1

Bitcoin? NO! Block Chain? YESS!!!

Sandeep K. Shukla Interdisciplinary Center for Cyber Security and Cyber Defence of Critical Infrastructure Indian Institute of Technology Kanpur

Email: sandeeps@cse.iitk.ac.in URL: https://security.cse.iitk.ac.in

2

2

2

2

2

2

2

2

2

2

2

2

2

2

Bit coin and other Blockchain based Currency• Too much interest by investors to park their assets • Less use as a medium of value exchange • Private Key stealing or private keys at exchange — risk • Coding vulnerabilities — risk • Volatility • Energy Waste — climate impact • Too much concentration in one country — risk • Regulatory risk • Usage for criminal activities — Silk Road

3

What is a Block Chain?• Blockchain technology is a digital innovation that has the potential to

significantly impact trusted computing activities and therefore cybersecurity concerns as a whole.

• Attractive properties of Blockchain • Log of data with digital signature • Immutable (once written – cryptographically hard to remove from

the log) • Cryptographically secure – privacy preserving • Provides a basis for trusted computing on top of which applications

can be built

4

Why Blockchain? • Any contract/transaction document can be hashed and put in a

blockchain to ensure integrity (Land records, Deeds, Insurance agreements….)

• The timestamp of the document can be included in the hash to ensure tamper resistant time stamping

• Any access to public databases such as UIDAI biometric data or sensitive health data can be hashed and logged for verification by public – public trust

Why Blockchain? (2) • Provide identity of digital assets without certification

authorities

• Recall NIC signing digital certificates for google.com and yahoo.com domain name • Fake digital certificates from Symantec last year

• Prevention of insider attack -- logging high privileged user activities in blockchain

6

Why Blockchain? (3) • Use of blockchain tokens and smart contracts for smooth GST

Payments

• Use of blockchain tokens to reduce net banking and credit card based payments – reducing exposure (indirection)

• Secure communication via Block Chain based PKI to ensure identity of personnel and confidentiality and integrity of messages

7

NATIONAL AND INTERNATIONAL BUZZINTERNATIONAL

• Estonian government – all government documents are on blockchain • Citizen information access can be verified

publicly – trust in governance enhanced

• UK Health information database access on blockchain • Citizens can verify accesses and no tampering of

access logs

• UAE government announced all public transactions and documents to be on blockchain

• Private players for enterprise and institutional blockchain solutions and applications

• Hyperledger • Algorand • Multi Chain • Ethereum

NATIONAL

• Government of Andhra implementing for land records

• Government of Telengana implementing for E-goverance

• Others states have been discussing including Maharashtra, West Bengal

• Only fragments of possibilities explored • A major driver is ICOs and cryptocurrency

markets – but that should not be the driver • Instead, leverage the tamper resistant logging,

and public trust components of blockchain

Alternatives and Choices

• Proof of work requires huge power consumption • Waste of resources • Climate damage

• A crypto-token or currency drives the computation and currency needs to be generated through hash puzzle solving • Prices are market driven • Currently a bubble waiting to burst

• One could conceive of a more controlled pricing of crypto-tokens for india specific applications • However, with proof of work – too much wasteful computing • Proof of stake may work – but that has “winner takes all” problem

KSI Blockchain • Easier to implement • Proof of work not required • No power wastage • No climate impact

• Requires infrastructural support at multiple levels of networks • The latest hash value is published weekly in well circulated

news papers to ensure public trust • No crypto-currency needs to be defined

10

11

What problems we are addressing?• Who accessed your Aadhaar biometrics? • Who accesses your health data? • Who accessed your Tax data? • Did the privileged users of your IT system change your files or

data? • GST input tax credit fiasco — can Blockchain solve the delays? • Supply Chain logistics and tracking provenance of components • Is it possible to have secure e-voting? • Securing IoT infrastructure for Critical Infrastructure? • PKI infrastructure, DNS infrastructure on block chain?

12

12

12

DETECTING INSIDER ATTACKS ON DATABASES USING BLOCKCHAINS

SHUBHAM SAHAI SRIVASTAVA SHUBHAM SHARMA

RAHUL GUPTA DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING,

IIT KANPUR

PROBLEM STATEMENT : INSIDER THREAT ?

PROBLEM STATEMENT : INSIDER THREAT ?

PROBLEM STATEMENT : INSIDER THREAT ?

PROBLEM STATEMENT : INSIDER THREAT ?

PROBLEM STATEMENT : INSIDER THREAT ?

PROBLEM STATEMENT : INSIDER THREAT ?

PROBLEM STATEMENT : INSIDER THREAT ?

PROBLEM STATEMENT : INSIDER THREAT ?

▸ Detection

▸ Attribution

▸ Non-Repudiation

▸ Prevention

PROBLEM STATEMENT : OARS SYSTEM

PROBLEM STATEMENT : OARS SYSTEM

PROBLEM STATEMENT : OARS SYSTEM

PROBLEM STATEMENT : OARS SYSTEM

PROPOSED SOLUTION : OVERVIEW

PROPOSED SOLUTION : OVERVIEW

PROPOSED SOLUTION : OVERVIEW

PROPOSED SOLUTION : OVERVIEW

BCast

PROPOSED SOLUTION : OVERVIEW

BCast

Confirmations

PROPOSED SOLUTION : OVERVIEW

BCast

Confirmations

Push Changes

BLOCKCHAIN TRANSACTION

BLOCKCHAIN TRANSACTION

BLOCKCHAIN TRANSACTION

Extract Columns

BLOCKCHAIN TRANSACTION

(Professor , Course, Grade)Extract Columns

BLOCKCHAIN TRANSACTION

(Professor , Course, Grade)Extract Columns

Hash the tuple

BLOCKCHAIN TRANSACTION

(Professor , Course, Grade)

Hash(Professor , Course, Grade)

Extract Columns

Hash the tuple

BLOCKCHAIN TRANSACTION

(Professor , Course, Grade)

Hash(Professor , Course, Grade)

Extract Columns

Hash the tuple

Digitally Sign

BLOCKCHAIN TRANSACTION

(Professor , Course, Grade)

Hash(Professor , Course, Grade)

Extract Columns

Hash the tuple

Digitally Sign

BLOCKCHAIN TRANSACTION

(Professor , Course, Grade)

Hash(Professor , Course, Grade)

Extract Columns

Hash the tuple

Digitally Sign

Broadcast

BLOCKCHAIN TRANSACTION

(Professor , Course, Grade)

Hash(Professor , Course, Grade)

Extract Columns

Hash the tuple

Digitally Sign

Broadcast

DATABASE SCHEMA MODIFICATION Unique identifier of the user issuing the query

DATABASE SCHEMA MODIFICATION

1 2 … k

Unique identifier of the user issuing the query

DATABASE SCHEMA MODIFICATION

1 2 … k Txnid Uid

Unique identifier of the user issuing the query

DATABASE SCHEMA MODIFICATION

1 2 … k Txnid Uid

Block n

Txn1...

Txn k

Block n+1

Txn1.

Txn a.

Txn k

Block m

Txn1...

Txn k

Unique identifier of the user issuing the query

DATABASE SCHEMA MODIFICATION

1 2 … k Txnid Uid

Block n

Txn1...

Txn k

Block n+1

Txn1.

Txn a.

Txn k

Block m

Txn1...

Txn k

Unique identifier of the user issuing the query

DAPP VERIFICATION

DAPP VERIFICATION1 2 … k Txnid Uid

x y … z * *

DAPP VERIFICATION1 2 … k Txnid Uid

x y … z * *

DAPP VERIFICATION1 2 … k Txnid Uid

x y … z * *

(x,y, … , z)

DAPP VERIFICATION1 2 … k Txnid Uid

x y … z * *

(x,y, … , z)

Block n

Txn1...

Txn k

Block n+1

Txn1.

Txn a.

Txn k

Block m

Txn1...

Txn k

DAPP VERIFICATION1 2 … k Txnid Uid

x y … z * *

(x,y, … , z)

Block n

Txn1...

Txn k

Block n+1

Txn1.

Txn a.

Txn k

Block m

Txn1...

Txn k

DAPP VERIFICATION1 2 … k Txnid Uid

x y … z * *

(x,y, … , z)

Block n

Txn1...

Txn k

Block n+1

Txn1.

Txn a.

Txn k

Block m

Txn1...

Txn k

[Hash(x,y, … , z)]sign(sk)

DAPP VERIFICATION1 2 … k Txnid Uid

x y … z * *

(x,y, … , z)

Block n

Txn1...

Txn k

Block n+1

Txn1.

Txn a.

Txn k

Block m

Txn1...

Txn k

[Hash(x,y, … , z)]sign(sk)

Verify Signature

DAPP VERIFICATION1 2 … k Txnid Uid

x y … z * *

(x,y, … , z)

Block n

Txn1...

Txn k

Block n+1

Txn1.

Txn a.

Txn k

Block m

Txn1...

Txn k

[Hash(x,y, … , z)]sign(sk)

Verify SignatureHash(x,y, … , z)

Verify Hash

Hash

DAPP VERIFICATION1 2 … k Txnid Uid

x y … z * *

(x,y, … , z)

Block n

Txn1...

Txn k

Block n+1

Txn1.

Txn a.

Txn k

Block m

Txn1...

Txn k

[Hash(x,y, … , z)]sign(sk)

Verify SignatureHash(x,y, … , z)

Verify Hash

Hash

Result

IMPLEMENTATION

Decentralized PKI model

Traditional PKI

• For server authentication, we use digital certificate in our Client-Server system.

• Certificates will be issued by the CAs along with keys.

• Keys can be generated by the user or it can be generated and issued by CA.

Problem with Traditional PKI• Centralised controller. • Trusted Third Parties are forced to issue

certificate for the parties who are not supposed to get them.

• User should worry about the security of CA. • Recall Symantec, as well as Stuxnet case

Blockchain based PKI• Interested member has to generate its own asymmetric key pair

(prk ,pbk) using any of the asymmetric key techniques and post the public key (pbk) on the public key (transaction) pool.

• Miner verifies the public key (for its constraints – key length, algorithm, etc) and include in the blocks further it is broadcasted to all the connected members.

Re-Keying• In case any existing nodes wish to change the public key

(pbk) then it can send the revised digitally signed public key (pb’k)using existing private key (prk).

• After verification of the digital signature, device able to mine the block will update the key of respective device.

Detecting the Malicious• Attacker who guessed the private key of a party A can also change the key pair

of the device.

• This process will restrict the device A to take part in the network. However, it can be detected once the block containing the modified key reaches the device A.

• To avoid this attack, updated key should not be used at least for next seven blocks mined above the key updated block.

• The updated key containing block will reach all the device within seven next blocks constructed over it.

Communication

• Asymmetric algorithms are mainly used for secure key sharing not for secure messaging.

• Once the public key is shared with the blockchain network, any party/device wish to communicate with other device can securely exchange the symmetric key.

• Both devices can negotiate for the key size, symmetric algorithms, etc. similar to Secure Socket Layer (SSL) and share the key securely using the shared public keys.

No Third Party• Blockchain based PKI allows every member to create their

own key pair as per requirement and re-create whenever required.

• Private key is only with the owner not with any other third parties.

• For backup, members can share parts of the key with multiple users and derive it whenever required.

Challenges

• Emercoin[1] based on blockchain provides the public key infrastructure in coordination with the OpenSSH.

• However authentication of a member while adding the public key in the block is a open challenge.

Blockchain and IoT

• IBM and Samsung • ADEPT

• Guard2me and Instrinsic-ID • Alliance on IoT (KSI and PUF)

• Slock.it and RWE • BlockCharge

• Chronicled.com • IITK and IIITA -- EtherIoT

33

ADEPT• Decentralize the IoT configuration and control to address

• Cost • Scalability • Longevity • Privacy and Security

• Use Ethereum smart contracts • Manage own consumable supplies • Servicing appointments • Maintenance alerts • Communicate with peer devices with security

• Technology used • P2P encrypted messaging (TeleHash) • Distributed File Sharing (BitTorrent) • Decentralized programming language for Blockchain (Ethereum)

https://www.coindesk.com/ibm-reveals-proof-concept-blockchain-powered-internet-things/

34

Alliance on IoT (KSI and PUF) • Launched by European commission • Use SRAM PUF for device identity • KSI blockchain for Data integrity and authentication • Examples cited: • e-Healthcare • IoRT (Internet of Robotic Things) • Robotic Swarm Systems • Hardening of PKI (e.g., Videri authentication Gateway)

https://guardtime.com/files/KSI%20for%20IoT%20Security%20-%20Turning%20Defence%20Into%20Offence%20-%20Guardtime%20Whitepaper.pdf

35

BlockCharge

RWE and Slock.it• RWE is a German Utility

Company • Slock.it – Blockchain Technical

Integrator • BlockCharge – EV charging and

payments via smart contracts • Authentication, auto-billing • Uses Ethereum

36

Supply Chain Logistics• Authenticity and Traceability • Supply chain management • Registration of products on the block chain • Life cycle management • Inventory

http://www.digitalistmag.com/finance/2017/08/23/how-the-blockchain-revolutionizes-supply-chain-management-05306209

37

KSI Block Chain

38

KSI and Estonia E-Governance

39

Algorand• Problems with Bitcoin and Ethereum • Consensus is expensive • 500 MW • Not well distributed

• Algorand provides a more distributed solution

40

Take Away• Block Chain is more of a platform technology • Tamper resistance • Publicly verifiable • Democratic decision making • Very suitable for E-governance with enhanced public trust • Suitable for IT and Internet governance • Further scopes — copyright enforcement, fighting fake news,

trusted election

41