By Howard Poston on Jul 3, 2019 8:44:23 AM
The blockchain is an amazing technology that enables a whole host of applications that were not previously possible. The ability to create and maintain a secure, decentralized digital ledger allows organizations to function without requiring trust in a centralized authority.
However, the big question in blockchain is “is it secure?” Blockchain apologists will assure you that the blockchain is completely secure and unhackable; however, the news cycle almost constantly has stories of blockchains being hacked and cryptocurrency assets being stolen, demonstrating that the blockchain is most certainly not secure.
These positions seem mutually exclusive; however, there is a lot of truth in both of them. Understanding how the blockchain is secure and how it is still hackable is a vital step when deciding (or continuing) to use this new technology.
Blockchain: Secure by Design
Blockchain is designed to be a completely secure protocol for implementing a decentralized and distributed ledger. This allows the network to maintain a trustworthy record of its history without relying upon a centralized authority to do so. In order to accomplish this, the system needs a means to authenticate its users and a way to maintain the integrity and immutability of the ledger.
Authentication in the blockchain is dependent on public key cryptography. This type of cryptography (also called asymmetric key cryptography) uses a keypair consisting of a related private and public key. The private key can be used to decrypt messages encrypted with the corresponding public key and to generate digital signatures that can be verified with the public key. These digital signatures are an essential part of blockchain technology’s security since they prove that someone with access to a given private key generated a given transaction or block.
The other important feature of the blockchain is its immutability: it’s difficult or impossible to change the ledger after the fact. This is enabled by a combination of a few different features: digital signatures protect the integrity of transactions and blocks, blockchain consensus algorithms make it difficult for an attacker to create a fake version of a block, and hash functions link the blocks in the ledger together and ensure that any modifications to blocks are detectable. All together, these components create a ledger that is extremely resilient to modification.
The underlying design of the blockchain works, and it works well. While some blockchains have been exploited due to built-in vulnerabilities, these vulnerabilities have always either been deviations from the original blockchain design or created by poor implementations of the blockchain protocol. The underlying design of the blockchain is secure against attacks using modern technology.
The Cryptocurrency Security Paradox
The blockchain is theoretically secure; however, you can hardly go a month without hearing about some cryptocurrency being hacked. So what happened? Either blockchain is secure or it isn’t.
Robbing the Bank
Cryptocurrency hacks occur because of factors outside the control of the blockchain network. Blockchain is designed to create decentralized systems and allow people to “be their own bank”. However, this isn’t what many cryptocurrency users do. Instead, they take advantage of cryptocurrency exchanges and online crypto wallets.
Cryptocurrency exchanges are enticing because they provide a lot of convenience to their users. Instead of managing their own private keys, they store them with the exchange. In turn, the exchange simplifies the process of performing transactions, making trades, etc.
The downside of exchanges is that they provide a centralized target for hackers attempting to steal these valuable private keys. Like any other website, access to your exchange account is probably managed by a username and password and maybe a two-factor authentication (2FA) system. Usernames and passwords can be guessed or phished and many 2FA solutions can be easily defeated. If this occurs, the hacker then has access to your account and your private key.
The security model of public key cryptography is based upon your private key remaining secret. Anyone with that key is essentially “you” on the blockchain and can perform transactions in your name (including draining your account). As a result, hacking an exchange enables the hacks that make headlines.
Bandits on the Loose
Exchange hacks are bad enough, but they don’t account for every hack on the blockchain. A variety of other attack vectors exist that essentially boil down to cryptocurrency users doing something unwise.
The “Blockchain Bandit” is a cryptocurrency thief that took advantage of poor habits when generating private keys for use on the blockchain. Whether to help them remember their keys or for other reasons, users generated weak keys and used them to store value on the blockchain. The “Bandit” caught on and began automatically scanning for and stealing from these weak addresses, netting them almost 45,000 Ether.
Another mistake that has lost cryptocurrency users some Ether is poor misconfiguration of their blockchain software. A setting (disabled by default), allowed programs to interact with the wallet software via Remote Procedure Call (RPC) and perform transactions. Users who enabled this setting and didn’t protect it properly were prey to an attacker who scanned for open RPC ports and stole over $20 million in Ether.
Using Blockchain Securely
Blockchain technology is designed to be secure, but, like any system, it doesn’t stay secure if you give the keys away or leave the front door unlocked. The paradox between the security of the blockchain protocol and the rampant hacks of cryptocurrency is caused by people misusing the system, not any problem with the system itself.
Blockchain security is a complicated issue, but, from a user perspective, there are simple things that can be done to improve personal security on the blockchain. Even steps as simple as properly protecting your own secret keys (i.e. not entrusting them to an exchange) and ensuring that any blockchain software that you use is secure and updated can make a huge difference in your ability to protect your cryptocurrency assets.
Guest author Howard Poston is a cybersecurity and blockchain security consultant and trainer. This is the first part of a series on blockchain by Howard and he will be posting additional blockchain updates to the GhostVolt blog. You can reach Howard at firstname.lastname@example.org
GhostVolt, a powerful security application for teams, encrypts data using the AES-256 encryption algorithm both at rest and in transit. AES-256 is the algorithm approved by the US government for encryption of classified data and is considered the standard for data encryption. With GhostVolt, you can take an important step towards securing your data and meeting the regulatory criteria of CCPA, as well as GPDR and HIPPA requirements.