Blockchain do not add additional security — Blockchain adds distributed trust
If your use case is primarily about additional security Blockchain technology is not the answer.
In many blockchain discussions, I have joined it is the perception that Blockchain is more secure than a traditional centralized solution. This is not the case! Blockchain does not add any security level that you cannot get at minimum the same level and at lower cost and better performance by using traditional centrally trusted intermediary on conventional technologies.
If your use case is primarily about additional security Blockchain technology is not the answer.
If your use case is a requirement for availability and integrity of critical data, or programs and trust throughout an ecosystem where parties are unknown or untrusted, and you don’t want a costly central trusted intermediary, then Blockchain is your right choice, but that is only because of the distributed nature of Blockchain not because of additional security levels compared to a centralized solution. And you don’t get anything for free, basing your solution on Blockchain is more costly and gives poorer performance.
Notice the third critical area of information security — confidentiality is not included, all though it is a perception by many that Blockchain adds confidentiality and privacy then this is not the case, and in many cases, it is just the opposite
If you are not familiar with how Blockchain works I will refer you to the many sources on the Internet, here I will focus on comparing security in Blockchain with security in a central solution using conventional technologies.
High availability but not higher
As every node in the Blockchain maintains it’s own copy of the shared ledger and the underlying consensus algorithm ensures that all nodes are always in sync, then any compliant node can fail, join or leave the Blockchain peer-to-peer network, without impacting the availability of the distributed system and data structure.
Any nodes can be corrupted, colluded or compromised without impacting the trustworthiness as long as the dishonest nodes represent less than half of the computational resources of the network. With Bitcoin in operations since 2009 and other “old” Blockchain platforms with thousands of nodes like Ethereum also operating continuously for several years, it is well documented that the established platforms have high availability.
For new platforms with only a few nodes that will be different as there is a risk that malicious entities can control the sufficient amount of nodes and gain the ability to modify the ledger. Notice that this may also be the case of what we today see as well-established networks, because maybe even Bitcoin and Ethereum may be losing their attractiveness and be abandoned by their nodes and thereby face increased vulnerability.
For private Blockchains the availability can be guaranteed by the entity managing the peer-to-peer network but will also be dependent on the number of nodes, getting the critical amount of nodes is one of the significant challenges of private network.
A well designed and governed distributed datacenter will give conventional centralized solutions the same level of availability as a Blockchain solution.
Integrity — Blockchain’s tamper resistance is not unique
On the Blockchain each block is signed, hashed and sequentially connected, thereby ensuring integrity and immutability. However, if data was signed, hashed and connected the same way on a central trusted provider, you will receive the same level of integrity and immutability. Even a database administrator having direct access to such central data would not be able to unnoticed tamper with these data. So, the famous tamper resistance of Blockchain can also be achieved using the same mechanism on a traditional central data storage.
Also notice that it is questionable if you want the complete immutability without the ability for e.g., rollback in case of software failure in smart contracts, the software needs to be bug-free from the start. And you may also face challenges with immutability on “right to be forgotten” legislation like GDPR.
The shortfalls of immutability have to be handled by the business logic in the application layer
You can also rest assured that like any other technologies Blockchain platforms will have exploitable software vulnerabilities both in the implemented Blockchain technology as well as in the underlying operating system like Microsoft Windows. As with any new technology Blockchain platforms also have to be exposed for hacker attacks for several years, before you can call it secure. And with the constant developing of new features on, e.g., Ethereum comes the risk that new security gaps are introduced.
Blockchains trusted sequencing of each new block that is added is a crucial value of Blockchain as it removes the need for intercompany reconciliations, everybody has the same trusted view of the truth, and it allows for distributed nodes as it prevents fraudulent transactions by malicious nodes. An important design feature in blockchain is the tolerance against faults in one or more nodes in the network; transactions are completed and recorded by the aggregation of nodes. This is a significant enabler of distributed trust, but if you compare it to a central trusted computer system, you do not need that because there is no malicious node in a centrally trusted solution.
Privacy — Conventional central technology is superior
Privacy on public Blockchains is about no one knowing your identity by covering everyone behind their hashed public key, but the sequence and content of events stored on the Blockchain often reveal too much information and should be protected from untrusted viewers. For example, an untrusted viewer can use analytics to gain knowledge of the characteristic of the transactions that have happened and the likely future transactions.
In permission Blockchains where untrusted nodes cannot join, the transaction parties’ identity is known at least to each other, but the transaction details can be encrypted. Permission Blockchains allow fine-grained control over each element in a transaction, enabling detailed specification of each party’s access rights. However, in several use cases, the shared ledger requirement collides with the confidentiality requirement.
Examples are where it is relevant for several parties further down the value chain to know about transactions happened earlier, and these transactions do at the same time have to be kept confidential from actors not part of the value chain. These parties do not know each other and do they not know precisely who will be producing and consuming each event, e.g., the trucker handling a shipping container. To keep the shared version of the truth together with confidentiality, it will be necessary to implement a very sophisticated concept for distribution of encryption keys.
It is worth noting that with a central trusted solution there is only one point of attack for hackers to try to get access to the data, but in a permission Blockchain there is several points of attacks, one for each node, wherefore data is only protected as good as the weakest link in the chain
In Blockchain, it is just the owner of data that can update the values and the owner of a smart contract that can execute it. The identity of users is done via public-private key’s and is as such not protected or governed by the consensus algorithm. Like with central solutions the security of cryptographic solutions is only as secure as the way the private key is protected. So, all the traditional methods to steal private keys (malware, phishing, social engineering, etc.) is just as good on Blockchain based solutions as it is on a central system
Summary — Focus is distributed trust, not security.
Blockchain does not add any security levels that cannot be implemented just as well in a conventional central trusted solution. But blockchain allows integrity, availability, and trust to be moved to a distributed peer-to-peer network, thereby enabling use cases that require secure distributed mutual trust in an eco-system. You will be able to place critical data or programs on the Blockchain resting assured that the security mechanism is as sufficient as with a centrally trusted middleman.
Blockchain provides the same protection at slower performance and higher cost than a conventional centralized solution. Blockchain enables distributed trust, that will change business models in every industry, but you have to be confident that your use case really needs availability, integrity and mutual trust among entities that do not know each other, but that need to share critical data and functionality among each other without the need of a trusted third party.
It is also important to understand that Blockchain is an underlying core technology of a solution but will not be the solution itself. Integration into business processes and systems will require a traditional application and infrastructure security considerations and good coding practices, just like on a central solution.
About the author
Henrik Hvid Jensen has a Master in Computer Science, and a Bachelor in International Economics
He is the innovator and designer of Maersk/IBM Blockchain initiative to digitalize global trade.
He is currently advising Blockshipping on their ICO as well as the design of their platform for building a blockchain based central container registry and a container handling service framework based on software agents running autonomously on the blockchain.
Previously he designed the platform for one of the globally most promising public digitalization effort the process of registration rights to properties in Denmark.
All three platforms are based on the visions and digital trends described in his book, that he has also taught at Copenhagen University and IT-University as external associate professor.