Identity Access Management on the Blockchain

I’ve been looking at Blockchain technology recently (with some level of confusion), in regard to it’s potential application to IAM, and more generally around the cryptocurrencies that have emerged following Bitcoins success – it still remains to be seen how the Bitcoin implementation will continue operating once all coins have been mined, as the model shifts to a more transactional fee based set-up, but certainly the underlying technology and approach is intriguing. Applied to the authentication world, the concept of ‘letting everyone in’ as opposed to the more traditional (and share holder friendly method..) of ‘keeping people out’ feels like the right approach given technological trends towards ‘openness’ (and the fact most black-hats are uber-intelligent techies either pushing a particular social/moral/political agenda or simply doing it for the ‘thrill’ – both communities that won’t be disappearing any time soon), but the lack of an incentive component (more on that shortly) seems prohibitive.

First things first, I highly recommend these sources to understand the blockchain model in more detail How the Bitcoin protocol actually works | DDI & Learn Bitcoin: Transaction block chains | Bitcoin |Khan Academy, but essentially, Bitcoins implementation relies on two broad themes – openness and incentive (arguably a good model for any technology ). The openness piece is the sharing of a peer to peer public ledger of transactions (the blockchain), which everyone on the network has an up-to-date copy of (e.g. via your Bitcoin wallet), and which everyone can use to validate transactions – one never actually owns a Bitcoin per se, simply a record of your assigned Bitcoins held in the public ledger. The incentive piece is what makes the model work – and was the piece up until recently I was having difficulty understanding. First we have to understand the Bitcoin miner.

The concept of a Bitcoin miner is an individual that validates transactions and then broadcasts the validity of those transactions back to the wider network – there are obvious issues with this; if it was a simple validation look-up, then I could hack the system, begin double/triple spending Bitcoins, or hack the entire blockchain for my own nefarious ends. So instead, before I can communicate out that a set of transactions are valid, I have to solve a puzzle, to prove that my validation of the transactions is true; this is known as the ‘proof-of-work’, and requires huge computational power (making it largely impossible to hack the system) given I need to run millions of calculations to find the correct answer.

The puzzle involves something called a hash function (Bitcoin uses the SHA-256 Hash function), and essentially I have to produce a hash string based upon two inputs – firstly, the combination of all transactions currently in my block awaiting validation, and secondly, a variable modifier, known as the ‘nonce’.  The Bitcoin protocol requires that the generated hash be lower than a set ‘target’ (this target is constantly modified to ensure a set threshold of solvability, measured in time taken to solve, usually set at around 10 minutes) – once I generate a hash which satisfies the target, then the problem is solved. At this point, I’m able to broadcast my message that the transactions are valid to the entire network, and then subsequent nodes (users) on the network can use my produced hash to validate the problem (given they all have the same set of transactions in the block to use as input, given the public nature of the ledger, they should be able to produce the same hash – if they cannot, then my solution is not valid and the transactions invalid). This hash is then stored against the current block, connected to all prior blocks (and their hash codes), creating the ‘block chain’.

 Note: the above diagram uses preceding 0’s in place of the ‘target’, which essentially act as the same thing – using the blocks transactions and the ‘nonce’ variable as an input, I need to produce a hash with a set of leading 0’s – once I meet the target set of preceding 0’s, I have solved the problem.

This is the incentive part – why would I spend my time solving these complex problems, investing considerable funds in hardware & processing power? Well, because in solving a problem, I receive a set number of Bitcoins as a reward. Solving these problems becomes increasingly complex over time, requiring more and more intensive compute to calculate the answer – this is why Bitcoin Mining communities have emerged, to harness the power of ‘cloud’ to exploit global processing power. In order to hack the blockchain, I would need to update 1000’s of nodes with modified block hash’s, at huge scale and speed; this makes blockchain practically impossible to hack given the colossal processing power required.

It is this open and transparent approach to maintaining a financial ledger that is most interesting in the technology, the way blockchain is fundamentally changing how a transaction operates – this same paradigm shift could be seen within the Identity Access Management world; we stop building walls for keeping people out, rather opening the front door and letting people in, with processes managed by the community, and data secured by incentive and scale through the blockchain model. As I mentioned earlier, we probably need to see how Bitcoin (and others) evolve past their initial incentive model, to understand whether this is a long-term play, but at this point-in-time, it certainly seems a viable option for IAM.