Blockchain holds key to safe digital transactions
Blockchain has proven its security capabilities and mechanism, says of Innov8ID
Blockchain technology is driving a significant evolution in the way security for IT and telecommunications is currently being developed.
Over the last number of years, we have seen IT and telecommunications services evolve from dedicated centralised infrastructure, where today these are deployed across distributed virtualised cloud providers. In doing so the traditional controls for managing identity, security and data privacy can present many challenges.
The plethora of innovative digital devices and low-cost internet of things (IoT), that typically shipped with default security passwords, are connecting with a broad range of IT services. This presents hackers an easy opportunity to spread malicious software to millions of IoT devices to be recruited into a coordinated distributed denial-of-service attack (DDoS).
We have seen many examples in the news where centralised systems being compromised through denial of service attacks. A DDoS attack floods systems, servers or networks with traffic to exhaust resources and bandwidth. As a result, the system is unable to fulfill legitimate requests. Attackers can also use multiple compromised devices to launch this attack.
Today, most IT security systems are based on central servers, used to identify and authenticate individual connecting IoT devices. As highlighted earlier, any centralisation makes servers inherently vulnerable to potential DDoS and brute force attacks. If this centralised resource is compromised, everything attached and the service it provides will be equally affected.
In 2016, possibly the most severe example of this seen, there was an attack on the internet DNS service provider ‘Dyn’. In this attack, millions of internet digital cameras and DVR players were infected with special malware, known as a “botnet”. These were coordinated into bombarding a server with traffic until it collapsed under the strain. The result brought down the internet across North America, affecting many top internet brands including AirBnb, Twitter, Paypal and Netflix.
Distributed Ledger Technologies or Blockchain, as they are commonly referred to, are currently being used to power and secure a cryptocurrency market worth over US$250 billion (as of Sept 2019).
Blockchain is a truly distributed system, which has built-in protections against many potential cybersecurity and fraud attacks. The largest blockchain network today, ‘Bitcoin’ has more than 100,000 nodes. In 10 years of operation, its protocol has warded off several attempts made to attack this network. This distributed infrastructure of nodes makes it extremely difficult for successful cyberattack. Multiple blockchain nodes across many different institutions must be attacked to overwhelm the full system.
The foundation for how blockchain provides secure access, based on cryptography functions, uses public-key cryptography. The system uses asymmetric cryptography, also known as public-key cryptography, using public and private keys to encrypt and decrypt data. The keys are simply large numbers that have been paired together but are not identical (asymmetric).
One key is kept secret; it is called the private key used to encrypt messages and ensure the identity of the owner recording information or transacting on the blockchain can be trusted. The other key is called the public key. The public key is used to verify the message sent is from the holder of a specific private key. Public keys are distributed on the blockchain enabling anyone to use them to verify the identity and authenticity of a message or transactions.
This method eliminates the need for personal data, i.e. username/password to be used as a means of authenticated access.
With billions of IoT devices being produced and shipped to consumers globally. Typically manufacturers configure into the firmware default usernames/passwords enabling the devices to be shipped anywhere and be easily installed.
Instead, the manufacturers of these IoT devices can embed into the firmware an unique private key for each IoT device, storing each device identity with its corresponding public key onto a blockchain. This gives each IoT device its own unique trusted identity that can be authenticated by any application using the public key from the blockchain.
Most blockchain private keys use SHA256 hashing to secure transactions. In broad terms, if a supercomputer that can perform 15 trillion calculations per second employed in cracking a hash, it would take more than a billion years to crack the hash of a single blockchain identity. Not only would it take a long time, but the cost to infiltrate a single device would make it very difficult and impractical to recruit the sufficient number of devices to coordinate a DDoS attack using IoT devices.
Instead of having all the IOT device identities and public keys in a central resource, we can use blockchain to distribute the public keys used to authenticate and verify IoT devices. This would allow each service or application provider to host its own node to ensure they have a local copy of the blockchain. This would also prevent a DDoS attack on a central resource attempting to render the service availability.
Blockchain has proven its security capabilities and mechanism over the last ten years. By integrating an IoT device identity and authentications service onto a blockchain will help to mitigate many of the know DDoS attack possibilities we have seen to date.
