
Engineering safer & more secure solutions for digital identity and access management using Rust

Tech dive • Aug 13, 2020

The merits of Rust for SSI and IAM software

Security is a top priority for network infrastructure, software solutions, and end-user applications that support interactions involving sensitive user data or personal information about real people and organizations.

Decentralized or not, any system which handles, transports, stores, or serves high value (digital) assets — especially solutions for Self-sovereign Identity (SSI) and Identity and Access Management (IAM) — warrants rigorous scrutiny toward any vulnerability or oversight that may infringe on a user’s rights as a data subject.

That’s where Rust really shines: the programming language is distinctive for its comprehensive focus on safety, security, correctness, and efficiency. All of these areas resonate extremely well with the dimensions and properties most important when developing digital identity solutions.

What’s more, the design of the language itself offers crucial advantages for security by effectively addressing a wide range of common, long-standing vulnerabilities affecting code written in other popular languages. To top it off, Rust provides markedly high performance, and opens up possibilities for embedded use cases.

It’s a promising sign, then, to see folks familiar with blockchain and other DLT technologies embracing Rust in their development work. Even at this early stage of adoption, there is a sizeable array of tools and applications written in Rust that could well be used in IAM solutions based on SSI. This toolset nicely complements the core set of design-driven advantages for development mentioned above.

Rust’s security guarantees are proving to be particularly desirable for the implementation of highly secure systems, like those used to manage user identities, access rights, and digital assets. Since SSI infrastructure must be capable of handling complex flows of value, the underlying technical infrastructure must be designed to sustain and secure that value. The distinctive features of Rust are particularly advantageous for these reasons.

Developing for SSI in Rust

As the SSI ecosystem is still maturing, only a limited number of production-ready solutions enjoy active deployment in real use cases, and even fewer are implemented in Rust.

That said, here are a couple of ways we use Rust at Jolocom:

  • Certain core components of our open source library for SSI-based digital identity management are implemented in Rust (available on GitHub). In particular, we migrated all plaintext private-key operations (e.g. signing, decryption) into Rust code in order to minimize risk posed by malicious dependency attacks in JS runtimes, as well as to provide a safe, portable, consistent, and well-understood set of crypto tools with an easy-to-use API.
  • A Rust implementation of the “KERI” Core Library — KERIOX — is well underway. KERI (“Key Event Receipt Infrastructure”) is an event-based Distributed Key Management Infrastructure which provides the same security and verifiability properties for transactions as a blockchain or distributed ledger, without the overhead of requiring an absolute global ordering of transactions. The system is designed to provide a secure identifier-based “trust spanning layer” for any stack. The open source project is under active development in collaboration with DIF — the Decentralized Identity Foundation, where we’ve been a member-organization since early 2018.
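
The key-isolation boundary described in the first bullet above, as an added example (not Jolocom's library code): callers hold an opaque handle, and only the result of a private-key operation crosses the API. `KeyStore`, `KeyHandle`, `SecretKey` and `placeholder_tag` are hypothetical names, and `placeholder_tag` is a non-cryptographic stand-in for the call into a real signature library.

```rust
use std::{collections::HashMap, fmt};

/// Opaque reference handed to the untrusted caller (e.g. JS) instead of key bytes.
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub struct KeyHandle(u64);

/// Key bytes stay inside this type: no Clone, no getter, redacted Debug, wiped on drop.
struct SecretKey([u8; 32]);

impl fmt::Debug for SecretKey {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("SecretKey(<redacted>)")
    }
}

impl Drop for SecretKey {
    fn drop(&mut self) {
        // Volatile writes keep the wipe from being optimised away.
        for b in self.0.iter_mut() {
            unsafe { std::ptr::write_volatile(b, 0) };
        }
    }
}

#[derive(Debug, Default)]
pub struct KeyStore { keys: HashMap<KeyHandle, SecretKey>, next: u64 }

impl KeyStore {
    /// Stores the key behind a fresh handle; callers use only the handle afterwards.
    pub fn import(&mut self, bytes: [u8; 32]) -> KeyHandle {
        self.next += 1;
        self.keys.insert(KeyHandle(self.next), SecretKey(bytes));
        KeyHandle(self.next)
    }
    /// Only the result of the private-key operation crosses the boundary.
    pub fn sign(&self, h: KeyHandle, msg: &[u8]) -> Option<[u8; 8]> {
        self.keys.get(&h).map(|k| placeholder_tag(&k.0, msg))
    }
    /// Dropping the entry wipes the key; the handle is dead from then on.
    pub fn revoke(&mut self, h: KeyHandle) -> bool { self.keys.remove(&h).is_some() }
}

/// STAND-IN, NOT CRYPTOGRAPHY: keyed FNV-1a marking where a real signature call goes.
fn placeholder_tag(key: &[u8; 32], msg: &[u8]) -> [u8; 8] {
    let mut h: u64 = 0xcbf29ce484222325;
    for b in key.iter().chain(msg) { h = (h ^ u64::from(*b)).wrapping_mul(0x100000001b3); }
    h.to_be_bytes()
}

fn main() {
    let mut store = KeyStore::default();
    let h = store.import([0x42; 32]); // constructed sample key
    println!("{:?} {:?} {:?}", h, store, store.sign(h, b"login-challenge"));
}
```

A binding layer for a JS runtime would expose only `import`, `sign` and `revoke`, so a compromised dependency on the JS side can request signatures while the handle is live but cannot read the key itself.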

With such tremendous potential in cross-industry collaboration, we want to help catalyze and coordinate any opportunities for mutual enrichment and growth by building up the common ground shared by Rust and SSI communities.

In fact, we are actively seeking an experienced software engineer with knowledge in Rust — here’s more on the open position in case you or someone you know may be interested in joining the Jolocom team!

As a 12-person, purpose-driven organization stewarding an open source project to create a common infrastructure for digital identity and rehash our society’s relationship to personal data, we at Jolocom definitely place an emphasis on community engagement as a core value. For that reason, we are always looking for ways to contribute back to the people and communities which help make a positive impact on and off the Web.

That is why for this year’s RustConf, Jolocom is supporting the conference as an official sponsor!

We can’t wait to meet more of the community and explore the intersection of Rust and SSI alongside dedicated stakeholders, veterans, and enthusiasts.

Hope to see you on Thursday (Aug. 20) for the virtual conference.

Want to connect, but unable to attend next week? We’re always available to chat on Gitter.

Links & resources

Check out the links below for more info on #RustConf 2020, Rust, and KERI. And for more info about Jolocom and Self-sovereign Identity, please visit our website or reach out via hello(at)jolocom.io.
