Blockchain’s Brilliant Approach To Cybersecurity

Uploaded on 2017-02-10 in TECHNOLOGY-Key Areas-Blockchain, NEWS-News Analysis, FREE TO VIEW, TECHNOLOGY--Developments

Hackers can shut down entire networks, tamper with data, lure unwary users into cyber-traps, steal and spoof identities, and carry out other devious attacks by leveraging centralized repositories and single points of failure.

The Blockchain’s alternative approach to storing and sharing information provides a way out of this security mess. The same technology that has enabled secure transactions with cryptocurrencies such as Bitcoin and Ethereum could now serve as a tool to prevent cyberattacks and security incidents.

Blockchains can increase security on three fronts: blocking identity theft, preventing data tampering, and stopping Denial of Service (DDoS) attacks.

1. Protecting Identities

Public Key Infrastructure (PKI) is a popular form of public key cryptography that secures emails, messaging apps, websites, and other forms of communication. However, because most implementations of PKI rely on centralized, trusted third party Certificate Authorities (CA) to issue, revoke, and store key pairs for every participant, hackers can compromise them to spoof user identities and crack encrypted communications.

For instance, controversy recently broke over the key renegotiation process of WhatsApp, which could possibly be exploited to push false keys and perform man-in-the-middle attacks on one of the most popular and secure messaging apps in the world. Publishing keys on a blockchain instead would eliminate the risk of false key propagation and enable applications to verify the identity of the people you are communicating with.

CertCoin is one of the first implementations of blockchain-based PKI. The project, developed at MIT, removes central authorities altogether and uses the blockchain as a distributed ledger of domains and their associated public keys. CertCoin provides a public and auditable PKI that also doesn’t have a single point of failure.

More recently, tech research company Pomcor published a blueprint for a blockchain-based PKI that doesn’t remove central authorities but uses Blockchains to store hashes of issued and revoked certificates. This approach gives users a means to verify the authenticity of certificates with a decentralized and transparent source. It also has the side benefit of optimizing network access by performing key and signature verification on local copies of the blockchain.

Another interesting study of identification based on distributed ledgers is the IOTA, a project that applies Tangle (a blockless type of distributed ledger that is lightweight and scalable) to provide the backbone for millions of IoT devices to interact and identify each other in a peer-to-peer manner and without the need for a third-party authority.

“By referencing hashes that match identity attributes of an individual tied to the ledger one can start to reconstruct the entire identity management system. The fact that you can tie these attributes of person to a tamper-proof hash makes it impossible for someone to forge your identity,” says IOTA cofounder David Sønstebø.

2. Protecting data integrity

We sign documents and files with private keys so that recipients and users can verify the source of the data they’re handling. And then we go to great lengths to prove that those keys haven’t been tampered with, which is difficult when the key is meant to be secret in the first place.

The blockchain alternative to document signing replaces secrets with transparency, distributing evidence across many blockchain nodes and making it practically impossible to manipulate data without being caught. How do you prove that the San Antonio Spurs were the champions of the 2014 NBA Playoffs? You don’t need to because it’s general knowledge. The same applies to data on a blockchain distributed ledger.

Keyless Signature Structure (KSI), a blockchain project led by data security startup GuardTime, is one group that aims to replace key-based data authentication. KSI stores hashes of original data and files on the blockchain and verifies other copies by running hashing algorithms and comparing the results with what is stored on the blockchain. Any manipulation of the data will be quickly discovered because the original hash exists on millions of nodes.

As GuardTime CTO Matthew Johnson told me, the blockchain approach to data authentication offers “mathematical certainty over the provenance and integrity” of information. The U.S. Department of Defense’s DARPA agency is considering KSI as a potential fit to protect sensitive military data.

And on the health care front, blockchain company Gem is using blockchain to provide data transparency, change-auditing, and fine-grained access control of health records. This is especially important as healthcare providers handle reams of sensitive data and have been victims of huge data breaches.

“Data controlling critical business processes, patient health, and clinical trials are all attack surfaces in healthcare industry,” said Gem VP of Engineering Siva Kannan. “Blockchain technology would help in verifying the integrity of patient data shared across different organizations, create immutable audit trails for data governing health care business processes, and maintain the integrity of data collected in clinical health trials.”

3. Protecting Critical Infrastructure

A massive October DDoS attack taught us all a painful lesson about how easy it has become for hackers to target critical services. By bringing down the single service that provided Domain Name Services (DNS) for major websites, the attackers were able to cut off access to Twitter, Netflix, PayPal, and other services for several hours, yet another manifestation of the failure of centralized infrastructures.

A blockchain approach to storing DNS entries could, according to Coin Center’s Peter Van Valkenburgh, improve security by removing the single target that hackers can attack to compromise the entire system.

Nebulis is a project that is exploring the concept of a distributed DNS system that will never fail under an excess of requests. Nebulis uses the Ethereum blockchain and the Interplanetary Filesystem (IPFS), a distributed alternative to HTTP, to register and resolve domain names.

“The killer weakness of the current DNS system is its overreliance on caching,” Nebulis founder Philip Saunders said. “Caching makes it possible to stage DDoS attacks against DNS servers and allows oppressive regimes to censor social networks and manipulate DNS registries.”

Blockchain will also remove the network fees associated with DNS reads and will only impose costs on updates and new entries. “This has great potential for lifting a great deal of pressure from the physical backbone of the Internet,” Saunders said. “It also means we can do away with many of the redundancies of the traditional DNS and come up with something much better.

A transparent, distributed DNS where domain records are under their owners’ control will also make it virtually impossible for any single entity, including governments, to manipulate entries at their whim.

New and unexpected cybersecurity threats will continue to emerge while old threats linger. Blockchains won’t be a silver bullet to fix everything that’s wrong with the Internet, but they will be a powerful tool experts and engineers can leverage to harden their systems against the multitude of threats that surround us, especially where centralized weaknesses and single points of failure are concerned.

Venturebeat:       What Happened To The Blockchain Revolution?:      Could Bitcoin’s Blockchain Run An Entire City?:

 

« Only In Texas: Ransomware Steals Data From Police
Suspect Monitoring & Surveillance Technology »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall And Why Does It Matter

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall And Why Does It Matter

See how to use next-generation firewalls (NGFWs) and how they boost your security posture.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Fuel Recruitment

Fuel Recruitment

Fuel Recruitment is a specialist recruitment company for the IT, Telecoms, Engineering, Consulting and Marketing industries.

Cambray Solutions

Cambray Solutions

Cambray Solutions specializes in locating and securing technical professionals, managers, and executives.

HPE Aruba Networking

HPE Aruba Networking

HPE Aruba Networking, a Hewlett Packard Enterprise company, is a leading provider of next-generation network access solutions for the mobile enterprise.

MyCERT

MyCERT

MyCERT is the National Computer Emergency Response Team of Malaysia.

Fortify Experts

Fortify Experts

Fortify Experts is a search and recruitment firm specializing in Cyber Security.

ComCode

ComCode

ComCode provides consulting services and solutions in the area of digitization and cyber security for mid-sized and big businesses.

Appdome

Appdome

Appdome is the industry's first mobile integration as a service company, providing solutions for enterprise mobility and mobile application security.

Quick Heal Technologies

Quick Heal Technologies

Quick Heal Technologies is a leading IT security solutions provider focused on endpoint and network security solutions.

SecuGen

SecuGen

SecuGen is a leading provider of advanced, optical fingerprint recognition technology, products, tools and platforms for physical and information security.

Quaynote Communications

Quaynote Communications

Quaynote Communications is a specialist conference and communications company focused primarily on the maritime, yachting, aviation and security industries.

APT Search

APT Search

APT Search is a recruitment company specialising within the Legal Technology, Cybersecurity and Privacy sectors.

ECOLUX

ECOLUX

ECOLUX is a professional IoT security service company committed to developing world-leading “IoT Lifecycle Security” technologies and products.

Avertro

Avertro

Avertro helps leaders manage the business of cyber. We help explain cybersecurity to executives, forecasting outcomes, right-sizing your spend, and validating your cyber strategy.

SecAlliance

SecAlliance

SecAlliance is a cyber threat intelligence product and services company.

Trace3

Trace3

Trace3 is a pioneer in business transformation solutions, empowering organizations to keep pace with the rapid changes in IT innovations and maximize organizational health.

Bitdefender

Bitdefender

Bitdefender is a cybersecurity leader delivering best-in-class threat prevention, detection, and response solutions worldwide.