Sometimes you could be forgiven for thinking that the incessant overuse of the word ‘disruptive’ these days could do with some, well, disrupting of its own. So much is written, presented and marketed around apparently ‘disruptive’ use of technologies like AI, IoT and of course blockchain, when much of it could perhaps be better described as foundation innovation technology. As in the ability to create foundations for significant change over the long game rather than the rapid disruption and displacement of existing business models. Semantics aside, there is certainly no shortage of zealous blockchain claims and predictions out there, not least from venture capitalist William Mougayar who states in his book The Business Blockchain: Promise, Practice, and Application of the Next Internet Technology:
“At its core, the blockchain is a technology that permanently records transactions in a way that cannot be later erased but can only be sequentially updated, in essence keeping a never-ending historical trail. This seemingly simple functional description has gargantuan implications. It is making us rethink the old ways of creating transactions, storing data, and moving assets, and that’s only the beginning. The blockchain cannot be described just as a revolution. It is a tsunami-like phenomenon, slowly advancing and gradually enveloping everything along its way by the force of its progression.”
It’s compelling, heady stuff, and yet 2016—when it was written—was also perceived by some as year of the ‘me too’ pointless blockchain project. More significantly, confidence within the financial services sector was shaken by some significant attacks against solutions built upon blockchain technologies. Others may say these are specific examples within the much bigger picture of the technologies evolution, which should not detract from the major implications and potential it holds. Mougayar even goes on to powerfully enthuse about it becoming:
“the second significant overlay on top of the Internet, just as the Web was that first layer back in 1990. That new layer is mostly about trust, so we could call it the trust layer.”
Or as it has been more bluntly described “a way for people who don’t really trust each other, to trust each other.” An aspiration that should none the less resonate with anyone looking for more effective and innovative ways to improve existing online security, and why not? After all, miscreants have already managed to yield benefits from that most eminent real world application of blockchain, BitCoin.
Despite its many legitimate uses, BitCoin has undoubtedly contributed to the seismic rise and efficiency in recent years of ransomware, which itself was not a new model at all. However inadvertently, BitCoin has improved payment processes for online extortionists by providing a mechanism that is both accessible to the victim (albeit via some helpful ‘how to’ guides) yet at the same time granting a generally acceptable degree of pseudonymous identity obfuscation to the criminal. All founded upon the crypto magic of the blockchain.
Hopefully, security can follow suit and start to employ more widespread practical applications of blockchain for making a few improvements of our own. This is most obvious with defending against ‘Integrity’-directed attacks that are becoming more prevalent and potentially damaging whilst remaining insidious and often difficult to detect.
Highly publicised data breaches and legislative drivers, such as GDPR, still understandably focus much security attention, resource and investment toward protecting ‘Confidentiality.’ Whilst similarly high profile DDoS attacks and contractual service uptime arrangements mean that many organisations will go to great lengths to provide resilience against loss of ‘Availability.’ Yet ‘Integrity’ has often been the more neglected family member of the C-I-A triad for Information Security. Single points of failure (SPOF) for many aspects of it remaining someway accepted or at least trusted to centralised authorities.
But as more trusted authorities prove to be ultimately fallible despite all of their assurances and protection investments, the notion of immutable decentralised records for critical digital events starts to make ever more sense. Take, for example, the ubiquitously used Public Key Infrastructure (PKI) solutions we depend on every day, which themselves rely upon a centralised Certificate Authority (CA) to issue, revoke, and manage certificates. Any compromise of the CA as a single point of failure (SPOF), or perhaps more accurately central point of failure, in this case, undermines the whole security premise.
PKI models are now being forged, however, which rather than placing trust in a central CA use a distributed blockchain ledger of domains and their public keys instead, thereby removing any central point of compromise. For secure validation of data, Blockchain-focused security company Guardtime move away from asymmetric PKI type solutions altogether with a Keyless Signature Infrastructure (KSI).
Securing sensitive records using only hash-function cryptography stored in a blockchain, the user interacts with the system by submitting a hash-value of the data to be signed. The KSI solution in return delivers a time-stamped signature providing proof of integrity of the data as well as attribution of origin. As we have seen with every security technology before it, great security concepts ‘on paper’ are only as secure in the real world as the way in which they are actually implemented and applied of course.
In the recent case of ZCoin, their $585,000 breach was apparently attributed to a typo in a single line of code rather than any cryptographic flaw with the blockchain. That example is ‘small beer’ perhaps compared to the $61.8 million Bitfinex heist and the ‘spectacular’ DAO smart contract breach that resulted in Etheruem eventually having to hard fork and split its own blockchain. The fatal flaw coming not from Etheruem itself but bugs within the DAO application built upon it. In the haste to present everything blockchain as radical and disruptive, it would also be an oversight not to explore opportunities for using it to simply complement rather than outright ‘rip and replace’ existing approaches if it were affordable to do so.
At least until development rigour matures and we have some recognised standards of reference. Returning to the PKI example, alternative proposals may include using blockchains to store hashes of issued and revoked certificates to more robustly and transparently verify the validity of a central authority rather than wholesale replacing it. It’s all a fascinating space that security professionals should be keeping a keen eye on whilst being able to discern that not everything being presented as blockchain-built security is quite the same animal. Variations of an albeit similar approach may alter the integrity element in particular considerably. Debates will continue over the various benefits and risks for different requirement scenarios of ‘permissionless,’ ‘permissioned,’ or private blockchains.
Whereas certain broader Distributed Ledger technologies or commercial offerings being explored as single provider hosted services start to take us back to the whole central point of failure/trust dilemma. Finally here, there is the notion of ‘editable blockchains’ a concept which despite many claimed safeguards to evidence and control such changes, starts to shift us away somewhat from the immutable part of the conversation. Likely presenting back to us many of today’s security challenges around access controls, monitoring, key management, background vetting, segregation of duties et al for those able to perform the edits.
After all, in addition to the years of clever cryptography that have led us to the blockchain, it is also at its heart the decentralisation and immutability concepts that offer so much promise for integrity assurance. Long may that particular chain of events continue.
About the Author:
Angus Macrae is a CISSP (Certified Information Systems Security Professional) in good standing, a CCP (NCSC Certified Professional for the IT Security Officer role at Senior Practitioner level) and PCIP (PCI SSC Payment Card Industry Professional.) He is currently the IT security lead for King’s Service Centre supporting the services of King's College London, one of the worlds' top 20 universities
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
