Definition

A blockchain is “a distributed database that maintains a continuously growing list of ordered records, called blocks.” These blocks “are linked using cryptography. Each block contains a cryptographic hash of the previous block, a timestamp, and transaction data. A blockchain is a decentralized, distributed and public digital ledger that is used to record transactions across many computers so that the record cannot be altered retroactively without the alteration of all subsequent blocks and the consensus of the network.”


As explained by Wikipedia, “Blockchain was invented by Satoshi Nakamoto”—the pseudonym of an unknown person or persons—“in 2008 to serve as the public transaction ledger of the cryptocurrency bitcoin… [which] made it the first digital currency to solve the double-spending problem without the need of a trusted authority or central server.”

While blockchain is still largely confined to use in recording and storing transactions for cryptocurrencies such as Bitcoin, proponents of blockchain technology are developing and testing other uses for blockchain, including these:

  • Blockchain for payment processing and money transfers. Transactions processed over a blockchain could be settled within a matter of seconds and reduce (or eliminate) banking transfer fees.
  • Blockchain for monitoring of supply chains. Using blockchain, businesses could pinpoint inefficiencies within their supply chains quickly, as well as locate items in real time and see how products perform from a quality-control perspective as they travel from manufacturers to retailers.
  • Blockchain for digital IDs. Microsoft is experimenting with blockchain technology to help people control their digital identities, while also giving users control over who accesses that data.
  • Blockchain for data sharing. Blockchain could act as an intermediary to securely store and move enterprise data among industries.
  • Blockchain for copyright and royalties protection. Blockchain could be used to create a decentralized database that ensures artists maintain their music rights and provides transparent and real-time royalty distributions to musicians. Blockchain could also do the same for open source developers.
  • Blockchain for Internet of Things network management. Blockchain could become a regulator of IoT networks to “identify devices connected to a wireless network, monitor the activity of those devices, and determine how trustworthy those devices are” and to “automatically assess the trustworthiness of new devices being added to the network, such as cars and smartphones.”
  • Blockchain for healthcare. Blockchain could also play an important role in healthcare: “Healthcare payers and providers are using blockchain to manage clinical trials data and electronic medical records while maintaining regulatory compliance.”

What are the business benefits of blockchain?

The primary benefit of blockchain is as a database for recording transactions, but its benefits extend far beyond those of a traditional database. Most notably, it removes the possibility of tampering by a malicious actor, as well as providing these business benefits:

  • Time savings. Blockchain slashes transaction times from days to minutes. Transaction settlement is faster because it doesn’t require verification by a central authority.
  • Cost savings. Transactions need less oversight. Participants can exchange items of value directly. Blockchain eliminates duplication of effort because participants have access to a shared ledger.
  • Tighter security. Blockchain’s security features protect against tampering, fraud, and cybercrime.

Blockchain explained

As described in Blockchain for Dummies, “Blockchain owes its name to the way it stores transaction data—in blocks linked together to form a chain. As the number of transactions grows, so does the blockchain. Blocks record and confirm the time and sequence of transactions, which are then logged into the blockchain, within a discrete network governed by rules agreed to by the network participants.

“Each block contains a hash (a digital fingerprint or unique identifier), timestamped batches of recent valid transactions, and the hash of the previous block. The previous block hash links the blocks together and prevents any block from being altered or a block being inserted between two existing blocks.” In theory, the method renders the blockchain tamperproof.
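As an added illustration (not code from the original article or from Blockchain for Dummies), the following Python builds a minimal hash-linked ledger and shows why a retroactive edit to one block breaks every block after it; the block fields, the use of SHA-256, the constructed timestamps and the sample transactions are all assumptions of this example.

```python
import hashlib
import json
from dataclasses import dataclass, asdict

GENESIS_PREV = "0" * 64   # the first block links to an all-zero "previous hash"

@dataclass
class Block:
    index: int
    timestamp: int        # seconds since epoch; constructed values in the demo
    transactions: list    # the timestamped batch of transactions for this block
    prev_hash: str        # hash of the preceding block, the "link" in the chain
    hash: str = ""

    def compute_hash(self) -> str:
        # Cover every field except the hash itself, so a change to the payload,
        # the timestamp or the link changes this block's fingerprint.
        payload = {k: v for k, v in asdict(self).items() if k != "hash"}
        encoded = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(encoded).hexdigest()

def build_chain(batches, start_ts=1_700_000_000):
    """Link each batch of transactions to the hash of the block before it."""
    chain, prev = [], GENESIS_PREV
    for i, txs in enumerate(batches):
        b = Block(i, start_ts + 600 * i, list(txs), prev)
        b.hash = b.compute_hash()
        chain.append(b)
        prev = b.hash
    return chain

def verify_chain(chain):
    """Return (True, -1) if intact, else (False, index of the first bad block)."""
    for i, b in enumerate(chain):
        expected_prev = GENESIS_PREV if i == 0 else chain[i - 1].hash
        if b.prev_hash != expected_prev or b.hash != b.compute_hash():
            return False, i
    return True, -1

def tamper_demo():
    """Constructed ledger: alter one payment and report what verification sees."""
    chain = build_chain([[{"from": "alice", "to": "bob", "amount": 5}],
                         [{"from": "bob", "to": "carol", "amount": 2}],
                         [{"from": "carol", "to": "dave", "amount": 1}]])
    before = verify_chain(chain)                   # intact: (True, -1)
    chain[1].transactions[0]["amount"] = 200       # retroactive edit to block 1
    after = verify_chain(chain)                    # block 1 no longer matches its hash
    chain[1].hash = chain[1].compute_hash()        # re-hash block 1 after the edit ...
    rehashed = verify_chain(chain)                 # ... and block 2's stored link breaks
    return before, after, rehashed
```

Every block after the edited one would have to be re-hashed in turn, which is the "alteration of all subsequent blocks" the definition above refers to; on a real network that work must also win consensus.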

The four key concepts behind blockchain are:

  • Shared ledger. A shared ledger is an “append-only” distributed system of record shared across a business network. “With a shared ledger, transactions are recorded only once, eliminating the duplication of effort that’s typical of traditional business networks.”
  • Permissions. Permissions ensure that transactions are secure, authenticated, and verifiable. “With the ability to constrain network participation, organizations can more easily comply with data protection regulations, such as those stipulated in the Health Insurance Portability and Accountability Act (HIPAA)” and the EU General Data Protection Regulation (GDPR).
  • Smart contracts. A smart contract is “an agreement or set of rules that govern a business transaction; it’s stored on the blockchain and is executed automatically as part of a transaction.”
  • Consensus. Through consensus, all parties agree to the network-verified transaction. Blockchains have various consensus mechanisms, including proof of stake, multisignature, and PBFT (practical Byzantine fault tolerance).

Each blockchain network has various participants who play these roles, among others:

  • Blockchain users. Participants (typically business users) with permissions to join the blockchain network and conduct transactions with other network participants.
  • Regulators. Blockchain users with special permissions to oversee the transactions happening within the network.
  • Blockchain network operators. Individuals who have special permissions and authority to define, create, manage, and monitor the blockchain network.
  • Certificate authorities. Individuals who issue and manage the different types of certificates required to run a permissioned blockchain.

Blockchain and Hyperledger

Hyperledger is “an umbrella project of open source blockchains and related tools, started in December 2015 by the Linux Foundation and supported by industry players like IBM, Intel and SAP to support the collaborative development of blockchain-based distributed ledgers.”

Hyperledger participants believe that “only an Open Source, collaborative software development approach can ensure the transparency, longevity, interoperability and support required to bring blockchain technologies forward to mainstream commercial adoption.”

The objective of the Hyperledger project “is to advance cross-industry collaboration by developing blockchains and distributed ledgers, with a particular focus on improving the performance and reliability of these systems (as compared to comparable cryptocurrency designs) so that they are capable of supporting global business transactions by major technological, financial and supply chain companies.”


Blockchain security

Blockchain is frequently claimed to be an “unhackable” technology. But 51% attacks allow threat actors to “gain control over more than half of a blockchain’s compute power and corrupt the integrity of the shared ledger. … While this particular attack is expensive and difficult, the fact that it was effective means that security professionals should treat blockchain as a useful technology—not a magical answer to all problems.”

The 51% attack takes advantage of what is known as the 51% problem: “If a single party possesses 51% of a mining pool, it is possible to falsify an entry into the blockchain, allowing for double spending, and even to fork a new chain to the advantage of the mining pool.”

The two main types of blockchain, public and private, offer different levels of security. Public blockchains “use computers connected to the public internet to validate transactions and bundle them into blocks to add to the ledger. … Private blockchains, on the other hand, typically only permit known organizations to join.” Because any organization can join public blockchains, they might not be right for enterprises concerned about the confidentiality of the information moving through the network.

Another difference between public and private blockchains regards participant identity. Public blockchains “are typically designed around the principle of anonymity. … A private blockchain consists of a permissioned network in which consensus can be achieved through a process called ‘selective endorsement,’ where known users verify the transactions. The advantage of this for businesses is that only participants with the appropriate access and permissions can maintain the transaction ledger. There are still a few issues with this method, including threats from insiders, but many of them can be solved with a highly secure infrastructure.”

Blockchain technologies are growing at an unprecedented rate and powering new concepts for everything from shared storage to social networks. From a security perspective, we are breaking new ground. As developers create blockchain applications, they should give precedence to securing their blockchain applications and services. Activities such as performing risk assessments, creating threat models, and doing code analysis, such as static code analysis, interactive application security testing, and software composition analysis, should all be on a developer’s blockchain application roadmap. Building security in from the start is critical to ensuring a successful and secure blockchain application.
