SunSpec Blockchain- Real ID for SSL

SunSpec Blockchain is a distributed database containing cryptographic private key security information.  Most people don’t understand what that means, so in this post we’re going to compare it to something almost everyone recognizes:  Real ID.

What is Real ID?

“The REAL ID Act establishes minimum security standards for license issuance and production and prohibits Federal agencies from accepting for certain purposes driver’s licenses and identification cards from states not meeting the Act’s minimum standards.”  

– United States Department of Homeland Security

Real ID is a new kind of driver’s license.  This October 2021 you’ll need one to get through the security check at airports. The federal government deemed that normal licenses aren’t secure enough, so it created a new type of license that has higher security verification requirements (e.g., more and better-documented proof of your identity).

What is an SSL certificate?

An SSL certificate is like a digital driver’s license for websites. This is how you create one for your website:

  1. Use a program like OpenSSL to create a digital key pair on your server consisting of a private key and a public key.
  2. Keep the private key protected and use it to generate a certificate signing request (CSR) file, which contains the public key, your website address, a signature made with the private key, and other information.
  3. Send the CSR to a certificate issuing authority (CA) like Comodo that is trusted by all the web browsers.  The CA makes sure you own the website address and conducts a few more verification checks.  The CA converts the CSR into an SSL certificate file that you put on your web server.

When a browser hits your website, the browser gets the SSL certificate and runs some verification checks, such as making sure your website has the private key used to create the SSL certificate.  If the verification checks pass, your browser trusts your website and lets the user continue.
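The three steps and the key check described above, run end to end with OpenSSL. This is an added example, not part of the original post; the host name example.test and the throwaway test CA are constructed stand-ins, and a real CA would also confirm that you own the website address before issuing.

```shell
#!/bin/sh
# Added example. example.test and the test CA are constructed stand-ins.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Step 1: create the key pair; the private key file is readable by its owner only.
make_key() {
    ( umask 077
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
          -out "$WORK/site.key" 2>/dev/null )
}

# Step 2: the CSR carries the public key and site name, signed with the private key.
make_csr() {
    openssl req -new -key "$WORK/site.key" -subj "/CN=example.test" \
        -out "$WORK/site.csr"
}

# CA side: the CSR's self-signature shows the requester holds the private key.
csr_ok() {
    openssl req -in "$WORK/site.csr" -noout -verify 2>&1 | grep -q "verify OK"
}

# Step 3: a throwaway CA (standing in for a real one) turns the CSR into a certificate.
issue_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl x509 -req -in "$WORK/site.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -out "$WORK/site.crt" 2>/dev/null
}

# Client side, check 1: the certificate chains to a CA the client trusts.
chain_ok() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/site.crt" >/dev/null 2>&1
}

# Check 2: the certificate's public key belongs to the given private key.
# Any copy of the key file passes too; nothing here records how the key is stored.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

make_key && make_csr && issue_cert
csr_ok && echo "CSR self-signature: OK"
chain_ok && echo "chain to test CA: OK"
key_matches_cert "$WORK/site.crt" "$WORK/site.key" && echo "certificate matches key"
```

In a live connection the browser gets the second check from the TLS handshake rather than by reading the key file; the comparison here is the equivalent check an administrator can run on the server.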

What’s wrong with SSL certificates?

SSL certificates have secured the world wide web for decades, but they do have issues.  They are highly dependent on trusting CAs to do their job well, which hasn’t always been the case (just Google DigiNotar).  Even if CAs do their job well there is another issue with SSL certificates.  They give no visibility into how the private key was created and how it is protected.

Why does this matter?  Let’s say your website’s private key is not protected well and a hacker is able to access and copy your website’s private key.  Now the hacker can use your SSL certificate (which everyone has access to) on a fake website that intercepts traffic to your website.  Since they have your private key a browser will think the fake website is the real website.  For example, hackers could set up a fake bankofamerica.com website and if they have the bankofamerica.com private key and SSL certificate a browser will not be able to know it’s accessing the fake website.  When you enter your username and password on the fake site the hackers copy it and use it at the real bankofamerica.com website to steal your money.

Now let’s say you generated your website private key on a hardware security module (HSM) that makes it virtually impossible for hackers to steal it.  As far as the CA is concerned, there is no difference.  The CA doesn’t care how you created your private key; the SSL certificate is the same regardless of how well you protected your private key.  This means your browser doesn’t know the difference either.  This is a blind spot in SSL certificates.  It’s like the old driver’s licenses that don’t require all the right verifications.

Real ID for SSL certificates

If you’re using your bank’s (or broker’s, or crypto exchange’s) website, wouldn’t it be more secure if your browser could validate how well the bank protects its private key?  Of course!  This is exactly what SunSpec Blockchain provides.  Banks value their security enough to get regular audits on their information systems.  If a bank creates and protects its website private key using a process that has been reviewed by independent auditors, that information can be put on SunSpec Blockchain.  The CA that creates the SSL certificate for the bank site can look at that information on the blockchain and include additional private key information in the SSL certificate.  A web browser that receives the SSL certificate from the banking website can analyze the private key information in the certificate.  The browser can also access SunSpec Blockchain on its own to get the latest information.  With this information, the browser can decide if the website can be trusted.  

SunSpec Blockchain adds extra layers of verification to SSL certificates.  It will eventually be required by certain high-value applications.  In other words, SunSpec Blockchain is Real ID for SSL certificates: something everyone who drives can understand.

Alfred Tom

Alfred Tom is co-founder and CEO of Wivity, Executive Director of OMA3.org, and president of Lumian.org (a SunSpec.org spinout). He also serves on the board of CCCsf.us, an internationally-acclaimed Warhol/Bloomberg-funded contemporary art organization in San Francisco.