In principle, blockchain technology is used to create a blockchain in which counterfeit-proof redundant data structures are logged in chronological order which makes them traceable, immutable and mapped without a central instance. The cyber security properties and the necessary cyber security mechanisms play an important role in the effectiveness and robustness of the blockchain infrastructure and prevent it from cyber threats.
Cyber security security property: availability of the data
With the help of the peer-to-peer network of the blockchain infrastructure, the data in the blockchain is distributed to the nodes, stored redundantly, thereby achieving high data availability. The peer-to-peer network must be robust in order to be able to reliably provide data availability and trust services. Even DDoS attacks on a blockchain should not have any lasting impact on the functionality of the blockchain technology.
Aspects that play a role in robustness are:
- Number and location of nodes (not all nodes at a cloud provider like AWS – Amazon Web Services)
- Bandwidth between nodes
- Storage space and computing capacity (CPU, RAM) on the node (a Bitcoin blockchain is larger than 390 GB, for example)
- Distribution of new transactions and blocks must be robust so that all elements are always fully distributed to all nodes
Cyber Security Property: Integrity and authenticity of the data in the transactions
The integrity and authenticity of the data in the transactions is an important cyber security property in order to be able to implement the cyber security attributes in a forgery-proof and unchangeable manner. The crypto agility of blockchain technology plays a special role in this.
Blockchain infrastructure cryptographic agility
A blockchain technology uses a public key procedure for signing and verifying transactions in order to be able to check the authenticity, origin and integrity of the data.
Hash functions are used for blockchain address generation, the necessary concatenation of blocks (HashPrev) and the calculation of the Merkle hash value to check the integrity of all transactions in a block.
For a secure and trustworthy use of a blockchain technology, the public key method used and the hash functions must be state-of-the-art. In addition, the appropriate key lengths must be used. The state of the art can be found in the technical guideline of the BSI: “Cryptographic methods: recommendations and key lengths”.
The BSI Technical Guideline “Cryptographic Methods: Recommendations and Key Lengths” describes which cryptographic methods and key lengths should be used so that they are considered secure for the next ten years: Hash functions must have a minimum hash value length of 256 bits, the RSA a key length of at least 3000 bits and for elliptic curves a minimum key length of 256 bits applies.
In addition, post-quantum crypto methods must be considered and used in the long term.
Therefore, the lifespan of a blockchain technology must be taken into account from the start so that the values in a blockchain can also be protected in the long term (e.g. if the lifespan is longer than ten years).
However, key and random number generation also plays a security-related role in the cryptographic process. When generating the key, there is a risk that the user chooses a key that is too simple. For example, if your first name is used as a key, even inexperienced attackers can easily guess it. For this reason, the keys should always be calculated using real random number generators and the full key space should be used. Aspects such as scatter, periodicity and uniform distribution must also be taken into account.
If it becomes necessary to implement an update with new cryptographic methods, a hard fork becomes necessary. The blockchain participants then have to generate new blockchain addresses and transfer their “values” to them.
Cyber Security Properties: Integrity of the blockchain
The cyber security property integrity of the blockchain is important in order to be able to trace the course of transactions in chronological order. Clever use of hash functions (transactions, block chaining) is also used for this cyber security feature.
The hash value “HashPrev” in the block header ensures blockchaining of the blockchain. “HashPrev” is the result of the hash function (H), which takes the last block header as input.
Block chaining is an important aspect of verifying the order of blocks, but it makes it impossible to erase the data on the blockchain. This, in turn, can lead to privacy issues or problems with unwanted content.
Cyber security properties: “without central authority”
Blockchain technology provides “programmed trust” using various cyber security and trust mechanisms. All cyber security and trust features are inherently built into the blockchain technology as “security by design”.
Blockchain infrastructure trust mechanisms
A suitable consensus finding process must be selected and used for the blockchain application, also depending on the selected authorization architecture, in order to be able to work securely and trustworthy.
A validation algorithm checks the hash values and signatures of the transactions and also new blocks created and distributed by the selected node. In addition, the syntax and semantics of the elements are also checked: Is the blockchain address correct? Are there enough coins? etc.
One risk is the use of elements by third parties, as has been identified with Bitcoin.
Cryptocurrencies such as Bitcoins, Ether or Monero are still the exception for online payments. Accordingly, there are only a few online portals and shops that accept cryptocurrencies as a payment method. And even offline , shops, restaurants or museums have rarely offered cryptocurrencies as an alternative means of payment. The payment process is usually processed via QR codes using a digital purse (a wallet that is available on the smartphone ). To minimize security risks, the following measures are useful:
- Create several backup copies of your wallet in case your PC or smartphone is stolen or has a technical defect. These backups should be kept safe and provided with cryptographic access protection
- As with cash, you should not keep large sums of money in your wallet on PC or smartphone; only small amounts for daily use make sense. For large sum, avail a crypto custodian.
- The encryption of the wallet and the backup copies created is particularly important
It has been scientifically shown that blockchain technologies such as Bitcoin can also include data in a transaction that has nothing to do with the Bitcoin blockchain. This third-party use is not new and has been known since 2013. This can be 80 bytes in an incorrect output data string (OP_RETURN), for example. URLs that refer to content from other servers can be stored in such a field. Images cannot be saved in this field. With this third-party use, the actual transaction remains valid and is implemented correctly.
But it could also be the field for the recipient’s bitcoin address or a hash value, for example. Then the order of magnitude is up to 92 Kbytes. If other data is stored in these fields, the specified bitcoins are lost in the input.
Images can be accommodated in 92 KBytes. These are not high-resolution, but the content is easily recognizable.
External use of the transaction data was identified at 0.0007%. It’s like steganography: data is hidden in the mass of information. A normal blockchain participant will not see this data because they are not accessing transactions that they have nothing to do with. Finding this data means that appropriate tools must be programmed to find the content for third-party use.
For this reason, the validation of the syntax and semantics should be implemented as precisely as possible to protect against third-party use. A better option is to delete a targeted transaction, which must only be done by consensus.
Security and reliability of the software
Since blockchain technology offers a trust service, the security and reliability of the software plays a crucial role. It must be ensured that the peer-to-peer mechanisms, the trust mechanisms, the cryptography used, the smart contract implementation, etc. do not contain any vulnerabilities and only do what is expected.
Blockchain application security
The blockchain application can consist of a blockchain app that signs and perpetuates data from the application in transactions from the blockchain participant with its wallet.
In addition, transactions are verified in the blockchain app and the data is “processed” by the application. The blockchain app uses the wallet of the blockchain participant, which is implemented as a hardware security module (USB, NFC token, …) and in which the keys are stored. The actual application uses blockchain technology.
Confidentiality of the common key of the public key procedure
The security of the blockchain technology also depends on the secrecy of the secret keys of the public key procedures in the wallet. The secret key must always remain secret. Anyone who possesses the secret key of a wallet is able to dispose of all transactions in the wallet. Losing the secret key means that all transactions stored in the blockchain address are “lost” forever.
Dangers of insufficient protection of the secret key are, for example:
- The private IT system of the blockchain participant is spied on using malware.
- With an IoT device, e.g. car (light node), the secret key is read out.
- The website of the online wallet (Service Node) is hacked.
- An insufficiently secured smartphone is stolen (light node) and used.
- The protection of the secret key in the wallet should be implemented using hardware security modules (smart cards, sec tokens, high-level security modules). In addition, unauthorized use must be actively prevented.
Attacker creates real transactions without authorization
The attacker is able to create valid transactions for the corresponding participant A and thereby manipulate the blockchain and the blockchain application. It is therefore particularly relevant to security that the wallet cannot be stolen or used without authorization.
Blockchain application protection
If the blockchain technology on the node itself offers high security, the attackers will attack via the actual application that uses the blockchain. Therefore, the blockchain application must also be tamper-proof so that no successful attacks can be implemented.
Trusted runtime environment
In order to prevent malware attacks on blockchain applications, they must be operated in a trustworthy runtime environment.
Trustworthy runtime environments can be implemented in the technology fields such as ” Trusted Computing “, “Trusted Execution Environment” and “Sandboxing”.
The post How Can Blockchain Security and Trustworthiness be Evaluated? appeared first on Datafloq.
