Blockchain and security: bank and insurance applications (Renaud Lifchitz)

Post on 22-May-2020


NullCon – Goa, India – March 3rd-4th, 2017

Renaud Lifchitz (renaud.lifchitz@digitalsecurity.fr)

Blockchain and security: bank and insurance applications

Outline

Introduction to blockchain

Blockchain advantages

General use cases

Use cases in banks

Use cases in insurances

Security concerns

How to choose blockchain technology

How to choose programming language

Security best practices

P. 2 Blockchain and security: bank and insurance applications - Digital Security

Speaker's bio

French senior security engineer

Main activities: Penetration testing & security audits

Security research

Security trainings

Significant security studies about: contactless debit cards, GSM geolocation, blockchain, RSA signatures, ZigBee, Sigfox, LoRaWAN, Vigik access control and quantum computation

https://speakerdeck.com/rlifchitz


About Digital Security

Company founded in 2015 by a group of experts with the support of Econocom Group

Provides advanced services in security audit, consulting and support

Our expertise combines traditional infrastructure and application security with skills oriented towards the ecosystem of connected objects

Has created CERT-UBIK, the first European CERT™ specialized in IoT security (OSIDO monitoring service)

Has a laboratory for studying new technologies, protocols and specific operating systems


Blockchain introduction

Blockchain

Global and distributed registry (no single point of failure)

Secure and reliable transmission of authenticated information

Lots of use cases and advantages

Fully customizable depending on business cases


Blockchain - Advantages

Scalability: it's easy to deploy nodes

Resilience: tolerant to attacks (network, applicative, DoS, …)

Data integrity & authenticity: authenticated and immutable data

Decentralization: no SPoF (Single Point of Failure), no trusted third party

Transaction speed compared to interbank networks (e.g.: SWIFT)


Trusted network

Smart contracts

Automated, decentralized, conditional and safe execution of defined commitments (contracts)

Contracts become read-only as soon as they are deployed

Tamper-proof execution

Wide range of possible contracts

Multi-party contracts

dApp: decentralized web application connected to one or several contracts on a blockchain


Smart contracts

« State of the dApps », a public directory of Ethereum dApps: http://dapps.ethercasts.com/


Oracles

Program acting as a gateway between a blockchain and the real world, or more generally the Web

Execution prerequisites of a contract: current weather, stock market price, news, account balance...

An oracle is exposed as a function that a smart contract can call


A promising blockchain: Ethereum

First version: July 2015

~ 15 seconds per block

Powerful (« Turing-complete ») smart contracts, unlike Bitcoin

Mature oracle system: http://www.oraclize.it with provably honest security

Excellent community support

Rich documentation

Most useful smart contracts currently

Smart contract programming language: Solidity (a strongly typed language with JavaScript-like syntax)


Blockchain use cases

Why a blockchain? Or why you shouldn't use it everywhere...

Cons: Limited size and number of transactions per second

(Bitcoin: ~3-7 transactions/s., Ethereum: ~7-15 transactions/s.)

Energy cost

Key factors of choice: Lack of confidence between users

Concurrent writing by independent users

Benefits for users

Disintermediation


General use cases

Banking

Insurance

Notary

Electronic voting

Crowdfunding

Conditional execution of transactions (smart contracts)


General use cases: interests of FINTECH in blockchain


General use cases

Notary / Data anchoring / Proof of existence with timestamping:

https://woleet.io


Banks

Use cases

They already started to work with blockchain...

Use cases & examples

Blocked deposit with legal interest rates

Token: Custom unit of value for which you want to control issuance, use and conversion

ERC20 standard on Ethereum: https://github.com/ethereum/EIPs/issues/20

Use cases: Electronic currency

Loyalty points (in retail)

Purchase vouchers & coupons

Proofs


A standard for token management?

Insurances

Use cases:

• Automatic payment of premiums

• Automatic computation of risks by oracles and smart contracts

• Unique loss declaration

• Claim management

• Easy payment of compensations


Use cases

Insurances: examples

Flight delays: « Flight Delays Suck! »: https://fdd.etherisc.com/

Drought & flood: « Jamii Crop Insurance »: https://crop.etherisc.com/

Social insurance (in test): « Etherisc Social Insurance »: https://govhack.etherisc.com/

Natural disaster risk swaps and bonds (Allianz Risk Transfer AG & Nephila Capital Limited)

Sidechain developments (Axa Strategic Ventures & Blockstream)


Automatic compensation of flight delays:

« Flight Delays Suck! »: https://fdd.etherisc.com/
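The oracle pattern from the introduction and the automatic-compensation use case above, as an added Solidity example that is not Etherisc's code: the contract accepts the delay only from one trusted oracle address, credits compensation to every unpaid policy on that flight, and lets each holder pull its payout. The oracle address, the 45-minute threshold and the 3x payout ratio are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Added illustration, not Etherisc's code: a flight-delay policy that credits
// compensation automatically once a trusted oracle reports the delay.
// The oracle address, delay threshold and payout ratio are assumptions.
contract FlightDelayPolicy {
    address public immutable oracle;               // only this account may report delays
    uint256 public constant PAYOUT_DELAY_MIN = 45; // assumed threshold, in minutes
    uint256 public constant PAYOUT_RATIO = 3;      // assumed: compensation = 3 x premium

    struct Policy { address holder; uint256 premium; bool paid; }
    mapping(bytes32 => Policy[]) private policies; // flight id => policies sold
    mapping(address => uint256) public owed;       // compensation credited, claimed by pull

    event Compensated(bytes32 indexed flight, address indexed holder, uint256 amount);
    constructor(address _oracle) { oracle = _oracle; }
    // Capital backing the payouts: the insurer simply sends ether to the contract.
    receive() external payable {}

    // Automatic payment of the premium: buying the policy is the payment.
    function buy(bytes32 flight) external payable {
        require(msg.value > 0, "premium required");
        policies[flight].push(Policy(msg.sender, msg.value, false));
    }

    // Oracle callback with the delay in minutes. The contract never fetches
    // off-chain data itself; it only accepts it from the trusted oracle.
    function reportDelay(bytes32 flight, uint256 delayMinutes) external {
        require(msg.sender == oracle, "oracle only");
        if (delayMinutes < PAYOUT_DELAY_MIN) return;  // no compensation due
        Policy[] storage list = policies[flight];
        for (uint256 i = 0; i < list.length; i++) {
            if (list[i].paid) continue;               // each policy pays at most once
            list[i].paid = true;
            uint256 amount = list[i].premium * PAYOUT_RATIO;
            owed[list[i].holder] += amount;
            emit Compensated(flight, list[i].holder, amount);
        }
    }

    // Pull payment: each holder withdraws its own compensation, so one
    // failing transfer cannot block the others.
    function claim() external {
        uint256 amount = owed[msg.sender];
        require(amount > 0, "nothing to claim");
        owed[msg.sender] = 0;                          // effect before interaction
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```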


Blockchain security

« The DAO » case (1/2)

The DAO (Decentralized Autonomous Organization) was a crowdfunding smart contract developed by Slock.it (electronic lock connected to the blockchain)

More than $150 million was collected (15% of all ether at the time), a lot more than required!


« The DAO » case (2/2)

June 17th, 2016: theft of one third of the funds through an implementation vulnerability in the contract's handling of recursive calls

« Hard Fork » to modify the contract and save the funds

« Ethereum Classic » (ETC) appears: governance issues...

Legal issues for companies contracting with a smart contract: the DAO.LINK (Swiss company) solution


How to choose blockchain technology

The blockchain

Important criteria:

Maturity

Security

Interoperability (oracles and sidechains)

Support

Smart contract possibilities

Scaling (transaction max size, delay between blocks)

Some blockchains: Bitcoin, Ethereum, Ripple, Byteball (DAG), Lisk, Tezos, ...


How to choose blockchain technology

Smart contract programming language

Imperative languages:

Common

Easier to write

Complex to verify using formal proofs

Functional languages:

Unusual

Complex

Quite easy to verify using formal proofs (no side effect)


Security best practices

Functional best practices

Simplicity, modularity, code reuse

Unit testing & integration testing

Economic incentives:

Limitation of amounts

Bug bounties (ex.: https://bountyfactory.io)

Prediction markets (ex.: https://gnosis.pm/, https://augur.net/)

Separation of conditions and actions in the code (« Condition-Oriented Programming »)


Security best practices

Technical best practices

Implementation of a « killswitch » in the smart contracts

Pre & post-conditions in the functions

Use of formal proofs

Use of « mocks » in tests

Use of test environments (frameworks, testnets…)
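The token use case from the banking section (a unit of value with controlled issuance) and the technical best practices above (killswitch, pre- and post-conditions in functions) combined in one added Solidity example; this is neither the talk's code nor a reference ERC20 implementation, and the token name and the issuer-only rules are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Added example (not from the talk nor an ERC20 reference implementation):
// a minimal token in the ERC20 spirit whose issuance is restricted to the
// issuer, with an emergency "killswitch" and explicit pre/post-conditions.
contract ControlledToken {
    string public constant name = "Loyalty Point";   // constructed sample name
    uint8 public constant decimals = 0;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    address public immutable issuer;
    bool public stopped;                 // killswitch state

    event Transfer(address indexed from, address indexed to, uint256 value);

    constructor() { issuer = msg.sender; }

    modifier onlyIssuer() { require(msg.sender == issuer, "issuer only"); _; }
    modifier notStopped() { require(!stopped, "contract stopped"); _; }

    // Killswitch: the issuer can freeze all value movement, e.g. once a bug is found.
    function stop() external onlyIssuer { stopped = true; }
    function resume() external onlyIssuer { stopped = false; }

    // Controlled issuance: only the issuer creates new units.
    function mint(address to, uint256 amount) external onlyIssuer notStopped {
        require(to != address(0), "mint to zero address");   // pre-condition
        uint256 before = totalSupply;
        totalSupply += amount;
        balanceOf[to] += amount;
        assert(totalSupply == before + amount);              // post-condition
        emit Transfer(address(0), to, amount);
    }

    function transfer(address to, uint256 amount) external notStopped returns (bool) {
        // Pre-conditions: valid recipient and sufficient balance.
        require(to != address(0), "transfer to zero address");
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        uint256 sum = balanceOf[msg.sender] + balanceOf[to];
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        // Post-condition: a transfer never creates or destroys units.
        assert(balanceOf[msg.sender] + balanceOf[to] == sum);
        emit Transfer(msg.sender, to, amount);
        return true;
    }
}
```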


Blockchain services

Our blockchain services

Blockchain solutions

Technical and legal risk analysis

Blockchain trainings

Smart contract & PoC development

Smart contracts & cryptography audits

For the best specific recommendations for your project, contact us!


Thanks!

Questions?

IT & IoT Security

Contact:

renaud.lifchitz@digitalsecurity.fr

info@digitalsecurity.fr


Follow us on Twitter!: @iotcert