Blockchain Security

Hey guys, hope you guys are doing great. Today's topic is going to be about blockchain security. I'll be sharing with you my thoughts on blockchain X.0, the different phases it's gonna go through. So, moving right along, the topics of today's discussion are gonna be: blockchain background, the use cases, blockchain X.0, smart contracts, the weakest link, and security considerations.

Blockchain deployments have been discussed for a while now, and in my eyes there are pretty much three deployment types of blockchains: public, private, and hybrid. Most of the deployments have been on the public side, and they are pretty much Bitcoin, Ethereum, Litecoin, etc. All the use cases of the public blockchain have been in the area of cryptocurrencies. Besides the cryptocurrencies, there has been no major uptake of private deployments of the blockchain by enterprises.

Anywhere I go these days the discussion revolves around blockchain, and a lot of people are talking about blockchain as a godsend: it is a cure for all problems, it's gonna solve all issues, and, you know, it's gonna solve world hunger, and the world's gonna be a pretty place once everybody starts using blockchain. So the truth is, blockchain technology was introduced in 2009, and since then there has been no other massive use of it besides the cryptocurrencies. As I said in the previous slide, its only use case has been cryptocurrencies; anywhere else everybody is just trying to see what it is, but snake oil salesmen are pretty much trying to sell it for anything and everything. So it is key that before you embrace the blockchain technology, you look at what requirement it is addressing: is there a requirement for you to go to blockchain at all? Don't just go into it for the sake of it. There are enterprises who are conducting proofs of concept on blockchain, which is okay, they can do what they want, but right now the industry is looking at blockchain like a hammer and everything looks like a nail, so anything and everything, you know, blockchain is gonna solve. Blockchain X.0:
In this slide I talk about the evolution of the blockchain technology since its inception. So if you look at the table in slide number five, blockchain 1.0, I call these Bitcoin, Litecoin, those coins. These were the first incarnations of blockchain, and the main use case of blockchain was the cryptocurrencies, hence the Bitcoin icon and Dogecoin.

The next phase I would call blockchain 1.5, which improved on the blockchain 1.0 technologies by introducing privacy into the mix, because in blockchain 1.0 everything was transparent. Although people said the transactions on the cryptocurrencies were anonymous, they were not really anonymous, they were pseudonymous, where if somebody knew the public address of someone then they could pretty much track where they were sending money to and where they were receiving money from. But even in that blockchain 1.0 era, if you were not using the same address all the time then you could pretty much obfuscate that activity, but the key was that you had to make sure that you used a new address for every transaction. The introduction of the blockchain 1.5 technologies such as Monero, Zcash, Zcoin introduced the ability to anonymize the transactions at the blockchain level; also a lot of information was available.

Then came blockchain 2.0, and Ethereum is pretty much an improvement on the blockchain 1.0 technologies, where it said instead of creating a new cryptocurrency every time by forking an existing blockchain and introducing some additional code into it, what Ethereum meant to do was introduce a platform which would allow creation of cryptocurrencies programmatically. To do this they introduced the concept of smart contracts, which would be the code that you could write to implement your cryptocurrency without worrying about the nodes, the mining and all that complicated stuff. But if you look at it, going from 1.5 to 2.0 still does not have any implementation of privacy in it. The new version of Ethereum is going to have that implemented in it, and I think Ethereum is going for the zk-SNARKs, but that is yet to be found out when they do implement it.

The next phase of blockchain, as I call it, 3.0, would be, as you can see in the list, EOS, NEO, Hyperledger. These are an improvement over Ethereum. Ethereum introduced its own programming language called Solidity, which has its own issues, but EOS and NEO said okay, we will allow a whole bunch of existing smart contract languages to be used, such as C#, Java, JavaScript or whatever you want to use. So EOS has a bunch of language support out of the box, and there are some that are being worked on; same thing with NEO and same thing with Hyperledger.

The next evolution in my eyes is blockchain 4.0, where we have technologies like Polkadot, Dfinity, Tezos, which are pretty much introducing more concepts on the platforms that blockchain 3.0 has already introduced, such as interoperability and consensus mechanisms, where if you wanted to change certain aspects of the blockchain you would have to go through a consensus mechanism, and only through that could you have those changes implemented into the blockchain. When I talk about this I'm talking about Tezos, which is planning on introducing that; hopefully sometime in summer they should go live.

Smart contracts were introduced by Ethereum in 2015. This was, again as I said in the previous slide, the mechanism for automating and making a platform that allowed people to create their own cryptocurrencies with a whole bunch of logic in it, but it is not to be construed as a legal contract. The usage of the word smart contract came about when Vitalik Buterin was doing some work on another fork of a blockchain, and they had to write some code for that, and they said we'll call it a smart contract because it was pretty much automating some activity, and hence the name smart contract was coined and it stuck that way. But what's confusing is that people seem to be thinking of a smart contract as equivalent to a legal contract. No, both of these are not equal. If you went to a lawyer, lawyers don't speak smart contract language, they speak their legalese, and they will only talk about their stuff, and they would not sign off on any smart contracts, so just be aware of that.

Coming along to the theme of this show today, which is security: the fact that you can write a bunch of code to do certain activities for you introduces inherent risks, because it is code, it is written by human beings, and sooner or later there are going to be some bugs in it. When something has bugs in it, those bugs can be exploited by people and bad things will happen, such as the DAO hack that happened in 2016, where a smart contract had some code issues in it and somebody found that hole and exploited it and ran away with about 150 million dollars worth of ether.

The weakest link in this whole equation so far has been in the smart contract, which is not really the blockchain itself. Blockchain inherently is very secure; no one has been able to hack it or change it or crack it, so it is a secure technology. But what happens is people who are using the blockchain have their mechanisms to use the blockchain, and this mechanism at this point of time, because cryptocurrencies are prevalent right now, is the wallet. When you are writing stuff to the blockchain, blockchain says you have to make sure that there's a private key and a public key exchange, and you as the wallet owner should have the private key, and the public key you can give to anybody else. But if the wallet owner as such does not protect the private key, or the secret to the private key, then they might be susceptible to phishing attacks. So all the hacks, all the losses that have been incurred so far have been due to the fact that the wallet mechanisms are pretty complicated, and people forget their keys, people lose their keys, and people don't protect their keys intelligently, and that's what makes them lose their cryptocurrencies.

But in a real use case, what one has to look for in a blockchain from a security perspective are some of the things that any security practitioner would be looking at in any kind of deployment. As the blockchain platforms get more complex, the threat vectors also increase exponentially, so we need to focus on these areas as I've listed below: cryptography (cryptography is the key), the consensus algorithms, identity, authentication, authorization, code development practices, data integrity, encryption mechanisms, incident response.

Coming to key management: as I said before, when you are using your wallet your keys are very important, so you have to protect your private keys. The other piece is when you are creating the blockchain yourself, there's a key ceremony required for that, to generate keys for the blockchain itself, and if that mechanism is weak then you're gonna have issues. What kind of encryption you are using in the blockchain, that is key as well, and what kind of hashing functions you are using in it. All this is tied up together in a nice package via the consensus algorithm, so if the consensus algorithm has flaws in it then everything else is gonna get messed up as well. So you have to make sure that you do your due diligence in selecting the consensus algorithm and its implementation. Again, consider that the consensus algorithm in its own right is a piece of code which needs secure development practices such as, you know, code review, code testing, black box testing, white box testing, all kinds of stuff that goes with any code, so you have to make sure that you have that fully covered.

The next piece is identity. As the blockchain platforms advance and become more complicated, and this is not really an issue at this point of time in Ethereum, but EOS and the new platforms are introducing it, the idea about authentication is that the machines or the users need to have authentication implemented, and again you have to make sure the authentication is strong authentication, that you don't lose credentials easily. The authorization piece too: what level of access are you providing once somebody's authenticated into this blockchain environment? Then what is this actor able to do, are they able to modify things or only able to read stuff? So authorization is important as well; you need to keep an eye on the authorization mechanisms.

I already spoke about code development practices. Data integrity: if you are writing pieces of code into the blockchain, you have to make sure that the data that is being written to the blockchain and being read out of it has its integrity maintained. Currently in blockchains you can't write a whole lot of data, you can only write a very small piece of data to it, but it is a repository where you can make references to data in other repositories, so that's one area that you need to look at. Encryption mechanisms, as I've said before, that is key; you have to make sure you're not using weak encryption at all. And finally, incident response.
Whatever infrastructure you deploy for your blockchain, that is, if you do use blockchain for your organization, you have to make sure that you have documented processes for incident response and monitoring for incidents. So for the whole infrastructure that this blockchain is going to be sitting on, make sure you have the proper monitoring in place, you have documented procedures for responding to incidents, and you have intrusion detection and intrusion prevention mechanisms.

So as you can see, the blockchain is not different from deploying any software or any platform in your environment. As long as your requirements are clear, you understand what your needs are and what you're going to be implementing it for, then use those same delivery methodologies. The fact that you are deploying blockchain shouldn't really change anything for you. If you have strong security practices being practiced in your organization, then deploying a blockchain technology should not be rocket science; it should be just following the regular delivery methodology and taking care of the regular security requirements.

Hey everybody, hope you found the information I shared with you today to be useful. Please like, subscribe and share the content in your social circles. If you want to contact me, my contact details are on my website secunoid.com; the address is also at the bottom left-hand corner of the slide deck. And finally, the information I have shared should not be construed as financial advice, so play the cryptocurrency investment game at your own risk. And lastly, thank you for your time, and talk to you soon, bye bye.

About the Author: Maximilian Kuhn