Data Privacy Gets a Makeover With ‘Zero-Knowledge’ Scheme
A cloud tool for application developers is designed to provide strong data encryption by eliminating the requirement for app users to share personal data. The tool also aims to reduce the burden on companies who must protect personal data residing in their apps.
IBM said its Identity Mixer cloud tool is generally available. It uses a cryptographic algorithm to encrypt personal data like a user’s age, address or credit card number. IBM said its framework differs from other data security approaches by eliminating the need to share personal data rather than merely adding more layers of data protection.
The company is targeting Identity Mixer at the growing digital wallet market in which the user’s credentials are certified by a trusted third party. In the case of a government-issued identity card, IBM said, the issuer of the credentials would have no knowledge of how or when personal data was being used.
The Identity Mixer tool is available on IBM’s Bluemix application development platform. The company said the cloud-based tool is based on an approach called “zero-knowledge proof” in which developers build apps that can authenticate a user’s identity without gathering personal data.
Since no personal information is exchanged when authenticating a user who, for example, claims to have a subscription, companies are relieved of the burden of protecting and securing personal data while user data is no longer exposed to hackers during web transactions.
Under the scheme developed by IBM researchers in Zurich, Switzerland, the tool works by asking users to provide a public key used to authenticate their identity. Each user has a secret key, and each consumer transaction uses a different public key. That approach leaves no privacy “breadcrumbs,” IBM asserted.
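The idea of one secret key with a different public key per transaction can be sketched as follows. This is an added illustration, not IBM's code and not the Identity Mixer protocol itself: it assumes a Schnorr-style proof of knowledge over a deliberately tiny toy group, and the helper names and the per-transaction `scope` string are hypothetical.

```python
import hashlib
import secrets

# Toy safe-prime group (P = 2Q + 1), constructed for this example; far too small for real use.
P, Q = 2039, 1019

def hash_to_int(*parts):
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def base_for(scope):
    """Derive a per-transaction generator of the order-Q subgroup from the scope string."""
    counter = 0
    while True:
        g = pow(hash_to_int("base", scope, counter) % P, 2, P)  # squaring lands in the subgroup
        if g not in (0, 1):
            return g
        counter += 1

def public_key_for(secret, scope):
    """Public key shown for this transaction only: base(scope) ** secret mod P."""
    return pow(base_for(scope), secret, P)

def prove(secret, scope):
    """Prover: show knowledge of the secret behind the scope's public key without sending it."""
    g = base_for(scope)
    y = pow(g, secret, P)
    k = secrets.randbelow(Q - 1) + 1           # one-time nonce, never reused
    t = pow(g, k, P)                           # commitment
    c = hash_to_int("chal", scope, g, y, t) % Q  # Fiat-Shamir challenge
    s = (k + c * secret) % Q                   # response
    return y, (t, s)

def verify(scope, y, proof):
    """Verifier: sees only the per-transaction public key and the proof."""
    t, s = proof
    g = base_for(scope)
    if not (1 < y < P and pow(y, Q, P) == 1):  # reject keys outside the subgroup
        return False
    c = hash_to_int("chal", scope, g, y, t) % Q
    return pow(g, s, P) == (t * pow(y, c, P)) % P

if __name__ == "__main__":
    secret = secrets.randbelow(Q - 1) + 1
    for scope in ("shop-A/tx-1", "shop-B/tx-2"):  # constructed sample scopes
        y, proof = prove(secret, scope)
        print(scope, "public key:", y, "valid:", verify(scope, y, proof))
```

The verifier checks each proof against a public key that differs from scope to scope, and the secret key itself is never transmitted.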
IBM initially made the crypto tool available earlier this year as an “experimental service” on its Bluemix platform-as-a-service for building and managing applications. Since then, it has demonstrated the cloud version of Identity Mixer in pilot projects with European and Australian academic and industry partners.
IBM said the data encryption technology incorporates more than a decade of research aimed at bringing the “concept of minimal disclosure of identity-related data to reality, and now it is ready to use for both computers and mobile device transactions” in the cloud.
An ecosystem appears to be emerging around the “zero-knowledge proof” approach to data and transaction security. A startup called Zerocoin Electric Coin Co. surfaced recently. Referring to the layer of privacy on encrypted web pages, it bills itself as the “HTTPS” of digital money.
Another startup, Bear Bonds, also said it is leveraging zero-knowledge proof protocols as a way to “reinvent the blockchain,” a reference to the distributed database used by digital money pioneers like Bitcoin to maintain encrypted ledgers of digital transactions.