Security Think Tank: Blockchain utility depends on business type and cost

The question I am addressing in this article is whether blockchain technology is an effective and usable tool in the arsenal of the InfoSec professional. Not all people, including InfoSec people, have heard of blockchain, although it’s more likely that they have head of bitcoin and cryptocurrency.

The aim of a blockchain is to allow digital information to be recorded and distributed, but once distributed, not tampered with. While blockchain technology was first outlined in 1991, it wasn’t until 2009 that the first real-world application made its appearance with the launch of bitcoin.  

The initial bitcoin specification together with Open-Source proof of concept software was published in early 2009 and was based on a public ledger that would hold every transaction ever executed and successfully processed.

It is this public ledger that is the “blockchain” which is descriptive of the fact that blocks containing transactions (each block can contain from one very big transaction to thousands of small ones) are linearly and chronologically added to the ledger so forming a chain of blocks.

Each block is also hash coded, making it uniquely identifiable from other blocks. The transactions that are included in a block are associated with a pair of “wallets” (pseudonyms) that respectively identify the sender and receiver of some digital assets.

These “wallets” connect into the blockchain network at “relay” nodes who in turn connect to the nodes that undertake block validation (known as the Miner/Validator node). 

The ledger (blockchain) is publicly viewable and readable. That means you can view any transaction held in the blockchain which includes the participants in the transaction, the time of the transaction and other details.

While a merchant might be formally identified, users making a transaction are identified by their digital signature (often a public key) or a user name. Specific information held in a transaction can be encrypted if necessary such as in the case of patient medical records.

As the blockchain itself is replicated to all the computers in the blockchain’s network, it is very difficult to for a hacker to change a transaction as it would change the hash code of the block being hacked and all the other computers with their copy of the blockchain would be able to identify the hack.

To make such a hack viable at least 51% of the blockchain copies (computers) would have to be compromised and quickly. Bitcoin has millions computers in its network so that 51% is a daunting task. The 51% threshold is built into the protocol to ensure consensus of participating computers verifying transactions.

While bitcoin was the first blockchain there are now more than 100 different blockchains, each with their own uniqueness and tailored to specific uses. Some are cryptocurrencies, others store and distribute information such as patient medical records, real estate information etc.

Examples include Ethereum, Steem and Zcash, while more established companies have realised the more abstract properties of blockchain such as resilience and integrity. Industrial consortia such as R3 and Hyperledger have broadened the scope of blockchain to create a technology known as distributed ledgers which may, due to their association with established partners in industry, lead to a greater adoption of the technology.

But is blockchain ready for prime time when it comes to information security? The answer is going to depend on a company’s business and economics.