Top Blockchain Security Challenges You Should Think About

Blockchain Security, Integration and Use Cases. Luke Sully (@luke11234). V1.0, 18 Nov 16. © 2016 IBM Corporation

Upload: ibm-security

Post on 08-Jan-2017

TRANSCRIPT

Page 1: Top Blockchain Security Challenges You Should Think About

Blockchain Security, Integration and Use Cases

Luke Sully, @luke11234

V1.0, 18 Nov 16

Page 2: Top Blockchain Security Challenges You Should Think About

Blockchain Refresher

Page 3: Top Blockchain Security Challenges You Should Think About

Problem - Difficult to monitor asset ownership and transfers in a trusted business network

Diagram labels: six separate ledgers (Party A's records, Party B's records, Party C's records, counter-party records, bank records, auditor records); API integrations; Incident

Inefficient, expensive, vulnerable

Page 4: Top Blockchain Security Challenges You Should Think About

Solution – shared, replicated, permissioned ledger

Diagram labels: six ledgers (Party A's records, Party B's records, Party C's records, counter-party records, bank records, auditor records)

Consensus, provenance, immutability, finality

Participants have multiple shared ledgers

NOTE: Participants same as before

Page 5: Top Blockchain Security Challenges You Should Think About

Blockchain for business …

• Shared ledger: Append-only distributed system of record shared across business network
• Smart contract: Business terms embedded in transaction database & executed with transactions
• Consensus: All parties agree to network verified transaction
• Privacy: Ensuring appropriate visibility; transactions are secure, authenticated & verifiable

… Saves time, lowers cost, reduces risk and increases trust

Page 6: Top Blockchain Security Challenges You Should Think About

Blockchain benefits

• Saves time: Transaction time from days to near instantaneous
• Removes cost: Overheads and cost intermediaries
• Reduces risk: Tampering, fraud & cyber crime

Page 7: Top Blockchain Security Challenges You Should Think About

Blockchain for Business: IBM Point of View

Page 8: Top Blockchain Security Challenges You Should Think About

Blockchain for Business – Our Point of View

Community + Code: Linux Hyperledger Project
• Open Source Code: Blockchain for business
• Consensus | Provenance | Immutability | Finality
• Open Governance – 100 member cross industry board

Cloud: IBM Blockchain
• Blockchain managed service on IBM Cloud and z Systems
• Identity | Consensus | System Integration | Hardware-assist for Performance & Security
• IBM Blockchain on Bluemix

Clients: Blockchain Solutions, Blockchain Garage
• Making Blockchain real for business
• Blockchain Garage: New York | London | Singapore | Tokyo
• Blockchain Services Practice

Page 9: Top Blockchain Security Challenges You Should Think About

Blockchain for Business – Our Point of View

Page 10: Top Blockchain Security Challenges You Should Think About

Blockchain NOW

Supporting serious blockchain deployment!

Hyperledger fabric on Docker Hub
• Fastest development of blockchain solutions
• Certified Hyperledger fabric instances
• Supported by IBM – available cross platform

High security business blockchain on Bluemix
• Dedicated compute power – isolated partition
• Secure key management (FIPS 140-2 Level 4)
• Tamper resistant service container
• Performance optimized (Operating System & Privacy Services)

Bluemix blockchain service
• Fast blockchain network on Bluemix – also now China
• Samples for deployment, customization & usage
• Tool support for development and deployment

Page 11: Top Blockchain Security Challenges You Should Think About

Blockchain Engagement Model

Page 12: Top Blockchain Security Challenges You Should Think About

Engagement model overview

Let’s Talk (remote or face to face; free of charge)
1. Discuss Blockchain technology
2. Explore customer business model
3. Show Blockchain Application demo

Blockchain Hands-on (remote or face to face; free of charge)
1. Understand Blockchain concepts & elements
2. Hands on with Blockchain on Bluemix
3. Standard demo customization

First Project (face to face; for fee)
1. Design Thinking workshop to define business challenge
2. Agile iterations incrementally build project functionality
3. Enterprise integration

Scale (face to face; for fee)
1. Scale up pilot or Scale out to new projects
2. Business Process Re-engineering
3. Systems Integration

Page 13: Top Blockchain Security Challenges You Should Think About

What are Bluemix Blockchain garages?

1. Unique combination of Bluemix Garage Practice with Blockchain community to drive market shift to Cloud Blockchain applications

2. Both Blockchain & Bluemix have stand-alone offerings that will continue to be leveraged and sold in “IBM Garages”; combined garages will offer “best of both” approach

3. Combined strengths will offer “best of both” approach for unique GTM positioning and client value

4. Locations currently in London, Singapore, Tokyo and New York

Garage Methodology | IBM Design Thinking | Blockchain Approach

Page 14: Top Blockchain Security Challenges You Should Think About

Educate Yourself!

• Everything is available through the web:
- http://hyperledger.org
- https://github.com/hyperledger
- http://ibm.com/blockchain

Page 15: Top Blockchain Security Challenges You Should Think About

IBM Offerings

Page 16: Top Blockchain Security Challenges You Should Think About

IBM Blockchain Offerings (all running Hyperledger fabric)

Self managed:
• Docker / Hyperledger fabric: Support for Hyperledger Fabric. Generally Available (GA). https://hub.docker.com/r/ibmblockchain/fabric/ Any Docker environment.

IBM managed on IBM cloud:
• IBM Blockchain Starter for Developers: Public Beta, provision now on IBM Bluemix!
• IBM Blockchain for High Security Business Networks: Generally Available (GA). Available on IBM Bluemix!

Starter:
• Start writing chaincode in seconds
• Integrated dashboard, logs and tools
• Community samples, tutorials, and quickstarts

High Security Business Network:
• High performance and reserved capacity
• Best in Industry security, isolation and spec support
• Proven Audit environment for compliance and forensics

IBM offers technical support for x86, Power and System z

Page 17: Top Blockchain Security Challenges You Should Think About

IBM Blockchain on Bluemix (IBM Beta)

Starter Plan: Four peer starter network with Developer dashboard, tools and samples

Key Capabilities:
• Starter Network: Four connected peers and a CA for a complete permissioned blockchain network with PBFT
• Tools and Samples: Deploy, customize and utilize samples. Integrated tools for invoking fabric APIs and managing your deployment
• Developer Dashboard: Dashboard for developer control of network activities, logs and monitoring
• Fabric Version Management: Easily manage the lifecycle of the network and stay current on Hyperledger fabric version updates

Page 18: Top Blockchain Security Challenges You Should Think About

IBM Blockchain on Bluemix

High Security Business Network Plan: Business network running on dedicated high security compute

Key Capabilities:
• Dedicated Compute: Four connected peers and a CA in an isolated partition on dedicated compute
• Secure Key and HSM: On board HSM with tamper resistant cards providing up to FIPS 140-2 Level 4 security
• Secure Service Container: Protection from horizontal and vertical tampering with all code running in a secure virtual appliance
• Performance Optimized: Crypto acceleration, high speed network all running on the world's fastest Linux system

Page 19: Top Blockchain Security Challenges You Should Think About

Blockchain acceleration and security on z & LinuxONE

Diagram labels (stack): App 1, App 2, App 3 … | API Layer | Smart Contracts | Consensus Algorithm | Cryptographic Protocols | Shared Replicated Ledger

• In Memory (10TB)
• Hashing
• Integrate Existing Business Processes: CICS, IMS, TPF, DB2, VSAM
• Elliptic Curve Digital Signatures
• Global Security Compliance: Enterprise PKCS11, FIPS 140-2
• Secure Service Containers
• Crypto Accelerators

Optimized network between blockchain nodes – up to 7X more throughput, 82% faster response time

Protects against misuse of privileged user credentials, leakage of information from one party's environment to another, with keys secured in HSM

Page 20: Top Blockchain Security Challenges You Should Think About

Security Principles of Blockchain

Page 21: Top Blockchain Security Challenges You Should Think About

Security Principles

• Cryptographic / PKI infrastructure: Evaluating cryptographic standards/sovereignty and management of PKI infrastructure to appropriate standards

• Privacy: Transaction privacy, membership services, contract confidentiality, permissioning

• Identity: Credentials and authentication, onboarding process, end point and Blockchain node security

• Consensus: Verification, resiliency

• Integration: Continuity of transaction, event creation, transformation between databases, 3rd party access

• Internal controls, assurance and regulatory compliance: Protection of the data being held / passed across the blockchain meets the appropriate regulatory standards

• Blockchain resiliency: Penetration testing / Blockchain resilience to attack and typologies / methodologies required and pen testing

Page 22: Top Blockchain Security Challenges You Should Think About

Permissioned Ledger Access (Today)

Page 23: Top Blockchain Security Challenges You Should Think About

Blockchain at work…

Diagram labels:
• Membership: Certificate Authority (CA)
• Blockchain User A (user, application): requests certificates, 1 x Ecert, N x Tcert (stored in wallet); uses Ecert; TkeyA
• Tcert invokes SC txn (signed with TkeyA, encrypted with TkeyA, TkeyB…)
• Smart contract (sc): deployed on every validating peer (signed with Ekey of origin, encrypted with validators’ key)
• Consensus Network
• Blockchain User B (user, application): shares Tcert public key (TkeyB); uses TkeyB; accesses ledger

Enrollment certificates (Ecerts) and Transaction certificates (Tcerts) can only be linked by CA and user

Page 24: Top Blockchain Security Challenges You Should Think About

Cryptography

Page 25: Top Blockchain Security Challenges You Should Think About

Cryptographic Service Providers (CSP)

Currently Supported Algorithms *1:

– Hash: SHA2, SHA3
– Encryption, HMAC: AES
– Signatures: ECDSA
– Consensus: PBFT

Diagram labels: Membership service (ECA, TCA), Validating Peer, Client SDK; CSP (shown four times); Issue ECert, Get ECert, Issue Tcert(s), Get Tcert(s), Sign Transaction, Verify Transaction

*1 Hyperledger crypto standards

Page 26: Top Blockchain Security Challenges You Should Think About

Alternative Approach: Identity Mixer

Proving identity claims
- but does not send a full certificate
- only proof of TCert possession:
  - fresh
  - unlinkable

Page 27: Top Blockchain Security Challenges You Should Think About

Cyber Security for Blockchain?

Page 28: Top Blockchain Security Challenges You Should Think About

How blockchains could change the fraud landscape

Page 29: Top Blockchain Security Challenges You Should Think About

Integration with Existing Systems

Page 30: Top Blockchain Security Challenges You Should Think About

Integrating with Existing Systems

Diagram labels: Blockchain network, Smart contract, Transform, Existing systems

1. Call out to existing systems to enrich smart contract logic
2. Call into Blockchain network from existing systems
3. Blockchain events
4. System events

Page 31: Top Blockchain Security Challenges You Should Think About

Use Cases

Page 32: Top Blockchain Security Challenges You Should Think About

Key Industry Use-Cases for Blockchain

Industries: Financial | Government | Healthcare | Insurance | Manufacturing | Retail & CP

Use cases listed (in slide order):
• Letter-of-Credit; Land Registry; Medical records; Claims processing; Supply chain
• Cross currency payments; Vehicle Registry; Medicine supply chain; IoT integration for policy monitoring; Product parts
• Mortgages (and Contracts); Citizen ID; Provenance tracking
• Collateral Management; Education Certification; Digital Property Management
• Post trade settlement; Voting; Real Estate; Cars
• Trade Agreements, Contract

Cross Industry:
• Shared reference data
• Internal financial ledger
• Audit and compliance enablement
• Regulatory view
• Improved efficiencies

IoT: Cars, Robots, Drones

Page 33: Top Blockchain Security Challenges You Should Think About

IBM & Hyperledger – Selected References

• HSBC, Bank of America, IDA: Trade Finance - Letter of Credit
• ABN AMRO: Financial Restructuring & Recovery
• Crédit Mutuel Arkéa: Consortium Shared Ledger
• Japan Exchange Group (JPX): Post Trade
• Mizuho: Digital Currency
• IBM Global Finance: Shadow Chain for Dispute Resolution
• Everledger: Diamond provenance
• Bank of Tokyo – Mitsubishi UFJ: Business Partner Contracts
• CLS: Bilateral netting service
• UBS: Digital trade finance

Page 34: Top Blockchain Security Challenges You Should Think About

Consensus use case – Shared routing codes

What
• Competitors/collaborators in a business network need to share reference data, e.g. bank routing codes
• Each member maintains their own codes, and forwards changes to a central authority for collection and distribution
• An information subset can be owned by organizations

How
• Each participant maintains their own codes within a Blockchain network
• Blockchain creates single view of entire dataset

Benefits
1. Consolidated, consistent dataset reduces errors
2. Near-real-time of reference data
3. Naturally supports code editing and routing code transfers between participants

Page 35: Top Blockchain Security Challenges You Should Think About

Immutability use case – Financial ledger

What
• Financial data in a large organization dispersed throughout many divisions and geographies
• Audit and Compliance needs indelible record of all key transactions over reporting period

How
• Blockchain collects transaction records from diverse set of financial systems
• Append-only and tamperproof qualities create high confidence financial audit trail
• Privacy features to ensure authorized user access

Benefits
1. Lowers cost of audit and regulatory compliance
2. Provides “seek and find” access to auditors and regulators
3. Changes nature of compliance from passive to active

Page 36: Top Blockchain Security Challenges You Should Think About

Finality use case – Letter of credit

What
• Bank handling letters of credit (LOC) wants to offer them to a wider range of clients including startups
• Currently constrained by costs & the time to execute

How
• Blockchain provides common ledger for letters of credit
• Allows all counter-parties to have the same validated record of transaction and fulfillment

Benefits
1. Increase speed of execution (less than 1 day)
2. Vastly reduced cost
3. Reduced risk, e.g. currency fluctuations
4. Value added services, e.g. incremental payment

Diagram labels: Republic of A; B-land; A Plus Bank; Bank B; Company A: Buyer/applicant; Company B: Seller/beneficiary; Sales contract; Letter of credit

Steps shown: Buyer applies for LC; Buyer’s bank issues LC and sends to seller’s bank; Seller’s bank authenticates LC and credits Company B

Page 37: Top Blockchain Security Challenges You Should Think About

Q&A