The security and Privacy of the Blockchain, beyond technology and cryptocurrencies

Blockchain technology allows value transactions between users without intermediaries involved in the process, that is, it decentralizes the management of the transactions and presents all its participants with the same register book or distributed database ( distributed ledger ). Transactions can be monetary (cryptocurrencies) or of another nature (goods, information, services, etc.) and are developed on platforms whose nodes communicate through peer-to-peer networks (P2P) through Internet connections. the blockchainIt offers a dynamic and unalterable representation or registration of these transactions over time that replaces intermediaries and centralized trust authorities (eg notaries, banks, insurers, etc.) that support the transactions by the digital trust that users They have deposited in this technology.

The blockchain offers transparency (all participants can see all the information contained in the distributed database), sharing and decentralization (one copy of the database in all nodes), irreversibility (once a data is registered, cannot be modified or deleted) and disintermediation (without central arbitrator, participants make decisions by consensus). The blockchain links the sequence of transactions and incorporates a timestamp that gives transparency and traceability to operations without thereby breaching the privacy of users a priori (path can be known and the content although it is not always feasible to infer the identity of the user). Actors can adopt three roles: users with the right to have and consult a copy of the distributed database ( accessors ), participants with the right to perform transactions ( participants ) and users in charge of validating transactions and creating blocks ( miners ). All of them have a validated and unique copy of the database.

Each platform establishes its rules of participation, operation and governance. Platforms can be open (public) if they are accessible without restrictions ( permissionless ledgers ), such as the Bitcoin cryptocurrency. They are semi-public or authorized ( permissioned ledgers ) when participation, the right to veto of new members or the possibility of deciding the consensus protocol at the beginning of the chain are conditioned. They can also be private when an actor sets the rules; In this case, the difference between a blockchain and a conventional decentralized database is blurred.

The blockchain uses cryptographic security mechanisms to access, sign and encrypt transactions, blocks and their chaining. Private keys can be linked to the identity of the users or intermediate elements; for example, the digital portfolios with which the platform offers anonymity of operations. The rules that execute the transactions can be established through smart contracts 3 ; in the Ethereum blockchain , for example, they ensure a common understanding of the transaction between the parties, in particular on the obligations incurred, offering limited visibility to interested parties (third parties of the blockchain outside the contract do not have access to its stipulations or compliance).

The technological challenges

The complexity, the speed of growth, the proliferation of a large number of different platforms or their high business potential make it difficult to solve significant technological challenges such as scalability, standardization or interoperability, aspects of particular impact on security.

The need for scalability is accentuated by the exponential growth of the main public platforms (for example, Bitcoin grew 450% between July 2012 and July 2016). As the network grows, the competition to perform validations increases, it takes longer and the unit cost per transaction increases. Therefore, new consensus mechanisms are needed that reduce processing time without compromising security.

The need for interoperability is accentuated given the proliferation of different solutions and the need to share data between platforms or use common electronic wallets. The exchange of data requires the translation between protocols and the reconciliation of different consensus mechanisms, which is hindered by the absence of standards. Beyond the technical aspects, interoperability between platforms will also have to respond to needs such as the ease of use of applications and the ability to transfer assets, limit the volume of transactions, prevent them or establish safeguards against fraudulent ownership changes.

A technological challenge in constant debate is energy efficiency , given the high intrinsic consumption of the blockchain and the significant hidden cost linked to the consensus mechanisms for the validation and calculation of blocks made by mining nodes. These factors are directly related to environmental impact 4 and determine the need for more efficient and safe validation protocols that facilitate participation in the blockchain platform of autonomous devices with limited consumption, for example, IIoT in the industrial field.

Blockchain security

The blockchain is a conceptually secure technology thanks to its distributed nature, the irreversibility of transactions and the intensive use of encryption. Vulnerabilities usually arise as a result of the implementation of platforms and applications, that is, they are linked to the development of the computer code, communication protocols or the simplification of the validation and consensus mechanisms of the blocks.

The blockchain is a recent and complex technology. Despite thorough code design and revision, vulnerabilities cannot be excluded as a result of programming errors. Once these have been identified, they are especially complicated to patch without affecting the service due to the distributed architecture and the immutability of the blockchain. Vulnerabilities are accentuated by the multiplicity of programming languages and protocols, that is, by the absence of technological standards. This fragmentation slows the maturity curve of this technology, reduces the possibilities of error detection and implementation of controls on the code and disperses the experience of developers, under constant pressure to shorten delivery times.

Likewise, the integration of blockchain platforms with the information systems that support the company's business processes or interoperability between different blockchain platforms is still very incipient, which limits efficiency and increases cybersecurity risks. It may take years to reach a degree of maturity and technical consensus that facilitates the convergence of security standards and interoperability between platforms. Therefore, developers and companies must inevitably incorporate security methodologies by design from the early stages of development with the participation of the information systems and cybersecurity departments.

Platforms, services and networks share security risks with information technologies, such as confidentiality, privacy, key management, cryptography, identification and patching of vulnerabilities or awareness of social engineering threats. But they also offer specific risks: 

• Hijacking of the consensus mechanism through the coalition of users ( 51% attack ) or timely acquisition of large cloud computing capacity in order to alter the validation (for example, denying transactions or reallocating an already spent asset);
• Mining of side or parallel chains ( sidechains) by having less mining capacity or the possibility of attacks that can block a side chain and reverse the transactional burden by overloading the root blockchain ;
• Denial of service attacks distributed by injecting a high number of spam transactions (vulnerability accentuated by the possibility of storage in the blockchain of data and algorithms);
• Attacks focused on the capabilities of the managing entity (sole) of an authorized blockchain ( permissioned ).

As the number of blocks in a chain increases, mining nodes tend to pool ( pools ), since the possibility of an individual node sealing a block and obtaining the reward decreases. This concentration may pose vulnerabilities in order to obtain a reliable consensus if the preponderance of a few pools is dominant in the platform.

In relation to the widespread use of smart contracts to carry out transactions, they are exposed to errors and vulnerabilities - most likely to the extent that smart contracts are more complex - derived from their coding and those of the platform of the data string in which they run. In addition to programming errors, blockchain technologies face risks that have to do with cryptographic techniques that ensure the confidentiality and integrity of the transaction log, such as the custody of user access codes, hosting purses or the hypothetical rupture of cryptographic algorithms through quantum computing in the future.

The privacy design

The blockchain raises new and complex issues around the protection of privacy rights in the use of personal data and in particular in the application of the GDPR when transactions manage personal data or the information of the blocks makes reference to personal data of the participants.

Features such as decentralization of data processing and storage make interpretation of the Regulation difficult. National regulatory authorities and European institutions promote regulatory analysis and issue guidelines and reports that are mandatory references for developers. In this area, the contribution of the EU Blockchain Observatory and Forum should be mentioned .

It is important to indicate that the RGPD does not evaluate a technology in terms of privacy, but the way in which the different use cases and applications use it. Therefore, it is unavoidable to initiate any design of a blockchain platform or application by performing an exhaustive analysis on the impacts on privacy, evaluating the desirability of adopting more appropriate alternative solutions to the blockchain or the need and proportionality of the design options that have been chosen. For example, the convenience of using a public blockchain should be assessed , since authorized and private ones pose less regulatory difficulties (for example, in blockchainEvery user can trace transactions from origin to destination or download the registration book, which makes it difficult to exercise the right to be forgotten or rectified). Equally sensitive is the use of smart contracts that may be the source of personal data leaks.

A blockchainIt can contain two categories of personal data: those that allow the identification of the sender and receiver of the transaction through public keys and the information included in the transaction related to third parties. Based on this distinction, the GDPR analysis methodology (identification of the data controller, rights and safeguards, risk management, etc.) is applicable. Broadly speaking, the regulatory tensions over the GDPR that capitalize on the debate between authorities and developers revolve around the identification of the roles of controller and data processor or what implications it has for several participants to decide to process the transactions together with the derived obligations, to the anonymization of personal data and to the exercise of rights such as rectification, erasure, right to be forgotten, objection to processing or portability of personal data. Likewise, the design must pay special attention to the obligations arising from outsourcing or to the rules of governance in the international transfer of data, in particular between public blockchain

In this regard, the EU Blockchain Observatory and Forum indicates to developers four general application guidelines:

• Start the design at a high level preventing the blockchain from becoming an innovative solution in search of a problem: what is the value contribution of the solution to the user? Is a blockchain platform really necessary ? How to manage the data?
• Avoid storing personal data in the blockchain ; use obfuscation, encryption and aggregation techniques to anonymize this data.
• Keep personal data out of the blocks whenever possible or use authorized or private blockchain ; analyze the transfer of personal data by connecting private blockchain with public.
• Offer full transparency to users about data processing.

Conclusions

The blockchain is one of the most disruptive, complex and incipient information technologies, whose vertiginous growth is transversal to all sectors of activity in the public and private spheres. Beyond cryptocurrencies, it has enormous potential as a paradigm of decentralization and empowerment of natural and legal persons, together with not a few regulatory, jurisdictional and technological challenges such as scalability, interoperability or environmental impact.

The blockchain is a conceptually very secure technology that is exposed in the course of its implementation to errors and vulnerabilities of any information system, added to those specific to this technology. To this are added the security, interoperability and technological challenges derived from its progressive maturity, complexity, lack of standardization and diversity of protocols, to which the demands of a vibrant competitive environment are superimposed.

Alignment with the GDPR regulation in this area is a complex and open task to study with the necessary support of regulatory authorities. It must offer a response, among other aspects, to the identification of the roles of controller and data processor, anonymization, the exercise of rights such as rectification, erasure, right to be forgotten, objection to processing or portability. , obligations arising from outsourcing or international data transfer.

Consequently, the application of the principles of security and privacy by design are unavoidable from the initial phases of the design together with considerations resulting from integrating the blockchain platform to business processes or operations, such as impacts on the organization and on the business processes Facing these challenges requires the creation of multidisciplinary teams that have the participation since the beginning of the legal / regulatory, cybersecurity and information systems area of companies.

www.blockchainx.tech