How ArcBlock leverages AWS QLDB to Build a Decentralized Identity Solution
Written by: Robert Mao, Founder / ArcBlock
Illustration by: Moon Cao, UX Designer / ArcBlock
Identity technology is evolving from centralized identity solutions to decentralized ones. Decentralized identity is an emerging technology that gives control of identity back to users, so they can decide what information is shared with third parties.
Founded in 2017, ArcBlock is building a new kind of decentralized application platform that simplifies the development of dApps, DID and blockchain applications. We implemented the DID:ABT protocol, which follows the recommendations of the W3C Credentials Community Group and DIF; it plays a critical role in our architecture and is the foundation of the platform. ArcBlock became a member of the AWS Partner Network (APN) in 2019 and leverages several AWS services, such as EC2, QLDB and OpenSearch, to build the underlying infrastructure, including the decentralized identity technology discussed in this article.
(Diagram: A typical DID and its information architecture)
As a development platform, ArcBlock allows anyone to easily implement and deploy applications with DID capability. We also provide a full set of ready-to-use tools and frameworks, such as DID:Wallet (a mobile and web wallet application that helps users manage their digital identities, credentials, NFTs and other digital assets) and DID:Connect (an extensible protocol/framework and SDK for authentication, verifiable credential presentation, verification, crypto payment, digital asset exchange and more), so developers get everything they need to build applications that take full advantage of decentralized identity technology.
A decentralized identifier (DID) is a self-sovereign digital identifier for a person, organization, IoT device, etc. As we increasingly hand our personal information to all kinds of online services, we are often subject to data breaches and privacy loss. A standards-based decentralized identity system can provide greater privacy and control over personal information and private data.
A DID is secured by a private key: control is proven with cryptographic signatures, so only the owner of the private key can prove that they own and control the DID. One person can (and is encouraged to) have as many DIDs as they need, which makes it harder to track them across activities in different services. For example, a person could have one DID associated with a finance account and another, entirely separate DID associated with their social network.
Each DID is often associated with a set of Verifiable Credentials (VCs) issued by other DIDs that attest to specific claims about that DID (e.g., location, age, diplomas, immunization certificates). These credentials are cryptographically signed by their issuers, which allows them to be verified independently of, and without contacting, the signer; they are designed to be interpretable outside their original context and contain the mechanisms needed to reconstruct and interpret that context independently. DID owners store these credentials themselves instead of relying on a particular provider.
(Diagram: How DID and VC works in high level)
A Verifiable Data Registry (VDR) is a general term for a mechanism through which data can be verifiably registered. In principle, a VDR does not have to take the form of a blockchain, a cloud service or a network, but the most common VDRs are implemented with blockchains or ledgers. In ArcBlock’s solution, we leverage QLDB to implement a high-performance, blockchain-protocol-based VDR for our DID architecture.
DID technology brings benefits to both individual users and organizations. It lets end users own and control their identity and protect their privacy in a highly secure manner. For business organizations, regulations such as the EU GDPR (General Data Protection Regulation) strengthen identity standards and require modern identity solutions to be in place; DID enables organizations to perform electronic data verification with improved transparency and auditability.
Many people today use the term verifiable credentials (VCs) to refer to digital credentials that come with such cryptographic proofs. Many of the “enterprise blockchain” use cases can be considered typical use cases for verifiable credentials: the W3C document “Verifiable Credentials Use Cases” lists more than 30 typical use cases across 7 domains, such as education, retail, finance, healthcare, legal identities and IoT devices. The COVID-19 pandemic has created demand for “immunity certificates” and their technical requirements, and DID and VC appear to be one of the promising technical solutions.
“Decentralized digital identity (DDID) is not just a technology buzzword: It promises a complete restructuring of the currently centralized physical and digital identity ecosystem into a decentralized and democratized architecture.”
-- Prepare For Decentralized Digital Identity: Security SWOT, January 21, 2020, Forrester Research
ArcBlock builds a high performance blockchain protocol that is optimized for dApps with built-in support for token economy, NFT (Non-fungible Token), DID (Decentralized Identities) and beyond. Amazon QLDB provides a transparent, immutable, and cryptographically verifiable ledger backend for a blockchain layer 2 scaling solution and is a very cost-effective managed service which meets our needs.
The high-level diagram below shows the layered architecture of the ArcBlock platform. We take the W3C’s recommendations and best practices for DID and VC and make them the foundation: we use DID as a kind of “native identifier”, so every object in the system (user, blockchain account, smart contract, ...) has a DID.
(Diagram: High Level Overview of ArcBlock Platform)
Even though Amazon QLDB itself comes with built-in cryptographic verification capabilities, decentralized identity and verifiable credential technology needs to be portable, platform independent and interoperable across vendors, so we implemented DID- and VC-level verification independently on top of QLDB. ArcBlock’s Open Chain Access Protocol (OCAP) layer is a middle-tier protocol that encapsulates the underlying ledgers and storage and provides a general-purpose, high-level blockchain protocol and tools (e.g. transactions, smart contracts, block explorers, wallets).
In the ArcBlock platform architecture outlined in the diagram below, we use Amazon QLDB as the “state storage” for raw transactions. All transactions from applications, including end-user transactions originating from the wallet, are stored in Amazon QLDB first; after the transactions are executed, the resulting blockchain “states” are also updated and stored in Amazon QLDB. Meanwhile, the system uses Amazon QLDB streams to send the transactions to Amazon Kinesis, from which additional indexes and data are stored in Amazon Elasticsearch for fast, complex search and query. AWS Lambda provides the flexibility to process the event data along the way. We built these transaction protocols with gRPC, a high-performance Remote Procedure Call (RPC) framework, and support GraphQL as the standard query language.
(Diagram: System Architecture)
DID is the foundation of the architecture, so naturally all blockchain transactions are tied to DIDs. We also defined high-level digital assets in the blockchain system, such as FTs (fungible tokens) and NFTs (non-fungible tokens), all identified by DIDs, and we use verifiable credentials (VCs) as the verifiable data format. With DID as the unique identifier across the system, it is easier to integrate different components with each other even when they are developed by different vendors.
ABT Node is the container and run-time environment for “Blocklets”, a framework of highly reusable software components. All of ArcBlock’s applications and components, including the blockchain protocol implementation itself, are Blocklets; they are managed within ABT Node, which runs on Amazon EC2 instances. In a production setup, Amazon Elastic Load Balancing can distribute load across multiple ABT Node instances. We also use Amazon SNS to send push notifications for events users subscribe to, e.g. a crypto payment being settled or a piece of critical personal data being about to be shared, so users are notified in real time.
It is worth noting that we build the cryptographic verification independently of Amazon QLDB itself while still leveraging Amazon QLDB’s verification capability for internal data. This makes our DIDs and VCs interoperable with other systems, and customers do not need to understand how Amazon QLDB verification works. The transaction and state data in the state storage gain extra verifiability from Amazon QLDB’s built-in verification capabilities.
The ArcBlock platform powered by Amazon QLDB can unleash the full potential of blockchain technology and bring the most valuable features, such as smart contracts, tokens, NFTs and DAOs, to our SaaS cloud customers.
The full solution is in production and ready to use today. Visit ArcBlock’s website to learn more about the demo, samples and developer documentation. All of ArcBlock’s websites and services already use the DID technology described above and run as dApps; AWS customers can download the required components locally or launch an instance from the AWS Marketplace and start building with DID today.
- Decentralized Identifiers (DIDs) 1.0 https://www.w3.org/TR/did-core/
- DID Specification Registries https://www.w3.org/TR/did-spec-registries/
- ArcBlock Developer Documentation https://www.arcblock.io/en/developer-portal
- NIST: A Taxonomic Approach to Understanding Emerging Blockchain Identity Management Systems https://csrc.nist.gov/publications/detail/white-paper/2020/01/14/a-taxonomic-approach-to-understanding-emerging-blockchain-idms/final