Tide Foundation Creating Marketplace Where PII Can be Safely Sold
The Australian Tide Foundation has announced details of a distributed ledger technology (DLT) password protection system that uses ‘splintering’ to deliver password security far stronger than a traditional centralized hashed database. This is one component of a wider project to develop a new marketplace for a new personal data economy.
The Tide Foundation proposals, known as the Tide Protocol, attempt to reconcile three empirical but competing realities: users’ need to own their personal data (PII); data-collecting vendors’ need to sell user PII; and the advertising and research industries’ need to buy and use PII. This arrangement currently works poorly: users do not own their own data; vendors have that data stolen through breaches and controlled by legislation; and the advertising industry suffers from false PII and fraudulent purchases.
The political solution is to concentrate on giving and ensuring user ownership of PII. The theory is that if the user then gives or ‘sells’ that data, the recipient is free to use it within the limits agreed by the user. This approach helps the user, but not the data collecting vendor, nor the data buying advertiser. The Tide approach is to focus on the vendor by providing a secure and legally compliant storage for PII that simultaneously creates an open marketplace trusted by both the user and the advertiser for that data.
The Tide Protocol will use distributed ledger (blockchain and encryption) technology to create a secure but open marketplace where PII can be safe, but sold. The infrastructure creates a secure vault for personal data where only the user has a key to his/her own data. This ensures that only the user can agree to the sale of that data.
In its own words, Tide is creating “an open-source framework that operates on a decentralized blockchain-based architecture. The Tide cryptocurrency (Tide Settlement Tokens) will power the economy, managing both access permissions and remuneration across the ecosystem.” The Tide Protocol runs on an EOS-based DLT, using EOS’ asynchronous Byzantine Fault Tolerance Delegated Proof of Stake (aBFT-DPoS). This has already achieved more than 4,000 transactions per second (TPS) where the Bitcoin network handles 7 TPS, and Ethereum handles 15 TPS.
As the first stage of launching its full vision of a new personal data economy, Tide has announced its ‘splintering’ encryption technology for the secure storage of passwords. Rather than the traditional method of storing user passwords as hashed and salted entries in a single centralized database, splintering breaks the password into tiny sections, hashes and salts each of them individually, and then stores them in the vaults of a distributed ledger.
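The storage scheme the paragraph describes, modelled as an added example that is not Tide’s code: each piece of the password gets its own salt and hash and is assigned to one of several vaults, and verification recomputes every piece. The two-byte piece length, PBKDF2-HMAC-SHA256 with 10,000 iterations, and round-robin vault assignment are assumptions for illustration, not details from the article.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed parameters (illustrative, not Tide's): 2-byte pieces, 4 vaults, 10k PBKDF2 rounds.
PIECE_LEN = 2
VAULTS = 4
ITERATIONS = 10_000


@dataclass(frozen=True)
class Splinter:
    vault: int     # which vault in the distributed ledger holds this piece
    index: int     # position of the piece within the password
    salt: bytes    # per-piece random salt
    digest: bytes  # salted hash of this piece only


def _pieces(password: str) -> list[bytes]:
    raw = password.encode("utf-8")
    return [raw[i:i + PIECE_LEN] for i in range(0, len(raw), PIECE_LEN)]


def splinter_password(password: str) -> list[Splinter]:
    """Break the password into pieces, salt and hash each one, spread them over vaults."""
    out = []
    for idx, piece in enumerate(_pieces(password)):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", piece, salt, ITERATIONS)
        out.append(Splinter(vault=idx % VAULTS, index=idx, salt=salt, digest=digest))
    return out


def vault_contents(splinters: list[Splinter], vault: int) -> list[Splinter]:
    """Return only the splinters held by one vault (no single vault holds the whole password)."""
    return [s for s in splinters if s.vault == vault]


def verify_password(candidate: str, splinters: list[Splinter]) -> bool:
    """Recompute each piece's salted hash and compare in constant time; all must match."""
    pieces = _pieces(candidate)
    if len(pieces) != len(splinters):
        return False
    ok = True
    for s in splinters:
        digest = hashlib.pbkdf2_hmac("sha256", pieces[s.index], s.salt, ITERATIONS)
        ok &= hmac.compare_digest(digest, s.digest)
    return ok
```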
“This technique,” says Tide, “makes it tremendously more difficult to reconstruct one complete password, let alone all the passwords, using either reverse engineering or common brute force attack methods.” It mentions that breaches “like those suffered by Capital One, Equifax and Marriott cost companies in many ways, including large fines, legal problems and PR crises, not to mention loss of customer trust.”
The splintering technology was tested against the 60 million passwords stolen and leaked from LinkedIn. Tide’s engineers found that splintering reduced the odds of a successful dictionary attack from 100% to 0.00072%; that is, a 14 million percent improvement.
“Even though the database of exposed LinkedIn usernames/passwords that Tide used in the study of splintering had been hashed and salted, all 60 million passwords were cracked when they hit the black market,” said Professor Willy Susilo, director at the Institute of Cybersecurity and Cryptology in Sydney, Australia. “In contrast, Tide’s algorithm is very powerful and is significantly less vulnerable. We expect it to improve personal data security by orders of magnitude.”
There is little doubt that such an approach to password storage is more secure than current commonly used methods. Whether it will be accepted by the market is a different matter. “Personally, I find blockchain is a solution looking for a problem,” comments Chris Morales, head of security analytics at Vectra.
“This is not a valid method at securing passwords as the very nature of blockchain is best used for non-repudiation or transaction integrity,” adds Joseph Carson, chief security scientist at Thycotic.
There is also “a bit of misunderstanding on how passwords are compromised,” says Morales. “The Capital One breach, for instance, was a compromise of the ability to generate temporary API tokens to allow execution of administrative commands and not a password or account compromise. The system allowed the generation of these tokens. Password strength had nothing to do with that compromise.”
He continues, “I don’t think encryption of passwords was necessarily the problem either in the Equifax or Marriott breach. Attackers compromised desktops and web apps by using exploits that bypass authentication and then elevate privileges from password harvesting to access servers with already exposed passwords. They aren’t necessarily trying to crack encrypted passwords.”
It would be wrong, however, to judge Tide’s vision purely upon its password technology, since password splintering is merely a component of the overall concept of a new personal data marketplace.
Tide is not the first to consider blockchain for a new marketplace: PolySwarm has a similar vision for a new type of malware recognition market involving enterprise users on one side and security researchers on the other. In both cases, the new market envisages remuneration for those involved using a proprietary cryptocurrency.
The big question for Tide is whether it can get a critical mass of personal data buyers and sellers involved in the new marketplace. That will prove a major task. Without that critical mass of players, it is questionable whether the blockchain password system will be widely adopted for itself.
“Trying to extend [blockchain technology] to passwords would be a waste of an organization’s time as there are much better and proven ways to do this already,” suggests Carson. “This includes password managers and privileged access management solutions that don’t require or depend on blockchain to achieve the same value.”