04 April 2017
Blockchain is the big new idea in tech, but is it worth the hype? Discover how it actually works (and why it matters to the security of your applications).
Dr Jonathan Tate, Solution Architecture Lead, Security CTO Team
Dr Joshua J Daniel, Senior Researcher, Security Futures Practice
Blockchain is a topic currently receiving a lot of attention. And it’s perhaps inevitable that much of this attention ultimately derives from an interest in money.
Breathless prose in the mainstream press suggests that traditional currencies like dollars and euros could be swept away, replaced by novel cryptocurrencies. The market capitalisations of the popular Bitcoin and Ether cryptocurrencies are at all-time highs of $17bn and $4bn respectively, as of mid-March 2017. These are amazing figures for crowdfunded currencies created as recently as 2009 and 2015.
Alongside this, countless start-ups have sprung up to ride the hype wave, with seemingly limitless venture capital (VC) funding thrown at them in the hope of capturing the ‘Next Big Thing’. There are shades of the dotcom era in both the perceived scale of opportunity, and the impossibility of many of these ventures succeeding.
Putting the more outlandish business models aside for a moment, however, the fact remains that the underlying blockchain technology is very much a real thing. Cryptocurrencies may get the press coverage, but a blockchain based on mathematically sound cryptographic primitives can exhibit security properties that are useful in diverse applications. And, perhaps, you can make use of this to bake in security when designing your own applications.
In this series of articles, we’ll look at how you can get started in securing your applications with blockchain technology — as well as some of the issues you’ll need to consider. But, first, you need to understand what a blockchain is.
What is this blockchain thing anyway?
Perhaps it’s best to start with what a blockchain isn’t. Blockchain isn’t Bitcoin (although the latter is perhaps the best-known application). A blockchain isn’t in itself a distributed ledger, though we can use it to build these.
It’s better to think of blockchain technology as a foundation upon which we can build applications that require certain behavioural and security properties.
Facetiously, we can define ‘blockchain’ as a ‘chain of blocks’. In the finest tradition of computer science, this definition is both correct and unhelpful — not to mention wilfully incomplete. However, it does highlight that — if we strip away surrounding infrastructure and applications — a blockchain instance is not necessarily all that interesting in itself.
Tautologies aside, blockchain implementations typically exhibit useful security properties. These include:
- Confidentiality — hashes of transactions do not reveal details of transactions.
- Integrity — mathematically sound cryptographic hashes reveal tampering attempts.
- Availability — distributed peer-to-peer system without a central authority.
- Non-repudiation — no single party controls the chain, so no one party can remove records.
If applied carefully, we can use blockchain within our own applications to exploit these properties.
Blocks, chains and blockchains
At its simplest, a blockchain is a data structure composed of an ordered series of blocks enforcing a specific sequential ordering. The first block is generally referred to as the ‘genesis block’. Blocks store records of transactions; precisely what is meant by a transaction will depend on your application.
Each block contains a number of fields:
- A set of one or more valid transactions, hashed and encoded into a Merkle Tree structure.
- A hash of the preceding block, defining a hashchain structure.
- Optionally, other elements like timestamps, nonces and other metadata.
The resulting blockchain allows integrity to be demonstrated by tracing back from any point in the hashchain to the genesis block.
The use of hashes of transactions encoded in a Merkle Tree allows us to efficiently record a proof of a set of transactions without revealing the exact content, and without the space overhead of storing every detail.
It also provides confidence that malicious actors cannot alter the blockchain record without being detected.
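The block structure described above, as an added example that is not part of the original article: each block carries a Merkle root over its transactions and the hash of the preceding block, and a verifier walks the chain from the genesis block to find the first record that no longer matches. SHA-256, the field names, the JSON header encoding, the all-zero genesis hash, the leaf/node prefix bytes and the sample transactions are all assumptions made for illustration.

```python
import hashlib
import json

GENESIS_PREV = "00" * 32  # assumed placeholder "previous hash" for the genesis block

def merkle_root(transactions):
    """Hex Merkle root over a non-empty list of transaction byte strings."""
    if not transactions:
        raise ValueError("a block needs at least one transaction")
    # Distinct prefixes for leaves and inner nodes stop a leaf being passed off as a node.
    level = [hashlib.sha256(b"\x00" + tx).digest() for tx in transactions]
    while len(level) > 1:
        pairs = [level[i:i + 2] for i in range(0, len(level), 2)]
        # An unpaired node is promoted unchanged to the next level.
        level = [hashlib.sha256(b"\x01" + p[0] + p[1]).digest() if len(p) == 2 else p[0]
                 for p in pairs]
    return level[0].hex()

def block_hash(block):
    """Hash of the block header: position, link to predecessor, and Merkle root."""
    header = {k: block[k] for k in ("index", "prev_hash", "merkle_root")}
    return hashlib.sha256(json.dumps(header, sort_keys=True).encode()).hexdigest()

def build_chain(batches):
    """Build one block per batch of transactions, each linked to the one before."""
    chain, prev = [], GENESIS_PREV
    for index, txs in enumerate(batches):
        block = {"index": index, "prev_hash": prev,
                 "merkle_root": merkle_root(txs), "transactions": list(txs)}
        chain.append(block)
        prev = block_hash(block)
    return chain

def first_invalid_block(chain):
    """Walk forward from genesis; return the position of the first bad block, or None."""
    prev = GENESIS_PREV
    for position, block in enumerate(chain):
        if block["prev_hash"] != prev:
            return position  # link to the predecessor is broken
        if merkle_root(block["transactions"]) != block["merkle_root"]:
            return position  # transactions no longer match the recorded root
        prev = block_hash(block)
    return None

# Constructed sample data, not taken from any real ledger.
SAMPLE_BATCHES = [[b"genesis"], [b"alice->bob:5", b"bob->carol:2", b"carol->dan:1"],
                  [b"dan->alice:1"]]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_BATCHES)
    chain[1]["transactions"][0] = b"alice->mallory:500"  # alter a stored record
    print("first invalid block:", first_invalid_block(chain))
```

Editing a transaction is caught at its own block; recomputing that block's Merkle root as well only moves the failure to the next block, whose stored predecessor hash no longer matches. A party that rewrites every later block produces a chain that verifies, so the check is only meaningful when other parties hold their own copy of the latest block hash.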
All aboard the hype train
Blockchain enjoys significant hype in the ideas marketplace. Some of this hype is deserved, although much is the result of people jumping on a bandwagon.
Similar to the related subject of encryption, blockchain is sometimes perceived as a magic ‘pixie dust’ that can somehow secure our applications if only we scatter enough around. It will come as little surprise that this enthusiastic application may yield little benefit if the technology isn’t really understood, or is misapplied.
The human condition being as it is, whenever we try to build protection with blockchain, it’s guaranteed that someone else will try to break it. If we attempt to secure valuable assets, be they sensitive data or actual money itself, then the value proposition for finding and exploiting errors in design and implementation becomes appealing.
Subtle, insidious corruption could go undetected for a long time, and a mathematically proven security property counts for nothing if the implementation is flawed. The accumulated history of software development shows that it usually is. If we’re lucky, the white-hats will get there first.
Even if we use blockchain in an application where its properties are relevant, and we somehow manage to implement it correctly, this does not necessarily imply that doing so was a good idea.
By Maslow’s Law of the Instrument, ‘if all you have is a hammer, everything looks like a nail’. In our enthusiasm to use the new technology, we may convince ourselves to apply blockchain to problems for which a simpler or cheaper alternative exists. The fact that the application did not use blockchain was never the problem we actually needed to solve.
Nevertheless, the emergence of blockchain is an exciting development for the security community as an enabling technology. The underlying principles are straightforward, the security properties are useful and — if implemented correctly — could allow us to build new applications.
Where do we go from here?
In this series, we’ll look at issues of interest to the application developer considering the use of blockchain technology. Some topics we’ll consider include:
- ‘Roll-your-own’ versus ‘Blockchain as a Service’.
- ‘Hello, blockchain!’ — your first steps with a blockchain service.
- Anatomy of a cryptocurrency, and handling your non-currency assets.
- Smart contracts and the Software Development Lifecycle.
- Practical alternatives to blockchain.
- Future directions in blockchain technology.
So keep an eye out for the next article in the series to discover more about the wonderful world of blockchain (as well as how it can make a difference to your organisation). In the meantime, take a look at this article from Konstantinos Karagiannis to delve further into the topic.
Or if you want to see our Blockchain demo in person, why not visit Innovation 2017, our technology and innovation exhibition taking place in June.