Classically, commerce involving the transfer of goods or services among people required bilateral agreements. Consent to such agreements needed to be recorded and preserved, typically with pen and ink signatures. With the advent of electronic commerce, a more robust electronic scheme became available, but it suffers from the ease of impersonating one or more of the parties. In analogous fashion, voting in political elections has traditionally been done by pen and ink marking of ballots. Electronic voting in elections promises more participation of the electorate, but also suffers from the ease of impersonating one or more of the voters. As used in this disclosure, “voting” refers to any type of endorsement: whether it entails the casting of votes in an election, the giving of consent to a transaction or contract, or otherwise. The party voting is referred to as a “peer,” the communications between peers take place in a “channel,” and the process is mediated and facilitated by a “repository.”
Nations have always relied upon the existence of a central trusted organization, such as banks, clearing houses, exchanges, and election boards which were designed to be a trusted third party accepting legal, financial and regulatory liabilities, to facilitate the collection of votes and confirm the exchanges of assets or election of political candidates.
As the transaction systems moved from face-to-face personal physical transactions among known reliable parties to the use of private networks and then to the Internet for network-based electronic communications, there was always the possibility for someone to corrupt the systems intentionally, accidentally, or through reckless disregard, causing catastrophic consequences.
Public Key Infrastructure (PKI), hashing algorithms, and symmetric key cryptography solutions are the fundamental cryptographic technologies that provide the essential security backbone for use by blockchain systems. Well known to cryptographic practitioners in the art, PKI trusted third party certificate authorities issue digital identity public key certificates as credentials to devices or humans, after vetting the certificate recipient to verify authenticity against a set of policies and criteria agreed to by the recipient's organization through a Certificate Practice Statement or similar binding vehicle. Human or device peers, through programmatic processes, create unique public key pairs and symmetric encryption keys that are used in the authentication and encryption processes in conjunction with the digital certificates created by the certificate authority.
These technologies are widely used by enterprises today to provide strong authentication and data encryption credentials for private and shared environments and therefore fulfill the needs of blockchain environments. With the reliance on the private keys used in digital signatures to ensure integrity of data and trust in the identity of the peer senders, and for sharing encrypted data to authorized authenticated parties, it is critical that key management functions such as symmetric and public key pair generation and related cryptographic parameters be protected to enforce an absolute reliable trust model for data access and confidentiality whether stored within the blockchain or in data repository or archive storage.
The most general underlying scheme is that of the distributed autonomous organization or industry consortium application model that can be implemented as a software dapp with supporting backend smart contracts. This common dapp is accessible to all peers of the channel. Repositories may contain secure storage in a centralized architecture, or storage can be maintained by a decentralized collection of storage media, or a secure interface to an encrypted cloud storage. Secure storage media receive and distribute only encrypted data assets and do not store, and therefore cannot distribute, the data encryption keys. Currently available systems, including IP rights management systems such as the Azure Rights Management System (“RMS”) can be interfaced to provide this service. Collectively, these distributed storage locations may be referred to as part of “the repository.”
Externally, there is the collection of peer users or automated devices that belong to the channel and potentially have access to the encrypted assets that include create, modify and delete access modes. As will be described, these peers (or an enabled subset of them) function as the decision makers that dynamically determine the access control capabilities extended to other requesting peers. Within that outermost ring there is the collection of network client computers, and in a preferred embodiment, each is connected to a designated live drive such as a SPYRUS® Windows To Go drive containing an integrated hardware security module (HSM). In that embodiment the drive supports a bootable image of an operating system and the HSM supports the cryptographic functions, and the enabling applications reside on the bootable images of each node's HSM, as does the blockchain and virtual machine of the DLT. In alternative embodiments, the functions of the HSM and the live drive can be implemented in software, but as presented earlier, at great compromises to the security and integrity of the entire blockchain and in the trust of the identity of the peers.
For blockchain data confidentiality and integrity, transaction files and related data records that reside on physical sectors on a repository storage media require encryption to protect their contents from unauthorized disclosure, and processing with digital signatures to ensure integrity. Whether a system of such objects is distributed over a network or centrally shared among multiple authorized users distributed across a network, the issue of secure access mediation through cryptographic key sharing is an essential safeguard for the contents of the data objects under protection.
The security of data at rest and in motion has equal importance to the immutability of blockchain files in preserving the secure state of the system by ensuring that data is created, accessed and modified by authenticated authorized users only under tightly controlled keys that are available to those same authorized users only. While centralized data repository stores are discussed in the illustrated embodiment, it is possible to adapt the described solution to a decentralized autonomous organization (DAO) and related distributed systems based on blockchain technology.
The added protection of auditability is essential as a proof of secure state in the blockchain system. The Distributed Ledger Technology provided by blockchain main network providers enables a user or organization to ensure that a data object has not been created, accessed, modified or destroyed unless by an authenticated authorized peer known to the system. Actions on sensitive data must be permitted by an auditable consensual or voting process using modes of access approved by policy and verified by a minimum number of known and qualified agents. The linking of public DLT and secure data object storage is natural, but private blockchains derived from main networks are also appropriate for the requirements under discussion. The invention's voting mechanism is DLT-agnostic in that it is designed to work with public or private blockchain implementations that can be either consensus-based or not.
Systems which moderate such processes using blockchain software technology alone have the disadvantage that cryptographic keys and related cryptographic parameters are inadequately protected and the identity of qualified approving agents may be spoofed by hostile agents. Disclosure of blockchain cryptographic encryption or signing keys to attackers, or vulnerabilities from cybercriminal or competitive organization attackers can result in disablement or impairment of the auditability of the blockchain records that protect the system. Destruction of credentials also represents a threat to the system, resulting in impaired availability, or a complete loss of availability, of protected information assets.
Software and network interfaces attempt to protect the data objects and cryptographic keys and authentication data by conventional storage in standard software-based systems. But expert opinion still holds that hardware protection and storage of critical security parameters (CSPs) in hardware security modules such as the Rosetta® HSM produced by SPYRUS, Inc. of San Jose, represents the most secure protection for the data assets of the system. Rosetta® HSMs ensure absolute trust by securing cryptographic keys and identities in a hardware root of trust with FIPS 140-2 Level 3 certification which precludes their export or access by unauthorized devices, services or people and is recognized as an international standard of quality for protection.
The security and trust of the whole blockchain system depends on the security of the cryptographic parameters and key management. Cryptographic keys, initialization vectors (if applicable), and authentication data such as passwords, passphrases and PINs require the most secure form of storage to ensure that the secure state of the system and its data contents are absolutely protected. Protection of the CSPs as well as the peer replication copy of the blockchain itself in mobile or portable environments can be provided by bootable live drives such as the Windows To Go drives produced by SPYRUS, Inc. These FIPS 140-2 Level 3 drives include encrypted compartments for the blockchain, the operating system, blockchain applications and chaincode, other user or device/enterprise data, and include an integrated Rosetta® PKI smart card chip to support the symmetric and public key management functions required for blockchain security with a hardware root of trust. The hardware security module is the proven and globally accepted robust solution for the protection of security critical data.
An important characteristic of DLT systems is whether the system is permissioned or public (i.e., permissionless). Open-ended systems such as Bitcoin and Ethereum are permissionless. They are publicly available for use. A public DLT permits any peer or non-peer to read the blockchain, make changes to the blockchain that are permitted by policy and add correctly formed transactions or blocks to the blockchain. Any node can conduct transactions as well as take part in the consensus process to advance the blockchain.
If any of the foregoing operations are not universally permitted, the DLT is said to be permissioned to the extent of the controls imposed. Permissioned platforms such as Hyperledger Fabric and Multichain are aimed at consortiums or groups of member organizations where participation is close-ended. Advancing the blockchain is restricted to a fixed and approved set of peering nodes that are run by consortium members. Required permissions or privileges for peers to read, transact, add applications, change blockchain chaincode or contract components are defining attributes that characterize the DLT as permissioned. This is why it is critical that participating peers be trusted and authenticated, generally through digital identity public key certificates, and authorized with roles and permissions typically described in an attribute field of certificates or access control tables within a blockchain. Hence, because of these restrictions and controls regarding identification and privileges of peers, commercial systems which require auditability and strong authentication of peers are built around permissioned blockchain systems.
Another important attribute of Distributed Ledger Technology is consensus: all nodes in the network agree upon a consistent global state of the blockchain. Replication of state ensures that the blockchain is not lost if one or more nodes crash. A consensus mechanism is the process whereby a chosen or random group of network validators achieve agreement on the state of a ledger. Updating the replicated shared state happens according to pre-defined state transition rules defined by the state machine (the computing device upon which a blockchain executes), which is executed on all the replicas.
The state machine rules ensure that all nodes executing them with identical inputs will eventually produce the same outputs. This results in eventual agreement on the change of any blockchain via the consensus protocol. The blockchain replicas also communicate with each other to build consensus and agree upon the finality of the state after a blockchain change is executed. In many public, and some private DLTs, a group of miners or validators mediate transactions from peers by forming a block that will be added to the blockchain.
For a consensus-based blockchain network, achieving consensus ensures that all nodes in the network agree upon a consistent global state of the blockchain. The invention described will work with both consensus-based and non-consensus-based blockchains because it provides a new highly secure environment in which chosen voters or validators can come to agreement on the common updated state of all blockchain replicas. While in use, consensus-based mechanisms ensure that the nodes in the network collectively agree on a set of updates to the state of the blockchain, while allowing peer participation in the consensus process. For an encryption-protected decentralized and replicated blockchain file storage system maintained and managed by a channel of peers, an additional level of trust is needed for control and audit as the use of Distributed Ledger Technology blockchains becomes embedded within global commercial transaction applications ranging from finance to health care to trade. It is necessary to impose a permissioned mode of operation for file creation, modification and deletion. To this list may be added restoration of a deleted file, or movement of a file copy outside the system or publication of a file. This is particularly true for systems where ownership rests with the channel and not the individual peer. The advantage of a homogeneous K-of-N voting system is the secure and fair permissioned access that it affords the collective peer group without necessarily centralizing the repository storage.
Third party centralized services still dominate the digital economy and demand highly automated processes that may or may not be distributed over the Internet in the form of specialized servers, cloud storage sites and high-speed network components. With increasing velocity of the expanding global economies, the most centralized businesses, such as banks, transportation and shipping firms, and government services such as voting boards or customs and tax agencies, seek ways to reduce manual and hard-to-automate processes, and thereby eliminate bottlenecks. At the same time, however, it is important to provide a secure audit trail of all transactions, so that in the haste to eliminate bottlenecks there is no opportunity for fraud or deception.
Further, it is often necessary or desirable to enforce a specific order of voting. For example, in a commercial transaction between A and B, B may not want to vote and show consent until A does so first. In an election it may be desirable to limit casting of votes to situations where certain predicates are present.
What is needed then is a method for voting that authenticates the peer and provides a robust audit trail. It would be desirable that the method optionally allow for enforcement of voting order.
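The requirements stated above (authenticated peers, a K-of-N threshold, an audit trail, and optional enforcement of voting order) can be illustrated as follows. This is an added example, not code from the disclosure: the class and function names, the per-peer keys and the hash-chained log format are assumptions, and HMAC stands in for digital signatures made with HSM-held private keys so that the example runs with the Python standard library alone.

```python
import hashlib, hmac, json
# Constructed sample keys; in the described system each key would stay inside a peer's HSM.
PEER_KEYS = {"A": b"key-A", "B": b"key-B", "C": b"key-C"}

def sign_vote(peer, request_id, choice, key):
    # Peer side: bind identity, request and choice (HMAC stands in for a signature).
    msg = json.dumps([peer, request_id, choice]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Repository:
    """Mediates one K-of-N vote and records every attempt in a hash-chained log."""
    def __init__(self, request_id, k, order=None):
        self.request_id, self.k = request_id, k
        self.order = order or {}      # peer -> peers whose approval must come first
        self.voted, self.approvals = set(), set()
        self.audit = []               # list of (entry, chained digest)

    def _log(self, event):
        prev = self.audit[-1][1] if self.audit else "0" * 64
        entry = json.dumps(event, sort_keys=True)
        self.audit.append((entry, hashlib.sha256((prev + entry).encode()).hexdigest()))

    def cast(self, peer, choice, tag):
        key = PEER_KEYS.get(peer)
        expected = sign_vote(peer, self.request_id, choice, key) if key else ""
        if not key or not hmac.compare_digest(expected, tag):
            result = "rejected: authentication failed"
        elif peer in self.voted:
            result = "rejected: duplicate vote"
        elif not set(self.order.get(peer, ())) <= self.approvals:
            result = "rejected: out of order"
        else:
            self.voted.add(peer)
            if choice == "approve":
                self.approvals.add(peer)
            result = "accepted"
        self._log({"peer": peer, "choice": choice, "result": result})
        return result

    def approved(self):
        return len(self.approvals) >= self.k

    def audit_intact(self):
        prev = "0" * 64
        for entry, digest in self.audit:
            if hashlib.sha256((prev + entry).encode()).hexdigest() != digest:
                return False
            prev = digest
        return True
```

Rejected attempts are logged as well as accepted ones, so a spoofed or out-of-order vote leaves a record, and altering any earlier entry breaks the digest chain checked by `audit_intact()`.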