© 2018 RSA Conference. All rights reserved.

Blockchain Security improvement or security nightmare?

Dave Huseby, Security Maven, Hyperledger, The Linux Foundation

Marta Piekarska, Director of Ecosystem, Hyperledge r, The Linux Foundation

© 2018 RSA Conference. All rights reserved.

Marta PiekarskaDirectory of Ecosystem, Hyperledger, The Linux Foundation

PhD in User Informed Design of Privacy Tools

10 years of experience in technology companies, including Apple, Yahoo & Deutsche Telekom

4 years in Blockchain: Blockstream & Hyperledger

© 2018 RSA Conference. All rights reserved.

Dave HusebySecurity Maven, Hyperledger, The Linux Foundation

Security Maven

Open source developer for 25 years

Focused on software security and engineering best practices for the last decade

© 2018 RSA Conference. All rights reserved.

The first long-distance trade occurred between Mesopotamia and indusvalley in pakistan ~3000 b.C

We have been exchanging goods for years.

© 2018 RSA Conference. All rights reserved.

How Do You Agree on Assets Balance?

How to track the value of exchanged goods?

© 2018 RSA Conference. All rights reserved.

Traditional Ledgers

© 2018 RSA Conference. All rights reserved.

In the digital world there are many copies that may contain different versions. The challenge: which do you trust as a single source of truth?

Digital World

© 2018 RSA Conference. All rights reserved.

Internet Connected Reality

© 2018 RSA Conference. All rights reserved.

Now we can keep our ledgers in sync—provided we can agree

Potential of Peer to Peer Network

© 2018 RSA Conference. All rights reserved.

The roots of Bitcoin are located in the so called “Cypherpunks” movement a group of technical-skilled activists, who campaigned for protection of privacy and anonymity in the Cyberspace from the beginning of 1990s onwards.

Members of the Cypherpunks were activists like Hal Finney, Nick Szabo, David Chaum, Wei Dai, Phil Zimmermann, Julian Assange and Satoshi Nakamoto, who later developed the Bitcoin.

Blockchain is really old

© 2018 RSA Conference. All rights reserved.

Myth Debunked: Blockchain ≠ Cryptocurrency

© 2018 RSA Conference. All rights reserved.

Cryptocurrency is an application that sits on top of blockchain.

Not the other way around.

© 2018 RSA Conference. All rights reserved.

An append-only systemof record or log of transactions that is multiplied in a number of places

but kept in synch

What is a DLT?

© 2018 RSA Conference. All rights reserved.

• Everyone shares the ledger• No one participant owns it, but all agree• Leverages cryptography and consensus mechanism

technology• No single entity maintains it, the whole network

validates, maintains, and keeps a copy of the database

Properties of Distributed ledgers

© 2018 RSA Conference. All rights reserved.

Block Hash

Prev Hash

Merkel Root

Tx

Tx

Tx

Tx

Block Hash

Prev Hash

Merkel Root

Tx

Tx

Tx

Tx

Block Hash

Prev Hash

Merkel Root

Tx

Tx

Tx

Tx

Block Hash

Prev Hash

Merkel Root

Tx

Tx

Tx

Tx

Block Hash

Prev Hash

Merkel Root

Tx

Tx

Tx

Tx

TIME

It’s ”just” a Chain of Blocks

© 2018 RSA Conference. All rights reserved.

Network nodes both generate their own data and verify data

generated by others

Contain historic record of verified transactions and

easily auditable

Distributed Consensus eliminates costly and inefficient

reconciliation processes

No central repository –each node stores identical copies

of the ledger

Resilient due to network power and cryptographic

integrity

Large economicdisincentive for malicious actors

Facets of distributed, shared ledgers

© 2018 RSA Conference. All rights reserved.

The code or any complex program stored and executed on a blockchain.

There is more! What is a Smart Contract?

© 2018 RSA Conference. All rights reserved.

• Facilitate, verify, or enforce the negotiation or performance of a contract autonomously

• “If, then” statements or when “X happens, then automatically record or execute Y”

• Reinvent how business processes take place• Automate manual or bespoke processes

What is a Smart Contract?

© 2018 RSA Conference. All rights reserved.

All over the global market there are ledgers that organizations and

individuals alike must trust.

© 2018 RSA Conference. All rights reserved.

The Need for Trust The 2018 Edelman Trust Barometer, an annual survey of 33k people in 28 countries, reveals that the trust in key institutions continues to decline. For blockchain,

2018 needs to be the year of scale done well.

© 2018 RSA Conference. All rights reserved.

By 2025, 10% of global GDP will be assets tracked and traded using blockchain-based distributed ledgers

Report by WEF 2017

Everyone wants their own DLT

© 2018 RSA Conference. All rights reserved.

ConsensusPoW, PoS, POET, RaFT,

BFT, PBFT

Crypto/SecurityPKI, HASH, SHA-256,

zk-SNARK, HE, ECC, EXDSA, SGX

Ledger ConceptsMining, Blocks,

Forks, Parents, Uncles, Merkle Trees

Platform ConceptsNodes, Oracles,

Notaries, Wallet, Smart Contracts

Google These Words

© 2018 RSA Conference. All rights reserved.

No matter what technologySecurity should always be in the

center of your attention

© 2018 RSA Conference. All rights reserved.

• Pushing security to the edges makes wallets and the private keys they store into high value targets.

Moving from Old to New

© 2018 RSA Conference. All rights reserved.

• Graveyard contains analysis of 51 publicly available attacks

Have you heard about Bitcoin Graveyard?

© 2018 RSA Conference. All rights reserved.

API’s with minimal foot-guns.

“ Conversational” wallet interfaces.

Curated crypto library

Documentation, training, and support.

Misuse Resistant Design is Key

© 2018 RSA Conference. All rights reserved.

Hyperledger Crypto Libraryhttps://github.com/hyperledger-labs/crypto-lib

Curated by the community.Minimizes foot-guns.

Supports regulated configurations.Can also use experimental algorithms.

© 2018 RSA Conference. All rights reserved.

Lots of Moving pieces…

Clients

Peers

Consensus Network

Distributed Ledger Organization

© 2018 RSA Conference. All rights reserved.

Clients

Peers

Consensus Network

Front End Middleware Back End

Distributed Ledger Organization

Lots of moving pieces...but no more complicated than the modern web.

© 2018 RSA Conference. All rights reserved.

What do we know?Basic security matters.

Users may not be ready for this.

The same techniques apply as in the old world.

Don’t panic.

© 2018 RSA Conference. All rights reserved.

Blockchain promises to change the way business is conducted and transactions are executed across industries. Precisely how, and the pace at which,

each of these industries adopts blockchain will surely vary.

There will never be one global chain-of-all chains that all industries convert to.

© 2018 RSA Conference. All rights reserved.

Permissionless Public Permissionless Private Permissioned Public Permissioned Private

Public Polls Land tit les, University degrees

Medical recordsBitcoin, Ethereum

Spectrum of BlockchainsPermissioned vs. Permissionless: Who can write to a Blockchain (i.e., accessibility)Public vs. Private: Who can read from a Blockchain (i.e., visibility)

© 2018 RSA Conference. All rights reserved.

Logistics, Insurance,Governments

Healthcare , Supply Chain

Fintech

Blockchain Industries Curve

Diffusion of Innovations Curve, by Everett Rogers

© 2018 RSA Conference. All rights reserved.

Not all problems can be solved with Blockchain

© 2018 RSA Conference. All rights reserved.

This technology is young. It is still early days.

© 2018 RSA Conference. All rights reserved.

When Frenemies try to be FriendsEnterprises are not designed to collaborate

How do you protect IP?

Can Open Source help?

Why join Blockchain consortia?

Which technology to choose?

© 2018 RSA Conference. All rights reserved.

The importance of being EarnestResponsible disclosure in decentralized and anonymous environment?

It is still a Network! DDoS is a Dirty Drag.

Smart Contracts are only as smart as their authors.

We already know most of it, just need to be more cautious

© 2018 RSA Conference. All rights reserved.

Exemplary Deployment: Claims Transparency

© 2018 RSA Conference. All rights reserved.

Exemplary Deployment: Secure Supply Chain

© 2018 RSA Conference. All rights reserved.

Exemplary Deployment: Posture Validation

© 2018 RSA Conference. All rights reserved.

What’s Left to be done?

© 2018 RSA Conference. All rights reserved.

Report a Security Bug

security@hyperledger.org

We Have a Bug Bounty—

Use It!hackerone.com/hyperledger

Join a Working Group

wiki.hyperledger.org

Watch the Webinar Replay:

Get Involved!hyperledger.org/webinars/

get-involved

You too can help--the easy stuff.

© 2018 RSA Conference. All rights reserved.

Tineolahttps://github.com/tineola/tineola

A red-team tool for testing Hyperledger Fabric.

You too can help--the hard stuff.

© 2018 RSA Conference. All rights reserved.

Questions?

Marta PiekarskaDirector of Ecosystem, Hyperledgermarta@linuxfoundation.orgDave HusebySecurity Maven, Hyperledgerdhuseby@linuxfoundation.org

© 2018 RSA Conference. All rights reserved.

Massive online open-souce course

“ Blockchain for Business”

Publicationshyperledger.org/resources

Comparison of Hyperledger Frameworks

Collection of inte restinguse cases for Blockchain

technologies

On Bitcoinbitcoin.org/en/faq

Just subscribe MIT chainletter

Recommended Reading