Analysis of the uPort Self-Sovereign Identity Implementation and Its Security Vulnerabilities

By Kyle Campos

Self-Sovereign identity is an identity management concept that is designed to replace the current central identity management framework. In centralized identity, the users are authenticated by a central authority. This central entity has authority because it stores all the information required to identify a user. Common examples can be passwords and usernames. However, what if a user needs to provide further information about their identity. Examples of this can be credit information, social security information and other sensitive data. This information will also be stored on the central authority. However, herein lies the problem with this form of identity storage. Thousands, even millions, of identities can be stored in one database. This is a large amount of sensitive, and valuable, data. If these databases are accessed by a malicious source, they will have access to many people’s private information. This is happening all over the world with data breaches at various companies. Some companies take their customers’ data seriously, but others do not.

This is where self-sovereign identity comes in. Everyone can be responsible for their own identity and provide as much or as little of their personal information as they want. This model of identification places the burden of storage on the user and takes advantage of blockchain technology to tie the system together. There are four major parts to this system. The issuer, the holder, the verifier and the blockchain identifiers. The issuer is an entity that gives credentials. Examples can be a bank or the government. These places are already trusted, so their credentials hold authority. The second entity is the holder. This is the individual SSI user. They hold identification that applies to them and only them. The final entity is the verifier. This segment is a renter, employer or anyone who would need a credential to verify a fact about an identity holder. An example could be an employer who wants to verify that a holder is a legal resident of a country. All three of these entities lie on top of a blockchain. The blockchain is the glue that allows the trust between these three entities to exist. This is because of the blockchain’s immutable ledger. For example, the government can issue you a license with essential information on it. They then sign onto the blockchain that they indeed gave a license to a specific holder. Then, when an employer wants to check your license to do a background check, they can verify the bank’s signature on the blockchain. This process ensures that the identification was issued and not forged.

Through this method, individual people can have power over their personal details. They can submit as much information as they want to a verifier. They don’t have to give any extra unrelated information that might be compromised in the future.

U-Port builds off the framework of the traditional Self Sovereign Identity Management system. As discussed earlier, Centralized Identity Management requires a central authority to manage an authentication process. uPort is designed to avoid using this central authority. With this system, the control of the identity of a user is transferred from the central authority to the user itself. This is the basis of the uPort user-centric identity.

To accomplish this, uPort utilizes the Ethereum blockchain. The Ethereum blockchain is the foundation that the rest of the U-Port SSI system sits on. This blockchain features smart contracts. These are the pillars of the uPort authentication system. The smart contract is a program written and stored on the Ethereum blockchain. As the blockchain is immutable, these programs form the functional basis of the essential authentication functions of the uPort system. When signatures need to be verified by a holder, issuer, or verifier, they utilize these smart contracts. They are the workhorses of the uPort system.

uPort features the trust network that is the cornerstone of SSI. This is the model of the issuer, holder, verifier and a blockchain. There are several components that uPort has created to make this relationship work. The controller, proxy and registry contracts are essential pieces of this puzzle. These contracts act as identifiers for a user and their keys, control access to identities and keys and provide cryptographic security to the system. These are essential functions of any self-sovereign identity system. The symmetric exchange of keys is how the verification process functions. Without this, it would be impossible to identify different parties and the information they want to exchange. The uPort system also implements several servers with specific functions. These servers add additional features to round out the usability of a self-sovereign identity system. The Chasqui Message Server handles all intercommunications between the user’s mobile application and other decentralized applications. The Sensui Gas Fueling Server provides an ease of access service for uPort customers. This server functions to handle the complex payment method of using the Ether blockchain. By doing this, customers can create uPort profiles instantly and never have to handle cryptocurrency. There are a couple other servers that interface a communication method with the Ethereum blockchain and the IPFS file transfer system. These servers are called the Infura Ethereum RPC and Infura IPFS. This provides a more usable experience on top of this complex framework of communication.

The uPort implementation has gone further to create a mobile application called MyDApp. This app can log into the system, create credentials, issue credentials, request credentials and verify credentials. This extra feature of usability highlights the future of self-sovereign identity systems. The more practiced and friendly this service becomes, the wider it can be implemented. Theoretically, the application for this type of identification is endless. It could replace all other methods of ID, even physical.

In conclusion, uPort implementation is operable and provides many of the intended functions. Users can join the network easily and create their identities with no upfront cost or need to purchase cryptocurrency. They can store their data on an application of their choosing and are provided with a secure method of transfer. It succeeds in giving the user total control over their identity. It gives key management functionality and has methods of key recovery. These features can be built upon to make the system more usable and convenient.

However, user-centric identity management systems and uPort have some disadvantages. The private key storage is essential, if this private key is compromised then the user’s identity will be compromised. This can be arguably more dangerous than central identification. If a user has their keys leaked, they could have their most essential identification stolen and have all aspects of their identity copied. Contrasted with central identity storage, a user might not store their most sensitive identification on one companies’ server. The uPort recovery service is an attack vector that could be used to gain personal information from contacts or compromise a user’s identity. This is not an obvious problem, but wide scale implementation will scale this vulnerability. A new type of scam could develop on the basis of identity recovery. This could happen when utilizing uPort’s physical recovery process. This process relies on physical relationships with a user’s friends and family. These documented recovery sources could be targeted in common ways like phishing and scamming for their own data. Unfortunately, the uPort system specifically is not scalable to a huge user base. Overall, wide scale implementation is still not feasible for this system, but uPort is still theoretically operable and well formulated. The logistics of implementing this is the next step of development for systems like uPort. However, at the rate that technology and the internet is advancing, one can hope that this type of technology will be given precedence soon.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s