Bitcoin? NO! Block Chain? YESS!!! · • Blockchain based PKI allows every member to create their...
Transcript of Bitcoin? NO! Block Chain? YESS!!! · • Blockchain based PKI allows every member to create their...
1
Bitcoin? NO! Block Chain? YESS!!!
Sandeep K. Shukla Interdisciplinary Center for Cyber Security and Cyber Defence of Critical Infrastructure Indian Institute of Technology Kanpur
Email: [email protected] URL: https://security.cse.iitk.ac.in
Bit coin and other Blockchain based Currency• Too much interest by investors to park their assets • Less use as a medium of value exchange • Private Key stealing or private keys at exchange — risk • Coding vulnerabilities — risk • Volatility • Energy Waste — climate impact • Too much concentration in one country — risk • Regulatory risk • Usage for criminal activities — Silk Road
3
What is a Block Chain?• Blockchain technology is a digital innovation that has the potential to
significantly impact trusted computing activities and therefore cybersecurity concerns as a whole.
• Attractive properties of Blockchain • Log of data with digital signature • Immutable (once written – cryptographically hard to remove from
the log) • Cryptographically secure – privacy preserving • Provides a basis for trusted computing on top of which applications
can be built
4
Why Blockchain? • Any contract/transaction document can be hashed and put in a
blockchain to ensure integrity (Land records, Deeds, Insurance agreements….)
• The timestamp of the document can be included in the hash to ensure tamper resistant time stamping
• Any access to public databases such as UIDAI biometric data or sensitive health data can be hashed and logged for verification by public – public trust
Why Blockchain? (2) • Provide identity of digital assets without certification
authorities
• Recall NIC signing digital certificates for google.com and yahoo.com domain name • Fake digital certificates from Symantec last year
• Prevention of insider attack -- logging high privileged user activities in blockchain
6
Why Blockchain? (3) • Use of blockchain tokens and smart contracts for smooth GST
Payments
• Use of blockchain tokens to reduce net banking and credit card based payments – reducing exposure (indirection)
• Secure communication via Block Chain based PKI to ensure identity of personnel and confidentiality and integrity of messages
7
NATIONAL AND INTERNATIONAL BUZZINTERNATIONAL
• Estonian government – all government documents are on blockchain • Citizen information access can be verified
publicly – trust in governance enhanced
• UK Health information database access on blockchain • Citizens can verify accesses and no tampering of
access logs
• UAE government announced all public transactions and documents to be on blockchain
• Private players for enterprise and institutional blockchain solutions and applications
• Hyperledger • Algorand • Multi Chain • Ethereum
NATIONAL
• Government of Andhra implementing for land records
• Government of Telengana implementing for E-goverance
• Others states have been discussing including Maharashtra, West Bengal
• Only fragments of possibilities explored • A major driver is ICOs and cryptocurrency
markets – but that should not be the driver • Instead, leverage the tamper resistant logging,
and public trust components of blockchain
Alternatives and Choices
• Proof of work requires huge power consumption • Waste of resources • Climate damage
• A crypto-token or currency drives the computation and currency needs to be generated through hash puzzle solving • Prices are market driven • Currently a bubble waiting to burst
• One could conceive of a more controlled pricing of crypto-tokens for india specific applications • However, with proof of work – too much wasteful computing • Proof of stake may work – but that has “winner takes all” problem
KSI Blockchain • Easier to implement • Proof of work not required • No power wastage • No climate impact
• Requires infrastructural support at multiple levels of networks • The latest hash value is published weekly in well circulated
news papers to ensure public trust • No crypto-currency needs to be defined
10
11
What problems we are addressing?• Who accessed your Aadhaar biometrics? • Who accesses your health data? • Who accessed your Tax data? • Did the privileged users of your IT system change your files or
data? • GST input tax credit fiasco — can Blockchain solve the delays? • Supply Chain logistics and tracking provenance of components • Is it possible to have secure e-voting? • Securing IoT infrastructure for Critical Infrastructure? • PKI infrastructure, DNS infrastructure on block chain?
DETECTING INSIDER ATTACKS ON DATABASES USING BLOCKCHAINS
SHUBHAM SAHAI SRIVASTAVA SHUBHAM SHARMA
RAHUL GUPTA DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING,
IIT KANPUR
BLOCKCHAIN TRANSACTION
(Professor , Course, Grade)
Hash(Professor , Course, Grade)
Extract Columns
Hash the tuple
BLOCKCHAIN TRANSACTION
(Professor , Course, Grade)
Hash(Professor , Course, Grade)
Extract Columns
Hash the tuple
Digitally Sign
BLOCKCHAIN TRANSACTION
(Professor , Course, Grade)
Hash(Professor , Course, Grade)
Extract Columns
Hash the tuple
Digitally Sign
BLOCKCHAIN TRANSACTION
(Professor , Course, Grade)
Hash(Professor , Course, Grade)
Extract Columns
Hash the tuple
Digitally Sign
Broadcast
BLOCKCHAIN TRANSACTION
(Professor , Course, Grade)
Hash(Professor , Course, Grade)
Extract Columns
Hash the tuple
Digitally Sign
Broadcast
DATABASE SCHEMA MODIFICATION
1 2 … k Txnid Uid
Block n
Txn1...
Txn k
Block n+1
Txn1.
Txn a.
Txn k
Block m
Txn1...
Txn k
Unique identifier of the user issuing the query
DATABASE SCHEMA MODIFICATION
1 2 … k Txnid Uid
Block n
Txn1...
Txn k
Block n+1
Txn1.
Txn a.
Txn k
Block m
Txn1...
Txn k
Unique identifier of the user issuing the query
DAPP VERIFICATION1 2 … k Txnid Uid
x y … z * *
(x,y, … , z)
Block n
Txn1...
Txn k
Block n+1
Txn1.
Txn a.
Txn k
Block m
Txn1...
Txn k
DAPP VERIFICATION1 2 … k Txnid Uid
x y … z * *
(x,y, … , z)
Block n
Txn1...
Txn k
Block n+1
Txn1.
Txn a.
Txn k
Block m
Txn1...
Txn k
DAPP VERIFICATION1 2 … k Txnid Uid
x y … z * *
(x,y, … , z)
Block n
Txn1...
Txn k
Block n+1
Txn1.
Txn a.
Txn k
Block m
Txn1...
Txn k
[Hash(x,y, … , z)]sign(sk)
DAPP VERIFICATION1 2 … k Txnid Uid
x y … z * *
(x,y, … , z)
Block n
Txn1...
Txn k
Block n+1
Txn1.
Txn a.
Txn k
Block m
Txn1...
Txn k
[Hash(x,y, … , z)]sign(sk)
Verify Signature
DAPP VERIFICATION1 2 … k Txnid Uid
x y … z * *
(x,y, … , z)
Block n
Txn1...
Txn k
Block n+1
Txn1.
Txn a.
Txn k
Block m
Txn1...
Txn k
[Hash(x,y, … , z)]sign(sk)
Verify SignatureHash(x,y, … , z)
Verify Hash
Hash
DAPP VERIFICATION1 2 … k Txnid Uid
x y … z * *
(x,y, … , z)
Block n
Txn1...
Txn k
Block n+1
Txn1.
Txn a.
Txn k
Block m
Txn1...
Txn k
[Hash(x,y, … , z)]sign(sk)
Verify SignatureHash(x,y, … , z)
Verify Hash
Hash
Result
Traditional PKI
• For server authentication, we use digital certificate in our Client-Server system.
• Certificates will be issued by the CAs along with keys.
• Keys can be generated by the user or it can be generated and issued by CA.
Problem with Traditional PKI• Centralised controller. • Trusted Third Parties are forced to issue
certificate for the parties who are not supposed to get them.
• User should worry about the security of CA. • Recall Symantec, as well as Stuxnet case
Blockchain based PKI• Interested member has to generate its own asymmetric key pair
(prk ,pbk) using any of the asymmetric key techniques and post the public key (pbk) on the public key (transaction) pool.
• Miner verifies the public key (for its constraints – key length, algorithm, etc) and include in the blocks further it is broadcasted to all the connected members.
Re-Keying• In case any existing nodes wish to change the public key
(pbk) then it can send the revised digitally signed public key (pb’k)using existing private key (prk).
• After verification of the digital signature, device able to mine the block will update the key of respective device.
Detecting the Malicious• Attacker who guessed the private key of a party A can also change the key pair
of the device.
• This process will restrict the device A to take part in the network. However, it can be detected once the block containing the modified key reaches the device A.
• To avoid this attack, updated key should not be used at least for next seven blocks mined above the key updated block.
• The updated key containing block will reach all the device within seven next blocks constructed over it.
Communication
• Asymmetric algorithms are mainly used for secure key sharing not for secure messaging.
• Once the public key is shared with the blockchain network, any party/device wish to communicate with other device can securely exchange the symmetric key.
• Both devices can negotiate for the key size, symmetric algorithms, etc. similar to Secure Socket Layer (SSL) and share the key securely using the shared public keys.
No Third Party• Blockchain based PKI allows every member to create their
own key pair as per requirement and re-create whenever required.
• Private key is only with the owner not with any other third parties.
• For backup, members can share parts of the key with multiple users and derive it whenever required.
Challenges
• Emercoin[1] based on blockchain provides the public key infrastructure in coordination with the OpenSSH.
• However authentication of a member while adding the public key in the block is a open challenge.
Blockchain and IoT
• IBM and Samsung • ADEPT
• Guard2me and Instrinsic-ID • Alliance on IoT (KSI and PUF)
• Slock.it and RWE • BlockCharge
• Chronicled.com • IITK and IIITA -- EtherIoT
33
ADEPT• Decentralize the IoT configuration and control to address
• Cost • Scalability • Longevity • Privacy and Security
• Use Ethereum smart contracts • Manage own consumable supplies • Servicing appointments • Maintenance alerts • Communicate with peer devices with security
• Technology used • P2P encrypted messaging (TeleHash) • Distributed File Sharing (BitTorrent) • Decentralized programming language for Blockchain (Ethereum)
https://www.coindesk.com/ibm-reveals-proof-concept-blockchain-powered-internet-things/
34
Alliance on IoT (KSI and PUF) • Launched by European commission • Use SRAM PUF for device identity • KSI blockchain for Data integrity and authentication • Examples cited: • e-Healthcare • IoRT (Internet of Robotic Things) • Robotic Swarm Systems • Hardening of PKI (e.g., Videri authentication Gateway)
https://guardtime.com/files/KSI%20for%20IoT%20Security%20-%20Turning%20Defence%20Into%20Offence%20-%20Guardtime%20Whitepaper.pdf
35
BlockCharge
RWE and Slock.it• RWE is a German Utility
Company • Slock.it – Blockchain Technical
Integrator • BlockCharge – EV charging and
payments via smart contracts • Authentication, auto-billing • Uses Ethereum
36
Supply Chain Logistics• Authenticity and Traceability • Supply chain management • Registration of products on the block chain • Life cycle management • Inventory
http://www.digitalistmag.com/finance/2017/08/23/how-the-blockchain-revolutionizes-supply-chain-management-05306209
37
Algorand• Problems with Bitcoin and Ethereum • Consensus is expensive • 500 MW • Not well distributed
• Algorand provides a more distributed solution
40
Take Away• Block Chain is more of a platform technology • Tamper resistance • Publicly verifiable • Democratic decision making • Very suitable for E-governance with enhanced public trust • Suitable for IT and Internet governance • Further scopes — copyright enforcement, fighting fake news,
trusted election
41