Fundamentals of Blockchain - Part III
Authentication and authorization of blockchain
Authentication, identity authentication more specifically, is the verification of the identity of the user (natural or legal person, or of an information system). In the case of IT verification, the most commonly used methods are depending on what the person:
• has (for example, a digital signature key in hardware or software form, a mobile phone to which a one-time token is delivered),
• what he knows (password, PIN,…) or
• what it is (biometrics).
In the case of blockchain entries without central authority, development focuses on non-interactive methods of authentication, primarily through digital signatures („key authentication”). A digital signature requires that the person who is to be identified holds a private (hereinafter referred to as "private") key that will cryptographically sign the sent message.
The relevant public key is then distributed in some trustworthy manner by the verifier - either as a so-called a digital certificate issued by a qualified trust service provider (qualified certificate) or by assigning a key to the person directly in the blockchain by a qualified person.
Authentication is closely related to provenance - the origin of the information. The signed record also carries undeniable information about the author.
Authorization is the process by which a person is assigned the authority to perform an activity in the information system - for example, whether the person has the opportunity to make a proposal, read the record, or approve the use of resources. Authorization usually follows authentication, when the system already knows who is accessing it, but has yet to verify that it can access it.
However, exceptions are schemes where authorization depends on the holder, not on the person of the holder ("everyone who has the key has access to the warehouse, regardless of his identity", "everyone who has the relevant decryption key has access to the encrypted document"), or the authorization requires the cooperation of several persons ("the contract must be approved by at least two managers").
Authentication and authorization in blockchain are performed by verifiers automatically, algorithmically. From a usability point of view, it is important that the solution provides authentication and authorization schemes that are appropriate for the specific application.
|
Access depending on |
Number of participants |
|
|
one |
More than one |
|
|
Identity |
A simple system of accounts, every user has one account,
authentication using private key of the person or certificate, each account has assigned capability. |
A flexible system of accounts, where, in addition to the accounts belonging to the persons concerned, there may be group accounts with advanced rules of administration (e.g. access to a company account is available to either the managing director or the majority of the board of directors). Access to such accounts requires the participation of the necessary participants. |
|
holder |
A system where each resource / resource group is assigned a key, key holders can manipulate with resources. |
A system where each resource / resource group is assigned a key, key holders can manipulate with resources. More keys may be required for manipulation (e.g. "two out of three" schemes). |
Possible solutions for blockchain access
In the case of a distributed, fully replicated database, it should be added that each connected computer has this database available. Therefore, other means, such as cryptography, where the resources are encrypted and a decryption key is required to read, must be used to deny read access to the content.
If someone obtains the decryption key, access to that content cannot be removed in the future. This also applies to DLTs that control read access - once content is made available to someone, it is not possible to ensure that they lose access to it.
Similarly, it is possible to make copies of a physical file - if someone is in possession of the file, it can be assumed that information from him will be available in the future.
Comparison of blockchain to traditional database technologies
Leaving aside "small" databases, traditional databases used in industry or government in most cases use client-server technology. The client (user) connects to the central node - server. Depending on the granted access rights (authorization), the server allows it to read, create, change and / or delete data.
The database is always under the control of a dedicated administrator. In this case, the term administrator does not necessarily mean one natural person - a system administrator, but an organization with its roles and processes is responsible for the state of the database (for example, Cadaster Administration, court keeping court files, law enforcement agencies leading investigative files, or IT department of the corporation maintaining its own data warehouse).
In this solution, the administrator has technically unlimited control over the database, its contents and rules. A potential problem is the compromise of the administrator, whether on a technical or personnel level, which would allow the attacker to bypass the rules and unjustifiably change or delete the data, or to write down facts that contradict the rules. Experience shows that this is not just a theoretical threat.
Blockchain is a decentralized database without a single dedicated administrator. All records are shared and verified in a wider group of validators and are unchangeable and permanent.
Blockchain is therefore suitable precisely where there are either high requirements for data integrity, where the credibility of the central authority is compromised, in other words its ability to prevent unauthorized access, or creating a sufficiently credible authority would be too expensive.
|
Feature / Solution |
Centralized system |
Private blockchain |
Consortium blockchain |
Public blockchain |
|
Privacy |
high |
high |
medium |
low |
|
Security |
low |
medium |
high |
the highest |
|
Scalability |
the highest |
medium |
medium |
low |
|
The power of central authority |
the highest |
medium |
medium |
none |
Comparison of centralized system and blockchain
Consensus algorithm
As already described, a blockchain can be understood as a distributed database, where all participants see the same content at the same time. To reach this consensual state, the so-called algorithms- consensus protocols.
The problem of byzantine generals and the tolerance of byzantine errors
A similar problem appeared in theory of games a long time ago known as the "problem of byzantine generals": a group of byzantine generals, from which each leads a section of the army, surrounds the city.
They need to agree on whether to attack or not. To succeed, everyone or none must attack - if only part of the army attacks, they risk defeating and losing a large part of the army, which is the worst possible outcome.
Some generals want to attack, others don't. Some of the generals can also cooperate with the enemy and manipulate the decision to the detriment of the mission. Since each general and his army are in a different place, they communicate with each other only by messengers.
However, the messengers are not reliable - they may be captured, or they may exchange the message that is being transmitted.
Byzantine fault tolerance (BFT) means the system's ability to deal with "Byzantine" faults (part of the group pursues its own goals, communication may not be reliable, etc.).
The consensus algorithm is BFT the way in which the group reaches the same decision on inclusion, meaning not including a transaction or block.