Webinar Recording

The Blockchain and Information Security

KuppingerCole Webinar recording

Good afternoon, everyone. Welcome to our KuppingerCole webinar, The Blockchain and Information Security: Augmenting Trust with Trustless, Mathematical Proof. The speaker today will be myself; I'm Aline, Lead Analyst at KuppingerCole. Before we start, we'll have a brief introduction to KuppingerCole and what it does, as well as some general housekeeping. KuppingerCole is an enterprise IT research, advisory, decision support, and networking company for IT professionals. Its main branches of work are research services, advisory services, and events. About the webinar: we have some upcoming events. We're largely focused on identity and access management, information security, and FinTech. So there's an upcoming conference; it's 10 years now, it's in its 10th anniversary. And in June, there will be a FinTech conference run by KuppingerCole. Some guidelines for the webinar: you are essentially muted. It will be a pretty standard format. There is a questions option in the GoToWebinar panel. At the end of the presentation, there will be a possibility to respond to questions, so please type them in that section and we'll try to answer as many as we can. Okay. Now, to begin,
here's a general outline of this webinar and the topics we'll cover: first of all, getting our heads around the blockchain, establishing a good definition for it, what it is and what it is not, and seeing potential future and current use cases. But before delving into the blockchain, let's begin with the scene, the historical context within which the blockchain has come into being and has made quite a splash in these past three years. And this quote, "When you invent the ship, you also invent the shipwreck," is kind of my approach to most new technology.
I've tried to avoid delving too deeply into it, jumping on the bandwagon because everyone else is, but neither dismissing it, because both positions are risky; yet everything new should always be approached with a certain degree of caution. And as I'll highlight with the blockchain, there are a large amount of unknown unknowns. So we'll see more of these as we go along. Back to the context. These core identity and trust dilemmas have been around almost since the dawn of civilization: who are you, and can I trust you? These are not technological challenges; these are societal challenges. And a certain degree of implied trust is necessary, in real life and in the cyber world. Society does not function without a degree of implied trust, and trust assurance is largely delegated to TTPs, or trusted third parties, such as DNS root servers, certificate authorities, or government departments.
It's quite normal. We don't all have the time during our day. It's a form of trust delegation; they are to an extent necessary. Yet today, increasingly, as we've known from previous attacks (the DigiNotar attack was the most obvious, but also just in general insider abuse of privileges, data breaches due to, say, a government employee having access to tax or health records of, say, celebrities; not just celebrities, it could be anyone, it could be minors), there always is the risk of who polices the police. How do we know that the trusted third party is neutral and has not itself been compromised? And like the DigiNotar hack, when it was compromised, because of the very nature of the centralized trust model, the relying parties had no way of knowing that that CA could not be trusted anymore. So this is the general problem and challenge with trusted third parties today: they're necessary,
and yet they are very costly. They represent single points of failure in the system. And now to go to the blockchain. So we know all of this; the problems with central points of failure are well known. So why is the blockchain generating such hype, such interest? Before we dive into that, let's give it a definition. I found this excellent, succinct definition: the blockchain is a design pattern based on a linear, append-only data structure, whose state is represented by an exhaustive record of discrete events. So it is essentially logs with rules. It's an append-only linear data structure, and every successive entry is tied to the previous one in a tamper-evident way. So to manipulate a previous entry is in effect to completely destroy the entire blockchain, and to do that requires a significant amount of resources or control of a majority of nodes.
These are some key components of blockchains. There's the transaction metadata, or the data stored about each transaction on the blockchain. There is public key cryptography, which is used to generate pseudonymity. So anyone can become a node on a blockchain as we know it; yet "anyone" is just dependent on them generating a unique pair of keys. They're not proving their identity to anyone else. They're just stating that they are a new node and they're not another node. And the final and very important component, which makes the blockchain trustless, is the proof of work, or the consensus algorithm. So rather than delegating trust or delegating authority to a centralized control node, all the nodes are democratically of equal standing, and they agree on what is the correct state of the blockchain via a published or known mathematical algorithm.
So I want to make clear as well that this is the most minimal definition of what a blockchain is. As we'll see, blockchains are evolving. So the blockchain is not just the Bitcoin blockchain, which was specifically developed to be a digital currency and prevent the double spending problem. Yet there are many other blockchains, such as, we could say, Ethereum, Ripple, Guardtime, which vary subtly in characteristics; yet if something is to be called a blockchain, it at least has to have these minimal components. And we're gonna go into more detail in the next couple of slides. So it's important with the blockchain to distinguish between what is novel and what is known. And as we've just noticed, there are well known cryptographic algorithms used: public key cryptography, hashing algorithms. This isn't particularly new.
The topic of solving the Byzantine Generals' problem, or how can I trust you, how can I establish consensus, is a classical problem in information security research. So many security researchers take a dismissive route to the blockchain. They say theoretical or proof of concept systems of this sort have already been around for decades; the Merkle tree, which is a chained hashing algorithm, has been around since the seventies. So they are rather dismissive. Again, it's a bit like the iPhone: it didn't necessarily have brand new technology, smartphones already were around. It was a case of it being there at the right time and hitting a critical point, and thus mainstream hype. So what's novel is that now, with the Bitcoin experience, we have a real world implementation of what was up until now only theorized or implemented on a very small scale. And it's brought to the spotlight this research into distributed systems, which up until the advent of the Bitcoin blockchain was restricted to a very specialized field of researchers.
And what as well is amazing about Bitcoin, which is almost genius, is its balancing of incentives: its balancing of getting nodes to process transactions that aren't necessarily their own by rewarding them for processing transactions. At the same time, it discourages bad behavior or attempts to destroy the blockchain or manipulate it, because to do so would be to destroy the value of the cryptocurrency. So there's no value to a thief for doing something that will end up being of no value. So here are some key blockchain characteristics. Now this is all a bit theoretical, but we'll go into actual applications soon. These are unique blockchain characteristics. The trouble with any new hype, whether it was cloud or social, is that everyone is changing their labels and calling what was something, something else; all of a sudden everything's cloud, everything's blockchain. Therefore, in order to understand it and analyze it, we need to know what it is and what it isn't.
So here are some key blockchain characteristics and functional specifications. It is trustless: it relies on algorithmic proof of work rather than implicit trust. No single node has any more say than any other node. And this is important: it's both decentralized and distributed. So DNS, certificate authorities, public key infrastructure, they are geographically distributed, but they're not decentralized, because as we know, they're hierarchical in their functional structure; at the top of the chain is a root CA or a root DNS server, and that is the source of truth. So Bitcoin is properly both decentralized and distributed. Immutable means, as I mentioned, it's append-only; if you destroy even one entry in the blockchain, you've already compromised the entire thing. It means you've gained access to a majority of the nodes, and that's a lot of work to do. So it's tamper-evident as well, for that reason. And the transparency element is key here. Rather than the implicit trust of "just trust us, we're the government," or "just trust us, we're DigiNotar," total transparency means that any third party can verify, because the algorithm of a given blockchain is published; they can verify the integrity of that blockchain themselves, should they want to do so. They don't need to rely on someone else's good word. So these are key blockchain characteristics.
And also another way to conceive of the blockchain is as a platform and as a protocol. I have a comparison table here just to show how the blockchain in and of itself is not itself an application, but in the same way you could say that routing protocols, which are at the core of what makes the internet possible, even they aren't an application, but they're enabling protocols or platforms. So these are just a few different key technologies today at varying levels of maturity; they're generally quite mature, and this is how I would compare them. And if you can see on the far right, this is how I am comparing the blockchain as a platform to, say, network routing protocols. Now, we'll go through all of this, and I've already discussed most of this, yet this enables one to gain a bit of familiarity, because most people in this room will probably be from a technology or consulting background. So whether it's network directories or federated authentication, these are all things that most of us are very knowledgeable about. This slide will also be available after the webinar for inspection. So I'll go on to the next.
Another way of viewing this, and this is moving beyond just Bitcoin, is looking at it as going from a distributed ledger to decentralized computing, a decentralized compute platform. The Bitcoin blockchain intentionally does not have a Turing complete scripting language, so it cannot be used for anything more complex like smart contracts, anything beyond very simple scripting. Ethereum instead was built from the ground up with that in mind. So with all of these various conceptualizations, we now are able to look at actual use cases of the blockchain. Again, we don't know the future, but we can see immediate, simple applications where the blockchain can immediately provide value, and future ones which require a bit more complexity; there are a bit more unknowns. Yet with these two in mind, the blockchain as a ledger or the blockchain as a compute platform, we can instead look at this. This was a paper done by myself in November, and here's the maturity on the Y axis, and on the X axis is the timeframe.
This was done according to technical complexity, largely, and as well economic interest. So we can see here, high maturity and already pretty much available, is customer to customer electronic payments. That's something that there are tons of services using Bitcoin to do, through micropayments. Multi-party escrow is already part of the Bitcoin protocol; multisignature, it's called. Digital contracts can already be done very simply; we'll go into this in more detail. But because of that time stamping, that chronological certainty of the blockchain, you can use a one-way hash to encode a document and then save that hash and that signature on the blockchain itself at that point in time the agreement was made. And it then operates as almost a sort of digital notary. No one can then negate or repudiate that transaction. The same thing to do with time stamping
and one-way hashes we have in information rights management: how do you prove ownership of new content, of new intellectual property? You can sign it with a time and put that signature in the blockchain, and then you have proved that at that date and time you created that piece of intellectual property or work. That's already very feasible; there are already plenty of startups that are offering that, and the existing Bitcoin blockchain can be used. Decentralized identity of things is a little bit more complex, but again, they almost seem to be a natural fit. We're gonna have an upcoming research paper, which I'm writing currently, which is specifically about the blockchain and the internet of things and the benefits it can provide to the internet of things. Yet as of today, because of Bitcoin's slow transaction speeds, this is not there yet. And today we either have Bitcoin or Ethereum as the really main, the really real world proven, blockchains.
There's a lot of smaller ones, there's a lot of more specialized ones; Ripple comes to mind, or private blockchains like Guardtime, but none yet specifically around the identity of things. So while we see enormous potential, we don't yet see an available blockchain which can just naturally fit into this, as there are some challenges to be overcome, and it's mainly to do with transaction speeds and the slowness of the computational proof of work. Smart contracts, again, we get with Ethereum. Once we have Turing complete scripting on a blockchain, which is with Ethereum, and we have interactions with, say, the identity of things, we can enable complete smart contracts, which upon the fulfillment of certain agreed upon obligations, say, assets are released. This could have a number of applications which would enormously simplify and automate everything from back office bank processing to just regular conveyancing as well.
And further down the line, this is a bit more futuristic. Once the speed is solved, we can have fully distributed, secure computing, personalized data stores, life management platforms. We will get into what a life management platform is if you're not familiar with the term. But we're already discussing the use of the blockchain with homomorphic encryption, which is the ability to process encrypted data without actually needing to decrypt it, which has actual implications; it's just very slow for the moment. So we'll move on from this screen and go on to the next. Again, applying all those various use cases here to some central tenets of information security: confidentiality, authenticity, non-repudiation, performance. These are key tenets of information security. We can see how we've measured how these needs are currently met or improved. So pretty much, if there is a green tick, it means the blockchain offers a better value proposition.
If there's a yellow one, it means that it's comparable with existing solutions out there. And a red cross means it's actually worse, so it's not yet able to compete with existing technologies. And generally, as you see, the big red mark is around authenticity. And as I mentioned, the blockchain offers pseudonymity, and that's the trouble. The trouble with human identification, again, is not a technology problem. It's not something, therefore, that will be solved with a blockchain. The blockchain can assist, and there are many very useful applications, but at some point there will need to be a trusted third party which certifies one's identity and then, say, for example, stores it in a blockchain. So we're not saying the blockchain is unable to provide any form of proof of who you are, just that the human identification factor is fraught with non-technological complexities which the blockchain won't solve out of the box, but in the future it could.
And that's very much the way we see public institutions, which need to demonstrate transparency and integrity, will often go to show that their records haven't been tampered with. So we're hoping the blockchain will be used a lot more in these cases. And performance also is a biggie. As we know, Bitcoin and Ethereum are both very slow. Homomorphic encryption works, but it's also very slow. So we're hoping that in the future this will improve; this is one of the biggest challenges of the blockchain: its transaction processing speed. But now let's go into more specific use cases, and here are eBusiness use cases.
So again, thinking of the blockchain as an immutable, append-only log, this is how an eBusiness case can happen. A big problem of eBusiness is non-repudiation: ensuring that a transaction which has occurred cannot be negated by one of the parties, and as well a digital notary, that something has happened at this point in time. And because of what we already have, the use of hashes and digital signatures, we don't need to store the actual secret or confidential information on the blockchain. This is a key different approach to security. It's security by transparency, because everything on the blockchain should be open for inspection, and it is, as you can tell with the Bitcoin blockchain. The same thing with the digital notary: you don't need to store the actual confidential information to act as a notary. You can simply store a hash and a digital signature on the blockchain.
So only those in possession of that sensitive data would be able to verify it using the blockchain. Financial processing and digital contracts: now there's a lot of interest in it. Again, like we mentioned, that high cost: banks have extremely high costs in managing these large processing systems, which are, yes, trusted third parties. They act as every individual user's trusted third party, the bank, and they're enormously expensive. So there's a lot of interest by banks to find alternative peer-to-peer systems. There's a current consortium of about nine of the largest banks in the world looking specifically at financial processing blockchains. Ripple is already a big case in point. It has some very interesting ways of establishing consensus; it's quite fast and it's already being used significantly. Again, with digital and smart contracts: so we start with, if the blockchain is just a ledger, then you have digital contracts. Once it becomes a compute platform and can do more than just record transactions, then you can have smart contracts; then you can have actionable events. When my bank account receives your inbound transfer, automatically transmit the access code to my house or to my car. These are smart contracts, and this is very much what people are looking at to further reduce back office processing costs.
And now we've alluded to life management platforms, but what are they exactly? A life management platform allows any individual to manage and access all relevant information about their daily life, in particular data that is sensitive and typically paper bound today, like bank account information, insurance information, health information, or the key number of the car. So what's important about life management platforms? It's almost like an ideal we should aspire to. It's the ability for users, and we'll show some features of life management platforms. With today's problems with privacy, the ideal world would be a user controlled central store of all of their private data, so you can selectively grant parts of your information, sharing it with third parties such as a financial institution, a government, or so on. The problem with these repositories of personal information, you know, sensitive data, health records,
the problem is always the factor that either there is a centralized authority which holds all of the private keys, and often users need this so they can, say, reset their access credentials, but then the risk happens: if the administrator owns those keys, there is the potential for insider abuse. And again, it comes down to the provider of this service saying, just trust us, we won't misbehave with your data, but I can't prove to you, I can't demonstrate to you, that I haven't looked into your data. I can't prove to you that I respected your privacy. That's why, with these sorts of systems, there's been the problem of the slow uptake of, say, electronic health records. Because again, it's all about the government saying, and they try very hard to really ensure that they put in place systems so this type of sensitive information like health records is not abused; but fairly enough, most people feel awkward about sharing that data, because there is no actual guarantee. So the ideal world would be a life management platform. These are the functional characteristics. The backend is how we would implement it in practice: how would we ensure that this data is confidential and the user actually is the ultimate administrator?
So given the blockchain's transparency, there's a lot of proof of concept, there's a lot of research being done into homomorphic encryption, which is the ability to perform operations on encrypted data. And this is key. So for example, if you need to do a creditworthiness check, or you need to, say, book a reservation in a hotel, imagine an algorithm which can query if your bank has the amount requested, say the limit they check, without actually needing to know how much you have in your bank account. So it can query a function on some encrypted data and it can come back with a yes or no, and yet there is no third party which actually knows the amount of money in your bank account. This is an example of homomorphic encryption. So that, coupled with the blockchain's transparency, could have remarkable applications for empowering life management platforms, because you could have provable transparency, tamper evidence, and complete user control of their private information.
And this is again where we see the blockchain providing support to a life management platform. There still are a lot of challenges, and there still is a lot of work to be done here. But life management platforms are seen as so essential that we do hope, and we see a lot of research being done in this area, in coupling the blockchain with homomorphic encryption to enable user controlled personal information stores. One thing, though, where we see the blockchain as actually not providing good immediate value is in user identity and access management. This is again, as we referred to earlier: the challenges of user identification are not technological. They are very hard. Biometrics has its issues. There is no fail-safe way for you to prove who you are digitally. So trusted third parties are pretty good for now, but as I mentioned in the past, there's no saying that there may not be a very intelligent coupling of a trusted third party, such as a government institution, with a transparent ledger such as a blockchain, to encode user identity information. There's nothing saying that won't happen; just at the moment, the blockchain out of the box, by its very nature, does not provide additional mechanisms for the problem, the dilemma, of user identification.
However, in regards to the internet of things, the blockchain is almost a natural fit. In fact, there is one firm called Guardtime which does precisely that. Unlike a user, this ability to encode time defined information on the blockchain would allow, say, a manufacturer to manufacture a device and then create a unique hash of that device's serial number, revision, make and model, and put it immediately on the blockchain. It would be the first mover. So if someone else were to, say, forge or modify that device or try to make a copy with a forged serial number, they would be detected, because that new device would not have the manufacturer's private key signature. It would be very easy for anyone to independently verify the authenticity of that device. And furthermore, what Guardtime does as well is configuration control too. So the configuration of the device, such as a network device, any device pretty much, can be hashed, can be stored on the blockchain, and it can be defined who authorized that transaction.
So what can happen is, in real time, these devices can transmit that hash. So without needing to reveal to any third party sensitive information about their configuration or software version or any information that should not be known publicly, it is possible to verify the status of that device: is it free from any sort of corruption or manipulation, instantly, without the verifying third party really knowing anything about the device? These are just some examples, not to mention also the problems of scalability that we'll have with the internet of things, with so many devices soon to be connected to the internet. We just can't deal with centralized command and control structures anymore. So a peer-to-peer model for deploying patches, for deploying configuration changes, such as the blockchain, would be a lot more efficient, where you just let these sorts of changes propagate along a peer-to-peer network, as opposed to having an overworked centralized system which has to push configuration updates. It was fine when you had 50,000 PCs. Now we're probably gonna have a million devices; that kind of scale just isn't easily responded to correctly with traditional centralized systems.
So here we come a bit to the challenges. As we've discussed, slow transaction speeds are a big one for the blockchains we know now. So Ripple is reasonably fast; Ethereum and Bitcoin both aren't. Guardtime, again, only does a specific thing, which is hashing and Merkle trees, so it's very fast, but again, it is really limited to specific use cases, which is specifically identity of things. But generally, the computational proof of work is necessary to a degree to avoid brute forcing of the blockchain. However, it's very wasteful. As we know, power is getting more and more expensive, so data center costs are always facing a downward spiral; we're looking at ways to reduce energy usage in the data center, not increase it by artificial usage of computational resources. Again, not all blockchains need to use a computational proof of work.
This mining is very famous in Bitcoin, because they imagine it as sort of digital gold, where it's the equivalent of mining gold; it's an effort which makes it a scarce resource. In Ethereum, for example, mining is more a case of processing other nodes' compute requirements and in turn acquiring currency, a sort of computational currency, that can then in turn be spent on one's own applications. But still, Ethereum, which is very promising, is quite slow. Another one is that the mathematical consensus algorithm faces its own challenges. So it's well known, the 51% attack, which is: if one can obtain 51% of the nodes in a blockchain, it's possible then to manipulate it. This almost happened in Bitcoin, but again, due to the economic incentives, the mining pool that was about to reach 51% immediately scaled down, because they knew that it would immediately destroy the value of Bitcoin.
But again, we won't always have a cryptocurrency, so this is something to consider. Another one to consider, in terms of incentives generally, is the selfish mining attack, which is where a miner, if they can control up to 25% of a blockchain, can hold back problems it's solved and thus can in some way perform a denial of service attack on the blockchain, because holding back the processing of that block holds back all successive blocks. So the challenge in general is that of balancing incentives to encourage good behavior by participating nodes. This is the computational equivalent of total democracy, and as we know, democracy in the real world is messy and complex. And more than once in history have we had someone who said, this is just too complex, let's just have someone up there who just tells us what to do; it will make my life much simpler.
We all know what happened when people thought that was a good idea. So this is why it's very important to be aware of these. And now we have trusted third parties which have problems; yet to jump headfirst into the blockchain would be, in a sense, in many cases, to swap known unknowns for unknown unknowns. So as always, the blockchain offers enormous potential, but one must really tread with caution and not get carried away in the hype, but neither dismiss it, because it is too seminal an event in technology to be dismissed.
So that was my presentation. I wonder if there are any questions. As we said, there is a question bar below; please just type the questions in and we'll try to get through as many of them as possible. Okay, well, there are no questions. I'm just gonna give a final reminder that the upcoming KuppingerCole conferences, as well as this video, will be made available to all attendees. And here is some related KuppingerCole research around the blockchain; some of them are free access. And finally, if you want to get in touch with us, we have various divisions. We have APAC, North America, and headquarters in Germany. Please don't hesitate to get in touch with us, and thank you all for attending. Have a nice day.
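As an added example (not code from the webinar or from KuppingerCole), here is a small Python append-only, hash-chained ledger that illustrates three points from the talk: the "logs with rules" definition where every entry is tied to the previous one in a tamper-evident way, the digital-notary use of storing only a document's hash and a signature rather than the confidential document itself, and the device registration where a manufacturer records a hash of the serial number and configuration so anyone can later verify it without learning either. HMAC-SHA256 stands in for the public-key signature a real blockchain would use, the keys, timestamps and records are constructed, and consensus and proof of work are not modelled.

```python
"""Append-only hash-chained ledger used as a digital notary and device record.
Added example, not the webinar's own code. Constructed assumptions: HMAC-SHA256
stands in for a real public-key signature, timestamps are fixed integers, and
consensus / proof of work is out of scope (only the tamper-evident log is shown).
"""
import hashlib
import hmac
import json

GENESIS_HASH = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_hash(entry: dict) -> str:
    """Hash every field except the hash itself, via canonical JSON, so the
    link covers index, timestamp, payload and the previous hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())


def sign(key: bytes, message: str) -> str:
    """Stand-in signature (HMAC); a real ledger would use a key pair."""
    return hmac.new(key, message.encode(), hashlib.sha256).hexdigest()


class Ledger:
    """Logs with rules: append only, each entry tied to the previous one."""

    def __init__(self):
        self.entries = []

    def append(self, payload: dict, timestamp: int) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS_HASH
        entry = {"index": len(self.entries), "timestamp": timestamp,
                 "payload": payload, "prev_hash": prev}
        entry["entry_hash"] = entry_hash(entry)
        self.entries.append(entry)
        return entry

    def first_broken_link(self) -> int:
        """Index of the first entry whose hash or back-link no longer matches,
        or -1 if the whole chain is intact. Anyone can run this check."""
        expected_prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            if (e["index"] != i or e["prev_hash"] != expected_prev
                    or e["entry_hash"] != entry_hash(e)):
                return i
            expected_prev = e["entry_hash"]
        return -1


def record_hash(ledger, kind, signer_id, key, secret: bytes, ts, **public):
    """Store only the digest and a signature over it, never the secret."""
    digest = sha256_hex(secret)
    payload = {"type": kind, "signer": signer_id, "sha256": digest,
               "signature": sign(key, digest), **public}
    return ledger.append(payload, ts)


def notarize(ledger, signer_id, key, document: bytes, ts):
    """Digital notary: the signed document existed at time ts."""
    return record_hash(ledger, "notary", signer_id, key, document, ts)


def register_device(ledger, maker_id, key, serial: str, config: bytes, ts):
    """Manufacturer records a device and its configuration hash; the serial
    is hashed too, so the public ledger reveals neither."""
    return record_hash(ledger, "device", maker_id, key, config, ts,
                       serial_sha256=sha256_hex(serial.encode()))


def find_record(ledger, kind, secret: bytes, key):
    """Only a party holding the secret (and, under the HMAC stand-in, the
    signer's key) can locate and verify its entry; returns it or None."""
    digest, expected = sha256_hex(secret), sign(key, sha256_hex(secret))
    for e in ledger.entries:
        p = e["payload"]
        if (p["type"] == kind and p["sha256"] == digest
                and hmac.compare_digest(p["signature"], expected)):
            return e
    return None


def demo():
    """Constructed sample: notarize a contract, register a device, then
    tamper with one entry and show that the chain exposes it."""
    ledger = Ledger()
    notary_key, maker_key = b"notary-key-demo", b"maker-key-demo"
    contract = b"Alice sells Bob one car for 5000"
    notarize(ledger, "alice", notary_key, contract, 1_700_000_000)
    register_device(ledger, "acme", maker_key, "SN-0001", b"fw=1.2;ssh=off", 1_700_000_100)
    notarize(ledger, "alice", notary_key, b"unrelated memo", 1_700_000_200)
    intact = ledger.first_broken_link()
    found = find_record(ledger, "notary", contract, notary_key) is not None
    missing = find_record(ledger, "notary", b"forged contract", notary_key)
    # Edit the device's config hash in place; the entry's own hash no longer matches
    ledger.entries[1]["payload"]["sha256"] = sha256_hex(b"fw=1.2;ssh=on")
    return intact, found, missing is None, ledger.first_broken_link()
```

demo() returns (-1, True, True, 1): the chain verifies, only the holder of the contract can match its entry, a forged document finds nothing, and after the in-place edit the first broken link is reported at index 1 while the ledger itself still never contained the contract, serial number or configuration.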