Utilizing IBM’s BCDB technology in C4IIoT

As part of C4IIoT’s task T3.4 – “trustworthiness of data flows” – IBM is developing a decentralized solution that controls access to data by various entities, enables auditability of various events and policies, and verifies the integrity of data items. Distributed ledger technologies (Blockchain) and attribute-based encryption (ABE) are two key elements of this decentralized access control (DAC) solution.

In addition, IBM delivers an innovative centralized Blockchain-based technology, the Blockchain Database (BCDB), which, when combined with concepts introduced in DAC, forms a partially decentralized access control (PDAC) solution.

One core element of the DAC is applying encryption in order to restrict and control access to data. We will apply ciphertext-policy attribute-based encryption (CP-ABE) to data that is considered secret or sensitive. CP-ABE is a type of public-key encryption in which each data consumer is granted a personal secret key. The secret key is associated with a set of attributes characterizing its holder (for example, organization, role, purpose of consuming the data, etc.). Users or entities generating or owning the data encrypt it with a public key and, as part of the process, specify an access policy for the encrypted data that describes who shall be allowed to decrypt it. These access policies are described with attributes and the logical operators {AND, OR}, for example:

(role:analyzer AND purpose:security_anomaly_detection) OR (purpose:data_visualization AND domain:sensor_readings) OR ((role:admin OR role:supervisor) AND org:IBM)

This mechanism has built-in elements of decentralization. It puts the power to decide on access policies in the hands of the data owners at the time they encrypt the data. Once a data item is encrypted, no central authority is required to evaluate the access policy and grant access to the data, as the encryption mechanism enforces the policy automatically. In addition, it is a “one to many” encryption in which data owners do not need to explicitly specify, or even be aware of, the specific users or entities consuming the data.
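To make the {AND, OR} policy semantics concrete, the following added example (not code from C4IIoT, IBM or any ABE library) parses the example policy above and checks which attribute sets satisfy it. It models only the policy logic: in CP-ABE the same outcome is enforced by whether decryption succeeds, not by a function call. The names `parse` and `satisfies`, and the rule that AND binds tighter than OR when parentheses are omitted, are assumptions of this sketch.

```python
import re

# Policy string copied from the article's example.
POLICY = (
    "(role:analyzer AND purpose:security_anomaly_detection) OR "
    "(purpose:data_visualization AND domain:sensor_readings) OR "
    "((role:admin OR role:supervisor) AND org:IBM)"
)
TOKEN = re.compile(r"\(|\)|AND\b|OR\b|\w+:\w+")

def parse(policy):
    """Parse a policy into a tree. Assumption: AND binds tighter than OR."""
    tokens = TOKEN.findall(policy)
    if "".join(tokens) != re.sub(r"\s+", "", policy):
        raise ValueError("policy contains unrecognized text")
    tokens.append(None)  # end-of-input marker
    pos = 0
    def atom():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            node = chain("OR")
            if tokens[pos] != ")":
                raise ValueError("missing ')'")
            pos += 1
            return node
        if tok in (None, ")", "AND", "OR"):
            raise ValueError(f"unexpected token {tok!r}")
        return ("ATTR", tok)
    def chain(op):
        nonlocal pos
        sub = (lambda: chain("AND")) if op == "OR" else atom
        node = sub()
        while tokens[pos] == op:
            pos += 1
            node = (op, node, sub())
        return node
    tree = chain("OR")
    if tokens[pos] is not None:
        raise ValueError(f"unexpected token {tokens[pos]!r}")
    return tree

def satisfies(tree, attrs):
    """True if a key's attribute set satisfies the policy tree."""
    if tree[0] == "ATTR":
        return tree[1] in attrs
    left, right = satisfies(tree[1], attrs), satisfies(tree[2], attrs)
    return (left and right) if tree[0] == "AND" else (left or right)
```

For instance, `satisfies(parse(POLICY), {"role:admin", "org:IBM"})` is true, while a key holding only `role:admin` and an attribute for a different organization fails every clause.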

The solution will also rely on Hyperledger Fabric (HLF), which is a permissioned blockchain with support for executing smart contracts. HLF will enable auditability of events and access policies as well as assure the integrity of data in C4IIoT. When a data item is created and shared, or when it is stored on a storage service, a corresponding record will be logged in the HLF channel. These tamper-proof records will include a pointer to the place where the data item is stored, a hash of the data taken at the time it was created or stored, the CP-ABE access policy used to encrypt it, and any other relevant information. This solution will allow all the entities involved in C4IIoT to monitor the lifecycle of data items and to verify the integrity of the data.

As the innovative BCDB technology has now gained a higher level of maturity, IBM will utilize it in the final version of C4IIoT alongside the HLF. The Smart Factory use case will utilize the HLF, while the Inbound Logistics use case will utilize the BCDB, in a similar manner and for the same purposes. We will thus provide a demonstration of two Blockchain-based alternatives in C4IIoT, each with its own advantages. Our solution for the Inbound Logistics use case is named PDAC (Partially Decentralized Access Control), as the BCDB technology is centralized while the ABE technology used alongside it is decentralized by nature.

BCDB is a key-value/document replicated database that provides distributed ledger properties such as:

  • Tamper Evident – Data cannot be tampered with without the tampering being noticed.
  • Non-Repudiation – A user who submitted a transaction to make changes to data cannot deny submitting the transaction later.
  • Provenance Queries – All historical changes to the data are maintained separately in a persisted graph data structure so that a user can execute queries on those historical changes to understand the lineage of each data item.

In addition, BCDB provides Database Management Systems (DBMS) features such as:

  • Serialization Isolation Level – Ensures safe and consistent transaction execution.
  • Crypto-based Authentication – A user who submits a query or transaction is always authenticated using a digital signature.
  • Confidentiality and Access Control – Each data item can have an access control list (ACL). Users need to authenticate themselves by providing their digital signature to read or write data.
  • High Availability using replication – Each transaction block is replicated to all BCDB instance replicas and applied there, thus keeping all replicas in sync.

BCDB is open source and can be found on GitHub: https://github.com/hyperledger-labs/orion-server

BCDB High Level Architecture