Allan Zhang: Challenges to Decentralized Blockchain Security
With nearly 20 years of experience in data/information security, Allan Zhang has noticed that the industry has evolved from decentralization to centralization. However, the emerging blockchain technology brings the industry back to decentralization again.
Centralization and decentralization are two ends of a spectrum, and the industry trend swings from one to the other. Blockchain, as a growing field, is putting new demands on the industry.
Centralized — Decentralized — Centralized
Changes came to the information security industry around 2008.
“The earliest security detection was based on a remote device detecting the vulnerability of the system. Later on, more and more applications are migrating from local enterprises to the cloud, which is what we usually refer to as ‘SaaS,’” says Allan Zhang, founder of DxChain, a Silicon Valley startup that aims to transform computing and storage with blockchain.
SaaS, or Software-as-a-service, is a software licensing and delivery model in which software is licensed on a subscription basis and is centrally hosted. SaaS applications are hosted in the cloud. It is also referred to as “on-demand software” because unlike traditional software installation, it provides products or services as users require.
This posed new challenges for security protection. Under the previous practice of placing security protection on the terminal or the company’s internal network, users need to traverse the VPN back and forth, which creates great obstacles. The better approach is to move the protection boundary from local enterprises to the cloud. Think of it as a shift from building a “wall” around the enterprise to building a “wall” around the cloud.
“The boundaries of protection have changed, from security on a single terminal to firewalls around the cloud,” Allan explains.
In 2004, Zhang joined nCircle Network Security, a company that specializes in vulnerability detection and provides security solutions for enterprises and governments. It was acquired by Tripwire in 2013.
Then, in 2008, Allan saw firewalls as a new trend in the security industry. “At the time we were planning a new generation of firewalls, which would completely overturn the previous device-based security protection model. It was not based on IP and port numbers, but was built around applications,” Zhang says.
Betting his future on firewalls, Zhang left nCircle and was hired by Palo Alto Networks as one of its first security engineers. The company went public in 2012, with a market value of more than $20 billion.
Zhang later left the company and turned down a few offers from other security companies, such as network security company FireEye and cloud security company Zscaler networks. He founded his own company, Trustlook, which aims to deliver next-generation mobile-based cybersecurity products.
In 2012, the dearth of high-quality mobile security protection was leaving Android more exposed to attack. A veteran in corporate security, Zhang realized that the weakness of Android security protection also affected enterprises’ security systems. “The terminals in enterprise security services are fixed at most times, but mobile devices are shuttling through various networks and are very vulnerable to attack. If the attacked terminal returns to the enterprise network, it will bring a more significant ‘safety hazard,’” Zhang says. So he set his sights on the terminal side.
His idea was to enable more advanced security protection features in each mobile device, including protection against being maliciously monitored and maliciously photographed. Over the next few years, Trustlook products were built into every Huawei mobile phone and Qualcomm chips. It also provides security services for OPPO phones and Amazon stores.
This trend toward decentralization took a new turn once blockchain appeared: completely open-source code and publicly visible on-chain data pose new challenges to security and privacy.
New challenge: More open and more vulnerable
Zhang believes the development of security lies in “data protection.” Where data goes, security protection follows. As blockchain introduces unprecedented decentralization, security protection will once again move toward a distributed model.
Today, the amount of data in blockchains is pretty small. Blockchain is still immature in providing data security compared with traditional transaction processes. “The current blockchain mainly stores ledger data; Bitcoin has 200G, and Ethernet has 700G. It is not an order of magnitude compared with the traditional Internet,” Zhang says.
Blockchain security mainly involves two areas: private key and smart contract security, and data security. No security area in human history has been monetizable the way blockchain security is.
In the case of Bitcoin, for example, a master private key generates many wallet addresses through a protocol. If someone steals the user’s master private key, they can access all of that user’s assets on the Bitcoin chain. Therefore, the protection of the master private key becomes critical.
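The following added example (not code from the article or from DxChain) shows why the master key is a single point of failure, assuming the "protocol" referred to is BIP32 hierarchical deterministic derivation. The function names and the sample seed are constructed for illustration; only hardened private-key derivation is shown.

```python
import hashlib
import hmac

# Order of the secp256k1 group; BIP32 private keys are integers modulo N.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000  # indexes at or above this value are "hardened"

def master_from_seed(seed: bytes):
    """BIP32 master key generation: returns (private key, chain code)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(digest[:32], "big"), digest[32:]

def derive_hardened(key: int, chain: bytes, index: int):
    """BIP32 hardened child derivation from a parent private key."""
    data = b"\x00" + key.to_bytes(32, "big") + (HARDENED + index).to_bytes(4, "big")
    digest = hmac.new(chain, data, hashlib.sha512).digest()
    child = (int.from_bytes(digest[:32], "big") + key) % N
    return child, digest[32:]

def wallet_keys(seed: bytes, count: int):
    """Private keys m/0', m/1', ... that back `count` separate addresses."""
    master, chain = master_from_seed(seed)
    return [derive_hardened(master, chain, i)[0] for i in range(count)]

if __name__ == "__main__":
    seed = bytes(range(16))  # constructed sample seed, not a real wallet
    for i, k in enumerate(wallet_keys(seed, 3)):
        print(f"m/{i}' -> {k:064x}")
```

Every child key is a pure function of the master key and chain code, so backing up or protecting the seed protects the whole wallet, and losing it to a third party exposes every address derived from it.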
“At present, our security protection of private keys is pretty good. For example, there are many software and hardware wallets to ensure the security of the key, but the reality is that only some users with strong security awareness will put their tokens in their hardware right after buying them. Most users still keep their tokens directly in the exchange wallet, which is likely to be attacked,” Allan said. Therefore, the security of keys is also a significant problem and challenge facing many exchanges.
The use of smart contracts pioneered by Ethereum brought a variety of functions to the world as well as various risks.
In Ethereum, the code is visible to anyone. From the perspective of the open source community, open-source code can be used to improve programs and fix bugs. From a different view, however, it also raises the risk of attack. In the meantime, the programming language is flexible. Each programmer writes code differently, which makes vulnerabilities hard to avoid. In the traditional Internet world, this kind of program vulnerability is likely to cause the program to crash, but in the blockchain world, it directly leads to the loss of assets. A game by Fomo3D has recently led to more than 10,000 Ethereum being stolen, or under 3 million US dollars.
Zhang is more concerned with the future challenge of blockchain security when data goes on the chain. That means blockchain will have the same amount of data as the traditional Internet.
He believes what he envisions will become a reality someday. “The actual industrial application has not appeared yet, but I believe that it is impossible to remain like that. The combination of blockchain and industrial scenarios is the future. Blockchain will spawn a new ecosystem just like the Internet.”
This requires a combination of blockchain and big data, which is the reason why DxChain was founded.
“All the data put on the blockchain is publicly available. There is no privacy at all,” Zhang says. “This is the next challenge we should be looking into.”
Security and privacy lay the foundation for data on-chain
DxChain is a distributed storage and computing network that aims to provide adequate privacy protection for valuable data transactions. Zhang believes that putting data on the blockchain will have a significant impact, but it is impossible without the development of blockchain storage and computing.
Zhang describes the data transaction model designed by DxChain: “Personal data goes on the chain, and under decentralized storage, no center can control it. Individuals are the real owners of data. Anyone who wants to use data has to pay data providers with tokens through smart contracts.”
Currently, user data is stored in a centralized data center, which is a black box. “Users are neither able to know what encryption algorithms these data centers use, nor know that they are not encrypted. In theory, they need to inform users when they exchange users’ data with any third party, but we have no access to know if they exchange or not,” Zhang says. “This traditional model is unfair.”
It is known that IT giants like Facebook generate huge revenues because they have user data. For example, a year ago, the famous American genetic data startup 23andMe sold the genetic data of 3,000 patients for 60 million US dollars. On average, a single patient’s data costs 20,000 US dollars, but no user has benefited from that.
Zhang has an ambitious plan: He aims to use one chain to enable decentralized data storage, break massive data monopoly control, give data ownership back to users, and transform the tech industry.
For individuals and society, putting data on-chain can have a positive impact. For example, the personal data held by breast cancer patients, and the data on the therapeutic effect of one or several drugs on them, will be critical to cancer treatment drugs, driving the advancement of medical research institutes ten to twenty years ahead of schedule. In the DxChain-designed model, these institutes pay a certain amount of tokens to get the data from patients.
In the decentralized storage, computing and transaction model Zhang has described, data security and privacy protection are particularly important. As a platform, DxChain has a distinctive design.
DxChain first encrypts the data to ensure security. The encryption runs in the forward direction, and no one can reverse it to decrypt the data unless they have the key. In this case, users can put their data on the chain instead of keeping it on their hard drive. In other words, as long as users can ensure that their key is safe, they can upload as much data, such as medical data, as they want and remain the only owner of that data.
Unlike traditional AWS file storage, which does not encrypt files, DxChain encrypts user data first when it is uploaded. From this perspective, the privacy protection is stronger.
Next is backup. Decentralized data storage is more secure than traditional centralized data storage, such as AWS.
After encrypting the files, DxChain divides the data into several pieces with duplication and redundancy built in. For example, if the data is split into 30 pieces, any ten of them contain everything in the original file. That is to say, as long as 10 of them still exist, the original data is guaranteed not to be lost.
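As an added illustration (not DxChain's implementation, which the article does not describe), the 10-of-30 property above can be obtained with a Reed-Solomon style erasure code. This sketch assumes polynomial interpolation over GF(257); the function names and the sample input, which stands in for an already-encrypted file, are constructed.

```python
import random

P = 257  # prime just above 255: every byte value is an element of GF(257)

def basis(xs, x):
    """Lagrange basis values L_j(x) for the sample positions xs, mod P."""
    out = []
    for j, xj in enumerate(xs):
        num = den = 1
        for m, xm in enumerate(xs):
            if m != j:
                num = num * (x - xm) % P
                den = den * (xj - xm) % P
        out.append(num * pow(den, -1, P) % P)
    return out

def encode(data: bytes, k: int, n: int) -> dict:
    """Return {share_index: [symbols]}; shares 0..k-1 hold the data itself."""
    padded = data + bytes(-len(data) % k)  # zero-pad to a multiple of k
    blocks = [padded[i:i + k] for i in range(0, len(padded), k)]
    rows = [basis(range(k), x) for x in range(n)]
    return {x: [sum(w * b for w, b in zip(rows[x], blk)) % P for blk in blocks]
            for x in range(n)}

def decode(shares: dict, k: int, length: int) -> bytes:
    """Rebuild the original bytes from any k surviving shares."""
    if len(shares) < k:
        raise ValueError("fewer than k shares survive: data is unrecoverable")
    xs = sorted(shares)[:k]
    rows = [basis(xs, i) for i in range(k)]  # interpolate back to x = 0..k-1
    out = bytearray()
    for b in range(len(shares[xs[0]])):
        ys = [shares[x][b] for x in xs]
        out.extend(sum(w * y for w, y in zip(row, ys)) % P for row in rows)
    return bytes(out[:length])

if __name__ == "__main__":
    ciphertext = bytes(range(200, 256)) * 3  # constructed stand-in for an encrypted file
    shares = encode(ciphertext, k=10, n=30)
    kept = random.sample(sorted(shares), 10)  # 20 of the 30 hosts disappear
    survivors = {x: shares[x] for x in kept}
    print(decode(survivors, 10, len(ciphertext)) == ciphertext)
```

Each share is one tenth of the file, so 30 shares cost roughly three times the original size, while tolerating the loss of any 20 of them.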
There are a variety of solutions for secure file replication. Filecoin, a startup that also provides a blockchain storage solution, divides files into small pieces, duplicates them, and then distributes them randomly across mining machines.
DxChain sees both encryption and replication as critical components of the chain’s storage functionality. In the meantime, DxChain believes that computing, not just storage, plays a crucial role in enabling valuable data transactions.
For the privacy issue, the blockchain industry currently adopts several methods, such as Homomorphic Encryption and Multi-Party Computation, both of which protect privacy through computational encryption. Also ubiquitous is SGX, which encrypts in hardware. In DxChain’s view, homomorphic encryption and multi-party computation are theoretically not good enough and might cause more problems during the implementation process, while SGX has an unusually high requirement for hardware.
DxChain’s privacy protection is based on the recognition that people are willing to trade some data, even if it is very private. Their concern is privacy: no one should be able to infer their personal identity, affect their purchase of health insurance, or interfere with their life and social activities.
DxChain uses a more practical solution in privacy protection, “desensitization,” which protects vital data related to privacy by masking the user’s name, home address, and personal identity.
“It sounds straightforward but that is not the case. Desensitization has a higher requirement for the computation of the chain,” Zhang says. With DxChain’s support for compute capability, the company can perform fine-grained data operations and organize data into a structured repository so that it can find and encrypt the essential information.
DxChain’s computing chain is also responsible for running parallel computing. When users upload data to the DxChain platform, DxChain can directly return valuable results.
From the perspective of privacy protection, DxChain provides valuable results rather than raw data. As such, DxChain can prevent confidential data from being exchanged again and ensure its privacy.
Data security and privacy are the foundation of putting data on the chain, as well as the premise and base for building the value Internet and a new blockchain ecosystem that is truly valuable to society.
DxChain is prepared for security and privacy protection when building a new value Internet platform.
About DxChain: A Decentralized Big Data and Machine Learning Network Powered by a Computing-Centric Blockchain.