Blockchain Security improvement or - RSA Conference · 2019-07-26 · Blockchain promises to change...

Post on 26-May-2020



© 2018 RSA Conference. All rights reserved.

Blockchain Security improvement or security nightmare?

Dave Huseby, Security Maven, Hyperledger, The Linux Foundation

Marta Piekarska, Director of Ecosystem, Hyperledger, The Linux Foundation


Marta Piekarska, Director of Ecosystem, Hyperledger, The Linux Foundation

PhD in User Informed Design of Privacy Tools

10 years of experience in technology companies, including Apple, Yahoo & Deutsche Telekom

4 years in Blockchain: Blockstream & Hyperledger


Dave Huseby, Security Maven, Hyperledger, The Linux Foundation

Security Maven

Open source developer for 25 years

Focused on software security and engineering best practices for the last decade


The first long-distance trade occurred between Mesopotamia and the Indus Valley in Pakistan, ~3000 BC.

We have been exchanging goods for years.


How Do You Agree on Assets Balance?

How to track the value of exchanged goods?


Traditional Ledgers


In the digital world there are many copies that may contain different versions. The challenge: which do you trust as a single source of truth?

Digital World


Internet Connected Reality


Now we can keep our ledgers in sync—provided we can agree

Potential of Peer to Peer Network


The roots of Bitcoin lie in the so-called “Cypherpunks” movement, a group of technically skilled activists who campaigned for the protection of privacy and anonymity in cyberspace from the early 1990s onwards.

Members of the Cypherpunks were activists like Hal Finney, Nick Szabo, David Chaum, Wei Dai, Phil Zimmermann, Julian Assange and Satoshi Nakamoto, who later developed Bitcoin.

Blockchain is really old


Myth Debunked: Blockchain ≠ Cryptocurrency


Cryptocurrency is an application that sits on top of blockchain.

Not the other way around.


An append-only system of record or log of transactions that is replicated in a number of places but kept in sync.

What is a DLT?


• Everyone shares the ledger

• No one participant owns it, but all agree

• Leverages cryptography and consensus mechanism technology

• No single entity maintains it; the whole network validates, maintains, and keeps a copy of the database

Properties of Distributed ledgers


[Figure: five blocks in a row along a TIME axis; each block carries a Block Hash, a Prev Hash pointing at the previous block, a Merkle Root, and four Tx entries]

It’s “just” a Chain of Blocks
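As an added illustration of the block diagram above (my own example, not code from the talk or from Hyperledger): each block commits to its Tx entries through a Merkle root and to its predecessor through the Prev Hash, so altering one recorded transaction breaks verification unless every later block is recomputed as well. The transaction strings and the all-zero genesis link are constructed assumptions.

```python
import hashlib
import json


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def merkle_root(txs):
    """Merkle root of the Tx entries: hash each leaf, then hash pairs upward,
    duplicating the last node on odd-sized levels, until one root remains."""
    level = [sha256(tx.encode()) for tx in txs]
    if not level:
        return sha256(b"")
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha256((level[i] + level[i + 1]).encode())
                 for i in range(0, len(level), 2)]
    return level[0]


def block_hash(prev_hash: str, root: str) -> str:
    # The block header commits to both the predecessor and the Merkle root.
    header = json.dumps({"prev": prev_hash, "root": root}, sort_keys=True)
    return sha256(header.encode())


GENESIS_PREV = "0" * 64  # assumed Prev Hash for the first block (constructed)


def make_chain(batches):
    """Build the chain from the figure: one block per batch of Tx strings."""
    chain, prev = [], GENESIS_PREV
    for txs in batches:
        root = merkle_root(txs)
        chain.append({"prev_hash": prev, "merkle_root": root,
                      "txs": list(txs), "block_hash": block_hash(prev, root)})
        prev = chain[-1]["block_hash"]
    return chain


def verify_chain(chain):
    """Recompute every commitment; return (ok, index of first bad block or -1)."""
    prev = GENESIS_PREV
    for i, b in enumerate(chain):
        if (b["prev_hash"] != prev
                or merkle_root(b["txs"]) != b["merkle_root"]
                or block_hash(b["prev_hash"], b["merkle_root"]) != b["block_hash"]):
            return False, i
        prev = b["block_hash"]
    return True, -1
```

Editing one Tx in block 1 makes verify_chain report block 1; re-hashing block 1 to hide the edit only moves the failure to block 2, whose Prev Hash no longer matches, which is why rewriting history means recomputing every later block.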


• Network nodes both generate their own data and verify data generated by others

• Contains a historic record of verified transactions and is easily auditable

• Distributed consensus eliminates costly and inefficient reconciliation processes

• No central repository – each node stores identical copies of the ledger

• Resilient due to network power and cryptographic integrity

• Large economic disincentive for malicious actors

Facets of distributed, shared ledgers


The code or any complex program stored and executed on a blockchain.

There is more! What is a Smart Contract?


• Facilitate, verify, or enforce the negotiation or performance of a contract autonomously

• “If, then” statements or when “X happens, then automatically record or execute Y”

• Reinvent how business processes take place

• Automate manual or bespoke processes

What is a Smart Contract?


All over the global market there are ledgers that organizations and individuals alike must trust.


The Need for Trust

The 2018 Edelman Trust Barometer, an annual survey of 33k people in 28 countries, reveals that trust in key institutions continues to decline. For blockchain, 2018 needs to be the year of scale done well.


By 2025, 10% of global GDP will be assets tracked and traded using blockchain-based distributed ledgers

Report by WEF 2017

Everyone wants their own DLT


Consensus: PoW, PoS, PoET, Raft, BFT, PBFT

Crypto/Security: PKI, Hash, SHA-256, zk-SNARK, HE, ECC, EXDSA, SGX

Ledger Concepts: Mining, Blocks, Forks, Parents, Uncles, Merkle Trees

Platform Concepts: Nodes, Oracles, Notaries, Wallet, Smart Contracts

Google These Words


No matter what technology, security should always be at the center of your attention.


• Pushing security to the edges makes wallets and the private keys they store into high value targets.

Moving from Old to New


• Graveyard contains analysis of 51 publicly available attacks

Have you heard about Bitcoin Graveyard?


APIs with minimal foot-guns.

“Conversational” wallet interfaces.

Curated crypto library

Documentation, training, and support.

Misuse Resistant Design is Key


Hyperledger Crypto Library: https://github.com/hyperledger-labs/crypto-lib

Curated by the community. Minimizes foot-guns.

Supports regulated configurations. Can also use experimental algorithms.


Lots of Moving pieces…

[Diagram: Clients → Peers → Consensus Network → Distributed Ledger Organization, laid out as Front End, Middleware and Back End]

Lots of moving pieces...but no more complicated than the modern web.


What do we know?

Basic security matters.

Users may not be ready for this.

The same techniques apply as in the old world.

Don’t panic.


Blockchain promises to change the way business is conducted and transactions are executed across industries. Precisely how, and the pace at which, each of these industries adopts blockchain will surely vary.

There will never be one global chain-of-all chains that all industries convert to.


Permissioned vs. Permissionless: who can write to a blockchain (i.e., accessibility)

Public vs. Private: who can read from a blockchain (i.e., visibility)

Quadrants: Permissionless Public, Permissionless Private, Permissioned Public, Permissioned Private

Examples placed on the slide: Public Polls; Land titles, University degrees; Medical records; Bitcoin, Ethereum

Spectrum of Blockchains


[Figure: Blockchain Industries Curve plotted on the Diffusion of Innovations Curve by Everett Rogers, with Fintech; Healthcare, Supply Chain; and Logistics, Insurance, Governments marked along it]

Blockchain Industries Curve

Diffusion of Innovations Curve, by Everett Rogers


Not all problems can be solved with Blockchain


This technology is young. It is still early days.


When Frenemies try to be Friends

Enterprises are not designed to collaborate

How do you protect IP?

Can Open Source help?

Why join Blockchain consortia?

Which technology to choose?


The importance of being Earnest

Responsible disclosure in a decentralized and anonymous environment?

It is still a Network! DDoS is a Dirty Drag.

Smart Contracts are only as smart as their authors.

We already know most of it; we just need to be more cautious.


Exemplary Deployment: Claims Transparency


Exemplary Deployment: Secure Supply Chain


Exemplary Deployment: Posture Validation


What’s Left to be done?


Report a Security Bug: security@hyperledger.org

We Have a Bug Bounty—Use It! hackerone.com/hyperledger

Join a Working Group: wiki.hyperledger.org

Watch the Webinar Replay: hyperledger.org/webinars/get-involved

Get Involved!

You too can help--the easy stuff.


Tineola: https://github.com/tineola/tineola

A red-team tool for testing Hyperledger Fabric.

You too can help--the hard stuff.


Questions?

Marta Piekarska, Director of Ecosystem, Hyperledger, marta@linuxfoundation.org

Dave Huseby, Security Maven, Hyperledger, dhuseby@linuxfoundation.org


Massive online open-source course “Blockchain for Business”

Publications: hyperledger.org/resources

Comparison of Hyperledger Frameworks

Collection of interesting use cases for Blockchain technologies

On Bitcoin: bitcoin.org/en/faq

Just subscribe to the MIT Chainletter

Recommended Reading