Thursday, 9 May 2019

Fabric – Membership and Identity Management in Blockchain

Organisations

Organisations define boundaries within a Fabric Blockchain Network

Each organisation defines:
  • Membership service provider (MSP) for identities
  • Administrator(s)
  • Users
  • Peers
  • Orderers (optional)
A network can include many organisations representing a consortium

Each organisation has an ID

Consortium Network

An example consortium network of 3 organisations
  • Orgs 1 and 3 run peers
  • Org 2 provides the ordering service only

Membership Service Provider (MSP) - Overview

An MSP manages a set of identities within a distributed Fabric network

Provides identities for:
  • Peers and orderers
  • Client applications
  • Administrators
Identities can be issued by:
  • Fabric-CA
  • An external CA
Provides: authentication, validation, signing and issuance

Supports different crypto standards with a pluggable interface

A network can include multiple MSPs (typically 1 per org)

Includes TLS crypto material for encrypted communications

Transport Layer Security (TLS)
  • A cryptographic protocol that provides communications security over a computer network
  • Provides privacy and data integrity
  • Symmetric cryptography is used to encrypt the data transmitted (privacy)
  • Public-key cryptography is used to authenticate the identities of the communicating parties
  • Includes a message integrity check to detect loss or alteration of the data
  • All component communication in Fabric is secured using TLS (client-peer, peer-peer, peer-orderer, orderer-orderer)

User Identities

Each client application has a local MSP to store user identities

Each local MSP includes:
- Keystore
  • Private key for signing transactions
- Signcert
  • Public X.509 certificate
May also include TLS credentials
Can be backed by a Hardware Security Module (HSM)

Admin Identities

Each administrator has a local MSP to store their identity

Each local MSP includes:
- Keystore
  • Private key for signing transactions
- Signcert
  • Public X.509 certificate
May also include Transport Layer Security (TLS) credentials
Can be backed by a Hardware Security Module (HSM)

Peer and Orderer Identities

Each peer and orderer has a local MSP

Each local MSP includes:
- Keystore
  • Private key for signing transactions
- Signcert
  • Public X.509 certificate
In addition, peer/orderer MSPs identify authorized administrators:
- admincerts
  • List of administrator certificates
- cacerts
  • The CA's public certificate for verification
- crls
  • List of revoked certificates
Peers and Orderers also receive channel MSP info
Can be backed by Hardware Security Module (HSM)

Channel MSP Information

Channels include additional organisational MSP information
  • Determines which orderers or peers can join the channel
  • Determines client applications' read or write access to the channel
  • Stored in configuration blocks in the ledger
Each channel MSP includes:
- admincerts
  • Any public certificates for administrators
- cacerts
  • The CA's public certificate for this MSP
- crls
  • List of revoked certificates
Does not include any private keys for identities

New User Registration and Enrollment

Registration and Enrollment
  • Admin registers a new user with an Enroll ID
  • User enrolls and receives credentials
  • Additional offline registration and enrollment options are available

Transaction Signing

All transactions within a Hyperledger Fabric network are signed by permissioned actors, and those signatures are validated

Actors sign transactions with their enrollment private key
  • Stored in their local MSP
Components validate transactions and certificates
  • Root CA certificate and CRLs stored in local MSP
  • Root CA certificate and CRLs stored in Org MSP in channel
