Verify Indy Credential from within Fabric Chaincode - hyperledger-fabric

I'm trying to combine the core strengths of the two Hyperledger projects, Indy / Aries and Fabric.
In the scenario we have an Indy network for SSI and a Fabric network managing a token. The Fabric token accounts should be tied to the Indy identities. Furthermore, an identity is only allowed to move tokens when it can prove to be an active member of the golf club.
This means, the Fabric endorsers need a way to see the identity's DID and to verify the golf club credential.
Question: Is there a best practice architecture to achieve that?
My current approach is to let the user send a <Proof Proposal>,<Receiver>,<Qty> message via her Aries agent to a server connected with the Fabric network. The server then sends a transaction including this data to all endorsers via the fabric-sdk. Now, the chaincode gets executed at each organisation. The chaincode tells its Aries agent to verify this Proof Proposal, which leads to a huge amount of connection invitations and proof requests against the user's agent. Once the verification is successful, the chaincode continues execution and changes the state.
I see several (potential) problems:
The user must accept many connection invitations manually (if there's no hardcoded auto-accept whitelist)
Even if you could avoid the connection attempts (maybe w/ ephemeral challenges? Documentation for that?), there would still be massive parallel traffic, due to the presentation protocol, incoming from a decently large Fabric network.
Here's a visualisation:
Am I missing something? Do you have any hints / experiences about how this can be accomplished?
Kind regards

Related

Assessment of a production network in Hyperledger Fabric

I have some questions regarding the deployment of a HLF use case. Suppose we build a platform in which users sell items. The users and their items are stored on the ledger via chaincode. The purpose is to also enforce access control on the items via the chaincode, so that another user for example cannot see a specific item. Then the 2 options regarding the whole identity management are:
The users do not have certificates in Fabric, and all transactions made by the users are forwarded to a single registered Client who interacts with the chaincode. Therefore, the transaction context will always have this client's ID. So from my point of view the username should be always passed to each transaction and implement access control using this username, though a registered Client has full authority over their data.
Every user is registered and enrolled and has their own identity. Every user makes a transaction directly on the blockchain via the chaincode, and access control can be implemented easily by using the stub.ID() and other attributes. That would mean that >100k users would be registered on a CA or multiple CAs.
The questions are:
Is HLF intended and suitable for the 2nd option, or is it made solely for the purpose of interaction between clients of organizations?
Is there a best way to handle this matter?
A ledger stores facts about the history of transactions that led to the current state of an object. The history also stores the users responsible for the current state of the object. If the state of an object is being changed, the admin/authorized user of an organization must be able to see who performed that change.
In the first approach, if you want to see the details of the user doing the "transaction", you'll have to store it somewhere different from the blockchain. While that can be a use-case of your project, it defeats the purpose of storing all facts about the history of a transaction of an object as every time the same user would be doing the transaction.
The second approach fulfills all the motives of incorporating blockchain in a project. Sure, you'll have to register and enroll every user who's creating/modifying an asset but then Access Control Management can be done in a better way. Please read about ACL to know about the granular access you can achieve in Hyperledger Fabric.
You can also encode some information about a user in its x509 certificate with ASN.1.
The second option is preferred, and the Hyperledger Fabric CA could handle the number of user registrations. Attribute access control is also available, which you can use at the chaincode level to control user access.
https://www.youtube.com/watch?v=CAXRMJ-quhg
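The per-user access check the answers above describe, as an added example (not code from the original answers): it reads the caller's enrolled identity and a certificate attribute through the `clientIdentity` object that Node.js chaincode exposes on the transaction context. The `role` attribute, the item fields, the `ledger` map and the stub identity used to run it outside a peer are assumptions.

```javascript
// Decide whether the caller may read an item, using only facts taken from the
// caller's enrolment certificate. In Node.js chaincode `clientIdentity` is
// ctx.clientIdentity; the "role" attribute and item fields are assumptions.
function canReadItem(clientIdentity, item) {
    const callerId = clientIdentity.getID();      // "x509::<subject>::<issuer>"
    // The owner always sees their own item.
    if (item.owner === callerId) {
        return true;
    }
    // An auditor enrolled by the owning organisation sees it too. The CA
    // embeds the attribute in the certificate, so the caller cannot forge it.
    if (item.ownerMsp === clientIdentity.getMSPID() &&
        clientIdentity.assertAttributeValue('role', 'auditor')) {
        return true;
    }
    // Otherwise only identities the owner listed explicitly.
    return Array.isArray(item.readers) && item.readers.includes(callerId);
}

// Read path as a contract method would call it, with `ledger` standing in for
// world state. "Missing" and "forbidden" produce the same error so a caller
// cannot probe which keys exist.
function readItem(clientIdentity, ledger, key) {
    const item = ledger.get(key);
    if (!item || !canReadItem(clientIdentity, item)) {
        throw new Error(`item ${key} not found or access denied`);
    }
    return item;
}

// Constructed stand-in for ctx.clientIdentity so the check runs outside a peer.
function stubIdentity(cn, mspId, attrs = {}) {
    return {
        getID: () => `x509::/CN=${cn}::/CN=ca.${mspId}`,
        getMSPID: () => mspId,
        assertAttributeValue: (name, value) => attrs[name] === value,
    };
}

// Constructed sample data.
const alice = stubIdentity('alice', 'SellersMSP');
const bob = stubIdentity('bob', 'SellersMSP');
const auditor = stubIdentity('carol', 'SellersMSP', { role: 'auditor' });
const ledger = new Map([
    ['item1', { owner: alice.getID(), ownerMsp: 'SellersMSP', readers: [] }],
]);

console.log(readItem(alice, ledger, 'item1').ownerMsp);
```

With a single shared client identity (the first option in the question) `getID()` returns the same value for every end user, so a check like this has nothing trustworthy to compare against.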

Hyperledger Fabric design

I am new to the area of DLTs or "blockchain" and I am trying to create an application on top of Hyperledger Fabric. Before I describe my use case, I need to mention that due to my use case's nature I need a private & permissioned "blockchain" which justifies the choice of Fabric (I am aware of other platforms e.g. Corda, private Ethereum, but Fabric seems to match my use case better).
Use Case
My use case consists of two different types of participants. A number of organizations (which upload and share information about individuals on the distributed ledger) and a client who can query information about an individual.
The client should not be able to see the transactions uploaded by the organizations and will not have write rights on the DL. He has read-only rights. Moreover, the organizations trust each other and there is also a level of trust between them and the client.
Design thoughts
Based on what I've read, I was thinking of creating a DL network that includes all of these parties and use channels which, based on the documentation, can be used to create a grouping among a number of participants (the organizations in my case) thus "hiding" the transactions from the parties which are not included in this group (the client in my case).
However, later I read about chaincode (a.k.a. smart contracts) which:
"can be invoked by an application external to the blockchain when that application needs to interact with the ledger"
which confused me since if the "blockchain" can be queried from an external entity, that probably means that the client should not be included in the trusted network.
Am I headed in the wrong direction (design-wise)?
Based on your description, Hyperledger Fabric channels sound like a good solution. You should also familiarise yourself with private data collections, as this is another way of hiding some of the data from some peers. Which option is best for your scenario will depend on how your datasets are structured, and whether you also need to keep the data private from the orderer.
Clients are not part of the network. They query the blockchain by connecting to a peer and then requesting data from that peer. They can then only access the data visible to that peer (which is stored locally by that peer). So, it is not possible for a client to access more data than is available to the peer the client is connected to.
In your example, you would have a "client" organisation, with at least one peer. This peer would be part of the network, and your client application would then connect to it for access to data on the ledger (typically using the Hyperledger Fabric Node SDK).
There are two types of chaincode in Hyperledger Fabric.
User Chaincode (often just referred to as "chaincode") is used to update the ledger for a channel, and is only installed on those peers which require it (i.e. endorsing peers). Since your "client" peer would not be an endorsing peer, it would not have access to the user chaincode for the channel.
System Chaincode which all peers have access to, provides (among other things) an interface to allow queries to be run against the ledger.

How to guarantee the safety of couchDB in a Hyperledger fabric network?

A malicious actor/database administrator is able to manipulate data within CouchDB of all the peers within the network.
How can we guarantee the safety of the couch DB [other than below techniques] and how can this kind of scenario be prevented?
Provide appropriate permissions to couchDb
Provide appropriate endorsement policy
Also, CouchDB allows deleting the document. On querying the said peer, the peer returns null. How can this be prevented?
When a particular record is changed equally in all peers, Hyperledger fabric is unable to detect the attack. How can this be prevented?
Each peer has its own instance of couchDB to track the world state, and each one of those couchDB instances has their own credentials. In the peer's core.yaml configuration, specifically ledger.state.couchDBConfig, there are options for username and password. These set the admin credentials for peer <=> couchDB interactions. These usernames and passwords should be unique for each peer. That way, a malicious actor would need all of these credentials in order to corrupt the world state of all peers within the network.
Fabric offers protections within the framework of transaction flow for malicious peers via the configurable endorsement policies, as you note. They do not offer protection against someone gaining access to your server and retrieving/modifying credentials.
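One way to check the "unique credentials per peer" advice above across a deployment, as an added example that is not part of the original answer: it reads each peer's settings in their environment-variable form (`CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME` / `..._PASSWORD`, which override the `ledger.state.couchDBConfig` keys in core.yaml) and reports peers with missing credentials or a password already used by another peer. Peer names and values are constructed.

```javascript
const USER = 'CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME';
const PASS = 'CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD';

// Turn ["KEY=value", ...] (the form used in a container environment list)
// into an object. Only the first "=" splits, so passwords may contain "=".
function parseEnv(lines) {
    const env = {};
    for (const line of lines) {
        const i = line.indexOf('=');
        if (i > 0) env[line.slice(0, i).trim()] = line.slice(i + 1);
    }
    return env;
}

// peers: { peerName: ["KEY=value", ...] }.
// Returns findings that name peers only and never echo a secret.
function auditCouchCredentials(peers) {
    const findings = [];
    const firstPeerWithPassword = new Map();
    for (const [peer, lines] of Object.entries(peers)) {
        const env = parseEnv(lines);
        const user = env[USER] || '';
        const pass = env[PASS] || '';
        if (!user || !pass) {
            findings.push({ peer, issue: 'missing-credentials' });
            continue;
        }
        if (firstPeerWithPassword.has(pass)) {
            // One stolen password would open this peer's state database too.
            findings.push({
                peer,
                issue: 'shared-credentials',
                sharedWith: firstPeerWithPassword.get(pass),
            });
        } else {
            firstPeerWithPassword.set(pass, peer);
        }
    }
    return findings;
}

// Constructed sample input: two peers reuse one password, one peer has none.
const samplePeers = {
    'peer0.org1': [`${USER}=admin`, `${PASS}=adminpw`],
    'peer0.org2': [`${USER}=admin`, `${PASS}=adminpw`],
    'peer0.org3': [`${USER}=org3-couch`, `${PASS}=kR7=example-only`],
    'peer1.org3': [`${USER}=org3-couch`],
};

console.log(auditCouchCredentials(samplePeers));
```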

what is application signature in hyperledger fabric and how to set it?

What is the application's own signature in this context, and how can someone using the Hyperledger Fabric Node SDK set the application's signature?
The application that you are talking about is simply a client app which talks to the ledger. The issue here is not the client app, the issue here is that you need a proper endorsement policy which establishes how anything goes onto the ledger.
Imagine this scenario ...
You have 2 orgs, Org1 and Org2, both owning one peer, P1 belongs to Org1, P2 belongs to Org2 and both peers joined on a channel, let's call it defaultchannel.
You deploy and instantiate your chaincode and set a basic endorsement policy which is 1-Of.
Each org has a client application, running against their own peer. When Org1 submits a transaction to the ledger, its validity is endorsed by itself, but not by the second org, because your policy requires only one to accomplish this. Basically in any network where you have more than one org, you really want a proper endorsement policy. 2-Of would work in the case of our example as any transaction would need to be validated by both orgs and that gives the ledger much better integrity.
Bottom line, your fabric network needs to be properly built and protected, especially in a production environment and this allows it to be protected by any client apps which have rights to interact with it. Your network being protected means that it doesn't matter how a client app is built and what it tries to do, it won't be able to bypass mechanisms such as the endorsement mechanisms.
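The 1-Of versus 2-Of difference in the scenario above, as an added example (not part of the original answer and not Fabric's own policy engine): a small evaluator for policy expressions written in the `AND` / `OR` / `OutOf` form, applied to the set of organisations that endorsed a transaction. The MSP names `Org1MSP` and `Org2MSP` are assumed from the answer's Org1 and Org2, and the evaluator counts endorsing organisations rather than individual signatures or roles.

```javascript
// Parse a policy such as OutOf(2, 'Org1MSP.peer', 'Org2MSP.peer') into a tree.
// AND(...) is treated as "all of", OR(...) as "one of".
function parsePolicy(expr) {
    const tokens = expr.match(/[A-Za-z]+|\d+|'[^']*'|[(),]/g) || [];
    if (tokens.join('') !== expr.replace(/\s+/g, '')) {
        throw new Error('unexpected character in policy');
    }
    let pos = 0;
    const expect = (t) => {
        if (tokens[pos++] !== t) throw new Error(`expected "${t}"`);
    };
    function node() {
        const tok = tokens[pos++];
        if (!tok) throw new Error('policy ended early');
        if (tok.startsWith("'")) {                       // principal: 'MSP.role'
            return { msp: tok.slice(1, -1).split('.')[0] };
        }
        const op = tok.toUpperCase();
        if (!['AND', 'OR', 'OUTOF'].includes(op)) throw new Error(`unknown operator ${tok}`);
        expect('(');
        let n = 1;                                       // threshold for OR
        if (op === 'OUTOF') {
            n = Number(tokens[pos++]);
            expect(',');
        }
        const children = [node()];
        while (tokens[pos] === ',') {
            pos++;
            children.push(node());
        }
        expect(')');
        if (op === 'AND') n = children.length;
        if (!Number.isInteger(n) || n < 1 || n > children.length) {
            throw new Error('threshold out of range');
        }
        return { n, children };
    }
    const root = node();
    if (pos !== tokens.length) throw new Error('trailing tokens');
    return root;
}

// Simplification: counts endorsing organisations, not signatures or roles.
function satisfied(policy, msps) {
    if (!policy.children) return msps.has(policy.msp);
    return policy.children.filter((c) => satisfied(c, msps)).length >= policy.n;
}

function isEndorsed(policyExpr, endorsingMsps) {
    return satisfied(parsePolicy(policyExpr), new Set(endorsingMsps));
}
```

Calling `isEndorsed` with only `Org1MSP` as endorser shows the answer's point: the 1-Of policy accepts a transaction that Org1 endorsed by itself, while the 2-Of policy rejects it until Org2 has endorsed as well.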

How would Hyperledger Composer work?

I am new to composer, and now practicing some of the tutorials and examples. But while doing this I can not understand some of the features, so here are the questions which I do not clearly understand:
Are queries restricted by .acl file (when, for example, we use them in rest server)?
Do the rules written in the .acl restrict some of the transactions which are allowed for certain participant to submit? (For example, for participantA it is not allowed to CREATE new participants, but what happens if participantA submits the transaction (which is allowed for him to submit) which creates another participant, will this transaction fail?)
Could cards be created by rest api server? (I know that participants could be created using JS api, but is it possible to create and issue the identity for those participants through RestServerApi?)
What happens when PeerAdmin upgrades a certain node to a new version? How do other nodes act in this case? Do they upgrade themselves automatically? (Also found that the upgrade takes a lot of time (2-4 minutes) when deployed locally, whereas in browser for local connection it takes 3-4 seconds)
Does Hyperledger Fabric allow some of the ledger data to be stored in one private network, whereas other networks connected to the private one would not store this part of the ledger (or the data will be simply encrypted)? The same question regarding the transactions: will they be executed on outer networks?
Yes Composer Queries (and therein, results) are subject to ACL restrictions or filters.
It will still fail due to ACL rule restriction. Once denied to create, always denied as that is the final operation (in this scenario). The actual transaction would fail.
Yes of course use POST /system/identities/issue REST endpoint (eg http://localhost:3001/api/system/identities/issue) - see an example here -> https://medium.com/#CazChurchUk/developing-multi-user-application-using-the-hyperledger-composer-rest-server-b3b88e857ccc
An administrator with PeerAdmin capability has responsibility to install new version on his peers (in his Org). The other Org peer Admins are responsible for theirs, that's how a blockchain consortium with different Orgs will work. They will agree the 'what' and when but will need to install the new version on own Org's peers, so the new version can be started on the same channel. Of course, there will be a difference between a Fabric infrastructure response time, and that of a web connection using local storage.
Channels in Fabric implement privacy. You can have one or more business networks on that channel (ledger), therefore transactions in that business network are private to that ledger. It is the client's responsibility to encrypt data or not. Hyperledger Composer can allow calling one business network from another, on the same channel, or if permitted to do so, on different channels too - see https://hyperledger.github.io/composer/latest/tutorials/invoke-composer-network
