July 28, 2022

Securing Data in a Trustless Network


Security is a critical component of any software, but solutions are often overlooked or underdeveloped before going to market. The advent of Web3 both introduces new security challenges and demands stronger security guarantees. As such, traditional security solutions must be reimagined for trustless networks. Space and Time is revolutionizing data warehousing with next-generation technology secured by decentralized authentication and authorization.


Proving the validity of a user’s identity is an essential first step in securing any application. Historically, authentication has most commonly relied on user credentials—a username and password pair. Though simple and elegant, this prototypical solution is predicated on trust and centralization, rendering it antithetical to the very core of Web3 and making space for malicious actors. When user secrets are stored on the network, a network participant can easily inspect, alter, or even deny access to legitimate credentials. 

Web2 is resolving some of the key deficiencies of the classic authentication solution, with password authentication becoming increasingly obsolete in favor of MFA, biometrics and other passwordless solutions. But these alternatives, while more secure, do not honor the decentralization and trustlessness necessary in Web3.

For a network to operate securely without trust or centralization, authentication can be implemented through digital signatures: mathematical schemes that verify the authenticity of a user’s identity. These signatures are based on public key cryptography, an asymmetric cryptographic solution that eliminates the need for the user and the network to share secret information. In this system, a user generates a pair of keys, one private and one public: the private key is kept secret by its owner, and the public key can be distributed freely without compromising security.

Digital signature-based authentication requires that a network request provide two parameters: a body and a signature. The body of the request can be thought of as the “message” (e.g. “John requests the DB to return the top 10 rows of some table”), and the signature as the “proof” (e.g. “sent from John”). The sender generates a signature by encrypting the request body with their private key. The receiver validates the request by decrypting the signature with the sender’s public key. If the decrypted signature and request body match, the receiver can be sure that the message was created by a known sender and not altered in transit. This allows for information to be shared across the network without depending on a central authority to verify its integrity and authenticity. 
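The exchange described above, as an added Go example (not Space and Time's code) showing both sides and the three ways a request fails. Ed25519, the names `Request`, `KeyRegistry`, `NewUser`, `Sign` and `Authenticate`, and the sample query are assumptions; with Ed25519, signing and verifying are dedicated operations over the body rather than literal encryption and decryption.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Request carries the two parameters described above: a body and a signature.
type Request struct {
	Sender    string
	Body      []byte
	Signature []byte
}

// KeyRegistry is all the receiver stores: public keys, never user secrets.
type KeyRegistry map[string]ed25519.PublicKey

// NewUser generates a key pair on the user's side (hypothetical helper).
func NewUser() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	return pub, priv
}

// Sign is the sender side; the private key never leaves the user.
func Sign(sender string, priv ed25519.PrivateKey, body string) Request {
	return Request{sender, []byte(body), ed25519.Sign(priv, []byte(body))}
}

// Authenticate is the receiver side: look up the claimed sender, verify the body.
func (k KeyRegistry) Authenticate(req Request) error {
	pub, ok := k[req.Sender]
	if !ok {
		return errors.New("unknown sender")
	}
	if !ed25519.Verify(pub, req.Body, req.Signature) {
		return errors.New("signature does not match body and sender key")
	}
	return nil
}

func main() {
	pub, priv := NewUser() // constructed user "john"
	known := KeyRegistry{"john": pub}
	req := Sign("john", priv, "SELECT * FROM some_table LIMIT 10")
	fmt.Println("genuine:", known.Authenticate(req))
	req.Body = []byte("SELECT * FROM some_table")
	fmt.Println("altered:", known.Authenticate(req))
}
```

A valid signature proves the origin and integrity of the body, not its freshness: a captured request verifies again unless the signed body also carries a nonce or timestamp that the receiver checks.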


Once a user is authenticated, the network must verify that they are allowed to perform a requested operation. Most simply, authorization can be achieved using access control lists (ACLs): a set of parameters stored in a bit-string that specifies which users are granted access to a particular system resource. Though ACLs work seamlessly in a Web2 environment, they cannot be stored in a trustless network, and are therefore incompatible with the fundamental principles of a Web3 solution.

Authorization in a trustless environment can be supported by a capability-based token scheme, wherein a user presents a token that grants authority on a given resource. In the case of Space and Time, authorization depends on Biscuit, an authorization token similar to JWT. Some key features of a biscuit token include:

  • Decentralized verification - Biscuit tokens are based on public key cryptography
  • Offline attenuation - New, more restrictive tokens can be generated from existing tokens without involving a third party
  • Policy language - Authorization policies are written in Datalog (a logic language), enabling concise modeling of complex relationships
  • Easy revocation - Each token comes with a unique revocation identifier, which can be used to reject the token and all attenuated derivations in the event of compromise

As previously detailed, authentication via public key cryptography requires that each user generates a public and private key, distributing the public key and signing requests with the private key. Biscuit authorization relies on the same mechanism. Each resource is associated with a unique public key stored in the network and a unique private key stored by its creator. To access a given resource, the user must provide a biscuit token signed with its associated private key. The token signature is then validated against the associated public key.

Biscuit token authorization gives the end user considerable flexibility. When a new resource is created, its private key can be used to generate a biscuit token with any capability criteria (e.g. read-only access to a table, read-write access scoped to a single user, time-bounded access, etc.). Notably, the network needs to store only one public key per resource to support a near-infinite range of authorization levels.
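How one stored public key can validate a token that its holder restricted offline, as an added Go sketch (not Space and Time's or the Biscuit project's code). It is a simplified model of a chained-signature token, not the Biscuit wire format or its Datalog policies: Ed25519, the plain-string facts, and the names `Block`, `Token`, `Append` and `Authorize` are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

var resourcePub, resourcePriv, _ = ed25519.GenerateKey(nil) // constructed resource key pair

// Block is one required fact plus the public key that must sign the next block.
type Block struct {
	Require string // constructed stand-in for a Datalog check, e.g. "op=read"
	NextPub ed25519.PublicKey
	Sig     []byte
}
type Token struct {
	Blocks []Block
	Proof  ed25519.PrivateKey // private half of the last block's NextPub
}

// Append signs a block: with the resource key to mint, with t.Proof to attenuate.
func Append(t Token, signer ed25519.PrivateKey, require string) Token {
	pub, priv, _ := ed25519.GenerateKey(nil) // fresh key pair for the next link
	sig := ed25519.Sign(signer, append([]byte(require), pub...))
	return Token{append(append([]Block{}, t.Blocks...), Block{require, pub, sig}), priv}
}

// Authorize starts from the stored public key; every block must verify and be satisfied.
func Authorize(key ed25519.PublicKey, t Token, facts map[string]bool) error {
	for _, b := range t.Blocks {
		msg := append([]byte(b.Require), b.NextPub...)
		if len(key) != ed25519.PublicKeySize || !ed25519.Verify(key, msg, b.Sig) {
			return fmt.Errorf("broken signature chain")
		}
		if !facts[b.Require] {
			return fmt.Errorf("request lacks %q", b.Require)
		}
		key = b.NextPub
	}
	if len(t.Proof) != ed25519.PrivateKeySize || !key.Equal(t.Proof.Public()) {
		return fmt.Errorf("holder lacks the key for the last block")
	}
	return nil
}

func main() {
	full := Append(Token{}, resourcePriv, "table=sales")
	readOnly := Append(full, full.Proof, "op=read")
	fmt.Println(Authorize(resourcePub, readOnly, map[string]bool{"table=sales": true, "op=write": true}))
}
```

The final `Proof` check is what stops a holder from deleting the last block to regain wider access: the shortened chain ends in a key whose private half they were never given.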

Security in Space and Time

By employing digital signatures for authentication and biscuit tokens for authorization, Space and Time guarantees a security solution that is fortified, trustless and scalable. As the global software ecosystem advances further into the world of Web3, dApp developers and large-scale enterprises alike are assured secure interaction with cutting-edge decentralized data warehouse technology.