INSIGHTS

Card image cap

Despite the Hype,

Blockchain Security Vulnerabilities Persist

Card image cap

DEBRA BAKER

Principal Security Engineer at Cygnacom

Blockchain is one of the hottest topics today and some even claim it will save the world — changing the way we do everything from financial markets to health records to supply chain management and so much more over the next 10 years. Indeed, blockchain is an exciting technology that has its place in our evolving, technology-centric world. But it’s not the panacea that’s touted almost daily by media and technology evangelists alike.

Blockchain won’t replace all existing technology. We’ll still have computers, databases and public key infrastructure (PKI) even as more blockchain technologies emerge. And all of devices, software and supporting applications for blockchain require rock-solid security to prevent data hacking and inadvertent data sharing — which is a persistent problem for blockchain that hasn’t been fully addressed.

Blockchain Explained Simply

What is blockchain? At its core, it’s a peer-to-peer distributed ledger that is cryptographically secure, append-only, difficult to change, and updateable only via consensus or agreement among peers.1 Bitcoin is a high-profile cryptocurrency that anyone can use for making electronic currency payment between peers without a third party intermediary. Bitcoin was the first major application of the blockchain technology that emerged in 2008. Bitcoin is based on decades of cryptography and electronic currency research.

In 1982, Ecash emerged as a the first cryptographic electronic cash system. In 1997, a computational puzzle system called hashcash was introduced. Then, there came Bitgold with a Proof-of-Work mechanism and e-cash with Merkle trees in 1999, which provides secure verification in large data sets. Each one of these technologies builds on the other, and Bitcoin uses all of them.

The difference with Bitcoin — which made it inventive and unique to its predecessors — is that it’s a completely decentralized network with no centralized bank or administrator. All the previous electronic currency technologies were run on a centralized server with a centralized database.

Bitcoin Blockchain Shares Data

With Bitcoin, the next computer that runs the bitcoin open-source software will be the next one in the “chain.” Think of it as if the computers are all in a line, but spread out anywhere in the world. Each previous machine has the previous block data in its hash value (fingerprint) and that data is sent to the next machine. Therefore, each machine has a replicated copy of the database.

Each hash value of previous user data has a digital signature and if anything is changed in the block, then the hash value changes. To the naked eye, the hash value appears to be a random sequence of numbers and letters that is encrypted with a private key. However, while it looks like random data, it’s really not encrypted — and therefore not private or truly anonymous.

Immutable Blockchain? Not Exactly

The definition of blockchain generally includes ‘immutable’ which means that it is unchangeable, but that is not exactly true. The reason is because it is based on Proof of Work (PoW), which means it is open to anyone that has the computer hardware to solve the computationally difficult puzzle. The disadvantage is that if someone is able to obtain 51% of the computational power, then they could take over the blockchain.2 For example, a nation state could secretly be mining bitcoin for a year and then suddenly join the Bitcoin blockchain with the longest chain. In blockchain, the longest chain takes precedent or more simply wins. The nation state could take over the Bitcoin blockchain and many would lose all of their Bitcoin.

This is exactly what happened when Ethereum was first introduced. A hacker discovered a way to mine Ether faster than anyone else. It led to them being able to take over the blockchain by creating the longest chain and then $50 million in Ether was transferred to his account. In order to fix what happened, a hard fork — which is not backwards compatible — was introduced that stopped the unauthorized mining. This led to two Ethereum blockchains. One is the old, unpatched Ethereum blockchain called Ethereum Classic and the new fork called Ethereum.

Without Entropy, There Isn’t Data Integrity 

The big myth being perpetuated is that blockchain data has integrity because it can’t be changed. Integrity is based on strong hashing and encryption (digital signatures) algorithms and key sizes. In order to have good encryption, there must be strong encryption keys. In order to have strong encryption keys, there must be good entropy or randomness. Without good entropy, there will be weak keys and encryption can be broken. If randomness is poor when using the Elliptic Curve Digital Signature Algorithm (ECSDA), then your private key will likely be leaked in generating a key pair or even signing. Cryptographic key reuse has made the news when the same key was generated across devices. This can happen at the manufacturing stage or while the device is deployed in production. The manufacturer didn’t ensure good entropy by using special hardware random number generator processors during manufacturing or a modified version of Linux /dev/[u]random. Therefore, the random data fed into the deterministic random bit generator (DRBG) is not sufficiently random. Good entropy is essential to generating strong cryptographic keys. One major problem with public blockchains are that anyone can join and many are using their personal PCs and laptops, which may not have sufficient entropy to generate strong cryptographic keys. This would make their Bitcoin wallets hackable.

Public Blockchain Security Risks

Five years ago, anyone could have a server and mine Bitcoin to make money. Now, the machines you need to mine it and securely run through all of the transactions is so processor intensive, it’s not viable for most people to do. Unless you have a high-end server at your house, the keys are likely generated on your device using standard /dev/[u]random and stored on your workstation. These keys typically aren’t very strong. Sure, your Bitcoin wallet is also secured with a password. But if you use a weak password, it can be easily broken into. This is where stronger two-factor authentication needs to be implemented. This brings up another point that blockchain is not General Data Protection Regulation (GDPR) compliant. GDPR mandates the right to be forgotten and with blockchain, if there is a PII leak, then there is no way to remove the information from the blockchain.

More and more, people are reporting that their Bitcoin has been stolen. One of the ways to help prevent this is to store all data offline. Some people store it with an exchange, but almost every day one of these exchanges is getting hacked.

The bottom line is public blockchain — like Bitcoin — that allows anyone, anywhere in the world to jump on in a permissionless environment is fraught with security risks. And not just the risk of having digital currency stolen, but risks to your reputation and freedom. With current public blockchain platforms, a bad actor could put illegal content on the blockchain, which in turn, could be on your computer without your knowledge—putting you at risk. Another problem is that an attacker could leak personally identifiable information (PII) onto the blockchain, with no way to delete the information.

The More Secure Way — Private Blockchains

While public blockchain is inherently risky for all the reasons discussed, private blockchains — that are permissioned — are far more secure because anyone participating in the blockchain must be approved by some authority before publishing blocks. With private blockchains, there’s a backend database tied to the blockchain distributed ledger, and I don’t see that changing despite some claims that databases will eventually be eliminated. In addition, each transaction or user is issued a certificate from a trusted Certification Authority. Blockchain will not be replacing PKI, but will be utilizing it for enhanced security and identification. In addition, full nodes that hold a copy of all transactions on the blockchain can be located in a physically secured data center and running on servers with hardened Linux installed and high end processors that include hardware random number generators for good entropy. Even machines used for signing, need to ensure the entropy sources used are providing good entropy. This is how I see corporations using blockchain.

For instance, you could have several banks on a private blockchain to conduct specific financial transactions. JP Morgan created its own blockchain using Ethereum to settle inter- and intra-bank transactions. This is an intriguing application for blockchain, as they use it as a distributed ledger to process payments in real-time without having to rely on a trusted third party to hold the true “golden copy” of the audit trail.3

Because everything on the blockchain isn’t encrypted, security can be built into the database to secure and encrypt sensitive data. It would make sense for information that is already public, like real estate records, food safety and stock market transactions to be on the blockchain. Even though the private blockchain is permissioned users only, you still only want information that can be public to traverse the blockchain. The reason is the data is replicated throughout the blockchain and traverses all nodes.

Is Blockchain for You?

Blockchain isn’t for every use case. Many claims are being made for and about blockchain that simply are not true. A few things to consider if you are thinking about blockchain for your business:

  1. Does your company need to share transaction information in real time with multiple companies?
  2. Are the transactions across borders and international in scope?
  3. If you can’t answer yes to number 1 above and/or 2, then blockchain most likely is not for you. There are other products and/or solutions that would meet your needs.

What’s Ahead for Blockchain Security?

There have been many new twists and technologies introduced for information security in these last two decades that I’ve been working in the IT security field. Right now, Blockchain is a headline grabber and in many respects, rightly so. But it’s still very much the Wild West, with no regulations in place to resolve ongoing blockchain security vulnerabilities. Going forward, good entropy and strong encryption keys should be the primary focus as we see more visionaries shape the future of blockchain.

If you’re thinking about developing blockchain technologies, contact me at Cygnacom to learn how we can help you build the right cryptography into your applications and secure your entries.
DBaker@cygnacom.com

—Debra Baker, CISSP CCSP, Principal Security Engineer at Cygnacom, Co-founder of the League of Women in Cybersecurity and the founder of the Johns Hopkins University Cryptographic Knowledge Base —CryptoDoneRight.

  1. Mastering Blockchain: Deeper insights into decentralization, cryptography, Bitcoin, and popular Blockchain frameworks, Imran Bashir, 2017
  2. NISTIR 8202 “Blockchain Technology Overview”, p. 25
  3. https://cointelegraph.com/news/jp-morgan-cio-blockchain-will-replace-existing-technology.

Consult with our cybersecurity experts.

Cygnacom Insights

Real-world insights from the front lines of Information Security