
Blockchain Security Concerns and Un-Concerns


Interest in blockchain has skyrocketed, with many believing the technology to be as transformational as the Internet itself. Blockchain’s promise boils down to two related propositions: first, that it can enable vast decentralized populations to collaborate and transact business; second, that it can do so securely.

[Figure: blockchain security concerns and un-concerns]

The internet already delivered on the first part of the promise to enable collaboration and transactions. But for lack of a built-in trust layer that everyone can use, Internet business models have concentrated value in centralized e-commerce systems where breaches abound. By building in strong security features from inception, blockchains promise to provide the missing Internet trust layer. But do they deliver?

Blockchain Security: The Promise

Blockchains are various forms of digital ledgers that record and distribute transactions with strong data integrity, high availability, and cryptographically protected, append-only records. Blockchains can also be used to provide a source of truth, data provenance, transparency, or accountability for the users and business communities that rely on them. In a word: trust.

Different kinds of blockchains exist. Some public blockchains, like Bitcoin’s, are extremely decentralized. So-called enterprise blockchains, such as the R3 Corda, can restrict membership to a smaller set of nodes, such as those operated by banking consortia.

Blockchain Security: A Mixed Reality

The figure at the top of this post summarizes security concerns and un-concerns for blockchains. For the sake of this discussion, let’s assume that most blockchains – public, private, or hybrid – are, if not completely decentralized, at least highly distributed. Reliance on trusted intermediaries and centralized databases is eliminated, or significantly reduced. If blockchains work as designed, some security concerns are reduced or removed.

Blockchain Security Un-Concerns

The first thing security pros need to understand is that although decentralized blockchains can be analyzed within today’s security architecture frameworks, they still change the game. There may be nothing new under the security sun, but the difference between centralized and decentralized systems is on the scale of day and night.

  • Vulnerable Centralized Systems: Conventional Internet commerce relies on centralized databases, authentication systems, and administration teams. This breach infographic chronicles an incredible series of breaches, usually due to “weakest link” attacks on exactly those components. Although blockchain-based ecosystems such as Bitcoin’s aren’t completely decentralized – there are still exchanges, or other points where value concentrates – users are empowered to protect value in wallets they individually control (and they bear the corresponding responsibility for key management). In a blockchain, the protocol rules, enforced independently by every validating node, replace the administrator as the control point: there is no single account, database, or operations team whose compromise exposes everyone’s funds.
  • Transaction Integrity: Blockchains leverage strong cryptography to timestamp and sign transactions and to link blocks of transaction records together, each block committing to the hash of the one before it. Once a transaction is buried under enough subsequent blocks it can’t be altered, removed, or reordered without redoing the work for that block and every block after it, which is infeasible unless the attacker controls a majority of the network (the 51% attack discussed under Concerns below). Neither can audit or provenance information affixed to records be changed. These characteristics of blockchains create new opportunities for transparency and accountability.
  • System Availability: Large public blockchains are almost as available as the Internet itself. They’re extremely resistant to DDoS attacks, or efforts by governments or criminals to shut them down. The caveat is that this property belongs to the network as a whole: individual nodes, wallet services, and exchanges remain ordinary Internet hosts and can be taken offline like any other.
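
A worked illustration of the integrity claim above and of its limit, added here as an example; it is not code from the original post and models no real network. It builds a toy proof-of-work chain in Python (each block hash commits to a Merkle root of its transactions and to the previous block’s hash), shows that editing a confirmed transaction breaks the links and fails validation, and then shows what the Concerns section below calls a 51% attack: a miner who outpaces the rest of the network produces a competing chain with more work, and nodes following the most-work rule adopt it, dropping a transaction that was already confirmed. The difficulty constant, the sample transactions, and the constant-difficulty “most work equals longest chain” rule are simplifications chosen for the example.

```python
import copy
import hashlib
import json
from dataclasses import dataclass

# Hypothetical difficulty: required number of leading zero hex digits in a block hash.
# Kept tiny so the example mines instantly; real networks retarget this continuously.
DIFFICULTY = 2
GENESIS_PREV = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def merkle_root(txs: list) -> str:
    """Bitcoin-style Merkle root: hash each transaction, then hash pairs upward,
    duplicating the last node on odd-length levels."""
    layer = [sha256_hex(json.dumps(tx, sort_keys=True).encode()) for tx in txs]
    if not layer:
        return sha256_hex(b"")
    while len(layer) > 1:
        if len(layer) % 2:
            layer.append(layer[-1])
        layer = [sha256_hex(bytes.fromhex(a + b)) for a, b in zip(layer[::2], layer[1::2])]
    return layer[0]


@dataclass
class Block:
    prev_hash: str
    txs: list
    nonce: int = 0

    def hash(self) -> str:
        # The header commits to the previous block and, via the Merkle root, to every transaction.
        header = f"{self.prev_hash}|{merkle_root(self.txs)}|{self.nonce}".encode()
        return sha256_hex(header)

    def meets_target(self) -> bool:
        return self.hash().startswith("0" * DIFFICULTY)


def mine(prev_hash: str, txs: list) -> Block:
    """Proof of work: increment the nonce until the header hash meets the target."""
    block = Block(prev_hash, txs)
    while not block.meets_target():
        block.nonce += 1
    return block


def valid_chain(chain: list) -> bool:
    """A chain is valid only if every block links to its predecessor and carries valid work."""
    for i, block in enumerate(chain):
        expected_prev = GENESIS_PREV if i == 0 else chain[i - 1].hash()
        if block.prev_hash != expected_prev or not block.meets_target():
            return False
    return True


def contains_tx(chain: list, tx: dict) -> bool:
    return any(tx in block.txs for block in chain)


def build_honest_chain() -> list:
    # Constructed sample transactions, not real network data.
    chain = [mine(GENESIS_PREV, [{"from": "coinbase", "to": "alice", "amount": 50}])]
    chain.append(mine(chain[-1].hash(), [{"from": "alice", "to": "bob", "amount": 10}]))
    chain.append(mine(chain[-1].hash(), [{"from": "bob", "to": "carol", "amount": 4}]))
    return chain


def tamper_is_detected(chain: list) -> bool:
    """Silently editing a confirmed transaction changes that block's Merkle root and hash,
    so the following block's prev_hash no longer matches and validation fails."""
    forged = copy.deepcopy(chain)
    forged[1].txs[0]["amount"] = 10_000
    return not valid_chain(forged)


def majority_reorg(honest: list) -> list:
    """The limit of 'immutability': an attacker who can out-mine the honest network builds
    a competing fork from block 0 that omits alice->bob. Nodes applying the most-work rule
    adopt the fork, reversing a transaction that was already confirmed."""
    fork = [honest[0]]
    fork.append(mine(fork[-1].hash(), [{"from": "alice", "to": "mallory", "amount": 10}]))
    fork.append(mine(fork[-1].hash(), []))
    fork.append(mine(fork[-1].hash(), []))  # one block longer than the honest chain
    # Fork choice: with constant difficulty, most accumulated work is simply the longest valid chain.
    candidates = [c for c in (honest, fork) if valid_chain(c)]
    return max(candidates, key=len)


if __name__ == "__main__":
    honest = build_honest_chain()
    print("honest chain valid:", valid_chain(honest))
    print("tampering detected:", tamper_is_detected(honest))
    winner = majority_reorg(honest)
    alice_to_bob = {"from": "alice", "to": "bob", "amount": 10}
    print("alice->bob survives reorg:", contains_tx(winner, alice_to_bob))
```

Tampering in place is caught by any node, because the hash links are public and cheap to verify; the reorg is not caught, because the attacker’s chain is perfectly valid under the protocol’s own rules. That is why “immutable” in practice means “as immutable as the honest majority of mining power or stake”.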

Blockchain Security Concerns

If the security sun sets on centralized systems, and rises on a brave new decentralized blockchain-powered world, the light of dawn will uncover a new set of risks.

  • Bleeding Edge Protocols: Public blockchains are typically powered by a cryptocurrency used to incentivize decentralized system maintenance (such as block validation) and to discourage spamming or other misbehavior. The integrity of the blockchain also relies on participating nodes coming to consensus on the validity of each block added. Computational proof of work and other consensus mechanisms, such as proof of stake or proof of holding, are complex. Some are vulnerable to 51% attacks, in which a party controlling a majority of the hash power (or stake) can rewrite recent history and reverse already-confirmed transactions, and others to exploits still undiscovered. Additionally, cryptography is everything to blockchains, and the elliptic-curve signature schemes that Bitcoin and Ethereum rely on are not quantum-safe. All bets are off if the protocols fail.
  • High Error Rates: The industry faces a steep learning curve implementing hundreds of new protocols, smart contract mechanisms, gateways, exchanges, and myriad novelties yet to come. Fortunes have been lost due to a series of cryptocurrency exchange hacks and smart contract bugs. In November 2017 an Ethereum newcomer, experimenting with the shared library contract that Parity’s multi-sig wallets delegated to, took ownership of the library through an unprotected initialization function and then “suicided” it (called its selfdestruct), deleting its code and freezing between $150 and $300 million in tokens held by every wallet that depended on it. The private keys to an estimated 5 million bitcoins – representing about $57 billion in value at the time of writing – are also reported to be irrecoverably lost. Regulations are coming in jurisdiction after jurisdiction, and whether they get it right or wrong, regulations create business risks.
  • Gaming the System: Blockchain and cryptocurrency users, businesses, and hackers are playing for high stakes. The industry has already seen Ponzi schemes, fraudulent Initial Coin Offerings (ICOs), and other scams. In June 2016, about 3.6 million Ether, worth roughly $50 million at the time, was drained from The DAO, a venture capital fund implemented as a smart contract, by exploiting a reentrancy flaw in its code: the contract sent Ether to the caller before updating the caller’s balance, so the attacker’s contract could call back in and withdraw the same balance repeatedly. Crooks and unethical persons will find ways to use technology to cheat and steal from others, potentially by introducing malicious logic into blockchain-based smart contracts.
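
The DAO logic error, as an added Python model rather than the contract’s actual Solidity code (the real flaw sat in its splitDAO function). The VulnerableVault class is hypothetical: it pays out before zeroing the caller’s balance, so an attacker whose receive() hook (the analogue of a Solidity fallback function) re-enters withdraw() drains it. HardenedVault applies the checks-effects-interactions pattern and a reentrancy guard, the two standard fixes. All names and amounts are constructed for the example.

```python
class InsufficientFunds(Exception):
    """Models a failed transfer: a contract cannot send more ether than it holds."""


class VulnerableVault:
    """Hypothetical contract that pays out before recording the withdrawal
    (interaction before effect), the pattern behind the 2016 DAO drain."""

    def __init__(self):
        self.balances = {}   # per-account credit, like a Solidity mapping
        self.ether = 0       # the contract's own holdings

    def deposit(self, account, amount):
        self.balances[account] = self.balances.get(account, 0) + amount
        self.ether += amount

    def withdraw(self, account):
        amount = self.balances.get(account, 0)
        if amount == 0:
            return
        if amount > self.ether:
            raise InsufficientFunds
        self.ether -= amount
        account.receive(self, amount)      # external call: the recipient's code runs here
        self.balances[account] = 0         # bug: the balance is zeroed only after the call


class HardenedVault(VulnerableVault):
    """Checks-effects-interactions (update state before the external call)
    plus a mutex so a re-entered withdraw() is rejected outright."""

    def __init__(self):
        super().__init__()
        self._locked = False

    def withdraw(self, account):
        if self._locked:
            raise RuntimeError("reentrant call rejected")
        amount = self.balances.get(account, 0)      # checks
        if amount == 0:
            return
        if amount > self.ether:
            raise InsufficientFunds
        self._locked = True
        try:
            self.balances[account] = 0               # effects first ...
            self.ether -= amount
            account.receive(self, amount)            # ... interaction last
        finally:
            self._locked = False


class Honest:
    def __init__(self):
        self.received = 0

    def receive(self, vault, amount):
        self.received += amount


class Attacker:
    """Its receive() hook re-enters withdraw() while the vulnerable vault
    still credits it with its full balance."""

    def __init__(self):
        self.received = 0

    def receive(self, vault, amount):
        self.received += amount
        if vault.ether >= amount:
            try:
                vault.withdraw(self)     # re-entry
            except RuntimeError:
                pass                     # the hardened vault's guard fires here


def run_attack(vault_cls):
    """Honest user deposits 90, attacker deposits 10 and withdraws once.
    Returns what the attacker got, what the vault has left, and whether the
    honest user can still get their 90 back afterwards."""
    vault = vault_cls()
    honest, attacker = Honest(), Attacker()
    vault.deposit(honest, 90)
    vault.deposit(attacker, 10)
    vault.withdraw(attacker)
    try:
        vault.withdraw(honest)
        honest_recovered = honest.received == 90
    except InsufficientFunds:
        honest_recovered = False
    return {"attacker_got": attacker.received, "vault_left": vault.ether,
            "honest_recovered": honest_recovered}


if __name__ == "__main__":
    print("vulnerable:", run_attack(VulnerableVault))
    print("hardened:  ", run_attack(HardenedVault))
```

Against the vulnerable vault the attacker’s 10-unit deposit comes back ten times over and the honest depositor is left with nothing to withdraw; against the hardened vault the re-entered call is rejected and the attacker gets exactly the 10 it deposited. Either fix alone would do: zeroing the balance before the call makes the re-entered withdraw() a no-op, and the guard makes it fail loudly, which is easier to audit.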

Insider Risks Change

The risk of business insiders with decision-making powers and access to large account balances will never go away. However, decentralization reduces the havoc that system administrators can wreak on public blockchains. Insider risk will shift from system administrators to developers: a Bitcoin or Ethereum core developer’s GitHub account or signing key, if compromised, could be used to push a backdoored change into the reference client that thousands of nodes run. Open source communities must be vigilant, and mandatory code review, signed commits, and reproducible builds are the controls that matter here.

Bottom Line

Organizations approaching blockchains must be sure to understand the changing nature of blockchain risk. Contact us if you are interested in conducting a workshop to bring your team up to speed, or to perform an assessment.

The post Blockchain Security Concerns and Un-Concerns appeared first on Security Architects Partners.

