Blockchain


Mestrado em Engenharia Informática

Engenharia de Segurança Informática

Risk Analysis and Integration of Security Practices

Blockchain

June 2017

Diogo Amaral
Tiago Moura
André de Sousa
Luk Vokrko

Index

Introduction
What is Blockchain
How Blockchain works
A distributed database
Security offered by Blockchain
Advantages and disadvantages
Application in the real world
Blockchain applied in IoT
Conclusion
Bibliography


Introduction
This work focuses on presenting Blockchain and how it is going to change society.
Blockchain is the technology behind digital currencies, but it promises to have a vast
impact on every society and individual.

Today any one of us can send an email to the other side of the planet in seconds.
That's amazing, but if we want to send a hundred euros to our neighbor it will take at
least one week, even though he is right there. This happens because the system needs a
third party, a middleman, to assure trust; however, this might be about to change.

Blockchain is a technology that is able to ensure trust, allowing for immediate
communication between all people, more securely, with lower costs and more productivity.


What is Blockchain
Blockchain is a data structure that allows for the generation of a digital ledger of
transactions and the sharing of that ledger across a distributed network of computers.
It allows each participant on the network to manipulate the ledger, in a secure way
using cryptography, without the need for a central authority. [1]

This network is composed of private computers that store data and perform computations.
Notice that the ledger is not stored on any central server or datacenter, contrary to
the traditional approach that, for example, financial institutions currently use. From
now on we will refer to each computer on the network as a node; each node has a copy of
the ledger.

Fig. 1. Central/traditional vs distributed/blockchain ledger. (by OLIVER WYMAN)

Technically, blockchain is a distributed database that is used to maintain a continuously
growing list of records, called blocks. Each block contains a timestamp and a link to a
previous block. A blockchain is typically managed by a peer-to-peer network collectively
adhering to a protocol for validating new blocks. Before any transactions are added, they
must be verified by participants on the network, all of whom hold copies of the existing
blockchain; they process each new transaction to check that it is valid and correct. If
the majority of participants validate the transaction, it is approved and added to the
blockchain. Once recorded, the data in any given block cannot be altered retroactively
without the alteration of all subsequent blocks and the collusion of the network.

Nowadays the name Blockchain commonly represents a version of this distributed ledger
structure and the distributed workflow process. There are many Blockchain
configurations that use variations of the distributed workflow process depending on the
needs of the participants and organizations involved. The best-known example is
probably the Bitcoin blockchain.

How Blockchain works


Blockchain relies on the existence of a digital file that contains the records of every
transaction and that is available to anyone on the network. This file or database is
usually called a ledger.

LEDGER
Account Owner    Transaction
Larry            10
Melanie          2
William          5

Table 1. Simplified ledger representation.

This ledger file is distributed on the network. As described above, it is not stored on
any central server or datacenter; each node on the network has its own copy of the
ledger.

Now imagine Larry wants to pay 2 coins to Melanie for something she sold him. Larry
broadcasts to the network the transaction he wants to perform. The transaction states
that his account balance should decrease by 2 coins and Melanie's account should increase
by the same value. Every node on the network will then update its own copy of the
ledger, keeping it up to date.

LEDGER
Account Owner    Transaction
Larry            8
Melanie          4
William          5

Table 2. Ledger updated.

But before users can perform transactions on the network they need what is called a
digital wallet. Basically, it is a computer program that has the ability to store and
exchange coins. The wallets are protected by a cryptographic method that uses a pair of
digital keys, one private and one public. For example, if Larry sends a payment to
Melanie, he sends the transaction encrypted with the private key of his wallet to prove
that he is the owner of the wallet, since he is the only one who has the private key to
his wallet. Each node on the network, using the public key of that wallet, can
cross-check the transaction request. This process generates a digital signature, composed
of a combination of the transaction request and the private wallet key, to prevent
interference from a possible middleman. Other nodes use this digital signature to
guarantee the authenticity of the request.

The public key of the wallet matches its send address, which means it is what other
users use to send coins to that wallet account. Notice that, as the user only broadcasts
the transaction after it is encrypted, the private key always remains private. Another
detail is that each time a transaction is requested it must contain links to previous
transactions that sum to at least the value of the proposed transaction, so that the
nodes can confirm that the value exists and has not yet been spent.
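
The checks a node runs on Larry's payment before updating its ledger copy, as an added example (not code from the original report): signature check against the sender's public key, then a funds check. Assumptions: a Lamport one-time signature built from SHA-256 stands in for the wallet key pair (Bitcoin itself uses ECDSA), the account balances of Table 1 stand in for links to previous transactions, and the `Node` class, field names and `seq` counter are hypothetical.

```python
import hashlib
import json
import secrets

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# Lamport one-time signature: a hash-only stand-in for the wallet key pair.
def keygen():
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pub = [(h(a), h(b)) for a, b in priv]  # only the hashes are published
    return priv, pub

def digest_bits(msg: bytes):
    d = int.from_bytes(h(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def sign(priv, msg: bytes):
    # Reveal one secret per digest bit. A Lamport key must sign only once.
    return [priv[i][b] for i, b in enumerate(digest_bits(msg))]

def verify(pub, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(h(s) == pub[i][b]
               for i, (s, b) in enumerate(zip(sig, digest_bits(msg))))

def encode(tx: dict) -> bytes:
    return json.dumps(tx, sort_keys=True).encode()  # canonical bytes that get signed

class Node:
    """One node's copy of the ledger plus the checks it runs before updating it."""

    def __init__(self, balances, pubkeys):
        self.ledger = dict(balances)
        self.pubkeys = pubkeys
        self.applied = set()  # ids of transactions already recorded

    def submit(self, tx: dict, sig) -> str:
        sender, receiver, amount = tx["from"], tx["to"], tx["amount"]
        if sender not in self.pubkeys or receiver not in self.ledger:
            return "unknown account"
        if not verify(self.pubkeys[sender], encode(tx), sig):
            return "bad signature"
        txid = h(encode(tx)).hex()
        if txid in self.applied:
            return "replayed"
        if not isinstance(amount, int) or amount <= 0 or self.ledger[sender] < amount:
            return "insufficient funds"
        self.ledger[sender] -= amount
        self.ledger[receiver] += amount
        self.applied.add(txid)
        return "accepted"

def demo():
    # Constructed sample data: the balances of Table 1 and two wallets.
    larry_priv, larry_pub = keygen()
    will_priv, will_pub = keygen()
    node = Node({"Larry": 10, "Melanie": 2, "William": 5},
                {"Larry": larry_pub, "William": will_pub})
    tx = {"from": "Larry", "to": "Melanie", "amount": 2, "seq": 1}
    sig = sign(larry_priv, encode(tx))
    results = [
        node.submit(dict(tx, amount=9), sig),  # amount altered in transit
        node.submit(tx, sig),                  # the genuine request
        node.submit(tx, sig),                  # the same request sent again
    ]
    overspend = {"from": "William", "to": "Larry", "amount": 50, "seq": 1}
    results.append(node.submit(overspend, sign(will_priv, encode(overspend))))
    return results, node.ledger

if __name__ == "__main__":
    print(demo())
```

The accepted payment leaves the node's ledger in the state shown in Table 2; the altered, repeated and overspending requests leave it unchanged.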

Fig. 2. Blockchain formation. (by WIKIPEDIA)

Blockchain uses a peer-to-peer network and a distributed timestamping server. By storing
data across its network, the blockchain eliminates the risks that come with data being
held centrally. Every node or miner in a decentralized system has a copy of the
blockchain. Data quality is maintained by massive database replication and
computational trust. No centralized "official" copy exists and no user is "trusted" more
than any other. Mining nodes validate transactions, add them to the block they're
creating, and then broadcast the completed block to other nodes.

The whole system is open source, so anyone with a computer and an internet connection
can use it.


A distributed database
Blockchain is a distributed database that is used to maintain a continuously growing list
of records. It's a decentralized and distributed digital ledger that is used to record
transactions across many computers so that the record cannot be altered retroactively
without the alteration of all subsequent blocks and the collusion of the network.

Information held on a blockchain exists as a shared and continually reconciled database.
This is a way of using the network that has obvious benefits. The blockchain database
isn't stored in any specific location, meaning the records it keeps are truly public and
easily verifiable. No centralized version of this information exists for a hacker to corrupt.
Hosted by millions of computers simultaneously, its data is accessible to anyone on the
internet [2]. Decentralization means the network operates on a user-to-user (or
peer-to-peer) basis.

Fig. 3. Centralized (left), decentralized (center) and distributed (right) network.

Peer-to-peer systems share these characteristics:

- Their design ensures that each user contributes resources to the system;
- All nodes have the same functional capabilities and responsibilities.

Simply put, a blockchain is a peer-to-peer network that timestamps records by hashing
them into an ongoing chain of hash-based proof-of-work, forming a record that cannot
be changed without redoing the proof-of-work. On the other hand, a distributed ledger is
a peer-to-peer network that uses a defined consensus mechanism to prevent
modification of an ordered series of time-stamped records. All blockchains are distributed
ledgers, but not all distributed ledgers are blockchains. By storing data across its
network, the blockchain eliminates the risks that come with data being held centrally. Its
network lacks centralized points of vulnerability that computer hackers can exploit [2].


Security offered by Blockchain


By storing data across its network, the blockchain eliminates the risks that come with
data being held centrally. Blockchain security methods use encryption technology.

The basis for this are the so-called public and private keys. A public key (a long,
randomly-generated string of numbers) is a user address on the blockchain. Bitcoins
sent across the network get recorded as belonging to that address. The private key is
like a password that gives its owner access to their digital assets. Store your data on the
blockchain and it is incorruptible. This is true, although protecting your digital assets will
also require safeguarding your private key by printing it out, creating what's referred
to as a paper wallet. [2]

The Blockchain network handles transactions by placing them in blocks. Each block
contains a defined number of transactions and a link to the preceding block. This system
is what sets blocks one after another in time, hence the name Blockchain. The
transactions in each block are considered to have happened at the same time, and
transactions outside the blocks are in a state in which they still need confirmation;
this is all done by the individual nodes.

So how does the system agree on the order of the blocks and the creation of new blocks?
Before being appended to the chain, each block must solve a complex mathematical
problem generated by a cryptographic hash function. To solve this problem it needs
information contained in the previous block. However, because the network contains
many nodes trying to solve the same problem, the node that solves the problem first is
the one that places the block on the chain and broadcasts it to the network.
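
Why editing an old block forces the proof-of-work to be redone for that block and every later one, as an added example (not code from the original report). The block fields, the 3-hex-digit difficulty, the timestamps and the sample transactions are constructed for illustration; real networks use far harder targets.

```python
import copy
import hashlib
import json

DIFFICULTY = 3            # required leading zero hex digits (tiny, so this runs fast)
GENESIS_PREV = "0" * 64   # placeholder "previous hash" for the first block

def block_hash(block: dict) -> str:
    return hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()

def mine(index, prev_hash, txs, timestamp):
    """Search for a nonce that makes the block hash meet the difficulty target."""
    block = {"index": index, "prev": prev_hash, "time": timestamp,
             "txs": txs, "nonce": 0}
    while not block_hash(block).startswith("0" * DIFFICULTY):
        block["nonce"] += 1
    return block

def build_chain(batches, start_time=1496275200):
    chain, prev = [], GENESIS_PREV
    for i, txs in enumerate(batches):
        block = mine(i, prev, txs, start_time + 600 * i)  # one block per 10 minutes
        chain.append(block)
        prev = block_hash(block)
    return chain

def first_invalid(chain):
    """Index of the first block failing the link or proof-of-work check, else None."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        digest = block_hash(block)
        if block["prev"] != prev or not digest.startswith("0" * DIFFICULTY):
            return i
        prev = digest
    return None

def demo():
    chain = build_chain([
        ["Larry pays Melanie 2"],
        ["William pays Larry 1"],
        ["Melanie pays William 3"],
        ["Larry pays William 4"],
    ])
    forged = copy.deepcopy(chain)
    forged[1]["txs"] = ["William pays Larry 0"]   # rewrite history in block 1
    after_edit = first_invalid(forged)            # stored nonce no longer fits the data
    b = forged[1]
    forged[1] = mine(1, b["prev"], b["txs"], b["time"])  # redo the work for block 1 only
    after_one = first_invalid(forged)             # block 2 still links to the old hash
    for i in range(2, len(forged)):               # redo the work for every later block
        b = forged[i]
        forged[i] = mine(i, block_hash(forged[i - 1]), b["txs"], b["time"])
    redone = [i for i in range(len(chain))
              if block_hash(chain[i]) != block_hash(forged[i])]
    return {"honest": first_invalid(chain), "after_edit": after_edit,
            "after_one": after_one, "after_all": first_invalid(forged),
            "redone": redone}

if __name__ == "__main__":
    print(demo())
```

A node that validates the chain rejects the edited copy until blocks 1, 2 and 3 have all been re-mined, which is the work the honest network has meanwhile spent extending its own chain.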

Fig. 4. The longest chain rule.

Blockchains can increase security on three fronts: [10]

- Blocking identity theft;
- Preventing data tampering;
- Stopping Denial of Service attacks.

The blockchain network lives in a state of consensus, one that automatically checks in
with itself every ten minutes. A kind of self-auditing ecosystem of a digital value, the
network reconciles every transaction that happens in ten-minute intervals. Each group
of these transactions is referred to as a block. [2]

Two important properties result from this:

- Transparency - data is embedded within the network as a whole, by definition it
  is public;
- It cannot be corrupted - altering any unit of information on the blockchain would
  mean using a huge amount of computing power to override the entire network.

Advantages and disadvantages


The blockchain, like other technologies, has many advantages which can be applied in
many kinds of software. Let's look at a few of these advantages, starting with security.

The block structure used in blockchain is virtually inviolable. To violate it, an
attacker would have to control over half of the nodes in order to have changes
accepted [7]. To change any record, the attacker would have to rewrite the entire
database, which again is not viable. We can even consider it impossible [7]. Another big
advantage is availability. The distributed structure keeps the system working if nodes
are down. When those nodes return to the network, they start updating automatically.
Probably the most important advantage is confidence. Since the data in a blockchain
cannot be deleted or changed, we can be sure that recorded transactions are legitimate
and true. The transactions are public and therefore transparent. Because of
cryptography, the users in the system don't need to send their identification; however,
it is possible, if necessary, to link the identities. This aspect helps ensure that the
user in a transaction is really legitimate.

Operating costs are very low compared to a central computer system. They vary according
to how the technology is applied, but generally the distributed model implies shared
processing and storage.

There are many other topics with advantages:

- Reduction of information in several systems
- Approving or voting systems
- Smart contracts
- Possibility of making financial transactions through bitcoin
- Working with a P2P network
- Using cryptography and digital signatures with proof of identity and authenticity,
  and increasing read and write access
- Giving reading permissions to a group of participants and writing permissions to
  other groups
- Having a defence mechanism which makes it very difficult to change the historic
  records and possible to detect probable attacks.

There are also disadvantages in blockchain:

- It needs more talent and know-how
- It needs a successful example of application in industry
- It is expensive relative to the profits of some companies
- It is still somewhat unknown to the general population

Application in the real world


Blockchain's impact on society will be huge. It is a true revolution for the internet as
we know it and for the way society performs transactions of value (money, art, work, etc.).
Across industries and services there will be a need for business process
reengineering; the adoption of Blockchain technology will bring most of its changes
in business processes and not so much in technology implementation.

The current role of intermediaries has to be rethought because Blockchain technology
does not need a third party to provide trust and validate the transaction. We
can draw a parallel with the appearance of the internet in the late 90s and the change
that occurred in many industries and services (TV operators, newspapers, postal
services among many others).

Blockchain brings a new flow of value, not just for money but for any kind of value,
because with this technology value can move faster, more efficiently, freely and cheaply.

One of the deepest impacts is certainly the decentralized governance of Blockchain, the
users control the protocol and this is not imposed by governments or corporations. There
will have to be a large discussion and consensus between nations to regulate the
adoption of the Blockchain technology across the world and this leads to another major
change that is needed: new legal and regulatory laws. There will have to exist regulations
but those regulations will have to be a lot lighter than the current existing ones and that
will be a big challenge, especially for the most conservative societies.


Bitcoin is the first decentralized digital currency that operates through the internet. Some
of the most important facts about bitcoin are:

- Bitcoin transactions are done directly between participants without any
  middleman or third party;
- There are no pre-requisites to the use of bitcoin (except for an internet
  connection);
- It is available worldwide and to everyone;
- The code is completely public and open-source.

To the end user, Bitcoin is nothing more than a mobile or computer application that
provides a digital wallet that allows its owner to receive and send Bitcoins.

Blockchain use is growing because of the advantages of this technology, and a few
businesses are already using it. An example is NASDAQ
(National Association of Securities Dealers Automated Quotations). In the stock quote
market credibility is very important, so it was necessary to find a good
solution to win more confidence in this business. The problem is that the process of
negotiating quotes is very slow and inefficient because it involves many people.

The solution is to create the Linq platform, in partnership with Chain, to make the
sending, classification and registered transfer of quotes easier. This platform uses
Blockchain technology, and the process is going to become efficient and speedy.

Blockchain can also be applied to track features, such as in diamonds. By determining a
stone's origin, frauds, synthetic diamonds or those sourced in war zones can be
detected. As paper certificates can be forged, there was a need for a safer register. So,
in May 2015 Leanne Kemp founded Everledger, a global digital registry for diamonds,
powered by the blockchain. Everledger creates a diamond's ID using more than 40
features, including colour and clarity. [9]

Everledger has digitised more than a million diamonds and partnered with firms including
Barclays. The 20-person company has expanded its focus from polished stones to rough
ones. This way, Everledger can monitor conflict diamonds, such as those mined in war
zones, which frequently sneak into the market in their uncut form. [9]

Kemp, who is in her mid-forties, hopes that in the future, Everledger's core tech - a
system relying on the Bitcoin blockchain and proprietary ledgers - could be aided by
other tools, including computer-vision algorithms. [9]


Blockchain applied in IoT


How often do you ask "Is that safe?" Probably many times, but it is more probable that
you have bought a gadget and this device had software bugs or security breaches.

Every day many bugs are reported in smartphones, computers and other devices with
different operating systems. The Internet of Things simply adds intelligence to devices
so that they can help us daily.

Nevertheless, if you have bought devices whose software has bugs, you may have a
security issue. If you have a smart house and it doesn't have proper security, you will
probably be robbed. One way to minimize this risk is the application of blockchain in IoT.

Telstra is Australia's largest telecommunications and media company, which builds and
operates telecommunications networks and markets voice, mobile, internet access, pay
television and other entertainment products and services. This company is
experimenting with a combination of blockchain and biometric security for its Internet of
Things (IoT) smart home offerings, according to Katherine Robins (Principal Security
Expert of Telstra).

Initially Telstra used Ethereum, which is described as a decentralized platform for
applications that run exactly as programmed without any chance of fraud, censorship or
third-party interference. Afterwards, it used the Apache Hyperledger and Ripple blockchains.
Robins said she questioned whether a solution could be found for devices with a tiny
amount of storage through IoT blockchain.

In terms of the IoT network to be used in the future, Telstra has previously pointed
towards the narrowband (NB-IoT) network. Telstra is also experimenting with using
blockchain for legal interception, environmental sensor monitoring, car safety,
agriculture, network operations, fraud, compliance, audit and e-voting.

The image below shows the operation of blockchain; in IoT it works the same way.
First, someone requests a transaction, for example by sending an order to open a door
in your smart home.

The requested transaction is broadcast to a P2P network consisting of computers,
known as nodes. After that, the network of nodes validates the transaction and the
user's status using known algorithms.

The new block is then added to the existing blockchain, in a way that is permanent and
unalterable. Finally, the transaction is complete and the door is opened.

Fig. 5. How does BlockChain work? [8]


Conclusion
Blockchain will do for transactions what email did for communication. Not only
currency and financial applications will be affected, but all kinds of applications, from
identity proof to smart contracts; the possibilities are limitless.

A look into the future of society with Blockchain lets us preview things like:

- Adoption of Blockchain by central banks will become natural, allowing for safer and
  faster transactions and making money laundering and parallel economies harder;
- Cyber risks will be reduced by being able to prove identity through a visible
  ledger;
- Smart contracts will allow cars to be rented on confirmation of payment and
  insurance information, and products to monitor their state and respective
  guarantee;
- Instant payments to everyone and worldwide;
- Industries will increase performance and be more profitable;
- Elections will be more transparent and the results quicker to obtain.

In the authors' opinion, Blockchain will allow us to build a better society, more equal,
more connected, and to ensure that economic power becomes more balanced. That is, if
we are willing to implement the changes needed and to break from the current state of
things.


Bibliography
[1] https://en.wikipedia.org/wiki/Blockchain

[2] https://blockgeeks.com/guides/what-is-blockchain-technology/

[3] https://www.ethereum.org/

[4] https://www.sans.org/reading-room/whitepapers/threats/detecting-crypto-currency-mining-corporate-environments-35722

[5] https://www2.deloitte.com/nl/nl/pages/innovatie/artikelen/blockchain-technology-9-benefits-and-7-challenges.html

[6] https://en.wikipedia.org/wiki/Distributed_computing

[7] https://www.techopedia.com/definition/27788/distributed-network

[8] https://assets.pcmag.com/media/images/439265-how-blockchains-work.jpg

[9] http://www.wired.co.uk/article/blockchain-conflict-diamonds-everledger

[10] https://venturebeat.com/2017/01/22/blockchains-brilliant-approach-to-cybersecurity/
