Blog | LF Decentralized Trust

Full decentralization of Hyperledger Fabric through embedded IoT solutions – Hyperledger Foundation

Written by Hyperledger | Feb 17, 2021 9:00:00 AM

Almost a year ago, Telefónica brought TrustID to Hyperledger Labs as an open source project.  Telefónica initiated development of TrustID to ease the management of identities across several blockchain networks. The initial idea of TrustID was to decouple the issuance of identities from their consumption and allow users to operate in some networks with credentials issued in others. In this manner, users shouldn’t need to hold a different set of credentials for each network or decentralized application they interact with.

Furthermore, TrustID provides the opportunity to decentralize identity in Hyperledger Fabric. When you deploy a blockchain network using TrustID, identities are organization locking and, therefore, they are centralized on the Certificate Authorities (CAs) that have issued them. Inside the network, several CAs can co-exist, but easy onboarding of new organizations is an unsolved problem that makes it very hard for the network to grow organically as new partners join. Initially, TrustID, as a first approach, solves this restriction of the identity management in Hyperledger Fabric. Furthermore it brings to this technology the chance to really enable a custom decentralized identity management.

As you scale up a deployment, adding many different organizations from different origins, many without trust relationships between them, this identity issue becomes much more serious and limiting between them. However, shifting to decentralized identity management ensures that a network is not dependent on the companies that are part of the solution, making it more resilient in the face of change and growth.

A clear example where we can appreciate these characteristics is the case of the IoT world. Use cases often include companies providing monitoring services with IoT devices, operators offering the communication network, and owners of the devices looking to apply the benefits of this technology to their blockchain-based traceability projects.

The identity management in IoT is a complex scenario that involves the provisioning of certificates in the device and the need to have a public key infrastructure. This process must be accomplished in a secure way, verifying the software in the factory. Once provisioned, the device is able to use its certificate to sign communications with the aim of demonstrating its identity.

However, it’s also known that sometimes the devices are limited in performance or storage. For example, they could be designed to write once in their memory in all their useful life so, if we need to change an identity because the blockchain network has changed, the device could be useless for a blockchain use case.

On the opposite, when the devices can write in their memory many times, the process of updating the firmware or any information stored on it securely is also a hard process. So, at the end, it’s a requirement to have a flexible management of the keys stored at first instance, which, thanks to TrustID, is possible.

Recently, aitos.io and Telefónica have collaborated on a PoC to integrate IoT technology with Telefónica’s TrustOS product. The goal was to use  blockchain technology to perform interactions from the device to the ledger, provisioning the identity and the keys associated directly on the device.

aitos.io developed its blockchain application framework, named BoAT (Blockchain of AI Things), which is an IoT-device-oriented C-language client library for blockchain services, to enable IoT devices to access blockchain. In this PoC, BoAT running in a Fibocom FG150, a 5G blockchain module, helps a FG150-based IoT device access TrustOS services directly. So, as a result, it has been possible to create signed transactions on the device in order to be stored in the TrustOS platform, which is based on Hyperledger Fabric, without any intermediary.

The device manufacturer could register every device onto the TrustID service of TrustOS and write the unique DID allocated by TrustID into the device. When the device is powered on and connected to the network for the first time, BoAT, in the device, imports the device into TrustOS by signing its DID in a JSON Web Signature (JWS) message. In this way, the device, and not the application, is the custodian of the private keys that would be used to sign transactions.

BoAT also provisions the IoT device asset, as a digital twin, on the TrustOS Track service that offers all the traceability functionalities in order to give full transparency of the physical device. Then, the device comprising the BoAT-enabled 5G blockchain module can send periodic updates on its status  (e.g., vehicle speed, heading, etc.) to TrustOS by composing additional JWS messages. All of this generates the possibility of offering, in a transparent way, the traceability of the data generated by the device.

TrustOS and BoAT interaction diagram

In deployments with integrated BoAT technology, all the data the IoT device captures could be directly sent to TrustOS with a cryptographically verifiable DID identifying their origin. That is, not only the data integrity is assured by the Hyperledger Fabric blockchain under TrustOS but also the data provenance can be identified by TrustID. Tampered-resistant IoT data with identifiable origin builds a great value for the industry.

From the point of view of TrustOS, thanks to the implementation of the machine-to-machine interaction and how TrustID manages the authentication and access to the system, it’s possible to avoid unauthorized tampering or unexpected updates. As a result, it adds extra trustworthiness-proof beyond the standard KPI.

Cover image by Pete Linforth from Pixabay.