TECHNOLOGY AREAS: Identity, Privacy, and Cybersecurity
OBJECTIVE: Design information security and privacy concepts on the blockchain to support identity management capabilities that increase security and productivity while decreasing costs and security risks for the Homeland Security Enterprise (HSE).
DESCRIPTION: Blockchain technologies, if incorporated with the security and privacy capabilities required by the HSE, could offer a flexible, resilient and potentially lower-cost alternative to current Homeland Security Enterprise identity management capabilities.
Current HSE identity management deployments utilize centralized authoritative sources to vouch for the accuracy of the information they collect and maintain. While mechanisms for storing this information can vary (Lightweight Directory Access Protocol (LDAP), databases, Active Directory, etc.), they are ultimately a type of organizationally owned and controlled ledger.
This in turn has led to an ecosystem where, to process a transaction that validates information (e.g., birth date), it is necessary to (1) first discover the entity that is considered authoritative for that information, (2) establish the technical means (protocols, data formats, etc.) to interact with that entity, and (3) rely upon the ability and scalability of that entity to validate the information.
Potential examples of this type of interaction within the Homeland Security Enterprise (HSE) are validation of employment status, citizenship, eligibility to work, validation of qualifications of first responders and any other type of interaction that requires a central authority to provide a distributed validation capability.
However, recent innovations around crypto-currencies point to a potential answer to this dilemma. Of particular interest is the underlying technology of the ‘bitcoin’ crypto-currency, which is called the blockchain. The blockchain is in effect a common, public ledger, which utilizes cryptographic mechanisms to verify transactions and information in a decentralized manner.
The potential applicability of blockchain technology goes beyond crypto-currencies (which are simply applications built on top of that technology) to many other uses such as smart contracts, provenance and attribution, distributed validation of information and more.
This SBIR topic is focused on determining and demonstrating if classic information security concepts such as confidentiality, integrity, availability, non-repudiation and provenance as well as privacy concepts such as pseudonymity and selective disclosure of information can be built on top of the blockchain to provide a distributed, scalable approach to privacy respecting identity management.
PHASE I: Analyze the current implementation of the public blockchain technology and develop the concepts and methods needed to demonstrate the implementation of information security principles of confidentiality, integrity, availability, non-repudiation and provenance as well as privacy concepts such as pseudonymity and selective disclosure of information on the public blockchain.
This phase will demonstrate the various information security and privacy concepts and methods using a multi-user information-sharing prototype and provide detailed architecture and technical details that document and explain the implementation. In addition, this phase will explore, analyze and document the feasibility of applying the developed concepts and methods to a private or consortium based blockchain.
PHASE II: Apply the concepts and methods developed in Phase I to the domain of identity management – in particular to the assertion and validation of identity information (i.e., attributes).
Phase II will demonstrate via a prototype how such a system could interoperate with existing identity assertion, validation and attribute sharing infrastructure built on top of current protocols such as SAML 2, OpenID Connect and OAUTH2. It will provide detailed architectural papers, technical details and prototype code that explain and document the implementation. In addition, this phase will explore, analyze and provide documentation on the incentive structures that need to be put into place for the adoption of this technology over the status quo.
PHASE III: COMMERCIAL OR GOVERNMENT APPLICATIONS: Potential HSE Applications of this technology include attribute registries used to share emergency responder qualifications, employment eligibility or organizational affiliations as a precursor to physical and logical access control. Commercial applications include digital contracts, attribution of knowledge work and more.
REFERENCES:
- Nakamoto, Satoshi. Bitcoin: A Peer-to-Peer Electronic Cash System. Retrieved from https://bitcoin.org/bitcoin.pdf
- Buterin, Vitalik. (August 7, 2015). On Public and Private Blockchains. Retrieved from https://blog.ethereum.org/2015/08/07/on-public-and-private-blockchains/
- Gault, Mike. (July 5, 2015). Forget Bitcoin — What Is the Blockchain and Why Should You Care? Retrieved from http://recode.net/2015/07/05/forget-bitcoin-what-is-the-blockchain-and-why-should-you-care/
- Security Assertion Markup Language v2 (SDO: OASIS). Retrieved from https://www.oasis-open.org/standards#samlv2.0
- RFC 6749: The OAuth 2.0 Authorization Framework (SDO: IETF). Retrieved from https://tools.ietf.org/html/rfc6749
KEY WORDS: cryptography, bitcoin, blockchain, identity, attributes
TECHNICAL POINT OF CONTACT: Anil John, 202-254-8789, email@example.com