It has been almost a couple of months since my last Real World Applications of Cryptocurrencies post, but its back with a bang. Following on from my previous post on Art & Collectibles & the Codex Protocol, which you can find here, I will be discussing how User Authentication will be disrupted with the emergence of the blockchain and cryptocurrencies.
Overview
Cybercrime is a major problem in today’s tech-driven world, and it’s only getting worse; it’s the fastest growing crime in the United States. The cyber security market is expanding rapidly, purely driven by the rise in cybercrime. According to a Cybersecurity Ventures report, the cyber security industry saw a growth of over 350% between 2004 and 2017. It grew from $3.5Bn to $120Bn in just over a decade with governments and institutions investing billions upon billions in cyber security.
The report also points out how cybercrime will cost the world $6Tn in 2021, an increase of 200% from the $3Tn figure in 2015. Digging a bit deeper into numbers, in a recent survey, the UK Government, reported that over 43% business have “experienced a cyber security breach or attack” in the past year alone.
The Problem
As mentioned in the previous section, governments and companies spend billions on cyber security. Cyber attacks can come in a multitude of forms but in this post I will focus on user authentication attacks. These include (definitions taken from techopedia and rapid7):
- Brute-Force and Dictionary Attacks — in which an attacker tries to log in to a user’s account by systematically checking and attempting all possible passwords and passphrases until the correct one is found.
- Pharming — redirects website traffic through hacking, whereby the hacker implements tools that redirect a search to a fake website.
- Phishing — is the fraudulent act of acquiring private and sensitive information, such as credit card numbers, personal identification and account usernames and passwords. Using a complex set of social engineering techniques and computer programming expertise, phishing websites lure email recipients and Web users into believing that a spoofed website is legitimate and genuine.
- Malicious Browser Add-ons — the act of intercepting sensitive information (i.e. passwords and cookies) by serving browser add-ons.
- Man-in-the-Middle Attacks (MITM) — allow attackers to eavesdrop on the communication between two targets. The attack takes place in between two legitimately communicating hosts, allowing the attacker to “listen” to a conversation they should normally not be able to listen to.
- Social Engineering Attacks — the non-technical cracking of information security. It applies deception for the sole purpose of gathering information, fraud or system access.
Currently, usernames & passwords are the predominant way to authenticate users. Unfortunately, due to human nature, password-based authentication is extremely weak. Humans are not great at creating effective passwords and very often choose easy-to-obtain passwords. On occasion, when people do create effective passwords, these are often written on a piece of paper or an electronic document making them significantly less secure. Additionally, passwords are likely to be re-used for multiple logins or infrequently changed.
Just to give you an idea how serious this problem is, Verizon’s 2016 Data Breach Investigations Report found that 63% of confirmed data breaches involved weak, default or stolen passwords.
In order to solve this problem, multifactor authentication (MFA) has been introduced in many places. MFA is the process in which you need to confirm your identity using additional ‘factors’ (using an app on your phone, a code via SMS, etc.). Unfortunately, this secondary security measure, isn’t fool proof either, as there have been numerous cases of accounts being compromised even with MFA enabled.
An alternative to 2FA is certificate based authentication, in which users are securely authorized by exchanging a digital certificate instead of a username and password. This solves some of the issues with username & password authentication (like phishing, MITM) but not everything.
Certificate based authentication is built using a centralized Public Key Infrastructure (PKI). The backbone of PKIs are digital certificates (that can only be issued by centralized authorities) which are used to cryptographically link ownership of a public key with the entity that owns it. This offers stronger security (but not fool proof) as a trusted part mutually authenticates the client and server through a secure channel. Unfortunately, these certificates are centrally managed and vulnerable to cyber attacks. You can find more information on digital certificates and PKIs, here.
To conclude this section, there are two major issues with user authentication today; the weakness of passwords and the centralized instances of PKI.
The Proposal
REMME caught my attention when researching this particular problem.
REMME is a solution leveraging an open source protocol whilst utilizing the blockchain to replace traditional centralized instances of Public Key Infrastructure (such as Certificate Authorities, Registration Authorities, Lightweight Access Directory Protocol etc.). It’s doing so with a blockchain based Network of Trust, built on top of Hyperledger Sawtooth.
In simpler terms, REMME utilizes the blockchain in order to provide the ability to log in to any service (that implements REMME) more securely by getting rid of the need for passwords.
REMME is a Ukrainian company launched in 2015 by Alex Momot and Kate Pospelova and was the winner of the Microsoft Blockchain Incentive award in 2017. On October 2017, REMME launched a pilot program for companies looking to trial their ecosystem. Since then, it has attracted interest from almost 300 global enterprises coming from a variety of industries, including, Ukrinmash, Infopulse, Hotmine, Constitutional Health and Changelly.
How It Works
Simply put, REMME is creating a distributed Public Key Infrastructure (PKId) with the blockchain acting as central authority.
REMME will provide the ability for users to generate/revoke their own certificates. Once these are generated, nodes will need to validate the transaction. Upon validation, a unique identifier of the certificate (it’s hash), it’s state (whether it was issued or revoked), the public key and expiration date, are stored on the blockchain. This essentially creates an immutable record to validate certificates required for authentication.
When a user wishes to authenticate, they will be able to do so with a simple click. A check will then be performed on the blockchain to verify that the device’s certificate is correct with entry granted entry once verified.
You might be wondering what happens if this device gets lost or stolen? The REMME team provides an excellent explanation with what will happen in this scenario, here.
To complement their protocol, the REMME team is building a number of Decentralized Applications (dApps), including:
- REMME WebAuth— a white label authentication system that will allow users to log on to services without a password. You can try the WebAuth demo, here, with details on how to do so, here.
- REMME Enterprise — Secure access to internal corporate systems utilizing X.509 self-signed certificates for authentication and secure user access, at a device level without the need for username & passwords.
- REMME for IoT — Authorization for device-to-device communication
Additionally, REMME is creating an SDK which gives developers the ability to create their own dApps on the REMME blockchain.
As a matter of fact, REMME has just rolled out a part of their solution on their testnet. This includes the following:
- The REMChain, consisting of 5 masternodes (to maintain the testnet)
- The REMChain Block Explorer dApp
- The REMChain Node Monitoring dApp
- The REMME WebAuth Demo dApp
You can find more information about the above and their testnet release, here.
As a matter of fact, REMME’s testnet contains all necessary functionality for the complete life-cycle of digital certificates. REMME invites developers to explore how the technology works and compliment the already existing use cases by implementing their own ideas on the protocol.
The REMME team has created a brilliant video showing how it all comes together, which you can find below.
To keep up to date with their latest developments, make sure you visit their website and join their community. If you want to dig even deeper into their technology, make sure to check out their blog at REMME.
The Solution
By introducing the PKId and a suite of dApps to accommodate it, REMME is killing 2 birds with 1 stone — username & passwords weakness and the centralized nature of today’s PKIs. It is in prime position to solve the issues discussed above (and improve upon them), in the following ways:
- Better Credential Storage — By leveraging the blockchain, REMME removes the need for centralized storage making user credential leaking virtually impossible.
- Reduced Costs — As governments, companies and individuals spend more and more money to secure their systems and processes, REMME eliminates the need for much of this, thus bringing costs down.
- Removal of Human Factor — The human factor is the weakest link in the cyber security chain (phishing, common passwords, etc.) and by removing it from the equation, improves security significantly.
- Stronger Protection — REMME removes the weak parts of cyber security from the equation; most notably passwords and centralized PKIs which are the most vulnerable part of cyber security.
You can find a full list of cyber attacks REMME can protect against, here.
How Are Remme (REM) Tokens Used?
REM will be central to all operations in the ecosystem and will act as a utility token to access PKId and the dApps built on top of it. REM can be used in the following ways:
- Certificate Generation — Products wishing to use REMME will pay REM to generate certificates for their clients, employees, partners, etc.
- dApp Creation — Developing and releasing a dApp on top of the REMME Protocol will require REM.
- Staking — REM can be “frozen” (staked) in order to setup a masternode (250,000 REM required). Once staked (and approved), masternodes “have the opportunity (if the consensus algorithm chooses them) to sign the block transaction and get a reward”. You can find more about REMME’s masternodes, here.
How many claps does this post deserve? How about a follow?
If you enjoyed this post, please feel free to 👏 clap 👏 many times (you know you want to!), give my blog a 👣 follow 👣 and 🤲 share 🤲 with your friends. There’s a limit of 👏 50 claps 👏 you can give to each post, so I urge you not to try and exceed that limit… you might break Medium!
Speaking of which…
If I still have your attention, please leave a comment and let me know what else you would like to see me writing about. You can find links to my social media and sign up to my newsletter below.
contact@ermos.io
You can also show your support by donating to the following address:ETH: 0x4c7195E074cf0Ab6F77Bdb7C97Fd2567066Bb712
Disclaimer: All information and data on this blog post is for informational purposes only. My opinions are my own. I do not provide personal investment advice and I am not a qualified licensed investment advisor. I make no representations as to the accuracy, completeness, suitability, or validity, of any information. I will not be liable for any errors, omissions, or any losses, or damages arising from its display or use. All information is provided as is with no warranties and confers no rights.