents the digital credential to her company using pairwise decentralized identifier "B". The company confirms that her employee's educational credentials are valid by verifying authenticity of the verifiable credential.

A verifiable credential can also be issued upon a request from another third party. In this case, identity owners have already proven their identity with an institution (credential provider), and also need to prove their identity with another institution (credential requester,) using the trust relationship they have with the credential provider. In order to do so, credential requester authenticates identity owner, and redirects identity owner to the authentication system of credential provider. Based on the requested information, credential provider provides a verifiable credential to identity owner. Identity owner signs the verifiable credential with his/her private key, and forwards it to the authentication system of credential requester. Credential requester retrieves the DID of identity owner and DID of the credential provider, and verifies digital signatures of them using their public keys from DIDs. This whole process can be performed online in seconds, enabling identity owners digitally proving their identity and credentials to credential requesters. The process assists in satisfying Know Your Customer (KYC) requirements, by enabling organizations linking their online services with verifiable credentials, while ensuring that information is only shared with the consent of identity owners. A consent proof of these actions is kept on the ledger without revealing sensitive information of parties involved. For instance, if identity owners have proven their identity with their bank, they can grant permission to share their financial data such as credit score with a telecommunication company in order to request a new service from the telecommunication company, as illustrated in Figure 7 .

Verifiable credentials are issued to and kept by identity owners. Verifying a credential involves verifying that the credential is owned by the identity owner and issued by a trusted authority, and that the credential is still valid, i.e. it has not been revoked by the issuer. Therefore an efficient revocation mechanism is needed which does not put a lag on the system (asynchronous), respects the privacy of the identity owner (private) and is not controlled by central authorities (decentralized.)

Our system keeps a revocation registry on the ledger. Credential issuers are responsible to publish revoked credentials to the revocation registry. The registry is a cryptographic accumulator, which includes credentials or the specific attributes of a credential that have been revoked, in addition to the corresponding credential definitions. A cryptographic hash value of a revoked credential is calculated and kept in the revocation registry. Verifiers check existence of the hash value to test whether the credential has been revoked.

When an identity owner shares a verifiable credential with a verifier, a proof of the sharing agreement (consent receipt) is generated and kept on the ledger. A concept receipt is signed by both identity owner and the verifier, and it includes their DIDs and the shared attributes names and data types without any of private information. The proof of a concept receipt is a cryptographic hash of the receipt, which is stored on the ledger. By this mechanism, tamper-proof evidences of sharing agreement of verifiable credentials are maintained, in case they are required in the future.

For a blockchain network, storage is a vital issue to be considered from perspectives of identity management, scalability, security and privacy. To avoid potential security and privacy problems, no private data is stored on the Blockchain ledger in our system. Even encrypted and hashed versions of private data are not stored as the encrypted data on Blockchain might become vulnerable to advanced quantum machines in the future [16] . Keeping sensitive private data on the ledger carries a risk that if the private keys of the identity owner are compromised, the identity owner's data can be revealed to public. Thereby, in our system Blockchain is mainly utilized to lookup decentralized identifiers and identity owners. It only stores the consent proof of data sharing between the identity owners and the revocation registry. Since the proofs of data are stored on the blockchain rather than the identity data themselves, the scalability is not an operational challenge.

There have been some recent solutions about Blockchain based applications focusing on digital identity. Moreover, several reports [17, 18, 19] originated by governments state the disruptive potential of Blockchain and the opportunities of exploiting the technology for digital identity.

Hyperledger is an initiative by The Linux Foundation that aims to create common open source Blockchain frameworks and tools that anyone can use freely. The members of the initiative are from a diverse industries including banking, technology, consulting, retail, governments and academia.

Hyperledger Fabric [20, 21] is a Blockchain foundation for creating private permissioned Blockchain applications with a modular design. A Hyperledger Fabric based Blockchain system includes actors such as client applications, asset owners, orderers and peers; each having a digital identity complies with X.509 digital certificate standard [22] . Identities are essential in Hyperledger Fabric, since apart from asset ownership, resource and access permissions management are also determined by actors' identities. Hyperledger Fabric also has the concept of principal which includes additional properties of actors' identities such as identity owner's unit, organization and permissions. Verifiable digital identities in Hyperledger Fabric are provided through Certificate Authorities (CAs) within the network. A Certificate Revocation List (CRL) is also kept by the system which stores digital identity certificates that have been revoked. Hyperledger Fabric also has a built-in Membership Service Provider (MSP) which identifies legitimate digital identities of the Blockchain network, and represents the organizations in which a digital identities belong. Another distinctive feature of Hyperledger Fabric is that it allows private channels that can be used for permissioned private data sharing.

Another Hyperledger project primarily built for self-sovereign decentralized identity supporting privacy by design, Hyperledger Indy [20] is a publicpermissioned distributed ledger project. It develops a set of identity specifications, artifacts, libraries, tools, and reusable components for creating decentralized identity on Blockchain to enable identity interoperability across applications and distributed ledgers. Hyperledger Indy supports data minimization. It enables identity owners to store their identity based records.

Applications don't need to store individuals' personal data, instead they store a link to the identity. Identity owners are able to control access to their personal data. Hyperledger Indy's identity model supports decentralized identifiers and verifiable credentials.

Sovrin [23] is a live distributed ledger built for decentralized identity that uses Hyperledger Indy's codebase. Sovrin ledger is public since it is designed to provide a self-sovereign digital identity for all. However its governance model is permissioned, that means the Blockchain nodes in Sovrin are governed by private organizations called "stewards."

Sovrin makes use of decentralized identifiers and verifiable credentials.To increase scalability, Sovrin uses two types of Blockchain nodes: a network of validator peers which have transaction write access to the ledger, and a bigger network of observer peers storing write-protected copy of ledger to handle requests for read.

Since Sovrin uses a public Blockchain, it is important to outline what is stored on the ledger. According to Sovrin, decentralized identifiers and associated DID documents with verification keys and endpoints, schemas and credential definitions, proof of consent for data sharing, public credentials and revocation registries are stored on the ledger, whereas private data of any kind (including hashed personal data) and private proof of existence are not stored on the ledger [24] .

SecureKey [25, 26] is a Blockchain based identity and authentication provider that allows customers to assert their identity information online using trusted providers that they already completed the Know Your Customer (KYC) process with, such as governments, telecommunication companies and banks. SecureKey ensures that personal data is privately shared with explicit consent of identity owner. Figure 8 illustrates an example of identity information sharing with customer consent, in which a consumer visits a telecommunication provider website, selects the device she desires, consents to share her identity information and her credit score provided by her bank, and the telecommunication company verifies her information in order to approve the requested service.

SecureKey uses a permissioned Blockchain network based on Hyperledger Fabric, in which participating organizations such as banks are central in managing the nodes of the Blockchain network. In the Blockchain ledger, the proof, provenance and permissions are stored. Consumer's identity information remains to be kept by the providers that consumer has trust. SecureKey also uses an incentive mechanism to data sharing, such that the credential requester pays to the credential provider. SecureKey architecture enables privacy with a triple-blind identity sharing, in that the data provider never knows the service a consumer is accessing, and the data requestor does not have to know the exact credential provider other than knowing the business type of the credential provider.

ShoCard [3] is a project developing an identity-platform built on Blockchain. Identity details are stored in a digital file called "ShoCard" which is owned by identity owner and usually stored on the owner's mobile device. Identity owners have a public-private key pair for controlling of their identity. ShoCard system enables attribute based data sharing. Individual's identity details are broken up to separate attributes. Each attribute is hashed and then signed by private key, and sent to be stored in a Blockchain. Figure 9 illustrates ShoCard's attribute based self-certification system.

ShoCard system architecture consists of a Blockchain layer which includes multiple public and private Blockchain networks, and a layer for ShoCard core services built on top of the Blockchain layer. Its system architecture also includes Sidechains and server cache, and applications layer that works on ShoCard services, and includes the SDKs and mobile applications.

In another related work, Walmart filed a patent [27] to protect a method that allows obtaining Electronic Health Record (EHR) of an individual from a Blockchain database even the individual is unable to communicate. In Figure 9 : ShoCard attribute based self-certification (Taken from [3] ).

this system, personal medical data is managed on Blockchain. Individuals have access to their own record by controlling an asymmetric key pair, which is specific to their identity. The system is particularly useful in cases of emergency, in which the patient is unconscious or incapacitated and unable to provide the physician with critical information relating to pre-existing conditions or allergies that may influence the direction in which treatment will be given when know.

In their system, the public key along with an encrypted private key (that was originally encrypted with a bodily feature of the patient), are kept in a wearable device. Patient's public key and the encrypted form of the associated private key can be obtained by scanning the wearable device via RFID. A separate biometric scanner device is used to obtain a bodily feature such as finger print or retina of the patient, and the encrypted private key can be decrypted using the biometric signature of the patient (fingerprint, an iris, a retina, and a facial feature, for instance.) The asymmetric key pair enables accessing the medical records of the patient stored in the Blockchain.

Bitnation [28] provides identity registration on Blockchain in order to enable geography-independent world citizenship unbound by governments. Bitnation can provide services like world citizenship, Blockchain passports, marriage certificates and emergency identifiers for refugees. A Bitnation identity requires concretely proving that the candidate existed at a definite time and location, and his/her existence was cryptographically signed by another group of identity owners. Bitnation uses Ethereum [29] network, and utilizes hashing, digital signatures and smart contracts.

Bitnation partnered with Estonian government for Estonia e-residency program [30] , which offers people who are not from Estonia or not a resident of Estonia a door to enter services like business ownership, digital contracts signing, banking, taxing, payment processing and notary services.

Uport [31] is a self-sovereign identity platform based on public Ethereum Blockchain. Like Sovrin, Uport supports attribute based data sharing, decentralized identifiers and verifiable credentials, and it does not store any private data on the public ledger. However, as oppose to Sovrin it uses a public Blockchain, and a cost is associated with transactions in the network.

In this study, we focused on laying a foundation for "decentralized digital identity" in Blockchain as "self-sovereign digital identity", supported by modern cryptography and verifiable digital credentials. We described the problems and challenges exists in traditional identity management methods in terms of security, privacy, usability and globalization. We reviewed existing solutions in the literature, and proposed a system which leverages powerful features of Blockchain to realize a true private, secure and globally usable digital identity solution, in which identity owners fully own and control their portable identity and identity based records without depending on centralized authorities. For future work, we intend to explore possibilities of integrating our solution on mobile applications, and creating a cryptocurrency to fuel the incentive of consent based data sharing through the concept of verifiable credentials.

Centrify survey results

2018 identity fraud: Fraud enters a new era of complexity

White paper: Identity management verified using the blockchain

White paper: 2017 cybercrime report

Bitcoin: A peer-to-peer electronic cash system

Protocols for public key cryptosystems

A comprehensive literature review on the blockchain technology as an technological enabler for innovation

Blockchain: Blueprint for a new economy

Where is current research on blockchain technology?-a systematic review

Blockchain challenges and opportunities: A survey

Deanonymisation of clients in bitcoin p2p network

A fistful of bitcoins: characterizing payments among men with no names

The blockchain model of cryptography and privacy-preserving smart contracts

A method for obtaining digital signatures and public-key cryptosystems

Self-sovereign identity

Bitcoin and quantum computing

Survey on blockchain technologies and related services. fy2015 report

Blockchain technology: Possibilities for the u.s. postal service

Distributed ledger technology: Beyond blockchain, UK Government Office for

An introduction to hyperledger

Architecture of the hyperledger blockchain fabric

Internet x. 509 public key infrastructure certificate and crl profile

Sovrin: A protocol and token for self-sovereign identity and decentralized trust

Sovrin: What goes on the ledger?

Identity now: A whitepaper for banks trying to determine the role they should play in evolving identity ecosystems

Identity now: The vital role telecommunications companies play and the tremendous opportunity in evolving identity ecosystems

Blockchain for identity management, The Lynne and William Frankel

A next-generation smart contract and decentralized application platform

Uport: A platform for self-sovereign identity