According to PwC, investment in Blockchain start-ups was about $1.4 billion in the last nine months of 2016. Distributed ledger technology – commonly referred to as Blockchain – has emerged as a candidate for financial institutions to reform their business, and investment has started to flow.
New cryptocurrencies are popping up almost every day now. For instance, in the last month alone (June 2017), three new alternative coins (based on only) were created. This brought the number of these digital assets up to 667 in total. These cryptocurrencies are starting to be used to crowd-fund business ventures and start-ups.
Cryptocurrencies are using Blockchain technology, but is this technology secure by itself? ENISA, the EU cybersecurity Agency, has seen this as a subject that needs to be addressed.
Blockchain is a system that has appealing features in theory, like security and data integrity. Nevertheless, the details of how this system is implemented constitute the key variables that should be considered. Security is one of these variables, and it is sensitive to the way the technology is deployed and subsequently relied upon.
What is Blockchain?
Blockchain is a distributed system, where everyone can have a copy of the database. The transactions in the database are accepted after consensus agreement by the participants. The consensus protocol is the mechanism by which all users within a distributed ledger agree on the validity of the information in the database.
Security has been built into this system from its inception. The system can provide encryption and privacy using public and private keys. Privacy is guaranteed by the fact that, by default, only the public keys are visible in the system and they are not connected to the holder’s identity.
The integrity of the data in the system is provided by the consensus, which guarantees that once a given transaction is accepted, the system would not allow for changes. This trust in the validity of data is one of the key advantages of the system that are appealing for many organizations.
The permissioned Blockchain could potentially allow for a closed (private) system. This would mean that not every entity could become part of that Blockchain system. Also, the transactions within this system might not be visible to non-members.
Another key feature of Blockchain technology is the possibility to use smart contracts. These are lines of code that can be executed after certain conditions on the system are met. This would allow for automation of certain operations.
Despite the potential opportunities and benefits, it remains important to assess what the security implications of Blockchain implementations might be. This is where ENISA has produced a short paper to highlight some key challenges of the system.
Common Challenges in the Blockchain System
Using security features like public and private keys brings a known risk associated with key management. These keys are the only way to prove who owns a given asset. If these keys are lost, access to these assets is lost, so managing keys becomes very important. Examples of issues related to key management include:
- how keys are generated – key sizes and encryption algorithms,
- where they are stored – physically and/or electronically, in the Cloud or not, hybrid (part stored in the cloud) or otherwise,
- how they are used – how the wallet software operates with the keys. It is possible to simply copy the keys, and the legitimate owner will not notice until it is too late.
When talking about encryption algorithms, it is also advisable to take into consideration future developments – notably the possibility of using quantum computing. Quantum computing might be capable of ‘breaking’ some encryption algorithms, which in the long run might require changes in some Blockchain systems.
New Challenges with the Blockchain Systems
Because of its nature, the Blockchain system also brings some new challenges. The type of consensus chosen for the system plays a big role. One such challenge is consensus compromise. Essentially, this means that the consensus protocol might be corrupted in such a way that fraudulent transactions are accepted. In the case of the proof of work consensus protocol, if a single entity on the network has more than 51% of the network’s computing power, that entity could potentially accept fraudulent transactions, i.e. double spending any given amount. Changing the consensus protocol might be difficult, depending on the type of Blockchain, especially if it requires approval of all participants on the network.
In the case where a single authority is approving transactions, compromise could be even easier. If that single authority is compromised, then the whole system is compromised.
There are also several points to consider with smart contract application. Since these contracts are lines of code written by someone, simple human error can inflict considerable damage. Code has the potential to be harmful or it could fail to do what it is supposed to do. This makes it possible for malicious actors to upload malware onto a Blockchain system. Code review of smart contracts is something to be considered in this case.
These are just some of the issues ENISA has identified in its report on Blockchain. Blockchain is an important technology for the financial sector and ENISA has covered it as part of its involvement with protection of critical information infrastructure. ENISA is helping EU Member States identify critical information infrastructure as the first step in the process to secure and protect the availability of critical assets.
For more information please go to https://www.enisa.europa.eu/publications/blockchain-security