2018 15th International Conference on Electrical Engineering/Electronics, Computer, Telecommunications and Information Technology

A Practical National Digital ID Framework on

Blockchain (NIDBC)
Nutthakorn Chalaemwongwan Werasak Kurutach
Information Science and Technology Information Science and Technology
Mahanakorn University of Technology Mahanakorn University of Technology
Bangkok, Thailand Bangkok, Thailand
nutthakorn.c@gmail.com werasak@mut.ac.th

Abstract—currently, government identification systems personality, devices, and entities. NIDBC identities are self-
are still underdeveloped. The government has adopted computer service, Implication for users are entirely operated and
technology to serve the policy of Thailand 4.0. Thai national ID managed by themselves, and do not depend on centralized
still segmented and distributed between government agencies and third parties for set permission or proof. A core function of
has no centralization, and it brings bad experience to the users NIDBC is that it can digitally sign and verify a claim, action,
because each service must be registered and the users have to
or transaction, which covers a wide range of application case
remember the username and password for every service. We
demonstrated Thailand national Digital ID Framework based on studies [8]. A digital ID stays cryptographically linked to off
Blockchain (NIDBC) to help improve digital identity government chain data. Every identity is able to store the hash of an
service to simple single sign-on and kept preserving privacy by attributed data, which secure the data corresponding with
providing personal information to service only when users grant identity. The digital ID can update the file by themselves [9],
permission for each service. In addition, the system is secure for example, adding more information, and grant permission
because the data is distributed to each node, making the to read, write, and update specific files because the user can
attackers hard to attack or edit information. The security access the blockchain, NIDBC can control digital resources
properties of the proposed protocol have been verified using like cryptocurrencies or the other token.
Scyther tool and are presented here with results.
II. THE PROPOSED FRAMEWORK AND PROTOCOLS
Keywords—Blockchain; Digital ID; National Digital ID; e-ID In this section, we propose a new framework for National
Digital ID based on the BC. Our framework is composed of
I. INTRODUCTION five phases, including Identity and Services Provider
Registration Phase, User Privacy Creation Phase, User
Government identification systems are an important issue in Registration Phase, User Authentication Phase and More
the digital world [1]. The government has adopted technology Information Request Phase as the following:
to serve the policy of Thailand 4.0. The national identity still
segmented and distributed between government agencies, not
holistically, which bring inconvenience to the users because
each service must be registered and the users have to
remember the username and password for every service [2, 3].
Thus results in bad practice of security when users use the
same password.
Blockchain digital identity is now especially outstanding.
The technologies still lacks the development of personal
identification [4] however access to traditional services like as
a legal & political right, finance services, education, health
services, social benefit or participant in the digital world like a
web services, professional network [5], e-commerce,
marketplace, social communities both need the identification
Fig. 1. The NIDBC Framework
function when they need to access services.
We develop NIDBC, which is a secure and simple service
that has the functionality of identification. The NIDBC
framework consists of three part, which are smart contracts,
libraries, and an application [6]. The application keeps private
keys. Smart contracts are the core of the identity services and
incorporate logic [7]. Libraries are integrated with third-party
services. NIDBC identities have many variations for instance

978-1-5386-3555-1/18/$31.00 ©2018 IEEE 497

2018 15th International Conference on Electrical Engineering/Electronics, Computer, Telecommunications and Information Technology
TABLE I. NOTATIONS
Symbol Description
U A User
SPi Trusted service provider of entity i
IP Identity provider
CA Certificate authority
VIDu The virtual ID of the user
N Random number
T Timestamp
H(.) The one-way hashing function
(Pubi, Prii) The set of the public/private key of entity i
{.}Prii The asymmetric computation with private
key Pri-i of entity i
{.}Pubi The asymmetric computation with public
key Pub-i of entity i
BC Blockchain
ii Identity information
Table I shows notations of the proposed framework. Form
fig 1. Initial process of the system needs the IP and SP do the
registration with BC then, IP and SP create the private key and
the public key along with sending the hash of public key of IP
and hash public key of SP to BC. (1) SP registers with IP in
order to use IP services to request necessary information of U.
(2) Before U registers with SP, U must registers with BC so
that, U creates the public key and the private key and then
send the hash value of the public key to BC. Next, U create
VIDu from the hash of public key itself and (3a) sends to IP.
IP sends U’s VIDu to BC so that SP verifies transactions of U.
(4) U requests service from SP to use service. (5) If, SP needs
more information, it can request to BC. Note that all parties
communicate via a secure channel.
A. Identity and Services Provider Registration Phase
In this phase, Both SP and IP need register in the system.
All parties provide, exchange information, i.e., Service
Information, IP address, and Permission to request certificates
from CA. SP requests for membership to acquire identity
information for U access services. In the same way, IP updates
available information to SP whenever SP leaves the system. IP
collects all the list of updated content to create catalog identity
information. SP registers with IP by creating a message that
includes their information along with signing their private
keys and public keys. Then they send the message to IP, when
IP receives the message, IP uses attached public key to decrypt
the message, then IP validates SP and creates a new message
stating whether it accepts or rejects. Then it sends it back
through an SSL (Secure Socket Layer) communications
channel to SP. After that, SP receives the message; SP uses
their private keys to decrypt the message. SP sends their
identity information message to IP along with the encrypted
public key of SP and hashes content along with the signed
private key of SP for message integrity and mutual trust
sender. Whenever IP receives the message, IP will decrypt the
message by using its private key to get the identity
information and validates the sender by checking the owner of
the private key and validates the hash value for message
integrity.
498
B. User Privacy Creation Phase
In this phase, U creates an asymmetric key of the private
and the public key. U creates VIDu instead of using public
identity to protect their privacy. Next, U keeps private key
safely. Finally, U creates VIDu by utilizing the hash of public
key so that the mechanism for generating the VIDu can be
similar to the Bitcoin address.
C. User Registration Phase
In this phase, U registers to the IP but is not registered with
the SP. U needs to use a service offered by the SP, but U does
not want the creation of a new ID and provides personal
information to the SP for the service. U sends their
information including the public key of U and VIDu to IP.
After IP receives, IP creates their own digital signature. IP
sends public key of U and VIDu that has been signed with
SP’s private key to BC. Then IP sends SP’s public key to U.
D. User Authentication Phase
In this phase, SP reads the user’s VIDu and user’s public
key information from the BC, when the user requests to access
the service to the VIDu. SP can confirm whether the claimed
VIDu from the user is the one registered with the BC by
accessing the BC. If the confirmation is correct, the partner
begins the mutual authentication procedure for the user with
the user’s VIDu and user’s public key obtained from the BC.
M1= VIDu, n1, T1, {H(VIDu, n1, T1)}Priu, {VIDu, n1,
T1}Pubsp
M2 = accept/reject, n2, {H(accept/reject, VIDu, n1, n2,
T1)}Prisp, {accept/reject, VIDu, n1, n2, T1}Pubu
Step1: U->SP: M1
Step2: SP->U: M2
Step1: When U needs to use service from SP, U must
authenticate with SP, U sends the message M1 to SP. The
message M1 includes user VIDu, n1 T1, the message
{H(VIDu, n1, T1)}Priu encrypts with the private key of U in
order to authenticate the sender and verify the integrity of the
message. The message {VIDu, n1, T1}Pubsp is encrypted
with the public key of SP in order to authenticate the receiver
and verify that this message provides the confidentiality of
message. Then U sends all message to SP.
Step2: When SP received the message, SP decrypts the
message by using its private key and verifies the message
integrity and sender identity. After that SP lookup VIDu in BC
and get the user public key to check if it matches with M1.
Then SP sends the message M2 to U. The message M2
includes accept/reject statement, n2, the message
{H(accept/reject, VIDu, n1, n2, T1)}Prisp is encrypted with
the private key of SP in order to authenticate the sender, and
this message provides the integrity of message, and the
message {accept/reject, VIDu, n1, n2, T1}Pubu is encrypted
with the public key of U in order to authenticate the receiver
and verify that this message provides the confidentiality of
message. Then SP sends all message to U.
2018 15th International Conference on Electrical Engineering/Electronics, Computer, Telecommunications and Information Technology

E. More Information Request Phase

SP wants more information of U, SP requests to IP for
providing its service to U. For instance, if SP is National
Health Security Office (NHSO), thus it requires at least the U
medical treatment records to deliver claim. SP requests
information from U.
III. DISCUSSION
National Digital ID Framework on Blockchain (NIDBC)
brings substantial benefits for both the government and
enterprise. This improves user experience on a device, and
easy login promotes citizens to access government services
more regularly. To help the protection of citizens accounts,
personal information and compliant with regulatory
requirements on authentication, this system complies with the
international security standards that are flexible. Moreover,
open privacy-focused preserved the citizen trust and aligned
with government policy. This results in new digital services by
improving citizen daily life user-friendly digital identity that is
a crucial enabler for building a more connected society, Fig. 3. The output of security analysts our protocol.
enhance digital inclusion, and work with digital service
providers to create a trustworthy ecosystem.
V. SECURITY ANALYSIS
IV. FORMAL ANALYSIS USING SCYTHER TOOL In this part, we analyze security properties like
In this section, we provide the formal analysis of our Authentication, Non-Repudiation, Integrity, Confidentiality,
protocol using Scyther [10]. Fig 2, shows script of SPDL Replay Attack and Brute force Attack. The result of analysis
(Security Protocol Description Language). We analyze the protocol ensures security properties.
proposed protocol with Scyther security protocol verification
tool and found no attack within bounds in Fig 3. A. Authentication
Our protocol is the act of confirming the truth of an
attribute of a single piece of data claimed true by an entity.
The authentication involves verifying the validity of at least
one form of identity parties.
B. Non-Repudiation
Non-repudiation is one of security property to prevent the
denial that originator creates the message because each steps
of message is encrypted with private key of a sender.
C. Integrity
Protocol has the property of being honest and having
strong moral principles and uprightness by using the one-way
hashing function in the message.
D. Confidentiality
We have confidentiality, which is used to make sure that
Fig. 2. The script of SPDL.
nobody in between parties is able to read what information is
sent to parties. Moreover, the encryption message with public
key of a sender has confidentiality property of a message.
E. Replay Attack
The attacker trying to send old message to obtain
important information. The proposed protocol can prevent
replay attack because our protocol uses timestamp and nonce,
which does not reuse.

499
2018 15th International Conference on Electrical Engineering/Electronics, Computer, Telecommunications and Information Technology
F. Brute force Attack
Our protocol design uses timestamp and random number in
the message to protect a brute-force attack that attacker is
trying many passwords or passphrases with the hope of
eventually guessing correctly.
VI. CONCLUSIONS
This paper has presented a Nation Digital ID on
Blockchain (NIDBC), which is a new type of NIDBC of
identity and authentication management. Each procedure of
the proposal has been described in details. In addition, one
practical example showing how the proposed NIDBC works
as an identity and authentication management infrastructure
for national health insurance service of the National Health
Security Office (NHSO) has been presented.
As discussed, the proposed NIDBC has a room for
improvement. The first thing to consider is to develop a
scheme to detect or prevent misuse of the provided user
information at the service provider. It can be implemented as a
cloud platform that service provider can only access to
services that are permitted. We have successfully analyzed the
protocol correctness using the Scyther tool.
500
REFERENCES
[1] Yli-Huumo, J., Ko, D., Choi, S., Park, S., & Smolander, K. “Where is
current research on blockchain technology? A systematic review”. In:
PLoS One, 11(10), e0163477. 2016
[2] Ølnes, S. “Beyond Bitcoin enabling smart government using blockchain
technology.” In H. J. Scholl, (Vol. Ed.), Proceedings of the International
Conference on Electronic Government, EGOV2016. Vol. 9820.
Proceedings of the International Conference on Electronic Government,
EGOV2016 (pp. 253–264). Springer LNCS.
[3] Nakamoto, Satoshi. “Bitcoin: A peer-to-peer electronic cash system.”
2008
[4] Crosby, Michael et al. “Blockchain technology: Beyond bitcoin.”
Applied Innovation 2, pp. 6–10. 2016
[5] Tapscott, Don and Tapscott, Alex. “Blockchain Revolution: How the
Technology Behind Bitcoin Is Changing Money, Business, and the
World.” Penguin, 2016.
[6] B. Lee and J.-H. Lee, “Blockchain-based secure firmware update for
embedded devices in an Internet of Things environment,” Journal of
Supercomputing, vol. 73, no. 3, pp. 1152–1167, March 2017.
[7] Yu-Pin Lin et al. “Blockchain: The Evolutionary Next Step for
ICT E-Agriculture” Environments 2017, 4, 50;
doi:10.3390/environments4030050,
www.mdpi.com/journal/environments
[8] O’Donnell, Michael "Identifcation Protocols in Cryptography," Te ITB
Journal: Vol. 3: Iss. 1, Article 3.
doi:10.21427/D7WW54, 2002
[9] Thomas Hardjono, Ned Smith, Alex (Sandy) Pentland “Anonymous
Identities for Permissioned Blockchains,” MIT Internet Trust
Consortium Massachusetts Institute of Technology, DRAFT v05 –
1/20/2016
[10] C.J. Cremers, "The scyther tool: Verification, falsification, and analysis
of security protocols," In International Conference on Computer Aided
Verification, Springer, Berlin, Heidelberg, pp. 414-418, 2008.