top blockchain security challenges you should think about
TRANSCRIPT
© 2016 IBM Corporation
Blockchain Security, Integration and Use Cases
Luke [email protected] @luke11234
V1.0 18 Nov 16
Blockchain Refresher
Problem - Difficult to monitor asset ownership and transfers in a trusted business network
[Diagram: Party A, Party B, Party C, counter-party, bank and auditor records, each held in a separate ledger. Labels: API-integrations; Incident.]
Inefficient, expensive, vulnerable
Solution – shared, replicated, permissioned ledger
[Diagram: Party A, Party B, Party C, counter-party, bank and auditor records, each party holding a copy of the shared ledger.]
Consensus, provenance, immutability, finality
Participants have multiple shared ledgers
NOTE: Participants same as before
Blockchain for business …
• Shared ledger: Append-only distributed system of record shared across business network
• Smart contract: Business terms embedded in transaction database & executed with transactions
• Privacy: Ensuring appropriate visibility; transactions are secure, authenticated & verifiable
• Consensus: All parties agree to network verified transaction
… saves time, lowers cost, reduces risk and increases trust
Blockchain benefits
• Saves time: Transaction time from days to near instantaneous
• Removes cost: Overheads and cost intermediaries
• Reduces risk: Tampering, fraud & cyber crime
Blockchain for Business – IBM Point of View
Blockchain for Business – Our Point of View
Community + Code: Linux Hyperledger Project
• Open Source Code: Blockchain for business; Consensus | Provenance | Immutability | Finality
• Open Governance – 100 member cross industry board
Cloud: IBM Blockchain
• Blockchain managed service on IBM Cloud and z Systems; Identity | Consensus | System Integration | Hardware-assist for Performance & Security
• IBM Blockchain on Bluemix
Clients: Blockchain Solutions, Blockchain Garage
• Making Blockchain real for business
• Blockchain Garage; New York | London | Singapore | Tokyo
• Blockchain Services Practice
Blockchain NOW
Supporting serious blockchain deployment!
Hyperledger fabric on Docker Hub
• Fastest development of blockchain solutions
• Certified Hyperledger fabric instances
• Supported by IBM – available cross platform
High security business blockchain on Bluemix
• Dedicated compute power – isolated partition
• Secure key management (FIPS 140-2 Level 4)
• Tamper resistant service container
• Performance optimized (Operating System & Privacy Services)
Bluemix blockchain service
• Fast blockchain network on Bluemix – also now China
• Samples for deployment, customization & usage
• Tool support for development and deployment
Blockchain Engagement Model
Engagement model overview
Let’s Talk (remote or face to face; free of charge)
1. Discuss Blockchain technology
2. Explore customer business model
3. Show Blockchain Application demo
Blockchain Hands-on (remote or face to face; free of charge)
1. Understand Blockchain concepts & elements
2. Hands on with Blockchain on Bluemix
3. Standard demo customization
First Project (face to face; for fee)
1. Design Thinking workshop to define business challenge
2. Agile iterations incrementally build project functionality
3. Enterprise integration
Scale (face to face; for fee)
1. Scale up pilot or Scale out to new projects
2. Business Process Re-engineering
3. Systems Integration
What are Bluemix Blockchain garages?
1. Unique combination of Bluemix Garage Practice with Blockchain community to drive market shift to Cloud Blockchain applications
2. Both Blockchain & Bluemix have stand-alone offerings that will continue to be leveraged and sold in “IBM Garages”; combined garages will offer a “best of both” approach
3. Combined strengths will offer a “best of both” approach for unique GTM positioning and client value
4. Locations currently in London, Singapore, Tokyo and New York
Garage Methodology | IBM Design Thinking | Blockchain Approach
Educate Yourself!
• Everything is available through the web:
- http://hyperledger.org
- https://github.com/hyperledger
- http://ibm.com/blockchain
IBM Offerings
IBM Blockchain Offerings (all running Hyperledger fabric)
Support for Hyperledger Fabric (Docker, self managed)
• Generally Available: https://hub.docker.com/r/ibmblockchain/fabric/
• Any Docker environment
• IBM offers technical support for x86, Power and System z
IBM Blockchain Starter for Developers (IBM managed on IBM cloud)
• Public Beta: provision now on IBM Bluemix!
• Start writing chaincode in seconds
• Integrated dashboard, logs and tools
• Community samples, tutorials, and quickstarts
IBM Blockchain for High Security Business Networks (IBM managed on IBM cloud)
• Generally Available
• Available on IBM Bluemix!
• High performance and reserved capacity
• Best in Industry security, isolation and spec support
• Proven Audit environment for compliance and forensics
IBM Blockchain on Bluemix
Starter Plan: Four peer starter network with Developer dashboard, tools and samples
IBM Beta
Key Capabilities:
• Starter Network: Four connected peers and a CA for a complete permissioned blockchain network with PBFT
• Tools and Samples: Deploy, customize and utilize samples. Integrated tools for invoking fabric APIs and managing your deployment
• Developer Dashboard: Dashboard for developer control of network activities, logs and monitoring
• Fabric Version Management: Easily manage the lifecycle of the network and stay current on Hyperledger fabric version updates
IBM Blockchain on Bluemix
High Security Business Network Plan: Business network running on dedicated high security compute
Key Capabilities:
• Dedicated Compute: Four connected peers and a CA in an isolated partition on dedicated compute
• SecureKey and HSM: On board HSM with tamper resistant cards providing up to FIPS 140-2 Level 4 security
• Secure Service Container: Protection from horizontal and vertical tampering with all code running in a secure virtual appliance
• Performance Optimized: Crypto acceleration, high speed network all running on the world's fastest Linux system
Blockchain acceleration and security on z & LinuxONE
[Diagram: App 1, App 2, App 3 … on top of an API Layer, over Consensus Algorithm, Cryptographic Protocols, Smart Contracts and Shared Replicated Ledger.]
• In Memory (10TB)
• Hashing
• Integrate Existing Business Processes: CICS, IMS, TPF, DB2, VSAM
• Elliptic Curve Digital Signatures
• Optimized network between blockchain nodes – up to 7X more throughput, 82% faster response time
• Global Security Compliance: Enterprise PKCS11, FIPS 140-2
• Secure Service Containers
• Crypto Accelerators
Protects against misuse of privileged user credentials, leakage of information from one party's environment to another, with keys secured in HSM
Security Principles of Blockchain
Security Principles
• Cryptographic / PKI infrastructure: Evaluating cryptographic standards/sovereignty and management of PKI infrastructure to appropriate standards
• Privacy: Transaction privacy, membership services, contract confidentiality, permissioning
• Identity: Credentials and authentication, onboarding process, end point and Blockchain node security
• Consensus: Verification, resiliency
• Integration: Continuity of transaction, event creation, transformation between databases, 3rd party access
• Internal controls, Assurance and regulatory compliance: Protection of the data being held / passed across the blockchain meets with the appropriate regulatory standards
• Blockchain resiliency: Penetration testing / Blockchain resilience to attack and typologies / methodologies required and pen testing
Permissioned Ledger Access (Today)
Blockchain at work…
[Diagram: Blockchain User A and Blockchain User B, each using an application, a Membership Certificate Authority (CA), and a Consensus Network running the smart contract (SC). Labels:]
• Requests certificates: 1x Ecert, Nx Tcert (stored in wallet)
• Uses Ecert: smart contract deployed on every validating peer (signed with Ekey of origin, encrypted with validators’ key)
• Blockchain User B shares Tcert public key (TkeyB)
• Uses Tcert: invokes SC txn (signed with TkeyA, encrypted with TkeyA, TkeyB…)
• Accesses ledger: uses TkeyB
Enrollment certificates (Ecerts) and Transaction certificates (Tcerts) can only be linked by CA and user
Cryptography
Cryptographic Service Providers (CSP)
Currently Supported Algorithms *1:
– Hash: SHA2, SHA3
– Encryption, HMAC: AES
– Signatures: ECDSA
– Consensus: PBFT
[Diagram: the Membership service (ECA, TCA), the Validating Peer and the Client SDK each contain a CSP. Labels: Get ECert / Issue ECert; Get Tcert(s) / Issue Tcert(s); Sign Transaction; Verify Transaction.]
*1 Hyperledger crypto standards
Alternative Approach: Identity Mixer
Proving identity claims
- but does not send a full certificate
- only proof of TCert possession:
  - fresh
  - unlinkable
Cyber Security for Blockchain?
How blockchains could change the fraud landscape
Integration with Existing Systems
Integrating with Existing Systems
[Diagram: Blockchain network (smart contract), Transform, Existing systems.]
1. Call out to existing systems to enrich smart contract logic
2. Call into Blockchain network from existing systems
3. Blockchain events
4. System events
Use Cases
Key Industry Use-Cases for Blockchain
Financial Government Healthcare Insurance Manufacturing Retail & CP
Letter-of-Credit Land Registry Medical records Claims processing Supply chain
Cross currency payments Vehicle Registry Medicine supply chain IoT integration for policy monitoring Product parts
Mortgages (and Contracts) Citizen ID Provenance tracking
Collateral Management Education Certification Digital Property Management
Post trade settlement Voting Real Estate Cars
Trade Agreements, Contract
Cross Industry
Shared reference data
Internal financial ledger
Audit and compliance enablement
Regulatory view
Improved efficiencies
IoT Cars, Robots, Drones
IBM & Hyperledger – Selected References
• HSBC, Bank of America, IDA: Trade Finance - Letter of Credit
• ABN AMRO: Financial Restructuring & Recovery
• Crédit Mutuel Arkéa: Consortium Shared Ledger
• Japan Exchange Group (JPX): Post Trade
• Mizuho: Digital Currency
• IBM Global Finance: Shadow Chain for Dispute Resolution
• Everledger: Diamond provenance
• Bank of Tokyo – Mitsubishi UFJ: Business Partner Contracts
• CLS: Bilateral netting service
• UBS: Digital trade finance
Consensus use case – Shared routing codes
What
• Competitors/collaborators in a business network need to share reference data, e.g. bank routing codes
• Each member maintains their own codes, and forwards changes to a central authority for collection and distribution
• An information subset can be owned by organizations
How
• Each participant maintains their own codes within a Blockchain network
• Blockchain creates single view of entire dataset
Benefits
1. Consolidated, consistent dataset reduces errors
2. Near-real-time of reference data
3. Naturally supports code editing and routing code transfers between participants
Immutability use case – Financial ledger
What
• Financial data in a large organization dispersed throughout many divisions and geographies
• Audit and Compliance needs indelible record of all key transactions over reporting period
How
• Blockchain collects transaction records from diverse set of financial systems
• Append-only and tamperproof qualities create high confidence financial audit trail
• Privacy features to ensure authorized user access
Benefits
1. Lowers cost of audit and regulatory compliance
2. Provides “seek and find” access to auditors and regulators
3. Changes nature of compliance from passive to active
Finality use case – Letter of credit
What
• Bank handling letters of credit (LOC) wants to offer them to a wider range of clients including startups
• Currently constrained by costs & the time to execute
How
• Blockchain provides common ledger for letters of credit
• Allows all counter-parties to have the same validated record of transaction and fulfillment
Benefits
1. Increase speed of execution (less than 1 day)
2. Vastly reduced cost
3. Reduced risk, e.g. currency fluctuations
4. Value added services, e.g. incremental payment
[Diagram: Company A (buyer/applicant, Republic of A) and Company B (seller/beneficiary, B-land) have a sales contract. Buyer applies for LC; buyer’s bank (A Plus Bank) issues LC and sends to seller’s bank (Bank B); seller’s bank authenticates LC and credits Company B.]
Q&A