Modernizing Authentication — What It Takes to Transform Secure Access
When Bitcoin first appeared on the scene in 2009, it was seen as nothing more than a technical curiosity: a digital currency that had no central administrator, no central regulator, and no central transaction clearing system. Instead, it was a peer-to-peer system that allowed Bitcoin users to carry out transactions between themselves directly and anonymously.
A currency that can be used anonymously is bound to attract publicity and attention because of its potential to be used by criminals, but from a wider perspective what was most interesting about Bitcoin technology was something else entirely. It appeared to offer a completely new way to carry out digital transactions of almost any kind in a very secure fashion, using an innovative technology called a blockchain.
What is Blockchain?
Simply put, a blockchain is a ledger of transactions. When a new Bitcoin transaction is initiated, for example, the ledger is checked to see how many Bitcoins (if any) each party has before the transaction, and then the ledger is amended to reflect the state of affairs after the transaction is complete. So if A has 10 Bitcoins and B has 5 before a transaction to transfer 1 Bitcoin from A to B, then afterwards it will show that A has 9 and B has 6. Simple, really.
In fact, that's similar to the way that a conventional banking system works, with one critical difference. In the conventional banking system, each bank is responsible for maintaining a record of the balances of all the accounts it runs. It is effectively a single point of failure: if a hacker could gain access to a bank's computer systems, it could in theory alter the balances, and a software or hardware problem could stop the bank from carrying out any transactions for its accountholders at all. A denial of service attack against one bank's systems could also make it impossible for its customers to carry out any transactions as long as the attack continued.https://l1.cdn.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
That's where blockchain technology is different. The blockchain ledger is not held centrally; instead, multiple copies of it are stored on a large number of nodes – computer systems running blockchain software – around the world. Put simply, when a transaction is carried out, a node updates the ledger and then sends the updates to all the other nodes so that they are all have the same updated ledger.
These updates are lumped together into blocks, and blocks are appended to the ledger to form a chain of blocks, hence the name blockchain. What's clever is that each block is linked cryptographically to the previous blocks using a hashing algorithm, the effect of which is that once a block has been written, it can't be modified without the modification of all subsequent blocks because of the hashing algorithm. And because of the distributed nature of the blockchain, this can't be done in practice without the collusion of the majority of the other nodes in the system.
Blockchain security applications
In practice, what this means is that blockchain transaction records can't be altered by a malicious hacker, and the system isn't susceptible to DDoS attacks or technical breakdowns because there is no single point of failure. And because the ledger is public and open, anyone can inspect it to ensure that it works as it is supposed to.
An important point to note about blockchain technology is that it doesn't have to be used to run digital currency transactions. Since it was designed to be highly secure, that would seem to make it a good fit for IT security applications.
What sort of applications? One that has been suggested is the use of a blockchain ledger to replace Certificate Authorities (CAs) in PKI infrastructure. For PKI to work, users have to be able to trust that a public key that they use is in fact the public key of the party that it purports to be. A CA is a trusted centralized entity that signs a public key and certifies that it is genuine. But if a CA can be compromised (or is not trustworthy), then it could certify keys as belonging to one party when they in fact belong to another.
A blockchain-based system could publish public keys in a way that can't be hacked or changed (for the reasons mentioned previously) and which has no single point of failure. The blockchain can also be used to publish lists of revoked keys if necessary. An MIT project called CertCoin suggests how this might be achieved.
Blockchain could also be used for the related purpose of providing an alternative to private key signing to ensure that a document or other data has not been changed or tampered with. To do this, an application would take a cryptographic hash of a document or file, and store the hash on the blockchain. To verify a document or file it would only be necessary to compare a hash of the file with the hash stored on the blockchain. The blockchain-stored hash can't be altered because there are multiple copies of it around the world, and because it is impossible in practice to alter one block in the chain without altering all subsequent ones.
Another security application which has been mooted is the use of blockchain technology for the storage and distribution of DNS records. Authoritative DNS records are stored on a very small number of servers, making them susceptible to DDoS attacks or modification by hackers. And cached DNS records can be poisoned for more local and temporary attacks. By distributing DNS records on a blockchain they would, in theory, become resistant to modification and immune to DDoS attacks.
So far there has been much talk of the use of blockchain technology for IT security, and large companies have been developing blockchain offerings. For example, Microsoft has been offering blockchain as a service on Azure since 2015, and IBM offers an IBM Blockchain, which has been used to develop an identity solution with Canadian authentication provider SecureKey, and to create an exchange for trading carbon credits with a Chinese energy company. More recently Oracle launched its Blockchain Cloud Service designed to allow companies to run tamper-resistant transactions on a trusted business network.
Blockchain security vulnerabilities
But there has not been as much blockchain activity in the security sphere as one might have imagined, and many experts are not yet convinced that the technology will live up to the hype. "I am skeptical: there are potentially interesting use cases, but you need to think them through," said Martha Bennett, a principal analyst at Forrester Research. "Like all stuff that's new, it is appropriate to start talking. We should start with what problems we need to solve, and how blockchain might solve it."
She stresses that when it comes to blockchain technology, it is important to read the small print and consider how things work in practice. For example, blockchain promises records that are immutable. Or does it?
In fact, as was mentioned earlier, it is hard to alter a blockchain because each block is cryptographically linked to the preceding one, so to alter one it would be necessary to alter all subsequent ones, and to do that one would need to control the majority of the entire system's compute power.
When it comes to Bitcoin, more than 50% of all the compute power is in the hands of a handful of Chinese Bitcoin mining operations, so they could, in theory, alter the blockchain. They choose not to, though, and that's because doing so would undermine the currency and make it worthless, defeating the whole purpose of running such large operations.
But with a blockchain used to store data (or its hashes)? That's a whole different matter, said Bennett. "Immutability does not exist. If you had 51% of the compute power you could change the course of history going forward, and an enterprise blockchain would be easy to take over."
The good news is that it would be easy to notice that an enterprise blockchain had been taken over, but that's not much consolation.
Bennett's conclusion then is that although there are interesting potential security use cases for blockchain technology, and despite the fact that some companies are testing it out or even using it in a modest, non security-critical capacity, it is too early to put it into production use.
"Key storage, DNS – those sorts of applications need to be thought through better," Bennett said. "More attention needs to be given to the security risks of blockchain because it is still new, it is not proven, and people have found some very scary bugs."