COGNIZANT CONSULTING
Helping organizations engage people and uncover insight from data to shape the products, services and experiences they offer
Learn More
  • Working to reshape business models, modernize products and enhance customer experiences to drive growth.
  • Reinventing and managing your most essential business processes with new ways of working.
  • Simplifying, modernizing and securing the IT infrastructure and applications that are the backbone of your business.
COGNIZANT CONSULTING
Helping organizations engage people and uncover insight from data to shape the products, services and experiences they offer
Learn More

Contact Us

THANKS FOR YOUR INTEREST IN COGNIZANT.

We'll be in touch soon!

x CLOSE

Refer back to this favorites tab during today's session for access to your selections.
Refer back to this favorites tab during today's session for access to your selections.x CLOSE

Perspectives

Toward Building Secure Blockchains (Part One of a Two-Part Series)

2018-08-23


Recent blockchain hacks highlight security vulnerabilities that are innate to distributed ledger technology, as well as those that arise from cryptographic limitations and poorly designed and implemented smart contracts. Here’s what organizations should be thinking about as they move forward on their blockchain journeys.

Safe, secure, trusted, transparent … these are the bywords of the next-generation Internet, powered by blockchain thinking and technology. But these are merely relative terms. Any network system conceived by human beings can be cracked by human beings, particularly those who can assemble enough compute power. To this point, several security breaches of blockchain systems have recently come to light: DAO, Bitfinex, Mt. Gox, Pony Botnet, Coincheck and others represent growing list of such cases. A recent study found several vulnerabilities in smart contracts that automate the operation of select business applications on blockchain networks. Not surprisingly, a Greenwich survey finds banking, financial and technology executives wary of security concerns in blockchain (see Figure 1). 

These findings highlight an urgent and vital need to acknowledge and thoroughly comprehend the full spectrum of security vulnerabilities, and start initiating measures to improve security. Part one of this two-part series focuses on different types of vulnerabilities in blockchain networks, smart contracts and cryptography while part two provides an overview of ways in which these vulnerabilities can be addressed through a well-conceived security policy.

Figure 1

Challenges

Blockchain security challenges stem from both within and outside organizations. Those that originate externally are well known and common to most IT environments. And those that emerge from within are either evolutionary or structural. Evolutionary challenges emerge as blockchain matures from infancy to early childhood, much like the early days of Internet commerce. The structural ones are emerging from the defining characteristic elements of blockchain that give it the distinctiveness and strengths comprising its unique selling proposition (USP). In this sense, these elements are double-edged swords and companies that implement blockchain need to diligently master their use of blockchain technology and its accompanying tools.

Common Security Issues

Common security issues arise mainly due to human errors and relate to the safe-keeping of the private key, an identity and security credential in blockchain. The individual computers used to connect to the blockchain suffer from risks that are common to the Internet. Any negligence or human error could be a cause for concern. 

Vulnerability exists when users decrypt the data. Once hackers access the private key of a node they get a freehand to attack its network. Recent attacks show that hot wallets used to store the keys are prone to attacks despite the claims of wallet providers that they safeguard the keys employing cold storage methods. 

The safe-keeping of the key is critical in blockchain since lost or stolen keys mean irrecoverable loss of the corresponding tokenized digital asset itself. Known as non-reputable ownership, this unique element of the blockchain makes itself attractive to cyber criminals. 

Nodes that become intermittently uncommunicative place the network at risk since the network integrity in blockchain systems is dependent on continuous communication. 

Vulnerabilities from Structural Limitations

Blockchains operate on consensus protocols. Due to this mechanism, anyone gaining access to 51% of nodes on a system can get full control and decide the outcomes. When the number of nodes is small, as is the case with early-stage systems, this remains a potential weakness, while this 51% limitation-based attack is a remote possibility in other scenarios except perhaps when quantum computing emerges sometime in the distant future.  

Distributed Nature and its Susceptibilities

Distributed nature is both a boon and bane to blockchains, just as centralized nature is to traditional systems. While traditional systems suffer from “single point of failure” limitation due to centralization, blockchain systems’ distributed nature makes it difficult to notice and prevent break-in attempts since hackers have a vast surface to attack. 

Even reactive measures such as shutting down a malicious program, and consistently and time-effectively patching holes is exceedingly difficult in a distributed environment.

Evolutionary Issues

Decentralized governance is largely an uncharted territory for enterprises and best practices are yet to emerge. Strategic decisions made in such settings can potentially render a blockchain network susceptible to attacks. 

Moreover, organizations are still grappling with blockchain’s technological complexity. Systems built to handle intricate business functions are expected to carry vulnerabilities that pose security threats. In most enterprise settings, security begins with centralized logging and monitoring. This is yet to be matched with a blockchain system equivalent. 

Transaction reversal, a common practice in the event of fraudulent transactions, is difficult to implement in blockchain-based systems. Formats and protocols necessary to ensure interoperability between blockchain networks that use different distributed ledgers is still a work-in-progress given the early stage of blockchain’s evolution.

Design deficiencies, time lags and flawed third-party systems can cause vulnerabilities. Design deficiencies can adversely affect the ability of the blockchain to perform at the required speed. When exchange doesn’t happen at the right speed, the system becomes vulnerable to risks. Time lags in the absence of adequate speed also make blockchain networks susceptible to double spending, a problem whose solution forms the very USP of blockchain. Third-party systems containing flaws may also render a distributed ledger vulnerable even when the blockchain is properly designed and functions well with requisite safeguards as has been the case with NiceHash, a bitcoin mining marketplace that relied on a third-party platform with vulnerability.

Smart Contract Programming Flaws

Programming code defects that go unchecked in smart contracts that run on blockchain make themselves susceptible. Analyses of smarts contracts that delved into the deficiencies in smart contracts programming unearthed several causes such as transaction-ordering dependence, time-stamp dependence, mishandled exceptions and re-entrancy vulnerability, etc. 

Limitations of Cryptography 

Traditional cryptographic security methods face severe limitations when applied to blockchain. Use of non-standard crypto such as the Elliptic Curve Digital Signature Algorithm (ECDSA) that are unsupported by most security encryption hardware can present scaling challenges that are necessary in blockchain settings. Private key seeding in which certain processes are employed to generate multiple private keys from the seed are mostly unsupported by security hardware. Multi-sign scalability is another challenge since the secure hardware can only handle thousands but needs the capacity to handle millions of keys in blockchains. 

As quickly as these loopholes emerge, blockchain innovators are setting their focus on ways and means to effectively address security concerns in this nascent technology. Part two details 12 ingredients that can be used to develop and deploy a holistic security policy to effectively tackle security concerns.

For additional insights, please visit the Security Services, Blockchain Technology & Integration and Blockchain Primary Research sections of our website, or contact us.

Related Thinking

Save this article to your folders


Save

PERSPECTIVES

Blockchain for Power Utilities: Preparing...

Power utilities should take action now to understand how they can...

Save View

Save this article to your folders


Save

PERSPECTIVES

Blockchain for Trade Finance: Trade...

By tokenizing trade assets on blockchain and digitally managing trade...

Save View

Save this article to your folders


Save

PERSPECTIVES

Banking on Blockchain in Asia-Pacific

Financial services organizations in the region see blockchain as a...

Save View
Toward Building Secure Blockchains (Part One of a Two-Part Series)