Think Blockchain’s Automatically Secure? Think Again

While the technology is generally believed to be secure, organizations shouldn’t assume that makes it automatically safe to use

When the price of a single Bitcoin jumped from $1,000 to $20,000 last year, and then promptly plummeted in early 2018, the critics said the endemic volatility of cryptocurrencies would kill off any chance of broad adoption.

No such doubts, however, have accompanied predictions about the viability of the blockchain technology that underlies cryptocurrencies. Indeed, keen interest in blockchain’s potential has resulted in a beehive of development activity.

The Enterprise Ethereum Alliance now boasts more than 200 members and 17 working groups focused on establishing standards for projects adopting the technology. At the same time, the Linux Foundation’s Hyperledger group counts 231 organizations working on more than 400 projects.

Yet while the technology is generally believed to be secure, organizations shouldn’t assume that makes it automatically safe to use. A great deal relies on how it’s implemented, according to David Huseby, a security expert with the Linux Foundation’s Hyperledger project.

“The theory of blockchain is sound. The cryptography is sound. And the computer science behind it is sound,” Huseby said. “Bitcoin proves that global-scale blockchain applications that are secure can be built. The security models for blockchain, however, are really different from what people are familiar with.”

Enterprise blockchain projects mostly remain in the proof-of-concept stage, run by early adopters in a variety of industries. Financial services companies, which were among the first to test out the technology, are running pilot programs that focus on interbank clearing of transactions in near real time. The healthcare and shipping industries are testing blockchain technology as a way to track medicine and other goods through the supply chain. Even providers of sustainable seafood are trying their hand at using the blockchain to establish the provenance of the products they sell.

“Any time you have accounting that has to happen between businesses where making that accounting more efficient — that is a slam-dunk case,” Huseby said. “For now, we are seeing business-to-business applications, but we will start seeing things where it is wholesale to retail.”

Yet, the security of applications relying on the blockchain can be complex. One site that tracks such failures, the Blockchain Graveyard, has documented 54 compromises of cryptocurrencies, exchanges, and wallet software.

“There is a lot to be learned from how poorly the implementations have been done,” said Marta Piekarska, director of ecosystem for the Linux Foundation. “The protocols are good and the technology is sound. But what we have been observing is that the implementation and usability have been failing.”

Companies need to understand not just the advantages of blockchain technology, but also its disadvantages and the problems that come along with it, she said.

Encryption and Key Management

Unlike the credential-based security—think usernames and passwords—with which most information-security managers are familiar, the blockchain relies on public- and private-key infrastructure and inherits the management issues of that technology.

“This kind of security model has a very difficult user interface and set of problems,” said Hyperledger’s Huseby. “It requires the end user to have to manage their encryption keys, and key material is very sensitive data, and there is a lot of mistakes that people have in dealing with that.”

Managing encryption keys is a difficult problem. That complexity means that getting the security right is difficult, according to Saurabh Shintre, a principal researcher with Symantec Research Labs.

“It is very easy to make a mistake when implementing the technology,” he said.

Public, Private Blockchains and Security Models

While each record in the blockchain is secured by encryption, the way that transactions on the blockchain are verified is determined by whether the blockchain is public or private. Public blockchains rely on consensus to prevent fraud, but require a great deal of processing power, and generally need a currency—such as Bitcoin—to reward the infrastructure owners.

For example, the advertising technology firm Verasity uses a public blockchain and a fiat currency called Veracoin to give advertisers a way to determine legitimate views of video content. A public blockchain with anonymized information on ad views gives anyone the ability to check

“For advertisers, it is great,” said David Orman, CEO of Verasity. “You can check the ledger and look for anything suspicious or anything that does not add up.”

On the other hand, private blockchains rely on permitted nodes in the network to verify transactions.

“The consensus technology is really new with Bitcoin,” said Symantec’s Shintre. “While Bitcoin’s infrastructure has been well tested, it may not be the case with permissions ledgers, and that is something for which the people that are building these applications need to focus on.”

The problems will be worked out. But companies that are joining the early adopters need to focus not just on the security of the technology, but also on the security of the infrastructure and on testing their management and monitoring processes.

Because, even with the uncertainties in security, blockchain is set to grow.

“We are just at the start of the blockchain,” said Verasity’s Orman. “Just with existing technology, you are doing something already unique and different. And it is continuing to evolve, so between 18 months and 36 months from now, you will see a variety of new applications and businesses.”

About the Author

Robert Lemos

Journalist

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology’s impact on society for two decades. He has covered cybercrime and security technology for almost two dozen publications.
