Blockchains Are Poised To End the Password Era (technologyreview.com) 129
schwit1 shares a report from MIT Technology Review: Blockchain technology can eliminate the need for companies and other organizations to maintain centralized repositories of identifying information, and users can gain permanent control over who can access their data (hence "self-sovereign"), says Drummond Reed, chief trust officer at Evernym, a startup that's developing a blockchain network specifically for managing digital identities. Self-sovereign identity systems rely on public-key cryptography, the same kind that blockchain networks use to validate transactions. Although it's been around for decades, the technology has thus far proved difficult to implement for consumer applications. But the popularity of cryptocurrencies has inspired fresh commercial interest in making it more user-friendly.
Public-key cryptography relies on pairs of keys, one public and one private, which are used to authenticate users and verify their encrypted transactions. Bitcoin users are represented on the blockchain by strings of characters called addresses, which are derived from their public keys. The "wallet" applications they use to hold and exchange digital coins are essentially management systems for their private keys. Just like a real wallet, they can also hold credentials that serve as proof of identification, says Reed. Using a smartphone or some other device, a person could use a wallet-like application to manage access to these credentials. But will regular consumers buy in? Technologists will need to create a form factor and user experience compelling enough to convince them to abandon their familiar usernames and passwords, says Meltem Demirors, development director at Digital Currency Group, an investment firm that funds blockchain companies. The task calls for reinforcements, she says: "The geeks are working on it right now, but we need the designers, we need the sociologists, and we need people who study ethics of technology to participate."
Public-key cryptography relies on pairs of keys, one public and one private, which are used to authenticate users and verify their encrypted transactions. Bitcoin users are represented on the blockchain by strings of characters called addresses, which are derived from their public keys. The "wallet" applications they use to hold and exchange digital coins are essentially management systems for their private keys. Just like a real wallet, they can also hold credentials that serve as proof of identification, says Reed. Using a smartphone or some other device, a person could use a wallet-like application to manage access to these credentials. But will regular consumers buy in? Technologists will need to create a form factor and user experience compelling enough to convince them to abandon their familiar usernames and passwords, says Meltem Demirors, development director at Digital Currency Group, an investment firm that funds blockchain companies. The task calls for reinforcements, she says: "The geeks are working on it right now, but we need the designers, we need the sociologists, and we need people who study ethics of technology to participate."
Sorry (Score:2, Informative)
"The geeks are working on it right now, but we need the designers, we need the sociologists, and we need people who study ethics of technology to participate."
Sorry, ethics died a year ago.
Re: (Score:2)
Re: (Score:2)
> the sole responsibility of the user
My mom just called me because she lost "her yahoo" again. Tell me again about people being responsible for their private key infrastructure again?
Re: (Score:2)
Are Blockchains Poised To End the Password Era?
Re: (Score:2)
Exactly. Yubikey does this now. You have a secret private key that never leaves the security hardened device. The device will accept any token and encrypt it with the private key ("sign it"). The website or resource can decrypt with your public key to authenticate you.
No blockchain necessary here. Blockchain would add nothing.
Re:Sorry (Score:5, Insightful)
"The geeks are working on it right now, but we need the designers, we need the sociologists, and we need people who study ethics of technology to participate."
We literally need none of those people, they're just the buddies of the people who write stupid articles like this.
Re: (Score:1)
Yeah, I voted this swill down as "stupid" this afternoon -- apparently that convinced them it would get a lot of clicks and needed to run post haste. LOL
Re: (Score:2)
Re:Sorry (Score:5, Informative)
Quite to the contrary of the article, some experts (derided as "geeks" in the article) are currently exploring what the blockchain is all _not_ good for or at least not any better than traditional solutions. Unfortunately, that likely includes basically everything, with a slight chance that some variant of the failed "currency" angle ("Bitcoin") may be salvageable if there is a way to reliably curb speculation and create stability.
In fact, I am currently supervising a BA thesis in this area and I expect that a mostly negative result will save the industry-partner a ton of money. I also already told the student that a negative result can certainly get a good grade if argued and justified well (same as a positive result, really). I have a second thesis lined up with a different student and industrial partner. Will be interesting to see what the outcomes are, but I do expect a "not now" or a "not ever unless special conditions are met".
Incidentally, "ethics" in the commercial space these days means "how can we manage to not get caught and still get rich". And please keep out the sociologists and designers, they really are mostly useless with very few exceptions.
Re: (Score:2)
NASDAQ is introducing a BTC futures market in 2018. Futures markets have the effect of smoothing thrash and adding longer term stability to a commodity.
Re: (Score:2)
I know. That is why I think the "currency" angle may be salvageable. Will be interesting to see whether that works or not.
Re: (Score:2)
Re: (Score:2)
Usefulness as a currency and usefulness as a speculation object are mutually exclusive. Bitcoin is currently a complete fail as currency.
Re: (Score:1)
Bitcoin is currently a complete fail as currency.
This is either ignorant or an outright lie: it fails to acknowledge the actual uses of bitcoin as a transaction medium. In brief many of the transactions e-gold was used for, bitcoin has taken over.
I don't any bitcoin at all (I wish I did), but come on, if you're advising BA theses, you better get your head screwed on straight.
Re: (Score:2)
You seriously do not get it. Fascinating. It is fortunately I do not supervise your thesis, you would fail completely. Your analytical skills suck.
Re: (Score:2)
Your analytical skills suck.
And you had none. Your post is pure insults.
But I can insult you too: if you think the only use for bitcoin is a speculation object, you're just ignorant. Fortunately ignorance can be cured, stupidity is forever.
Re: (Score:2)
You seem to have overlooked a little, but critical component of my statement: The word "currently". Incidentally, Bitcoin is not really anonymous either. Unless you are very careful and add extra measures, you can often be identified after a few transactions to several others. It just takes some effort.
Re: Blockchain may not be all good, but it ain't a (Score:2)
A blockchain might function as a web accessible smart card or key fob which functions for all accessible websites. This keyfob would need to be protected in some way.
Re: (Score:3, Insightful)
This keyfob would need to be protected in some way.
While your picture is somewhat correct and somewhat wrong, this really is the key-point. Incidentally, this is already the key-point with a password, but there it is relatively easy to do. All those that got weakly protected customer passwords stolen in the last few years were just grossly incompetent in protecting them. It is well known (to experts) how to do that right: salt, hash, iterate and in newer times add a large-memory property. PBKDF2 was the standard since at least 2000 and and is still doing re
Re: Blockchain may not be all good, but it ain't (Score:2)
The block chain stores your/my public keys, and I guess any public keys of entities you/I do business with.
Where do your/my private keys go? And how are they kept secured?
Re: (Score:2)
I have no idea.
Re: Blockchain may not be all good, but it ain't (Score:2)
Re: (Score:2)
Indeed. I can actually not see any added value compared to a simple distributed database, like the PGP key servers. To me, it seems that the efforts to justify the value of the blockchain for _something_ are getting more and more desperate. A typical hype-cycle.
Re: (Score:2)
I know next to nothing about blockchains, and cryptocurrencies have always looked to me like the dumbest financial "innovation" since the South Seas Company. But I sort of vaguely thought that blockchains MIGHT be useful as sort of the digital equivalent of Notarization of paper documents. For example, imagine a trust set up by lawyers for any of the thousand usual nefarious purposes or maybe even some legitimate purpose. The trustee is incarcerated for unrelated acts having to do with failing to touch t
Re: (Score:2)
Incidentally, "ethics" in the commercial space these days means "how can we manage to not get caught and still get rich".
As described by my ethics people where I work, ethics literally means following company policy. If you are following written company policy, then it's ethical, and if not, it isn't. Whether it's legal or moral has no bearing on if it's ethical.
Re: (Score:2)
The problem is on your side: You are clueless. Decentralization must happen in order to have an impact. It will not happen here, at least not anytime soon. And I do understand that, while you are obviously a "tech cheerleader". Ask yourself how many past trends you perceived as game-changers and what actually became of them. And then maybe read up on the Dunning-Kruger effect. At the end of that process you may be able to understand why I am qualified and capable to supervise these theses. Or you may not.
In
These are experts ... (Score:4, Informative)
... with, apparently, no experience:
... a startup that's developing a blockchain network specifically for managing digital identities.
Re: (Score:2)
Ad (Score:2, Informative)
See subject
Admin hell (Score:2)
Re: Um... that's exactly when Private Keys are bes (Score:2)
Otherwise what advantage does public and private keys for an individual offer over Kerberos NTLM authetication against a domain controller?
If you're talking about multiple servers on different domains, then you're actually talking about implementing a SSO configuration for multiple domains using pre-shared keys in place of pre-shared passwords.
Pre-shared keys require less typing, but are no
Re: Publish your PUBLIC key. Keep passwords local. (Score:2)
Re: (Score:3)
Every password is a private key.
It may not be a private key in a public/private key pair. But it's a secret (key) that is known only to you (private).
It may or may not be used in the same crytographic manner (hashing vs. encryption) as, a public/private key pair. But it's a secret (key) that is known only to you (private).
Re: (Score:1)
Every password is a private key.
It may not be a private key in a public/private key pair. But it's a secret (key) that is known only to you (private).
That's not correct. It's transmitted over the network and is also known by the server on the receiving end so that they can validate whether or not it's correct. A private key, on the other hand, is never known on the receiving server since it's never transmitted over the network, unlike a password.
Re: Password can be SHARED secret (Score:2)
However, more important is the claim I was making that a password is an effective solution for certain security vulnerabilities created by other solutions.
Re: Centralization of credential info is the probl (Score:2)
Re: (Score:2)
Proof of identity isn't the same as SSO. Whenever you access "https" the server is proving its identity to you, since you access its public key (certificate) and trace it up to the root certificate that you already have installed. The server does not "sign on" to your desktop to prove its identity or use some kind of password or login authentication.
The blockchain can eliminate the need for getting blessed by a root certificate like Verisign (Verisign is very expensive, at $400/yr). That can open the doo
Re: Um... that's exactly when Private Keys are be (Score:2)
Blockchain seems like a good idea for maintaining the integrity of public information.
However I can't fathom a solution for a consumer for which blockchain provides sufficient security. Who or what is the ultimate authority? Is it turtles all the way down?
Re: (Score:2)
"Not really sold on the verification by way of digital signature."
Me either. But surely it's good enough for sites like slashdot where I really don't much care if someone logs in as me.
Re: (Score:2)
Encryption without identity is vulnerable to a man-in-the-middle attack. The whole point of root certificates is verifying your identity and checking documentation of ownership of a website before they give you a certificate. If it were just encryption, sans identity, then https wouldn't accomplish anything, and any one in the middle can just encrypt with their own self-signed certificate and you haven't achieved a secure end-to-end session. A stolen certificate is rare, and when it does happen, there's
Re: (Score:3)
If you're always signing into something like that, then you should have already setup a public/private key solution for yourself, fool.
Seriously. This is why our computing experience sucks; we've got fools like "fluffernutter" running things.
Work smart, not hard.
Many systems don't support such a setup. Most systems (servers, networking gear, UPS, building/infrastructure management, etc.) still require a simple password as the lowest level authentication mechanism.
And how the FUCK would a key pair help? You still need to present the private key somehow. Carry it with you? Gee, better not carry it in plaintext, so you better encrypt it in some sort of reversible way. With a password.
DERP.
And finally, working smart doesn't mean you don't have to work hard. Why no
Re: (Score:2)
If you've ever used kerberos or any other key management system, you'll realize that the password is only asked once when it has to read your password-protected private key from cold storage (disk) and thereafter it uses ephemeral keys stored in volatile memory and never bothers with asking for your password again until you reboot or shut down.
Re: (Score:2)
Re:Admin hell (Score:4, Insightful)
Erp? How does that help anything? If you're not providing your password each time you authenticate, then somewhere it exists in an accessible form to some automated system. Using keys? You need to encrypt them (with a password). There's no getting around it. A password is at the heart of all proper authentication schemes because it is the only method that is even possible to be secure. It is the secret, the "something you know", that exists only in your head. Nothing changes if you use it to encrypt a key or a keychain or a password database or whatever else.
Re: (Score:3)
And as somebody that uses certificate-based logins (ssh) regularly, I wonder what problem they are trying to solve....
Re: (Score:3)
Re: (Score:2)
Makes sense. So they are trying to scam VC's basically.
Re: (Score:2)
Re: (Score:1)
And as somebody that uses certificate-based logins (ssh) regularly, I wonder what problem they are trying to solve....
A better problem to solve would be to have a more intuitive UI for managing client side TLS certificates. It would be nice if I could just use a client side TLS certificate to authenticate myself on Slashdot instead of (or in addition to) a username and password.
Sounds idiotic (Score:2, Interesting)
Blockchain wallets have to be secured, else anyone can impersonate the user and do what they will with the contents. So what would a blockchain credential system be? An online password wallet, in effect, exactly as secure as the protection on the wallet... which is either going to be what you have (an app on your device) or what you know (a password).
Re: (Score:1)
It is idiotic, but since it uses “blockchain” in it that means they’ll easily score heaps of VC money to burn for years.
bottleneck vunerability? (Score:5, Insightful)
If everyone uses one private/public key set for everything, then if that is compromised then the third party gets access to absolutely everything and can impersonate the user?
For those of us who use different usernames/emails/passwords from server to server that seems like a downgrade in security.
Tell me I'm wrong and I'm missing something. I've used PGP in the past and use keys for SSH logins but I've never used blockchain related stuff.
Re: bottleneck vunerability? (Score:2)
Re: bottleneck vunerability? (Score:4, Insightful)
A downgrade in security most definitely, but it should have the same pros and cons of a password manager.
Re: (Score:2)
As an individual quite possibly as an organization not so much. Right now attackers go after the authentication/authorization server / infrastructure (very often AD but not always). Its the first and primary target because if they can compromise that odds are good some of the following become true:
1) They can authorize some existing account they have access to already
2) They can change the authentication information for an account they want access to
3) They can get the authentication information in bulk,
Re: bottleneck vunerability? (Score:2)
However, there will most likely be a window of opportunity before the "certificate" gets revoked, that is there is a window before the block chain is forked by a trusted authority, or otherwise before the integrity of the block chain is restored and the fraudulent access chain is no longer trusted
Re: (Score:2)
There is no third party that needs to be trusted.
Basically, you would open an account with your bank, and tell them that you have already registered id/PhantomHarlock. They would give you specs for a public key pair and a subidentifier. You'd create a private key to their requirements and publish the corresponding public key under the subidentifier they will be looking for.
When you go to log in, you type in your username and their system consults the global distributed database. It finds the subidentifie
Re: So 2 factor authentication? (Score:2)
Where does the audit trail of blockchain come into play?
Re: (Score:2)
No, it's 1 factor. It relies on 1 thing you know (your private key) presented over a single channel (the internet).
Re: (Score:2)
It is either 1 or 2 "factors" depending on user choice. That it isn't obvious says a lot about the uselessness of that system for classifying authentication schemes.
I didn't really explain how the blockchain figured into it, but after that it is a textbook-standard public key authentication system with some dress-up for the web. We could do it today if we wanted to.
The blockchain part is for key management, also known as "the hard part of PKI". Basically, you only need to communicate one identifier to ev
Re: So 2 factor authentication? (Score:2)
Re: (Score:2)
If you trust the bank's published public key, then you're not getting anything beyond the current method of trusting their SSL cert.
Having a one time challenge presented is pointless within the context of an SSL-encrypted session.
There's simply no benefit to such a scheme over creating a username and password for each site and using a password manager.
The most impact you could have is the authenticating system's database not having to keep a copy of your hashed password for someone to eventually steal and t
Re: (Score:2)
SSL involves trusting a few thousand third parties. The system I described would have zero. That would be worth the price of admission by itself.
Second benefit: you can change your key just by updating your public record. No need to contact the other party and let them know.
Third benefit: no one but you can change your key.
Re: (Score:2)
As far as I can tell, the blockchain bit is clickbait. They're talking about public key encryption and signing.
LOL (Score:5, Funny)
users can gain permanent control over who can access their data
So yea that's definitely not going to happen.
"CryptoCurrency" Buzzword gets VC money (Score:1)
Translation:
Lets take Public Key/Private Key (ie PGP) methods, combine it with "BlockChain CryptoCurrency" words, and then get suckers that have more money than brains (or tech knowledge) to fund a startup that goes nowhere.
Re: "CryptoCurrency" Buzzword gets VC money (Score:2)
Does the blockchain mindset or methodology provide a superior visualization or understanding of the beat use implementation of the solution?
Can people understand it better, so they can use it better?
Re: (Score:2)
Re: "CryptoCurrency" Buzzword gets VC money (Score:2)
Re: (Score:1)
But those don’t say blockchain in them so good luck getting a Silly-con Valley VC to take notice. This is all just a scam to score VC money from suckers.
What demented nonsense is this? (Score:2)
Of course, nothing like that is true or even desirable. This story is utter nonsense. Credentials (whether passwords, certificates or seeds for OTP mechnisms) are under company control so their servers can access them easily and so they can revoke them fast. The blockchain has absolutely no place here. Incidentally, when it comes to public identities, the blockchain is about as useful as the PGP server network, albeit more complicated and more expensive, i.e. useless. The one thing that makes these identiti
Blockchain: the new 2 mpg car (Score:1)
These days a single bitcoin transaction uses as much electricity as a home does in a week. How long before it requires a similar amount of computation, and by extension, energy, just to open a goddamn file?
Blockchain but what about SQRL (Score:1)
If you are not worried about Blockchain (Score:2)
You should be. The possibility of the ultimate loss of all privacy to the government should be scaring the bee-jeep-ers out of everyone!
Yet another end to passwords? (Score:2)
Re: (Score:1)
Yeah but this scheme is a hot way to score VC money.
So... (Score:2)
Another idiot who doesn't understand the tech proclaiming that it'll replace a tried and true standard when he doesn't really understand the scenarios where his product works or not.
Join the masses of idiots who said biometrics are going to replace passwords, among others.
Should've ignored it. Here's the red flag: "the geeks are working on it right now"
Private key? (Score:2)
Here's a clue for y'all (Score:2)
Whenever someone says 'blockchain', they're almost certainly leading into selling you an inefficient solution that doesn't apply to the problem they think it does.
Just say 'no' to blockchains.
About blockchain, I feel... (Score:2)
I've been intrigued by blockchain for months... but feel frustrated by the (lack of) technical material I can find on the subject.
I definitely want to use (something with what I understand to be the properties of) blockchain for a few different purposes:
You don't say (Score:2)
Oct 29, 1969 to Dec 14, 2017. :( (Score:2)