You are on page 1of 18

Advanced trust

services
facilitated by the
Industrial-Scale
Blockchain
technology

Risto Laanoja
Security Engineer

Outline
Guardtime
KSI
What it does
How it works
Trust assumptions
KSI / blockchain applicability in providing eIDAS trusted services
Standardization challenges

Advanced trust services facilitated by the Industrial-Scale Blockchain technology

1. Company Overview

Advanced trust services facilitated by the Industrial-Scale Blockchain technology

Introducing Guardtime

Who we are:
Systems engineering company, fundamental and applied research into cryptographic applications
Founded in 2007 in Tallinn, Estonia
Offices in Amsterdam, Palo Alto, Tallinn and Tartu
71 people

Advanced trust services facilitated by the Industrial-Scale Blockchain technology

2. KSI Technology
An Industrial Scale Blockchain

Advanced trust services facilitated by the Industrial-Scale Blockchain technology

Keyless Signature Infrastructure (KSI):


An Industrial Scale Blockchain
KSI enables real-time
massive-scale data
integrity validation.
The technology
overcomes two major
weaknesses of traditional
blockchains:

Advanced trust services facilitated by the Industrial-Scale Blockchain technology

Scalability

Settlement time

One of the most significant


challenges with traditional
blockchain approaches is scalability
they scale at O(n) complexity i.e.
they grow linearly with the number
of transactions.

In contrast to the widely distributed


crypto-currency approach, the
number of participants in KSI
blockchain distributed consensus
protocol is limited. By limiting the
number of participants it becomes
possible to achieve consensus
synchronously, eliminating the need
for Proof of Work and ensuring
settlement can occur within one
second.

In contrast the KSI blockchain


scales at O(t) complexity it grows
linearly with time and independently
from the number of transactions.

KSI Signature
The KSI Signature is a
piece of meta-data which
enables the properties of
the data to be verified.

Upon verification, KSI Signature


allows to assert:
Signing time
Signing entity
Data integrity

KSI uses only hash-function based


cryptography to make these
assertions without relying on trust.

Advanced trust services facilitated by the Industrial-Scale Blockchain technology

KSI Properties
KSI Signatures provide
proof of time and integrity
of electronic data as well
as attribution of origin.
The KSI System has
been in production use
since 2007.

Open Verification: For KSI Signature


verification, one needs to trust publicly
available information only - verification does
not rely on trusted insiders or security of
key-stores.
Massively scalable: KSI performance is
practically independent of the number of
clients or amount of data signed / verified.
Portable: Data can be verified even after
crossing geographical or organizational
boundaries or service providers.
Supports Real-time Protection: KSI
Signature verification requires milliseconds,
which allows clients to perform continuous
monitoring and tamper detection.

Advanced trust services facilitated by the Industrial-Scale Blockchain technology

Long-term validity: Proof is based only on


the properties of hash functions and does
not expire.
Carrier Grade: The KSI system architecture
is able to deliver 99.999% availability.
Offline: The KSI system does not require
network connectivity for verification.
Post-Quantum: The proof stays valid even
assuming functioning quantum computers,
i.e. does not rely on traditional asymmetric
or elliptic curve cryptography.
Absolute Privacy: KSI does not ingest any
customer data; data never leaves the
customer premises.

Introducing the Hash Calendar Blockchain


A global asynchronous Aggregation
Tree summarizing all submitted Hash
Values is built every second and
destroyed after all clients have
received their hash chains.

Calendar
Blockchain

The same tree is never rebuilt.


Only the Global Root Hash Values of
the Aggregation Tree are kept in a
public Calendar Blockchain.

Global
Aggregation
Tree

The Calendar Blockchain has exactly


one entry for each second since
1970-01-01 00:00:00 UTC
Hash Values

Advanced trust services facilitated by the Industrial-Scale Blockchain technology

Hash Chains

KSI Signatures Are


Proof of Data Integrity
HASH VALUE

Integrity is verified by
recreating the hash value
in the calendar using the
aggregation hash chain.
To connect to a widely witnessed
physical artifact, the publication
code can be recreated using the
calendar hash chain.
The widely witnessed root hash
cannot be recreated from altered
input data if the hash function used
is second pre-image resistant.
10

Advanced trust services facilitated by the Industrial-Scale Blockchain technology

Calendar

AGGREGATION HASH CHAIN

HASH VALUE

AGGREGATION HASH CHAIN

CALENDAR HASH CHAIN

PUBLICATION CODE

KSI Signatures Are


Proof of Signing Time

CALENDAR

The order bits encode the path


from the root to the leaf and prove
the time offset of the leaf from the
publication time P of the root hash
value if the hash function used is
second pre-image resistant.

THERE IS NO TRUSTED TIME SOURCE


11

Advanced trust services facilitated by the Industrial-Scale Blockchain technology

ORDER BIT

HASH VALUE

Signing time is encoded


into the shape of the
calendar hash chain.

PUBLICATION CODE

Time = P - 10

Introducing Identity
HASH TREE OF THE PARENT
AGGREGATION SERVER

Identity: the result of an


authentication request (whether
PKI, LDAP, Biometric etc) as an
identity tag in the KSI distributed
hash tree.
This works for machines.
For a true digital signature system
for humans we need nonrepudiation. Proposal: BLT
signature scheme.

12

Advanced trust services facilitated by the Industrial-Scale Blockchain technology

IDENTITY TAG

IDENTITY TAG

PARENT SERVER

Root hash request from


server A

Root hash request from


server B

CHILD SERVER
A

CHILD SERVER
B

3. KSI in eIDAS context

13

Advanced trust services facilitated by the Industrial-Scale Blockchain technology

KSI and eIDAS trust services


Signature / seal:
- Identification, RA work are hard!
- Employ PKI authentication or external identity
provider
- Cryptomathic and other vendors: no secure
element necessary?
- Verifying user certificates at signing time
simplifies the validation data
Time stamping: natural fit, post quantum
indemnification
Preservation service:
- Long term integrity guarantee
- No insider threat
Registered delivery: proof of sending, receiving,
time, integrity
14

Advanced trust services facilitated by the Industrial-Scale Blockchain technology

Registered
delivery
Electronic
signature
Electronic
seal

KSI blockchain
applicability
Electronic
time stamp
Preservation
service

Interoperability
Relying party protection: Independent verification

Interoperability: hard question

There is a copy of calendar blockchain in each Gateway


appliance, public information

Notary service to translate the formats?


Validation Authority (privacy?)

Root of trust is publication printed in globally available


newspaper
It is possible to create self-contained extended
signature token for true offline verifiability
No service provider help necessary

15

Advanced trust services facilitated by the Industrial-Scale Blockchain technology

Reality of business use:


Server-side processing, "apps", fixed workflow.
Preservation: usually closed systems.

4. The Message
Standardization challenge for non-traditional
technology

16

Advanced trust services facilitated by the Industrial-Scale Blockchain technology

The message
Risk-based accreditation process
Trust services are based on different technologies
with very different trust assumptions. Qualification
procedures must be based on actual risk, not
baseline of measures/features.
Example: time-stamping service provider audit
included ETSI TS 102 023 (Policy requirements for
time-stamping authorities) conformance check; fine,
we found some keys with formal management
procedures and HSM protection.

Standards should be technology neutral. Freedom to create


profiles, use alternative (future) algorithms and protocols.
Example: XAdES locks time-stamp to RFC 3161 format.
Signature field has algorithm ID though.
Example: evolution of Guardtime signature token: started with
the profiling of RFC 3161: used it as a container, specified our
own signature format with registered OID inside. Positive: few
insignificant applications were able to time-stamp data (no
verification). Switched to proprietary format: 40% smaller, local
aggregation for very high-volume local data signing.
Security primitives might not be plug-in replacements. Example:
many post-quantum secure schemes must keep state (e.g.
spent keys), KSI needs service URIs.

17

Advanced trust services facilitated by the Industrial-Scale Blockchain technology

Thank you

Risto Laanoja
risto.laanoja@guardtime.com