DNSSEC: Nameshield adopts ECDSA

DNSSEC is the protocol that guarantees the integrity of DNS resolution by establishing a chain of trust all the way back to the root. Data security is ensured by a mechanism of cryptographic keys that sign DNS zone records. Historically, DNS operators have used RSA keys (RSASHA256 algorithm), renowned for their robustness.

As an alternative to this asymmetric cryptographic algorithm, there are elliptic curve algorithms. In the case of DNSSEC, the “ECDSA Curve P-256 with SHA-256” algorithm (RFC 6605 and 8624) offers a higher level of security with smaller key sizes.

The ECDSA algorithm is increasingly being implemented by major players in the domain names industry, such as Verisign and AFNIC, and aims to become the standard.

This has several advantages over our current implementation:

  • Smaller signatures and smaller zone files (approx. -33%);
  • Faster zone transfer and reload;
  • Improved signing performance;
  • Potentially faster DNS requests (less reliance on IP fragmentation);
  • Reduced amplification factor of DDoS attacks based on DNS.

For all these reasons, Nameshield has chosen to use this algorithm by default to secure its own domain names and those of its customers.

Image credit : Nameshield with storyset.com

ION: decentralized identity on Bitcoin

ION: decentralized identity on Bitcoin

The digital identity of tomorrow

Identity is an integral part of the digital world in which we live. Any individual, organization or computer is represented virtually by one or more identifiers, closely or distantly linked to different data. The digital identity allows to make the link between a real entity and its virtual representation.

Whether it is to authenticate, communicate or use a service on the Web, we use unique identifiers, which are associated with several personal information (email addresses, pseudonyms, random ids, etc.). These identifiers are usually managed by organizations that have control over our data. This data can be analyzed, altered, sold or stolen without the users’ consent, which represents a threat to their privacy. We must not forget that the data business is worth billions of euros; users do not always realize that their data has a real value.

It is from this observation that the concept of decentralized identity, also called self-sovereign identity (SSI), was born.

Decentralized identity aims to give users back control over their data, being at the core of Web3. It is based on decentralized identifiers (DID), deployed on a distributed registry. Users are the only ones who can manage their DID and the data linked to them. They can associate only the information they wish to share.

Several actors are developing solutions to build decentralized identity systems. Today we are going to take a look at one of them: ION (Identity Overlay Network). It is a decentralized identity management network, based on Bitcoin.

ION: decentralized identity on Bitcoin
Source : https://identity.foundation/ion/

SideTree: an identifier management protocol

In 2017, members of the Decentralized Identity Foundation (DIF) began working on a solution to manage decentralized identifiers, particularly using Blockchains as registries. The idea being to register credentials on a block chain, so that they can be verified and self-monitored by their holders. Because of its decentralized registry properties, Blockchains are particularly well suited to this need. Several projects around decentralized identity have used this type of technology to manage DID.

One of the problems of blockchains is the difficulty to scale up: scalability. For example, on Ethereum the network is often saturated, which causes slowness in transactions processing and increasing costs. Other blockchains offer better performance, but make a compromise on security or on system decentralization. This is known as the blockchains trilemma.

For an identity system to work on a global scale, it must be scalable. For this, there are solutions called Layer 2. These are solutions built “on top” of an existing blockchain, in order to aggregate several operations into a single transaction. This allows to significantly increase the number of transactions per second that can be processed, and thus to decrease the costs. This mechanism is particularly used by the Lighning Network on Bitcoin, and by various applications on Ethereum.

The members of the DIF then developed a Layer 2 protocol to manage decentralized identities: SideTree. This protocol allows to create a network on which the different nodes are connected in peer-to-peer. The protocol can be adapted to different underlying blockchains, to offer some interoperability. It is also important to underline that it follows the recommendations of the W3C regarding DID and Verifiable Credentials.

SideTree is built with several software components:

REST API: an interface to allow users to interact with the system.

SideTree Core: this is the “logical” part of the system, which manages the various operations on the identifiers.

Content Addressable Storage: manages the storage of identifiers and their metadata. SideTree uses IPFS, a protocol allowing to store and distribute data in a decentralized way. A MongoDB database is also used for local storage.

Blockchain Adapter: allows to communicate with an underlying blockchain, in order to record “states”.

ION: SideTree protocol coupled with Bitcoin

Bitcoin as layer 1

ION (Identity Overlay Network) is an implementation of the SideTree protocol based on Bitcoin and developed by members of the DIF. Thus it is a public, decentralized identity management system that is not controlled by any organization. It is able to handle several thousand transactions per second.

SideTree also has other implementations, including Element, which is based on the Ethereum blockchain.

ION has chosen Bitcoin for:

Its decentralization:

  • The network is open to all
  • The nodes are numerous and decentralized
  • Transactions are transparent, checkable and unchangeable

Its security:

  • Bitcoin has proven its resistance for over 10 years
  • Participants are encouraged to maintain and operate the network
  • The cost of a 50% attack is extremely high, and considered impossible

DID and documents

Concretely, an identifier on ION looks like a unique and complex sequence of characters: did:ion:EiD3DIbDgBCajj2zCkE48x74FKTV9_Dcu1u_imzZddDKfg

This DID is linked to a JSON document that contains several properties.

The user can also add all the properties he wants. It is possible to obtain the document from the identifier, by performing a resolution. This can be done using the REST API of an ION node, or by using a dedicated explorer. The idea is to be able to retrieve the information associated with a DID, in the same way as when retrieving IP addresses associated with domain names (DNS).

How does it work?

To generate a DID, a user must either use their own node or use one available on the network. The node operator must have a wallet with Bitcoin, as the operation requires a transaction. Managing identifiers is a multi-step process, on the command line and through a REST API; it is not trivial.

Each identifier is linked to 3 pairs of cryptographic keys:

  • Update keys
  • Recovery keys
  • Signature keys

The operations carried out during creation are recorded in a file. This instruction file is distributed on IPFS, and its unique identifier is recorded in a Bitcoin transaction. Simultaneous operations on multiple identifiers are grouped together, in order to have a single executed Bitcoin transaction. SideTree uses Merkel trees to structure the states of the different identifiers, and to allow the management of a large number of operations per transaction.

All other nodes in the ION network observe Bitcoin transactions and extract those that match the ION protocol. They retrieve the instruction file from IPFS, thanks to the unique identifier contained in the transaction. Then they execute the instructions in order to update themselves and contain the latest created identifiers. Thus, the new identifier is distributed throughout the network. The synchronization time may vary; we have not found any measurements of this time.

By definition, DID are not transferable; the user at the origin of an operation on a DID is thus necessarily the “owner” and the only one to have control over it with his private key. This property allows, in particular, to do without a consensus mechanism during operations on DID, because there are no possible double expenses.

Which future?

Several use cases

The ION project is developed by members of the DIF, and actively supported by Microsoft. The American company wants to exploit this protocol to offer new services based on decentralized identity.

Several use cases are possible:

  • Users can create their DID and use the OpenID authentication system. Thus, it would be possible to authenticate on various applications, sites and web services with a unique and decentralized identifier. Passwordless authentication is possible.
  • Users could choose the data they want to associate with their DID and revoke their access at any time. Business models could be developed to pay users directly for their data.
  • Users can manage different identities with multiple DID, through their digital wallets.
  • Companies, schools or organizations can generate verifiable digital certificates associated with DID. (Verifiable Credentials).
  • DID can be associated with domain names, in order to use readable names rather than complex addresses.

Services to be developed

ION’s ambition is to become a standard for tomorrow’s decentralized identity. The ingenuity of the protocol is interesting, and could stand out from other competitive solutions in particular thanks to the use of the Bitcoin protocol. Layer 2 solutions are promising for many use cases, and can significantly increase the scalability of decentralized registries.

However, today the protocol remains complex to use; tools and applications to facilitate its use will have to be developed. Microsoft will certainly offer services using ION, but it is to be hoped that other players will follow this path, especially with non-proprietary “end solutions”.

Furthermore, the recommended technical specifications for deploying a node are quite demanding; this can represent a significant cost in terms of hosting. The cost of registering a DID is also the responsibility of the node operator, who will submit the transaction on the network. Thus, there is no economic incentive to deploy a node, other than to create a business model by selling DID registration to other users. At first glance, these elements may be barriers to decentralization and adoption of ION, but it is still too early to tell.

Many competitors

Competition is tough in the world of digital identity. On the one hand, there are the identity solutions proposed by the big players (Google, Facebook, Thales, etc.), which today dominate the market, and on the other hand, there are the sovereign identity solutions pushed by governments (France Connect, Essif, etc.). Alongside these more or less centralized systems, there are also many self-sovereign identity protocols. Apart from ION, there is also Ethereum Name Service based on Ethereum, Evernym, Sovrin and countless projects under development.

The realization of concrete applications and the adoption by the general public are essential points in the success of a project; time will show us which ones will make the difference and become indispensable to tomorrow’s Web.

Are you interested in blockchains and crypto-assets? Do not hesitate to visit the website of our expert Steve Despres: https://cryptoms.fr/

Image source : TheDigitalArtist via Pixabay

To understand all about Metaverse and alternative domain names

Metaverse and alternative domain names

The word “Metaverse” refers to everything related to virtual worlds (3D, augmented reality, virtual reality), and designates a “future” vision of the Internet, with fictive spaces such as stores, rooms or even games. It’s a bit of a buzzword of the moment, which was put forward by Facebook in October 2021, when it announced the creation of a metaverse (Meta). There is of course a trend effect, however several major brands seem to be working on the subject.

Many projects have used the term “Metaverse” around their services and products. There are projects related to digital assets, such as cryptocurrencies and NFTs, which allow the representation and exchange of value on the Internet. But also alternative domain names, like .eth, .crypto, .metaverse, etc. It’s also related to the concept of “web3”, which is a vision of a more decentralized web.

Regarding the alternative domain names, you have to know that they are extensions that are not regulated by ICANN, so they are not official. This explains why it is not possible to have WHOIS information. Furthermore, most alternative domain names systems do not work with the DNS protocol, but are built on a Blockchain infrastructure.

Here are some examples:

ENS (Ethereum Name Service): .ETH

ENS is one of the most used alternative domain name systems with .ETH. It is built on the Ethereum blockchain, through smart contracts, and allows to register domain names in order to link addresses of crypto wallets, websites or any other type of registration. A domain name can be registered for several years, and there are no domain name recovery procedures for trademark holders, as it is a decentralized project: the holder of an .ETH domain name is the only one who can control it.

The registration procedure is done through the use of an Ethereum wallet, and the payment with the ether cryptocurrency ($ETH).

ENS also allows traditional domain names holders to register their domain names on their system.

Unstoppable Domains: .CRYPTO, .ZIL, .COIN, .WALLET, .BITCOIN, .X, .888, .NFT, .DAO, .BLOCKCHAIN

This is also a domain names system developed on the Ethereum blockchain. It allows, like ENS, to register domain names with different extensions. Unstoppable Domains do not expire and do not need to be renewed. There is, however, a procedure for trademark holders.

Namebase

This is a project that allows the creation of all kinds of top-level extensions. It is built on the HNS blockchain.

Namecoin: .BIT

One of the first alternative domain names project on Blockchain.

Touchcast: .METAVERSE

This is a recent project that offers .METAVERSE domain names for sale. There is not much technical information about their system, and their community seems to be quite limited compared to their number of followers on social networks.

Other alternative domain names projects have also emerged. It is important to know that anyone can create an extension not regulated by ICANN.

For users, it is necessary to use another means than a classic DNS resolver to use these extensions (browser extensions, dedicated applications, etc.).

As expected, there is a lot of speculation and cybersquatting related to this type of domain names.

Image source : xresch via Pixabay

DNS on Blockchain: the next evolution of domain names?

DNS on Blockchain - Nameshield
Image source: TheDigitalArtist via Pixabay

Summary

The DNS, the Domain Name System, is a service at the heart of how the Internet operates. It is fundamental to the functioning of many services such as websites, mail servers, VoIP telephony and many others.

For more than 30 years, many extensions and functionalities have been added to the DNS, which technically translates into an increase in the complexity of the infrastructure.

The Blockchain technology could be a considerable evolution for DNS, bringing several advantages and new functionalities.

The DNS, a fundamental service

The DNS, the Domain Name System, is a service at the heart of how the Internet operates. It functions as a public directory that associates domain names with resources on the Internet, such as IP addresses. When a user enters an address in his browser, a DNS server translates this humanly understandable address into an IP address that is understandable by computers and networks. This is DNS resolution.

DNS - DNS on Blockchain - Nameshield

This system, created in 1983, is fundamental to the functioning of many services such as websites, mail servers, VoIP telephony and many others. It is constantly evolving to meet ever-increasing needs in terms of functionality and security. Indeed, the DNS must guarantee:

  • Availability: an unavailability of the DNS service would result in a service disruption.
  • Integrity: the data present on the DNS (associated with a domain name) must not be corrupted.
  • Confidentiality: to protect the privacy of users, the DNS implements various solutions that increase the confidentiality of DNS requests. If the requests are not confidential, it is possible to analyze users’ browsing information.

The domain name system is based on a centralized model of trust. It is distributed throughout the world and managed by different actors in a hierarchical manner, in several levels; a root level, a first level where extensions are managed by registries, then a second level managed by registrars. The whole thing is orchestrated by ICANN, the Internet’s regulatory authority.

Domain names - DNS on Blockchain - Nameshield

For more than 30 years, many extensions and functionalities have been added to the DNS, which technically translates into an increase in the complexity of the infrastructure.

Blockchain technology could be a considerable evolution for DNS, bringing several advantages and new functionalities.

Blockchain and decentralized registry

A Blockchain is a data structure accessible to all and distributed over a decentralized network; the data is replicated on each node of the network, there is no central authority. Everyone has the possibility to read its contents, add data and even join the network. The concept was first implemented in 2009 with Bitcoin, but today there are many different Blockchain technologies, each with their own properties.

The data is entered on a Blockchain via transactions. The transactions are grouped into blocks, each block is then validated by the network and then brought together. Thus, a Blockchain contains the history of all the transactions carried out since its creation.

The validation rules are written in the Blockchain protocol, which each member of the network respects. To ensure compliance with its rules, the Blockchain protocols are based on consensus algorithms, the best known being the Proof of Work. These algorithms guarantee the integrity, immutability and security of the data on the Blockchain.

Blockchain - DNS on Blockchain - Nameshield

The Blockchain technology meets several DNS needs:

  • Availability: a decentralized, peer-to-peer network cannot be stopped. It could replace or complement Anycast infrastructures. 
  • Integrity: the consensus protocol of a Blockchain guarantees, by nature, the integrity of the data. Furthermore, the data cannot be modified. These properties would eliminate the need for DNSSEC and its famous key renewal ceremony.
  • Confidentiality: Requests made to read the Blockchain data can be encapsulated in an HTTPS channel in the same way as the DNS over HTTPS (DoH) protocol. There are few DoH resolvers today, so traffic is centralized around a limited number of actors. The use of a Blockchain would offer the possibility of querying any node on the network, thus limiting centralization and SPF (single point of failure).

The data included in the DNS zone files, i.e. the domain name configurations, could therefore be distributed on a Blockchain. Each player (registries, registrars) could directly interact with this Blockchain to manage the domain names. This is the idea of the DNS on Blockchain.

New needs

In recent years, with the emergence of Blockchain technologies, new means of values exchange have developed, particularly with tokenization, crypto-assets and decentralized applications (dapps); we talk about Web 3.0, or the Internet of Value.

Values exchange - DNS on Blockchain - Nameshield

Digital wallets and decentralized applications work with identifiers that are difficult to read, e.g. 0x483add28edbd9f83fb5db0289c7ed48c83f55982 for a wallet address.

Being able to associate this type of address with domain names, within a universal naming system, could be of real interest for tomorrow’s Web applications. It would be possible to have a wallet of crypto-assets or a decentralized application configured directly behind a domain name. This could also be useful for the digital identity of companies and their brands.

DNS on Blockchain, today

Many naming system projects on Blockchain are currently under development, each with an implementation of its own.

Some applications propose new domain names extensions (TLDs), such as .bit, .zil, .crypto, .eth, etc. This is particularly the case for Namecoin and UnstoppableDomains. These systems are completely independent of the traditional DNS and ICANN. Registration is managed directly by users, and names resolution is generally done through a browser extension. The Opera browser has recently natively integrated the resolution of these domain names.

These applications are functional and the names registration is not controlled. There are therefore many cases of cybersquatting. Users register names in the hope of reselling them and making a profit. This obviously poses a problem for trademark owners, and will certainly prevent the adoption of these solutions by companies.

DNS on Blockchain - Nameshield

Other projects propose complementary solutions to DNS. In particular, Ethereum Name Service (ENS) offers a names system on Blockchain that integrates with the traditional DNS. If you are the holder of a domain name and can prove it with a DNSSEC registration, you can then register this same name on the Blockchain service. This allows you to combine the advantages of traditional DNS and DNS on Blockchain.

The .kred, .xyz and .luxe extensions already support this integration on Blockchain, and ENS plans to propose it for all DNSSEC-compatible extensions. This project is quite promising, Ethereum Name Service has recently joined the DNS-OARC (DNS Operations, Analysis, and Research Center).

The Handshake project proposes a naming protocol to manage the root level of the DNS, and provide an alternative to certification authorities. It challenges the trust and governance model of the DNS to experiment with a more decentralized, secure and resilient system based on validation of DNS zones by participants in the network.

Conclusion

The DNS on Blockchain could be a considerable evolution of the DNS; it would bring several advantages and new functionalities thanks to the Blockchain technology, which would benefit the development of the decentralized web.

Today, however, there are still no technologies and applications on which there is unanimous agreement, even though many projects and PoC are under development. They are not yet mature enough to be used on a large scale. Improvements in terms of scalability, security and usability need to be made.

The collaboration of the Internet players (ICANN, DNS-OARC, registries) seems essential for a technology to reach consensus and be adopted, in particular to set common rules. This is a subject to be followed closely over the next few years.

Are you interested in blockchain and crypto-assets topics? Don’t hesitate to consult the website of our collaborator Steve Despres: https://cryptoms.fr/