SESSION ID: ACB-RO2

Blockchain and distributed ledger technologies
Security risks, threats and vulnerabilities

Kurt Callewaert
Research Manager Applied Computer Sciences
HOWEST UNIVERSITY
@KurtCallewaert
Kurt.Callewaert@howest.be
#RSAC

Blockchain and distributed ledger technologies
Are there still security risks, threats and vulnerabilities?

Building blocks in Blockchain & DLT technology

Blockchain & Traceability in the food sector

Blockchain functional view architecture

Blockchain Model

Example block

Hashing

Blockchain implementations

Consensus model

Smart contract or chaincode

Forking

CIA … what are the results of the research project?

Confidentiality
According to the National Institute of Standards and Technology (NIST), confidentiality refers to “the property that sensitive information is not disclosed to unauthorized individuals, entities, or processes”.
• Network access: firewall, VPN, VLAN, IDS, …
• Access control on application level
• Information Security Management System
• Cryptography: key generation
• PKI: Public Key Infrastructure
• Full encryption of the data blocks
• Authentication & authorization controls
• Key management: key storage, key loss, key theft
• Wallet management -> key theft, unauthorised access to data
• Quantum resistant cryptography -> SHA-256 replaced by SHA-384

Integrity
Integrity is defined as the “guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity” according to NIST.
• Data encryption - hash comparison - digital signing
• Immutability -> sequential hashing and cryptography + distributed consensus models
• Traceability - non repudiation -> time stamped and digitally signed
• Smart contracts -> S-SDLC
• Data quality -> trusted oracles: data feed third party service in smart contracts
• GDPR -> right to be forgotten
• Consensus hijack -> fraudulent transactions - Sybil attack

Availability
NIST defines availability as “ensuring timely and reliable access to and use of information”.
• No single point of failure -> IP-based DDoS has no effect
• Operational resilience -> distributed nodes, peer to peer, 24/7
• Global internet outage
• Scalability -> unexpected growth of the DLT database
• Denial of Service -> large volumes of small transactions

ISO/TC 307 Blockchain and distributed ledger technologies

Existing Threats
The first happens at the level of the transaction itself. In this category, the source of the threat is the behavior of a user, because of the user’s incompetence or dishonesty. One example of this category is a double-spending attack.
The second happens at the level of transaction validation. In this category, the threat comes from the collective behavior of dishonest miners. One example in this category is the 51% attack problem.

Existing vulnerabilities
User layer vulnerabilities
• User apps vulnerabilities
• Admin apps vulnerabilities

Existing vulnerabilities
API layer vulnerabilities
• External interfaces vulnerabilities
• User API vulnerabilities
• Admin API vulnerabilities

PDF document: 2020_USA20_ACB-R02_01_blockchain-and-dlt-security-risks-threats-and-vulnerabilities

This document was uploaded and shared by 张玉竹 on 2022-04-08 10:15:05.