We use the ethereum blockchain to solve the man-in-the-middle problem.
If data is encrypted using the public key, then ONLY the private key can be used to decrypt it.
If data is encrypted (signed) using the private key, then anyone with the public key can decrypt (verify) it. (Note that since everybody has the public key, this isn’t used to keep secrets, but rather to prove that the entity with the private key is actually the one who sent you this data.)
So sending your credit card information can be safe if you encrypt that information using the public key of the online store.
But wait ! How do you get the public key of the online store in the first place?
And this is where the man-in-the-middle attack comes into play. Here’s how it would work:
If data is encrypted (signed) using the private key, then anyone with the public key can decrypt (verify) it. (Note that since everybody has the public key, this isn’t used to keep secrets, but rather to prove that the entity with the private key is actually the one who sent you this data.)
So sending your credit card information can be safe if you encrypt that information using the public key of the online store.
But wait ! How do you get the public key of the online store in the first place?
And this is where the man-in-the-middle attack comes into play. Here’s how it would work:
The Man-in-the-Middle Attack
Public Key Infrastructure
Of course, there’s a solution for this. And it’s already on your computer.
Public key infrastructure has been around for decades now, and works to keep your credit card information safe on the Internet. Here’s a brief overview of how it protects you everyday.
Problem solved ! With a caveat…
The caveat is that companies have to pay the CA to host their public keys. And this can be expensive. Hundreds or thousands of dollars. Which is OK for large online companies, but not OK for regular people.
Public key infrastructure has been around for decades now, and works to keep your credit card information safe on the Internet. Here’s a brief overview of how it protects you everyday.
- Your computer came pre-installed with the public keys for various Certificate Authorities (CA).
- You can ask a CA for the public key of OnlineStore.com.
- They will send it to you, and sign it using their private key.
- Since you already have the public key for the CA, you can verify that the CA sent it to you, and not an evil MITM.
Problem solved ! With a caveat…
The caveat is that companies have to pay the CA to host their public keys. And this can be expensive. Hundreds or thousands of dollars. Which is OK for large online companies, but not OK for regular people.
Blockchain to the Rescue
Bitcoin invented blockchain technology in 2009. And ever since then it has become a rapidly growing field in computer science. More recently Ethereum applied the idea of blockchains to computer code.
Ethereum is a decentralized platform that runs smart contracts: applications that run exactly as programmed without any possibility of downtime, censorship, fraud or third party interference.
In other words, it's now possible to write a small computer program, and deploy that code to a network of thousands of computers. All the computers on the network have agreed to a protocol which states that the code cannot be modified in any way. If any computer attempts to modify the code, or execute the program in a way that differs from the code, those changes will be rejected by the network.
This is a paradigm shift in computing. In the past, trusted third parties were required to solve many tricky issues. Today, many of those tasks can be replaced by a distributed blockchain.
This is a paradigm shift in computing. In the past, trusted third parties were required to solve many tricky issues. Today, many of those tasks can be replaced by a distributed blockchain.
Our Smart Contract Helps Protect You
When you create your Storm4 account, the application (running on your machine) automatically creates a public/private key pair. The public key is automatically uploaded to our server. And we make it easy for other users to search for you (using the social identities you’ve added to your account), and easy for them to download your public key.
But now we’re back to the Man-in-the-Middle problem again.
If Alice is trying to download Bob’s public key, how can she be sure that it’s actually Bob’s public key ? For example, how can she be sure a hacker didn’t get into our servers, and replace Bob’s public key with a FAKE key ?
To solve this problem we wrote and deployed a smart contract (read: small program on ethereum network) that can be used to independently verify the public key of a user. Here's how it works:
But now we’re back to the Man-in-the-Middle problem again.
If Alice is trying to download Bob’s public key, how can she be sure that it’s actually Bob’s public key ? For example, how can she be sure a hacker didn’t get into our servers, and replace Bob’s public key with a FAKE key ?
To solve this problem we wrote and deployed a smart contract (read: small program on ethereum network) that can be used to independently verify the public key of a user. Here's how it works:
This means the public keys of users in our system are immutable, verifiable, auditable & tamper-proof.
Our smart contract is open source, and can be audited by anyone. Blockchain tech is just another way that Storm4 works to protect your privacy and your intellectual property.
Our smart contract is open source, and can be audited by anyone. Blockchain tech is just another way that Storm4 works to protect your privacy and your intellectual property.