Blockchain, multi-level security
By Data Manager Online
November 11, 2021
Blockchains allow you to store data in a secure and unalterable way, and therefore constitute perfect digital registers. Their security, however, touches on various aspects, from those of the network to the implementation of the software
A blockchain is a digital ledger in which information is written in blocks, and each block contains a cryptographic hash imprint of the previous block. Therefore, to alter a transaction in a block you have to change the content of all subsequent blocks, otherwise the accounts do not add up. For the same reason, the data stored in it cannot be modified or deleted in a blockchain; you can only add new data at the bottom of the chain. Furthermore, blockchains are managed by a peer-to-peer (P2P) network of computers, each of which stores a copy of the entire chain. In other words, a blockchain is a decentralized digital ledger. Among the many types of existing blockchains we consider the permissioned ones, of particular interest for the industrial world. Often used to store information on the quality and traceability of products, they are managed by consortia of companies, which must collaborate but are potentially in competition with each other. The inalterability of blockchains allows them to be used to notarize information, guaranteeing the non-repudiation of the same and their existence at a certain date. In such a situation, it is evident that the security aspects are very relevant. Since blockchains operate on multiple technological levels, we need to consider the security of each of them. Starting from the network level, the nodes of the P2P network communicate with each other over the Internet, using appropriate protocols.
Depending on where the computers on the network are located, and depending on the attacker’s ability to control network connections, the network may be segmented. In this way, each portion of the network will make its own copies of the blockchain evolve autonomously – and incompatible with the others. At the level of cryptographic operations, it is very difficult to cheat, making transactions or information that violate protocols recognized as valid. In the case of permissioned blockchains, however, users write information on the blockchain using specific cryptographic credentials, issued and managed by a Certification Authority (CA). Even if the CA were 100% reliable and honest, it constitutes a single point of failure, as anyone who takes control of it could create and revoke credentials at will. By making the CA unavailable, on the other hand, it can be avoided so that it can correctly manage the revocation of credentials that are no longer valid.
Authority, network security and software implementation, the critical points of the #blockchainClick To Tweet
At the software level, it is possible for a user to use a client – to interact with the blockchain – maliciously modified by an attacker. This would allow the user to be shown information other than those that are actually read or written in the blockchain, deceiving them on the amount of cryptocurrency used in payments, or on the validity of the information displayed. Similar attacks carried out on the software that allows the P2P network nodes to manage the blockchain are much more difficult, and much less likely, as if one node of the network deviates from the expected protocol, the other nodes notice it. Finally, there is the problem of the correctness of smart contracts, which are programs stored on the blockchain and which are executed by the nodes of the P2P network. Since smart contracts can write information on the blockchain, for example by executing pre-programmed cryptocurrency transactions, trivial programming errors can have unpleasant and important consequences. When implementing (and using) a blockchain, all these aspects must be taken into account. And the fact that the attackers can have excellent technical skills, and a lot of imagination.
Alberto Leporati scientific committee CLUSIT – associate professor of the Department of Computer Science, Systems and Communication of the University of Milan-Bicocca