The question I am addressing in this article is whether blockchain technology is an effective and usable tool in the arsenal of the InfoSec professional. Not all people, including InfoSec people, have heard of blockchain, although it’s more likely that they have heard of bitcoin and cryptocurrency.
The aim of a blockchain is to allow digital information to be recorded and distributed, but once distributed, not tampered with. While blockchain technology was first outlined in 1991, it wasn’t until 2009 that the first real-world application made its appearance with the launch of bitcoin.
The initial bitcoin specification together with open-source proof of concept software was published in early 2009 and was based on a public ledger that would hold every transaction ever executed and successfully processed.
It is this public ledger that is the “blockchain”, so called because blocks containing transactions (each block can contain anything from one very large transaction to thousands of small ones) are added to the ledger linearly and chronologically, forming a chain of blocks.
Each block is also hash coded, making it uniquely identifiable from other blocks. The transactions that are included in a block are associated with a pair of “wallets” (pseudonyms) that respectively identify the sender and receiver of some digital assets.
These “wallets” connect into the blockchain network at “relay” nodes, which in turn connect to the nodes that undertake block validation (known as miner or validator nodes).
The ledger (blockchain) is publicly viewable and readable. That means you can view any transaction held in the blockchain which includes the participants in the transaction, the time of the transaction and other details.
While a merchant might be formally identified, users making a transaction are identified by their digital signature (often a public key) or a user name. Specific information held in a transaction can be encrypted if necessary, such as in the case of patient medical records.
As the blockchain itself is replicated to all the computers in the blockchain’s network, it is very difficult for a hacker to change a transaction: doing so would change the hash of the altered block, and all the other computers holding their own copy of the blockchain would be able to identify the tampering.
To make such a hack viable, at least 51% of the blockchain copies (computers) would have to be compromised, and quickly. Bitcoin has millions of computers in its network, so reaching 51% is a daunting task. The 51% threshold is built into the protocol to ensure consensus among the participating computers verifying transactions.
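As an added illustration (not code from the article), the minimal hash-chained ledger below shows both points above: editing one transaction no longer matches the block’s recorded hash, and even a tamperer who recomputes the hashes of the edited block and every later block ends up with a copy whose latest block hash differs from the copies held by the other nodes, which is what lets them identify it. Wallet names, amounts and the genesis sentinel are constructed for the example.

```python
import hashlib
import json
GENESIS_PREV = "0" * 64  # constructed sentinel for the first block's link

def block_hash(block):
    """Hash every field except the hash itself, so any edit changes it."""
    body = {k: v for k, v in block.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_block(chain, transactions):
    """Append a block whose hash also covers the previous block's hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_PREV
    block = {"index": len(chain), "prev_hash": prev_hash, "transactions": transactions}
    chain.append({**block, "hash": block_hash(block)})
    return chain[-1]

def verify_chain(chain):
    """Recompute every hash and check each block links to its predecessor."""
    for i, block in enumerate(chain):
        if block["hash"] != block_hash(block):
            return False  # contents no longer match the recorded hash
        if block["prev_hash"] != (chain[i - 1]["hash"] if i else GENESIS_PREV):
            return False  # link to the previous block is broken
    return True

def build_sample_chain():
    """Constructed sample ledger: three blocks of wallet-to-wallet transfers."""
    chain = []
    append_block(chain, [{"from": "wallet_A", "to": "wallet_B", "amount": 5}])
    append_block(chain, [{"from": "wallet_B", "to": "wallet_C", "amount": 2},
                         {"from": "wallet_A", "to": "wallet_C", "amount": 1}])
    append_block(chain, [{"from": "wallet_C", "to": "wallet_A", "amount": 3}])
    return chain

def tampered_copy(chain, rehash=False):
    """One node's replica with an amount in block 1 edited; rehash=True also
    recomputes block 1 and every later hash, as a tamperer would to hide it."""
    copy = json.loads(json.dumps(chain))  # deep copy: the honest chain is untouched
    copy[1]["transactions"][0]["amount"] = 200
    if rehash:
        for i in range(1, len(copy)):
            copy[i]["prev_hash"] = copy[i - 1]["hash"]
            copy[i]["hash"] = block_hash(copy[i])
    return copy

def outvoted_replicas(replicas):
    """Indices of replicas whose latest block hash differs from the majority's."""
    tips = [r[-1]["hash"] for r in replicas]
    majority = max(set(tips), key=tips.count)
    return [i for i, t in enumerate(tips) if t != majority]
```

A naively edited copy fails `verify_chain`; a rehashed copy passes its own verification but is flagged by `outvoted_replicas` once compared with the other nodes' copies.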
While bitcoin was the first blockchain, there are now more than 100 different blockchains, each with its own characteristics and tailored to specific uses. Some are cryptocurrencies; others store and distribute information such as patient medical records, real estate information and so on.
Examples include Ethereum, Steem and Zcash, while more established companies have realised the more abstract properties of blockchain such as resilience and integrity. Industrial consortia such as R3 and Hyperledger have broadened the scope of blockchain to create a technology known as distributed ledgers which may, due to their association with established partners in industry, lead to a greater adoption of the technology.
But is blockchain ready for prime time when it comes to information security? The answer is going to depend on a company’s business and economics.
Embarking on a blockchain solution completely in-house can be costly due to the amount of computing power (and electricity) required to verify blocks being added to the blockchain and the development time needed to create a blockchain infrastructure. There would need to be a very careful review of the various blockchain implementations, looking for the trade-offs between such areas as:
- Speed of transactions (blockchain has a much lower transactions-per-second (TPS) rate than conventional database systems);
- The time before a transaction is included in a verified block on the blockchain (this can be many minutes, with 10 minutes being an accepted norm);
- Security in creating user identities and the privacy of transactional data (to encrypt or not), together with scalability and the resources required to operate (computing power, air handling needs, electrical requirements and costs);
- Compliance issues, which cannot be ignored, particularly where cryptocurrency and personal data are involved.
In my humble opinion, blockchain can be a candidate for new or complete-replacement projects, particularly where the business requirement allows the leveraging of a pre-existing external blockchain network, as only the “wallets” and any supporting infrastructure around their use will need to be developed.
However, the considerations identified above (transaction speed, security, privacy, regulation and so on) must be taken into account when choosing to use such a pre-existing blockchain.