Blockchain has proven its security capabilities and mechanism, says Ian Deakin of Innov8ID
Blockchain technology is driving a significant evolution in the way security for IT and telecommunications is currently being developed.
Over the last few years, IT and telecommunications services have evolved from dedicated centralised infrastructure to deployments across distributed, virtualised cloud providers. In this model, the traditional controls for managing identity, security and data privacy can present many challenges.
The rise in cybersecurity attacks due to lack of IoT security
A plethora of innovative digital devices and low-cost internet of things (IoT) devices, typically shipped with default security passwords, are connecting with a broad range of IT services. This presents hackers with an easy opportunity to spread malicious software to millions of IoT devices and recruit them into a coordinated distributed denial-of-service (DDoS) attack.
We have seen many examples in the news of centralised systems being compromised through denial-of-service attacks. A DDoS attack floods systems, servers, or networks with traffic to exhaust resources and bandwidth. As a result, the system is unable to fulfil legitimate requests. Attackers can also use multiple compromised devices to launch this attack.
Today, most IT security systems are based on central servers, used to identify and authenticate individual connecting IoT devices. As highlighted earlier, any centralisation makes servers inherently vulnerable to potential DDoS and brute force attacks. If this centralised resource is compromised, everything attached and the service it provides will be equally affected.
In 2016, possibly the most severe example of this was an attack on the internet DNS service provider ‘Dyn’. Millions of internet digital cameras and DVR players were infected with special malware and, as what is known as a “botnet”, were coordinated into bombarding a server with traffic until it collapsed under the strain. The result brought down the internet across North America, affecting many top internet brands including Airbnb, Twitter, PayPal and Netflix.
Blockchain Technology Security Foundations
Distributed ledger technologies, or blockchain as they are commonly referred to, are currently being used to power and secure a cryptocurrency market worth over 250 billion USD (as of Sep 2019).
Blockchain is a truly distributed system, which has built-in protections against many potential cybersecurity and fraud attacks. The largest blockchain network today, ‘Bitcoin’, has over 100,000 nodes. In 10 years of operation, its protocol has warded off several attempts made to attack this network. This distributed infrastructure of nodes makes a successful cyberattack extremely difficult: multiple blockchain nodes across many different institutions must be attacked to overwhelm the full system.
The foundation for how blockchain provides secure access is public key cryptography. Also known as asymmetric cryptography, it uses public and private keys to encrypt and decrypt data. The keys are simply large numbers that have been paired together but are not identical (asymmetric).
One key is kept secret; it is called the private key and is used to encrypt messages and ensure that the identity of the owner recording information or transacting on the blockchain can be trusted. The other key is called the public key. It is used to verify that a message was sent by the holder of a specific private key. Public keys are distributed on the blockchain, enabling anyone to use them to verify the identity and authenticity of a message or transaction.
This method eliminates the need for personal data, i.e. a username/password, to be used as a means of authenticating access.
How Blockchain can enhance IoT security
Billions of IoT devices are being produced and shipped to consumers globally. Typically, manufacturers configure default usernames/passwords into the firmware, enabling the devices to be shipped anywhere and be easily installed.
Instead, the manufacturers of these IoT devices can embed a unique private key for each IoT device into the firmware, storing each device identity with its corresponding public key on a blockchain. Each IoT device then has a unique trusted identity that can be authenticated by any application using the public key from the blockchain.
Most blockchain private keys use SHA256 hashing to secure transactions. Roughly, if a supercomputer that can perform 15 trillion calculations per second were employed in cracking a hash, it would take over a billion years to crack the hash of a single blockchain identity. Not only would it take a long time, but the cost of infiltrating a single device would make it very difficult and impractical to recruit a sufficient number of devices to coordinate a DDoS attack using IoT devices.
Instead of holding all the IoT device identities and public keys in a central resource, blockchain can be used to distribute the public keys used to authenticate and verify IoT devices. Each service or application provider can host their own node to ensure they have a local copy of the blockchain. This will prevent a DDoS attack on a central resource from rendering the service unavailable.
Blockchain has proven its security capabilities and mechanism over the last 10 years. Integrating an IoT device identity and authentication service onto a blockchain will help to mitigate many of the known DDoS attack possibilities we have seen to date.
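The device-identity scheme described above, sketched in Go as an added example that is not from the original article: each device answers a fresh challenge with a digital signature, and a provider checks it against its own local copy of the registry. Ed25519 signatures, the running SHA-256 hash chain standing in for the blockchain, and the names Entry, Ledger, Provision and Authenticate are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Entry binds a device ID to the public key recorded at manufacture.
type Entry struct{ ID string; Pub ed25519.PublicKey }

// Ledger is one provider's local replica of the identity registry.
type Ledger []Entry

// Head chains every entry into one hash, so altering any entry changes it.
func (l Ledger) Head() (h [32]byte) {
	for _, e := range l {
		h = sha256.Sum256(append(append(h[:], e.ID+"\x00"...), e.Pub...))
	}
	return h
}

// Provision keeps the private key inside the returned signer (the device).
func Provision(l Ledger, id string) (func(challenge []byte) []byte, Ledger) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return func(c []byte) []byte { return ed25519.Sign(priv, c) }, append(l, Entry{id, pub})
}

// Authenticate trusts the replica only if it still hashes to the agreed head.
func (l Ledger) Authenticate(trusted [32]byte, id string, challenge, sig []byte) bool {
	if l.Head() == trusted {
		for _, e := range l {
			if e.ID == id {
				return ed25519.Verify(e.Pub, challenge, sig)
			}
		}
	}
	return false
}

func main() {
	cam, l := Provision(nil, "cam-001") // constructed device ID
	nonce := make([]byte, 32)
	rand.Read(nonce) // fresh challenge so an old response cannot be replayed
	fmt.Println(l.Authenticate(l.Head(), "cam-001", nonce, cam(nonce)))
}
```

The trusted head is passed in by the caller here; on a real blockchain it would come from the network's consensus rather than from the replica being checked.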