"Make money move like email" is our source of inspiration. All the technological and technical decisions were made around these words. We placed the best of our expertise in privacy, Internet security and blockchain technology to enrich the PayID protocol with strong privacy and security features.
What it does
PayID replaces all hard to remember cryptocurrency addresses and IBAN with a human-readable identifier for all payments. Therefore, a user could share his/her payment information using his/her PayID identifier. So, anyone can get the payment information of that user if he/she manages to retrieve or guess the corresponding PayID. Even worse, malicious actors may conduct a brute-force attack to extract all the payment information of the registered PayIDs. In simpler words, we see privacy issues on the current implementation of the PayID protocol.
How I built it
In the context of the Hackathon, we managed to integrate the Access Control List (ACL) feature. But when we talk about ACL, we need a trusted user identity system. But what if we can use the PayID to identify the user? SOUNDS GOOD! However, to reach this goal, PayID needs some support to perform cryptographic operations. The Decentralized Identity (DiD) that makes it possible to create a bond between a PayID and DID in the form of digital credentials. So each time a user accesses the PayID server, he/she needs to present his/her PayID in the request, for example, I am alice$example.net and I need the payment information of bob$exmaple.net. The server will first look for the stored proof of credentials to see if Alice has a proof presented before. If so, the server will call the ACL to see if Bob has already authorized Alice to get his payment information. In the last step, the server gets Bob's payment information from his database, extracts the DID form Alice's proof and encrypts Bob's data with Alice's DID. On Alice's side, she will be able to decrypt the message to reach Bob's payment data.
Challenges I ran into
In the last two weeks the team worked as a Beehive. We have studied carefully the PayID server implementation to be able to make the integration with very minimum modification to the base code, and WE DID IT! Also, we put a lot of energy and resources to digest the DID technology and find the ideal solution to integrate it with the PayID, keeping the source of inspiration valid. Above all, we learned a lot of bug tracking, dockorization and how to be and work as a team.
Accomplishments that I'm proud of
We are proud that we managed to integrate the ACL and DID in the PayID server successfully in two weeks, starting with zero knowledge about the implementation of PayID protocol and DID technology. We ended up with a huge experience that we will use in our next projects.
What I learned
How to start from zero knowledge and keep ourselves motivated. In these two weeks, we proved to ourselves that we can learn the "know-how" of any technology with patience and hard work.
What's next for PayIDSecure: Privacy Preserving PayID Server
As researchers, we plan to write academic papers about our findings and our contribution. Also, we need to optimize our integration to open the source of code to the community.
Our Github it private, we have added the "email@example.com" as collaborator. All testing instructions have been given in the root README File