We make it simple to build applications with all the capabilities enabled by W3C-compliant and widely interoperable self-sovereign data management. These include:

  • Privacy-preserving auditing
  • Robust access control and authentication capabilities
  • Granular privacy and enterprise-grade security
  • Next generation verifiability of business transactions and legal identities

The name Spherity is a composite of "Sphere" and "Identity"

  1. The ability to bridge the digital, the physical and the biological spheres
  2. The ability to create secure and interoperable digital identities

Blockchain-based and other decentralized technologies offer reliable interoperability, trusted transactions, proof of authenticity, and full audit trailing. Even though blockchains and DLTs are state of the art in most of today's decentralization efforts in enterprise IT, Spherity relies on the principle of "Minimal Use of Blockchain," taking a cautious approach to privacy and immutable records. We are using blockchain more as an infrastructure component.

To be more concrete, Spherity's infrastructural usage of distributed ledger technology (DLT) such as Ethereum or Hyperlegder Indy / Sovrin consists primarily of the following features:

  • Storing Decentralized Identifiers (DID) documents containing key rotation information, signing keys, and service end-points for public identities (i.e., issuers of verifiable credentials)
  • Registries (e.g. Enterprise or Asset Register, Revocation Registry)
  • Timestamping
  • Semantic templates, schemes (can also be stored off-chain locally or publically via IPFS or schema.org)

Off Chain:

  • We tend to keep Electronic signatures or Verifiable Credentials (VCs) off-chain, all things being equal, although every use case is unique. In combination with DIDs and VCs, we establish cryptographically verifiable audit trails via identity subjects, processes or events, using whichever combination of on-chain data, off-chain storage, private DLTs, and security logging are appropriate to the use-case.
  • We mostly use W3C off-chain credentials to implement audit trails to comply with regulatory requirements.
  • In some use cases, it can make sense to have a VC on-chain, provided that smart contracts are to process them automatically. With today's production-grade decentralized ledger technology (DLT), this almost always leads to problems with privacy requirements.

[ Further Reading ]

Digital Twins

A digital twin represents the combination of a unique identifier of any real world entity with its assigned data: To create a reliable, real-time digital representation. A unique identifier (DID) is a code as unique as your fingerprint. The DID can be anchored with a physical uncloneable function (PUF) of the real world entity. The DID makes an object uniquely identifiable. An entity might be a machine, a product, a software or even a living organism like humans.

[ Further Reading ]

Think of a Digital Twin as a bridge between the physical, biological and digital spheres. Data associated with a physical entity (e.g. real-time status, working condition or GPS position) is linked to a unique identity and immutable stored in a decentralized system. The data can then be used in many ways; for example, for predictive maintenance, track and trace or to enable pay-per-use models.

[ Further Reading ]

Digital twins have endless advantages. We use digital twins mainly to

  • Bring end-to-end visibility across supply chains
  • Prevent counterfeiting of products
  • Enable peer-to-peer transactions
  • Create a unique channel to the end customer

[ Further Reading ]

Key Management

Spherity's Cloud Identity Wallet supports the following key management systems (KMS):

  1. Software (limited security)
  2. Secure Element / Trusted Enclave / Mini Hardware Security Module (HSM) / Key Chain
  3. Enterprise Trust Center / Hardware Security Module (HSM)
  4. Cloud HSM
  5. Multi-Party Computation (MPC) – With MPC, the "whole key" never exists, only multiple fragments which must be combined to be used.

[ Further Reading ]

With Secure Element / Trusted Enclave / Mini Hardware Security Module (HSM) / Key Chain, Enterprise Trust Center / Hardware Security Module (HSM) and Cloud HSM the key does not usually leave the hardware (although keys derived from a master key can leave the hardware depending on the requirements). A user or system must authenticate to the Key Managements System by Multi-Factor Authentication (MFA) or Privileged Access Management (PAM). Then, a signing or encryption transaction can be initiated in which the private key is used on the device.

When it comes to enterprise and system identity (e.g. domain controller), the Enterprise Trust Center system is state of the art. Some companies are already using cloud HSM solutions with suitable security architectures that can achieve comparable security without hosting hardware HSM in their own trust zone.

With suitable key event rotation logs (or DID documents), Key Managements System solutions at the edge and in the cloud / trust zone can be combined depending on the use case.

When it comes to human identity, Key Managements System solutions at the edge or Multi-Factor Authentication solutions can be used to authenticate and e.g. trigger an enterprise signing transaction according to an authorization. Alternatively, a natural person can use a signing key to sign on behalf of the company.

MPC is used to implement "threshold" or "M of N" signatures. Often used to refer to a whole family of cryptographic innovations, the term MPC can also be understood as the mature and production-ready core of modern multi-sig wallets. MPC is purely software, used to perform signing and encryption operations from fragments of a given key, shredded at rest and combined securely in compute. This allows "quorum" business logic for the segregation of duties. If a smart phone is used as an MPC client, it can be a very effective way to include individuals and their biometrically-secured end devices. We have integrated MPC for our Cloud Identity Wallet.

[ Further Reading ]

We use edge wallets backed by on-device biometrics to authenticate individuals as needed. The Cloud Identity Wallet can be accessed through a web interface, or through our lightweight mobile apps.

Where multiple authorizations or "signatures" are needed to produce credentials or authorize transactions via credentials, we utilize advanced MPC cryptography managed at the enterprise-wallet level.

The only thing stored on the device (Spherity Edge Wallet) is biometric information, which is stored in a "secure enclave" to insure the phone is being used by the enrolled/intended individual in each session. All key material and verifiable credentials are still stored custodially in the Cloud Identity Wallet.

If a phone is lost or damaged, the "enrolment" process binding a cloud identity to the on-device biometrics can simple be repeated; this binding and re-binding process traditionally requires the approval of an internal authority (i.e., an HR department), but this is configurable by the client, as can the degree of auditing of such processes.