Blockchain is a decentralised, distributed electronic ledger built on the model of offering absolute security and trust. Using cryptography, transactions are recorded chronologically and publicly, each one time-stamped and linked to the previous one. Critically, these digital ‘blocks’ can only be updated through the consensus of all participants, with data interception, modification and deletion near impossible.
As a result, since hitting Gartner’s fabled “peak of the hype cycle” in 2016, Blockchain has become something of a priority for industry leaders, especially in financial services, energy and manufacturing. Authenticating Bitcoin payments has perhaps become the most cited use case, but this technology can extend to applications like content delivery networks and smart grid systems too.
How does blockchain apply to cyber security?
Blockchain has the potential to improve everything from improving data integrity and digital identities to enabling safer IoT devices to prevent DDoS attacks. Indeed, blockchain might play across the ‘CIA triad’ of confidentiality, integrity and availability, offering improved resilience, encryption, auditing and transparency.
“Blockchain plugs the gaps that we have left with our poor implementation of security and lack of trustworthiness,” said Bill Buchanan, an acclaimed computer scientist and professor at the School of Computing at Edinburgh Napier University. “In 2018, we must encrypt by default. At the current time, you cannot verify that no one has read an email sent to you, and that it hasn’t been modified. We often can’t even verify the sender.”
“With blockchain methods, we can properly verify and sign our transactions,” says Buchanan. “While there is some hype around cryptocurrencies, the implementation of blockchain methods will actually build more trustworthy infrastructure for our digital services. The greatest application will be the transformation of our public sector, and create a more citizen-focused infrastructure. This will allow citizens to own their own identities, and then for each transaction to be verified. We could enact elements of our public services, such as the payment of benefits, using smart contracts, and based on signed assertions.”
Below are the real-world use cases for blockchain in security.
1. Securing edge devices with authentication
As IT focus shifts to supposedly “smart” edge devices with data and connectivity, so, too, goes security. After all, the network’s extension may be good for IT efficiency, productivity and power usage (i.e., good for cloud and data center resources), but it represents a security challenge for CISOs, CIOs and the wider business. Many are subsequently seeking ways of using blockchain to secure IoT and industrial IoT (IioT) devices, given that the technology strengthens authentication, improves data attribution and flow, and aids record management.
For example, startup Xage Security launched late in 2017 claiming that its “tamper-proof” blockchain technology platform distributes private data and authentication at scale across a network of devices. Furthermore, the firm says it supports any communication, can work at the edge with irregular connectivity, and secure a myriad of different industrial systems.
The firm says it is already working with ABB Wireless on power and automation projects requiring distributed security, as well as with Dell to deliver security services on Dell IoT Gateways and its EdgeX platform for the energy industry.
These improvements are being embedded at the chipset level, too. Startup Filament recently announced a new chip designed to enable industrial IoT devices to work with multiple blockchain technologies. The idea behind its Blocklet chip is to let IoT sensor data be coded directly into the blockchain with the goal to “provide a secure foundation for decentralised interaction and exchange.”
2. Improved confidentiality and data integrity
Although Blockchain was originally created without specific access controls (owing to its public distribution), some blockchain implementations now address the data confidentiality and access control challenges. This is clearly a critical challenge in an age where data can easily be manipulated or spoofed, but the full encryption of blockchain data ensures that this data will not be accessible to unauthorised parties while in transit (so little to no chance for successful man-in-the-middle [MiTM] attacks).
This data integrity extends to IoT and IIoT devices. For example, IBM provides its Watson IoT platform with an option to manage IoT data in a private blockchain ledger, which is integrated into Big Blue’s cloud services. Ericsson’s Blockchain Data Integrity service provides fully auditable, compliant and trustworthy data to app developers working within GE’s Predix PaaS platform.
3. Secure private messaging
Startups like Obsidian are using blockchain to secure private information exchanged in chats, messaging apps and through social media. Unlike the end-to-end encryption employed by the likes of WhatsApp and iMessage, Obsidian’s messenger uses blockchain to secure users’ metadata. The user will not have to use email or any other authentication method to use the messenger. The metadata is randomly distributed throughout a ledger and thus will not be available for gathering in one single point, from which it could be compromised.
Elsewhere, engineers at the Defense Advanced Research Projects Agency (DARPA) are reportedly experimenting with blockchain to create a messaging service that is secure and impenetrable to foreign attacks. With Blockchain rooted in secure, authenticated communications, expect this area to mature in the near future.
4. Boosting or even replacing PKI
Public Key Infrastructure (PKI) is the public key cryptography that secures emails, messaging applications, websites and other forms of communication. However, most implementations rely on a centralised third-part certificate authority (CA) to issue, revoke, and store key pairs, which criminals can target to compromise encrypted communications and spoof identities. Publishing keys on a blockchain instead would in theory eliminate the risk of false key propagation and enable applications to verify the identity of the people you are communicating with.
CertCoin is one of the first implementations of blockchain-based PKI. The project removes central authorities altogether and uses the blockchain as a distributed ledger of domains and their public keys. In addition, CertCoin provides a public and auditable PKI that also doesn’t have a single point of failure.
Start-up REMME gives each device its own specific SSL certificate based on the blockchain, which prevents intruders from faking certificates, while tech research company Pomcor has published a blueprint for a blockchain-based PKI that uses blockchains to store hashes of issued and revoked certificates (though, in this example, CAs are still required).
Perhaps PKI can be replaced outright, if Estonian data security startup Guardtime is anything to go by. The firm has been using blockchains to create a Keyless Signature Infrastructure (KSI), a replacement for PKI. Guardtime has grown into “the world’s largest blockchain company by revenue, headcount and actual customer deployments,” and it has secured all of Estonia’s one million health records with the technology in 2016.
5. A safer DNS
The Mirai botnet showed just how easy it is for criminals to compromise critical internet infrastructure. By bringing down the domain name system (DNS) service provider for most major websites, the attackers were able to cut off access to Twitter, Netflix, PayPal, and other services. A blockchain approach to storing DNS entries could, in theory, improve security by removing the single, attackable target.
Nebulis is a new project exploring the concept of a distributed DNS that supposedly never fails under a deluge of access requests. Nebulis uses the Ethereum blockchain and the Interplanetary Filesystem (IPFS), a distributed alternative to HTTP, to register and resolve domain names. “At the core of the Internet, we see critical services such as DNS providing opportunities for a large-scale outage and also for hacks against organisations,” says Buchanan. “Thus, a more trusted DNS infrastructure, using blockchain methods, would considerably aid the core trust infrastructure of the internet.”
6. Reduced DDoS attacks
Blockchain startup Gladius claims that its decentralised ledger system helps to protect from distributed denial of service (DDoS) attacks, a significant claim when attacks are rising over and above 100Gbps. The firm says its decentralised solutions can protect against such attacks by “allowing you to connect to protection pools near you to provide better protection and accelerate your content.”
Interestingly, Gladius claims that the decentralised network allows users to rent out their spare bandwidth for extra money, with this excess bandwidth then “distributed to nodes which in turn funnel the bandwidth to websites under DDoS attacks to make sure they stay up.” In less busy times (with no DDoS attacks), Gladius says its network “speeds up access to the internet by acting as a content delivery network.”
Blockchain security is not a panacea
Yet blockchain is no panacea, from technical complexity and myriad systems to the realisation it can’t guarantee 100 percent security. Buchanan is concerned about issues like limits on the rate of transactions that can be applied and “tensions about whether information should be stored on or off the blockchain.”
“2018 needs to be the year of applying cryptography to all our data, and blockchain will provide a foundation for this to scale across organisations,” says Buchanan. “The key challenges will be to break away from our existing legacy IT infrastructures and rebuild them using a core build around blockchain. A core element will be the creation of key pairs – with a public and a private key – that will identify individuals. Unfortunately, our law enforcement infrastructure is still focused on traditional IT methods, and a move towards a blockchain method would involve increased tensions between privacy and the rights of society to protect itself.”