Like it or not, in order to use APIs and services across the internet, consumers must give up sensitive personal identity details as part of enrollment and membership. While protocols like OAuth and OpenID Connect attempt to mitigate exposure of these sensitive details to untrusted parties, ultimately some risk is still present. Minimizing this risk is viewed by many organizations as being paramount to truly securing our online identity.
To this end, IBM has announced the opening of its zero-knowledge proof platform, Identity Mixer, to developers on the Bluemix cloud. The goal of Identity Mixer is to reduce the need for individuals to transmit personal details to online services, instead relying on a “digital membership card” that proves the consumer is entitled to access the service or data they are requesting. A zero-knowledge proof is a cryptographic technique by which one party, the prover (in this case the identity owner), convinces another, the verifier (the service provider), that a given statement is true without revealing anything beyond the truth of that statement. In a transaction context, the idea behind "zero knowledge" is that the transactee needn't have any knowledge (in other words, "zero" knowledge) about the transactor other than receiving a form of proof that the transactor is authorized to transact. In the context of APIs, this means the API consumer proves it has the right to access a given resource on a given API, and the API provider grants access based on trusting the assertion of truth presented by the consumer.
The premise of the Identity Mixer solution is to take the zero-knowledge approach and extend it so that an API consumer has a single private key which in turn is tied to multiple public keys, each of which can generate the distinct cryptographic proofs (tokens) needed to authorize transactions with multiple API providers (verifiers). In other words, each public key and its associated downstream cryptographic token not only maps to a specific API provider, but is purpose-built for only the information that the API provider requires from the API consumer in order to transact. Generating several public keys from a single private key is generally regarded as bad cryptographic practice; however, according to its Web site, IBM has devised its authentication mechanism around a specific cryptographic technique that mitigates this limitation. IBM defines its approach as a “superior solution” given that “users can selectively disclose only those attributes that are required by the verifier and can do so without being linkable across their transactions.” The fact that the solution is based on public-key infrastructure (PKI) also means that consumers can transact without the identity issuer being involved in the transaction other than when a certificate needs to be renewed.
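A worked illustration of the idea in the two paragraphs above: one master secret, a different public key (pseudonym) for each API provider, and a zero-knowledge proof of knowledge of that secret that is bound to the provider's per-transaction nonce, so proofs for two providers cannot be linked or replayed. This is added example code, not IBM's Identity Mixer implementation (whose actual credential scheme the page does not describe); it assumes a plain Schnorr proof over verifier-specific generators in the RFC 2409 1024-bit group, and the attribute selective-disclosure part is not shown.

```python
import hashlib
import secrets

# 1024-bit MODP safe prime from RFC 2409 (p = 2q + 1): squares mod p form a prime-order subgroup.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2                     # order of the subgroup of squares
WIDTH = (P.bit_length() + 7) // 8    # fixed-width encoding of group elements

def _h(*parts: bytes) -> int:        # length-prefixed SHA-256, as an integer
    m = hashlib.sha256()
    for part in parts:
        m.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(m.digest(), "big")

def generator_for(verifier_id: str) -> int:
    """Per-verifier generator of the order-q subgroup, derived from the verifier's name."""
    for counter in range(256):
        g = pow(_h(b"gen", verifier_id.encode(), bytes([counter])) % P, 2, P)
        if g > 1:
            return g
    raise ValueError("could not derive a generator")

def pseudonym(x: int, verifier_id: str) -> int:
    """The consumer's public key as seen by one verifier: y_v = g_v^x mod p."""
    return pow(generator_for(verifier_id), x, P)

def prove(x: int, verifier_id: str, nonce: bytes) -> tuple[int, int]:
    """Schnorr proof of knowledge of x behind y_v, bound to the verifier's fresh nonce."""
    g, y = generator_for(verifier_id), pseudonym(x, verifier_id)
    r = secrets.randbelow(Q - 1) + 1
    t = pow(g, r, P)
    c = _h(verifier_id.encode(), y.to_bytes(WIDTH, "big"), t.to_bytes(WIDTH, "big"), nonce) % Q
    return c, (r + c * x) % Q

def verify(y: int, verifier_id: str, nonce: bytes, proof: tuple[int, int]) -> bool:
    """Recompute the commitment from (c, s) and check the Fiat-Shamir challenge."""
    c, s = proof
    if not (1 < y < P and pow(y, Q, P) == 1 and 0 <= c < Q and 0 <= s < Q):
        return False                 # reject elements outside the subgroup or range
    t = pow(generator_for(verifier_id), s, P) * pow(y, -c, P) % P
    return _h(verifier_id.encode(), y.to_bytes(WIDTH, "big"), t.to_bytes(WIDTH, "big"), nonce) % Q == c

if __name__ == "__main__":
    x = secrets.randbelow(Q - 1) + 1                    # one master secret, many pseudonyms
    nonce = secrets.token_bytes(16)                     # fresh per transaction, chosen by the verifier
    y = pseudonym(x, "shop.example")                    # the key the shop sees; the bank sees another
    print(verify(y, "shop.example", nonce, prove(x, "shop.example", nonce)))  # prints True
```

The verifier's nonce is what ties a proof to one transaction; without it a captured proof could be presented again, which is the replay check a provider should insist on.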
The flow therefore moves from this, where the issuer is actively involved:
To this, where the issuer is rarely involved:
In practical terms, this approach will clearly reduce the risk of exposure and potential theft, given that only the “statement” required to transact is transmitted, wrapped in a cryptographic token. The advantage of Identity Mixer, and of the zero-knowledge proof technique in general, over technologies like JSON Web Tokens is the variability it adds to the flow, making it difficult to track, and ultimately decode, a consumer's identity over multiple transactions. Because the technology is based on PKI, the authentication flow is also more efficient than, for example, OAuth, as new proofs can be minted without the identity issuer's involvement (except when certificate reissuance is required).
However, as with any framework produced by a large organization, adoption is key. Given that Identity Mixer is provided by a single vendor on its own cloud offering only, it places a proprietary burden on both developers and API providers that could amount to an island of technology versus more open, ubiquitous, and standard approaches. It will be interesting to see whether this proves to be a barrier to entry.
"Zero-Knowledge" Getting Some Traction
Zero-knowledge proof appears to be an area that will be of interest to any organization that values its consumers. Mike Philpotts, the Innovation Partner for authentication at Visa Europe Collab (the Visa Europe innovation hub), describes it as follows:
“Using zero-knowledge proof techniques to remove the need to share, transmit or store private information for authentication sessions has obvious potential for solving some of the existing pain points in the e-commerce world. Stepping up security while at the same time removing the password burden is the sweet spot for authentication in payments, and a definite area of focus for us at Collab.”
If other organizations place such value in using this technique we should see some exciting developments. We will continue to monitor and report on new initiatives as they emerge.