Q&A: Does blockchain alleviate security concerns or create new challenges?

By October 17, 2017 Blog

According to some, blockchain is one of the hottest and most intriguing technologies currently in the market. Similar to the rising of the internet, blockchain could potentially disrupt multiple industries, including financial services. This Thursday, October 19 at Sibos in Toronto, Hyperledger’s Security Maven Dave Huseby will be moderating a panel “Does Blockchain technology alleviate security concerns or create new challenges?” During this session, experts will explore whether the shared nature of blockchain helps or hinders security.

We developed a Q&A with Dave to go over some security questions related to blockchain in advance of the panel. Let’s get to it!

What are the cyber-security concerns that you are noticing today?

Integrating with existing systems, cryptographic key material management,  and providing the required network quality of service connecting blockchain members are the greatest cyber-security concerns I am noticing today.  Any organization applying blockchain technology to an existing process almost certainly has existing systems that chaincode/smart contracts will have to interact with.  Building proper oracles to ensure execution of smart contracts is crucial.  Also making sure that all cryptographic key material is properly stored and handled is of great concern.  The entire blockchain security rests on the assumption that cryptographic keys will be secured properly.  And lastly, since most consensus algorithms are latency sensitive, it is also very important to have the most stable and lowest latency network connections possible. If network interference increases latency, the maximum transaction throughput drops.  One potential denial of service is to prevent consensus from occurring by disrupting the lines of communication. With blockchains, extra care of network connections is needed.

How do you think blockchain could disrupt multiple industries and which industries?

Workload management services (e.g. batch processing, batch reconciliation, etc) is one industry that will likely change.  Traditionally, a batch process would be run at the end of each day to process the incoming data and update the stored data in a system.  With blockchains we gain real-time transaction processing, as they are created. With proper business process modeling, batch processing can be eliminated.

I also think we will see blockchains creating an unprecedented level of cooperation on market-wide management between market or consortia members.  Markets where aggregate numbers are used to manage quotas are a good example.  Commercial harvesting of natural resources, humanitarian aid distribution, and a whole host of other systems could all benefit from using a blockchain to track market-wide numbers for management purposes.

Do you think the nature of blockchain will help or hinder security?

It eliminates a lot of security related failure modes (i.e. database sync, siloing of data, etc) but also creates a whole new set of challenges around cryptographic key material management as well as getting integrating blockchains with external systems and other organizations on the blockchain.  Good blockchain security requires the enthusiastic cooperation of multiple IT departments to get things secured correctly.  So overall, I would say that blockchains are a net improvement in security but there are certainly some new challenges that will be new to most organizations.

You have said before you believe security is a people issue, not a technology issue.  Can you elaborate on that and how, if at all, blockchain would change that?

There is an old adage in computer science that goes: even if we design and build the perfect computer system, if you put garbage into it, you will get garbage out. Blockchains don’t change that at all. People and computer-human interfaces are still the dominant factor in the overall security of a blockchain network. It all boils down to the fact that blockchains are distributed systems made up of computers that need to be secured by humans.  With permissioned blockchains, humans are responsible for managing the membership of users and their capabilities.  They are also responsible for deploying the chaincode/smart contracts and also manage the cryptographic key material.  The cryptography and algorithmic design of blockchains is sound and if something goes wrong it is most likely because somebody made a mistake.

If there’s one thing people should understand about security and blockchain at this point in the maturation of the technology, what is it?

A lot of the security techniques and best practices we developed around running web services and distributed business services still apply.  Most of what we already know applies directly to securing the different pieces of distributed ledgers.  The techniques developed from decades of experience security N-tier online services apply to blockchains as well.  

Transactions get proposed by users through a networked API; think of that as analogous to the front-end server in a three-tier web site architecture.  The blockchain API performs the initial validation of the transaction and verifies that the proper credentials have been presented by the transaction proposer.  The transaction then gets forwarded to a peer for validation and endorsement.  To continue the analogy, think of the blockchain peer as being like the web application server, because it also handles executing smart contracts.  Once the transaction is endorsed and the smart contract executed, the transaction moves on to being ordered and recorded in the next block in the blockchain.  That is very similar to how web application state is recorded in a back-end database cluster.

The point of this analogy is to show that blockchains don’t have drastically different security requirements.  The one area that does require some extra attention is around the protection of the cryptographic key materials.  Special care must also be taken to ensure that the consensus part of the distributed ledger operates on network connections with the lowest latency and highest quality of service as possible.  This is because many of the consensus algorithms are latency sensitive and the upper bound on their transaction rate is tied to the overall system latency.

Do you have other questions about security and blockchain? Get in touch with us at info@hyperledger.org or you can join our efforts on Hyperledger projects, via githubRocket.Chat, the wiki or the mailing lists. You can also follow Hyperledger on Twitter.