Everywhere you turn in the security world, an interesting word keeps popping up: “Blockchain”. Just like the word “cloud”, this concept has taken hold of the security industry and has become one of the hottest emerging technologies. But what exactly is it?
In basic terms, it is a distributed, append-only ledger: every entry is digitally signed and hash-linked to the entry before it, and every participant keeps a full copy, so an entry cannot be altered after the fact without the change being detected. But what did we do before blockchain?
For decades, digital signatures have been the method by which systems provide integrity, authentication of origin and non-repudiation for data exchanged electronically across networks.
Digital signatures are commonly used in email and many other systems. They are created in two steps: the contents of the message are first reduced to a fixed-size hash, and that hash is then signed with the signer's private key. Anyone holding the matching public key can recompute the hash and check the signature, but only the holder of the private key can produce it, which is what makes the signature both an integrity check and a proof of who signed.
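The two steps above, as an added example that is not code from the original article: Go's standard-library ECDSA over the P-256 curve (the curve, the sample payment message and the function names are assumptions chosen for illustration; Bitcoin uses secp256k1). The message is hashed, the digest is signed with the private key, and the checks show that a one-character change or someone else's public key makes verification fail, while two signatures over the same message differ because a signature is not a hash of the message.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignMessage hashes the message with SHA-256 and signs the digest with the
// signer's private key (ECDSA over P-256 here; Bitcoin uses secp256k1).
// The signature is not a hash of the message: it depends on the private key
// and on a fresh nonce, so signing the same bytes twice yields two different,
// equally valid signatures.
func SignMessage(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyMessage recomputes the digest and checks the signature with the public
// key alone. Any change to the message, the signature or the key makes it
// return false; nothing secret is needed to verify.
func VerifyMessage(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Checks records the properties the text attributes to digital signatures.
type Checks struct {
	GenuineAccepted  bool // integrity and authentication: the untouched message verifies
	TamperedRejected bool // one changed character is detected
	WrongKeyRejected bool // the signature does not verify under someone else's key
	SignaturesDiffer bool // same message, same key, different signature bytes
}

// Demo signs a constructed sample message and runs the checks above.
func Demo() (Checks, error) {
	var c Checks
	signer, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return c, err
	}
	other, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return c, err
	}
	msg := []byte("Pay 100 EUR to account 12345") // constructed sample message
	sig, err := SignMessage(signer, msg)
	if err != nil {
		return c, err
	}
	sig2, err := SignMessage(signer, msg)
	if err != nil {
		return c, err
	}
	tampered := append([]byte(nil), msg...)
	tampered[4] = '9' // "Pay 100" becomes "Pay 900"

	c.GenuineAccepted = VerifyMessage(&signer.PublicKey, msg, sig)
	c.TamperedRejected = !VerifyMessage(&signer.PublicKey, tampered, sig)
	c.WrongKeyRejected = !VerifyMessage(&other.PublicKey, msg, sig)
	c.SignaturesDiffer = !bytes.Equal(sig, sig2)
	return c, nil
}

func main() {
	c, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", c)
}
```

The private key never leaves SignMessage and is not needed by VerifyMessage; that asymmetry is what gives non-repudiation, and it is also why protecting the private key matters more than anything else in the scheme.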
Evolution of Digital Signatures
Over the years, digital signatures have become more secure through longer keys, stronger hash functions and signature algorithms, and better protection of the private key (for example in hardware security modules). Advanced electronic signatures add a further layer by meeting the eIDAS requirements: the signature must be uniquely linked to and capable of identifying the signatory, created with signature-creation data under the signatory's sole control, and linked to the signed data so that any later change to the data is detectable. While e-signatures are not invincible, they are widely accepted as the gold standard for authentication and non-repudiation because they are well understood and have a long track record with few security incidents.
What is Blockchain?
As with every system in security, once one scheme is shown to be less than perfect there is an effort to build a more robust replacement. Blockchain truly became a hit when Bitcoin made it the backbone of its currency: it was the most advanced cryptocurrency system to date, and many organizations, including NASDAQ and financial services clearing corporations, have since begun looking into the technology as an innovative way to add security to their transactions.
Blockchain, while it sounds complicated, is simple in nature: the block chain is a series of timestamped data records, each containing the hash of the record before it, which is what forms the “chain”. A transaction is created by the current owner signing, with their private key, the hash of the previous transaction together with the public key of the recipient; anyone can check that signature with the owner's public key. Every transaction requires the signer to hold their private key; without it, you're out of luck – no transaction.
Blockchain's intent is to remove the need for a trusted third party (a bank or clearing house, and, since participants are identified by their keys rather than by certificates, a certificate authority), and to prevent anyone who has corrupted an entry from going back and covering their tracks. The technology rests on the following properties:
- Log replication – Every peer in the network keeps a full copy of the ledger, the log-based replication increasingly used in distributed systems. This gives resiliency, and it means an attacker cannot alter history by changing a single copy.
- Provable value chain – The values stored in the blockchain can be digital currency (such as the widely known Bitcoin), data, documents and other assets. Each block records the hash of the previous block, giving a verifiable history of changes that protects the integrity of every asset on the chain: altering an old entry changes its hash, which breaks the link in every later block.
- Public-key cryptography – Transactions are authenticated with digital signatures; Bitcoin uses ECDSA over the secp256k1 elliptic curve, and the chain itself is linked with SHA-256 hashes.
- Decentralized transaction ledger – The ledger is the blockchain itself. It is maintained without a central authority and acts as a decentralized reconciliation system: every peer validates new blocks and transactions for itself rather than trusting a central server.
How digital signatures and blockchain can work together
Digital signatures have become a key control in many organizations' security strategies, relying on certificates and well-studied mathematical algorithms to prove the authenticity of data and protect it against forgery.
Blockchain enters the mix by adding the business ledger aspect: multiple signatures on one transaction, fingerprints (hashes) and timestamps of records, and distribution of the information across the systems in the network rather than a single centralized server.
Blockchain adds the greatest value through the combination of hash chaining and “proof-of-work”: once a transaction is buried under later blocks it cannot be edited or removed without redoing the work for that block and every block after it, which gives signed transactions a durable, tamper-evident history.
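An added example, not code from the article or from any real blockchain, that puts the structure described under “What is Blockchain?” and the proof-of-work point above into runnable Go: transactions in the form the text describes (a signature over the hash of the previous transaction and the recipient's public key), blocks linked by hash, a toy proof-of-work target, the verification every peer would run on its replica, and a step-by-step walk through what an attacker must do to rewrite an old entry. Ed25519 from the standard library stands in for Bitcoin's ECDSA/secp256k1; the fixed-seed test keys, the names Alice, Bob and Carol, the amounts and the 16-bit difficulty are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Tx is a transfer in the form the text describes: the sender signs the hash of
// the previous transaction together with the recipient's public key (and the amount).
type Tx struct {
	PrevTxHash [32]byte
	From, To   ed25519.PublicKey
	Amount     uint64
	Sig        []byte
}

func (t *Tx) signingBytes() []byte { // exactly the bytes the signature covers
	buf := append(append(append([]byte{}, t.PrevTxHash[:]...), t.From...), t.To...)
	return binary.BigEndian.AppendUint64(buf, t.Amount)
}

// Hash identifies the transaction so that the next transfer can link to it.
func (t *Tx) Hash() [32]byte { return sha256.Sum256(append(t.signingBytes(), t.Sig...)) }

// NewTx builds and signs a transfer: no private key, no transaction.
func NewTx(sender ed25519.PrivateKey, prev [32]byte, to ed25519.PublicKey, amount uint64) Tx {
	tx := Tx{PrevTxHash: prev, From: sender.Public().(ed25519.PublicKey), To: to, Amount: amount}
	tx.Sig = ed25519.Sign(sender, tx.signingBytes())
	return tx
}

// Block links to its predecessor by hash and carries a proof-of-work nonce
// (a real header also holds a timestamp and a Merkle root of the transactions).
type Block struct {
	PrevHash [32]byte
	Txs      []Tx
	Nonce    uint64
}

func (b *Block) Hash() [32]byte {
	buf := append([]byte{}, b.PrevHash[:]...)
	for i := range b.Txs {
		h := b.Txs[i].Hash()
		buf = append(buf, h[:]...)
	}
	return sha256.Sum256(binary.BigEndian.AppendUint64(buf, b.Nonce))
}

func hasWork(h [32]byte) bool { return h[0] == 0 && h[1] == 0 } // toy target: 16 leading zero bits

// Mine finds a nonce that meets the target and returns how many hashes it took.
func Mine(b *Block) uint64 {
	for b.Nonce = 0; !hasWork(b.Hash()); b.Nonce++ {
	}
	return b.Nonce + 1
}

// Verify is what every peer runs on its own replica: each block must link to its
// predecessor and carry its proof of work, and each transaction must spend a known
// earlier transaction and carry a valid signature from its sender.
func Verify(chain []Block) error {
	var prev [32]byte
	seen := map[[32]byte]bool{prev: true} // the all-zero hash is the constructed genesis
	for i := range chain {
		b := &chain[i]
		if b.PrevHash != prev {
			return fmt.Errorf("block %d: broken link to block %d", i, i-1)
		}
		for j := range b.Txs {
			tx := &b.Txs[j]
			if !seen[tx.PrevTxHash] {
				return fmt.Errorf("block %d tx %d: unknown previous transaction", i, j)
			}
			if !ed25519.Verify(tx.From, tx.signingBytes(), tx.Sig) {
				return fmt.Errorf("block %d tx %d: bad signature", i, j)
			}
			seen[tx.Hash()] = true
		}
		if prev = b.Hash(); !hasWork(prev) {
			return fmt.Errorf("block %d: proof-of-work missing", i)
		}
	}
	return nil
}

// Demo builds a two-block ledger, then alters it step by step. It returns Verify's
// result after each step and the hashes an attacker holding both keys must spend.
func Demo() ([]error, uint64) {
	key := func(b byte) ed25519.PrivateKey { return ed25519.NewKeyFromSeed(append(make([]byte, 31), b)) } // constructed test keys; real ones come from a CSPRNG
	pub := func(k ed25519.PrivateKey) ed25519.PublicKey { return k.Public().(ed25519.PublicKey) }
	alice, bob, carol := key(1), key(2), key(3)
	chain := []Block{{Txs: []Tx{NewTx(alice, [32]byte{}, pub(bob), 50)}}} // sample ledger: Alice pays Bob 50, Bob pays Carol 20
	Mine(&chain[0])
	chain = append(chain, Block{PrevHash: chain[0].Hash(), Txs: []Tx{NewTx(bob, chain[0].Txs[0].Hash(), pub(carol), 20)}})
	Mine(&chain[1])
	out := []error{Verify(chain)} // untouched ledger: nil
	chain[0].Txs[0].Amount = 500  // 1. an outsider edits the amount: the signature no longer matches
	out = append(out, Verify(chain))
	chain[0].Txs[0].Sig = ed25519.Sign(alice, chain[0].Txs[0].signingBytes()) // 2. a stolen key re-signs: block 0 lost its work
	out = append(out, Verify(chain))
	cost := Mine(&chain[0]) // 3. block 0 re-mined on its own: block 1 still links to the old block 0
	out = append(out, Verify(chain))
	chain[1].PrevHash = chain[0].Hash() // 4. re-linked: block 1's transaction spends a transaction that no longer exists
	out = append(out, Verify(chain))
	chain[1].Txs[0] = NewTx(bob, chain[0].Txs[0].Hash(), pub(carol), 20) // 5. Bob's key and block 1's work are needed too
	cost += Mine(&chain[1])
	return append(out, Verify(chain)), cost
}

func main() {
	out, cost := Demo()
	fmt.Println(out, "rewrite cost in hashes:", cost)
}
```

Running Demo shows the chain of consequences: an edit by someone without the key fails on the signature; a stolen key alone produces a block with no proof of work; re-mining that one block breaks the link from the next; and completing the rewrite needs the downstream key (Bob's) as well as the work of every later block. That is the sense in which blockchain entries are immutable: not that a valid key cannot sign a fraudulent transaction, but that history cannot be changed afterwards without redoing all the work and all the signatures that followed, on a majority of the replicas.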
Where blockchain could benefit greatly is in keeping the content of transactions confidential. While transactions are very secure and essentially tamper-proof, they are also very public. That transparency can be an auditor's dream in many cases (such as in financial organizations), but the lack of privacy can prevent organizations from fully adopting blockchain where strict privacy requirements must be met.
By encrypting the transaction contents between the signer and the recipient, or by running a permissioned ledger open only to approved parties, data transactions can be confined to those parties while the signatures and hash links still let every participant verify their integrity – which makes blockchain a viable option for a much wider range of data transactions.
Questions about Blockchain
Blockchain has been revolutionizing the world of cybersecurity, but there are still many hurdles that concern companies considering the jump. Aside from the US, most countries have stringent policies regulating legal signatures and authentication technologies. While the US allows many forms of blockchain because of the lack of regulatory barriers, other places, such as countries within the EU, will raise roadblocks if the technology does not comply with the eIDAS regulation.
Earlier this summer we saw a prime example of how no technology – not even blockchain – can be completely resilient against cyber attacks. In early August, Bitfinex, a Hong Kong-based exchange, was hacked and lost 120,000 bitcoin (the equivalent of $68 million). The Bitcoin ledger itself was not broken: the thieves were able to produce validly signed withdrawals from the exchange's wallets, and the blockchain did exactly what it is designed to do and recorded them irreversibly.
While the causes of the hack are still somewhat murky, the lesson is clear: the ledger will faithfully record whatever a valid key signs, so the security of the key is the security of the asset. Compliance with KYC (know your customer) regulations, strong customer authentication, and advanced digital signatures with properly protected private keys are what protect your assets and systems when working with open systems such as blockchain.
References and Further Reading
- Selected articles on Authentication (2014-16), by Heather Walker, Luis Balbas, Guillaume Forget, Jan Ulrik Kjærsgaard, and Dawn M. Turner
- Selected articles on Electronic Signing and Digital Signatures (2014-16), by Ashiq JA, Guillaume Forget, Jan Ulrik Kjærsgaard, Peter Landrock, Torben Pedersen, Dawn M. Turner and Tricia Wittig
- Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (2014), by the European Parliament and the Council of the European Union
- Recommendations for the Security of Internet Payments (Final Version) (2013), by the European Central Bank
- Draft NIST Special Publication 800-63-3: Digital Authentication Guideline (2016), by the National Institute of Standards and Technology, USA.
- NIST Special Publication 800-63-2: Electronic Authentication Guideline (2013), by the National Institute of Standards and Technology, USA.
- Security Controls Related to Internet Banking Services (2016), by the Hong Kong Monetary Authority