Designing blockchain securely – cornerstones
With blockchain, a new technology is currently developing for decentralized, tamper-proof, and consensual data storage in distributed networks, which is ascribed great potential in almost all economic areas as well as in the public sector.
Trust in the system is no longer (solely) established through the authority of a central body but through the use of cryptographic mechanisms.
Many actors from the research, business, and administration fields are intensively working on the topic of blockchain. There are a large number of possible applications, but these are often still in the conception or pilot phase. Blockchain solutions that are already in use are mainly in the financial sector, such as cryptocurrencies.
For a comprehensive and long-term establishment of blockchain technology in a wide range of applications, many cybersecurity, regulatory, legal, and socio-technical questions still need to be clarified. There are already initial approaches to this, for example, with ISO standardization.
Thus, we at ESKA want to put the technical and design aspects of blockchain related to IT security in the foreground.
The security of the Blockchain depends on the scope
Larger blockchains are generally considered to be more secure. They are based on multiple blocks, which makes it harder for hackers to attack all of them. For this reason, private and, therefore, smaller blockchains are more vulnerable. Those responsible for security in the company should be aware that blockchain technology can also be hacked. Nevertheless, the potential of the technology will continue to be attractive for many industries.
Even if the implementation of blockchain technology in these areas has so far been more discussed than implemented, the question of any security gaps arises.
Security is guaranteed by the decentralized storage and validation of the blockchain. In theory, the stored information can still be manipulated if more than half (51%) of the decentralized network can be hacked. In this way, a manipulated file could be recognized as the correct one, because it would then be represented most frequently. However, since such a state is very difficult to achieve, a blockchain is generally considered to be secure.
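The majority rule described above can be made concrete with a small model, added here as an example and not taken from any real blockchain implementation. It assumes that every node holds a full copy of the ledger and that the network accepts whichever copy more than half of the nodes hold; the node names, records, and function names are constructed for illustration.

```python
import hashlib
import json
from collections import Counter

def ledger_digest(records):
    """SHA-256 over a canonical JSON encoding of one node's ledger copy."""
    return hashlib.sha256(json.dumps(records, separators=(",", ":")).encode()).hexdigest()

def accepted_copy(replicas):
    """Return (records, votes) for the copy held by a strict majority of nodes, else None."""
    digests = {node: ledger_digest(recs) for node, recs in replicas.items()}
    top, votes = Counter(digests.values()).most_common(1)[0]
    if votes * 2 <= len(replicas):
        return None  # no version has more than half of the network behind it
    winner = next(n for n, d in digests.items() if d == top)
    return replicas[winner], votes

def divergent_nodes(replicas):
    """Map each node that disagrees with the accepted copy to its first differing record."""
    result = accepted_copy(replicas)
    if result is None:
        return {}
    reference, _ = result
    report = {}
    for node, recs in replicas.items():
        if recs != reference:
            report[node] = next(
                (i for i, (a, b) in enumerate(zip(recs, reference)) if a != b),
                min(len(recs), len(reference)),
            )
    return report

# Constructed sample data: one ledger of three records and an altered variant of it.
GENUINE = ["A pays B 5", "B pays C 2", "C pays A 1"]
ALTERED = ["A pays B 5", "B pays C 200", "C pays A 1"]

def network(altered_count, size=5):
    """Build a network in which the first `altered_count` nodes hold the altered copy."""
    return {f"node{i}": list(ALTERED if i < altered_count else GENUINE) for i in range(size)}
```

With two altered copies out of five, `divergent_nodes(network(2))` flags the two altered nodes at record 1; with three out of five, the altered copy becomes the accepted one and the honest nodes are the ones reported as divergent.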
The greatest uncertainty currently arises from the constant further development of the technology. This leads to new blockchain systems and it can therefore be assumed that all currently existing systems will be replaced by improved alternatives in the future.
Blockchain alone does not solve IT security problems
At ESKA we know that the target characteristics of blockchain, such as immutability, traceability, and decentralization, as well as the strong cryptographic foundation, can have a fundamentally positive effect on the security properties of IT solutions. At the same time, the security of the hardware and software used and of the underlying protocols must be guaranteed.
The security of external interfaces of the blockchain, in particular for the authentic insertion or reading of data, must also be observed. Even if blockchains are used in many applications, a trustworthy central point will not become completely superfluous.
Thus, choosing the right blockchain model is important, and when we discuss the client’s demands we devote quite a lot of time to selecting the right blockchain model to make it as trustworthy as possible.
Depending on the application, we select a suitable consensus mechanism to reach an agreement on the correct state of the blockchain. In addition, both the access to the network (unpermissioned – permissioned) and the access to the data (public – private) as well as a general role and rights management can be individually defined. The “unpermissioned public” blockchain with a “proof-of-work” consensus used by Bitcoin is unsuitable for many applications.
Understanding this, when designing apps based on blockchains, we consider the security aspects at an early stage.
Following the desired security goals, aspects such as confidentiality, integrity, and authenticity of the transaction data, the secure execution of smart contracts, and the identity management of the users must be appropriately modeled and implemented in the blockchain.
In particular, confidentiality is a demanding goal in blockchain applications. When selecting algorithms and protocols, one should follow the specifications of this article.
For example, sensitive data with long-term protection needs must be specially protected in a blockchain.
Due to the long availability (with potentially high sensitivity) of data in the blockchain, achieving long-term security is a particular challenge. It must be ensured that the security mechanisms of the blockchain can be changed if necessary. In particular, requirements that result from the threat posed by potential quantum computers and technical advances in cryptanalysis must be observed, and uniform security levels for blockchains must be defined and enforced, as is done by our blockchain developers.
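One way to keep the hash mechanism changeable and to enforce a uniform security level, shown as an added example that is not ESKA's own code: each block records the algorithm it was hashed with, and the verifier rejects blocks written after a cutover point that fall below the required level. The block layout, the policy table, and all function names are assumptions made for this sketch.

```python
import hashlib

# Illustrative policy table: classical collision resistance in bits (half the output length).
SECURITY_BITS = {"sha256": 128, "sha3_512": 256}

def digest(alg, prev, data):
    # The algorithm name is hashed too, so a block cannot be relabelled after the fact.
    return hashlib.new(alg, f"{alg}|{prev}|{data}".encode()).hexdigest()

def append(chain, data, alg):
    prev = chain[-1]["hash"] if chain else ""
    chain.append({"alg": alg, "prev": prev, "data": data, "hash": digest(alg, prev, data)})

def verify(chain, min_bits, enforce_from):
    """Return (index, problem) pairs; blocks from `enforce_from` on must reach `min_bits`."""
    problems, prev = [], ""
    for i, block in enumerate(chain):
        alg = block["alg"]
        if alg not in SECURITY_BITS:
            problems.append((i, "unknown algorithm"))
        elif block["prev"] != prev or block["hash"] != digest(alg, block["prev"], block["data"]):
            problems.append((i, "hash mismatch"))
        elif i >= enforce_from and SECURITY_BITS[alg] < min_bits:
            problems.append((i, "below required security level"))
        prev = block["hash"]
    return problems

def demo():
    chain = []
    for data in ("record 0", "record 1"):      # constructed sample records
        append(chain, data, "sha256")           # written before the migration
    for data in ("record 2", "record 3"):
        append(chain, data, "sha3_512")         # written after the cutover at index 2
    clean = verify(chain, min_bits=256, enforce_from=2)
    append(chain, "record 4", "sha256")         # a node still using the retired algorithm
    stale = verify(chain, min_bits=256, enforce_from=2)
    chain[1]["alg"] = "sha3_512"                # relabel an old block without rehashing
    relabelled = verify(chain, min_bits=256, enforce_from=2)
    return clean, stale, relabelled
```

Blocks written before the cutover remain bound only by the older algorithm; protecting them under the new one requires a separate re-anchoring step that this sketch does not cover.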
The standardization of blockchains must continue to be driven forward, taking appropriate account of IT security aspects. Safety certification of selected components according to generally recognized criteria can also be useful for certain applications. ESKA will continue to monitor and professionally assess the development of blockchain apps for our clients, always following the recommendations and requirements for blockchain security mechanisms.