Everywhere you turn in the security world, an interesting word keeps popping up: “Blockchain”. Just like the word “cloud”, this concept has taken hold of the security industry and has become one of the hottest emerging technologies. But what exactly is it?
It is, in essence, a system that can provide authentication and immutable copies of data, thereby securing all types of data transactions. But, before blockchain, what did we do?
For decades, digital signatures have been the method by which systems provide integrity, non-repudiation, and authentication for data exchanged electronically across networks.
Digital signatures are commonly used in email and other systems. They are generated by a mathematical algorithm that produces the signature from a hash of the message's contents together with the signer's key.
Evolution of Digital Signatures
Over the years, digital signatures have become more and more secure through adding information to the key, using different types of cryptography, and implementing advanced signature systems. Advanced electronic signatures add a further layer of security by complying with eIDAS requirements, such as the signer's sole control of the private key and the signature's ability to detect when the signed data has been tampered with. While e-signatures are not invincible, they are largely accepted as the gold standard for authentication and non-repudiation, as they are widely understood and have had few security incidents.
What is Blockchain?
As with all systems in cyber, when one system is shown to be less than perfect, there is always an effort to create an improved, rock-solid system that is able to block all attacks. Blockchain truly became a hit when Bitcoin first implemented it. Bitcoin was the most advanced cryptocurrency system to date, and many organizations, including NASDAQ and financial services clearing corporations, have begun looking into the system as an innovative way to implement additional security measures for their transactions.
Blockchain, while seemingly complicated, is very simple in nature: the blockchain is a series of timestamped data records that link together, forming the “chain”. To create a transaction, the signer records a hash of the previous transaction together with the public key of the recipient, and signs the result with their own private key. All transactions require the signer to have their private key; without it, you’re out of luck: no transaction.
The goal of blockchain is to replace an external, trusted third party (including the need for certificate authorities), as well as to prevent anyone from going backwards and covering their tracks if they corrupted an entry. The technology is based on the following characteristics:
- Log replication – To create resiliency, log-based replication is increasingly used for distributed systems to replicate logs to all peers in the network.
- Provable Value Chain – The values stored in the blockchain can be digital currency (such as the widely known Bitcoin), data, documents, and other assets. Hash chains are kept for each block providing a history of changes, which helps protect data integrity of the block asset.
- Public-key Cryptography – Blockchain uses public-key cryptography, including elliptic-curve schemes such as ECDSA, to authenticate transactions.
- Decentralized transaction ledger – The ledger is the blockchain itself; it is maintained without a central authority and acts as a decentralized reconciliation system.
How digital signatures and blockchain can work together
Digital signatures have become a critical control in many organisations' security strategies, relying on certificates and complex mathematical algorithms to ensure data authenticity and protection against forgery.
Blockchain enters the picture by introducing the concept of a business ledger, allowing for multiple signatures, the creation of fingerprints and/or timestamps, and the distribution of information across multiple systems in a network rather than a centralised server.
Blockchain is the most valuable addition to the "proof-of-work" concept because transactions cannot be edited or removed, which greatly strengthens the security of both the transactions and the signature technologies built on them.
Where blockchain could benefit greatly is in the use of secure, private keys in place of the public keys currently used.
While transactions are extremely secure and virtually tamper-proof, they are also extremely public. While transparency can be an auditor's dream in many cases (for example, in financial organisations), a lack of privacy can prevent organisations from fully adopting blockchain in situations where strict privacy requirements must be met.
Data transactions can be maintained by only approved parties by using private keys between the signer and the recipient, making it a very viable option for any type of data transaction imaginable.
Questions about Blockchain
Blockchain has been revolutionizing the world of cybersecurity; however, there are still many hurdles that are causing concern for companies considering the jump. Aside from the US, most countries have stringent policies regulating legal signatures and authentication technologies. While the US allows many forms of Blockchain due to the lack of regulatory barriers, other places, such as countries within the EU, will hit roadblocks if the technologies do not comply with eIDAS regulations.
Earlier this summer, we saw a prime example of how no technology, not even blockchain, can be completely resilient against cyber attacks. In early August, Bitfinex, a Hong Kong-based exchange, was hacked and lost 120,000 bitcoin (the equivalent of $68 million).
While the causes of the hack are still somewhat murky, it has become clear that compliance with KYC (know your customer) regulations – including the use of advanced digital signatures – can better protect your assets and systems when working with open systems such as blockchain.
References and Further Reading
- Selected articles on Authentication (2014-16), by Heather Walker, Luis Balbas, Guillaume Forget, Jan Ulrik Kjærsgaard, and Dawn M. Turner
- Selected articles on Electronic Signing and Digital Signatures (2014-16), by Ashiq JA, Guillaume Forget, Jan Ulrik Kjærsgaard, Peter Landrock, Torben Pedersen, Dawn M. Turner and Tricia Wittig
- REGULATION (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (2014) by the European Parliament and the European Commission
- Recommendations for the Security of Internet Payments (Final Version) (2013), by the European Central Bank
- Draft NIST Special Publication 800-63-3: Digital Authentication Guideline (2016), by the National Institute of Standards and Technology, USA.
- NIST Special Publication 800-63-2: Electronic Authentication Guideline (2013), by the National Institute of Standards and Technology, USA.
- Security Controls Related to Internet Banking Services (2016), Hong Kong Monetary Authority
Cryptomathic would like to thank the people at RBR London for the great cooperation on this publication. Twitter: @rbrlondon
Image: "Bitcoin ATM Blockchain.info DSC_1271", courtesy of BTC Keychain, Flickr (CC BY 2.0)