On Blockchain Security: Is Blockchain As Secure As We Thought?

No matter how secure blockchains may seem, they’re not hacker-proof. Nothing is.

Junis Alico
Published in The Dark Side, Nov 9, 2019

It’s difficult to write anything about blockchain these days. You always run the risk of making predictions that, in a few years, could turn out to be completely wrong. So, in this article, I won’t make predictions, nor will I provide opinions on the future of blockchain technology. Instead, it’s meant as a discussion of some of the underlying security issues that, just like any other technology, blockchain faces.

Photo source: https://www.flickr.com/photos/160246067@N08/45822595404/

Before delving into why blockchain is not as secure as some may think, I want to first outline some of the concepts and mechanisms that the technology is based on.

Security Through Obscurity Vs. Cryptography

When securing anything, especially information, there are two methods that are usually followed — security through obscurity and/or cryptography.

The concept of security through obscurity is what people are most familiar with in their day-to-day lives. It involves hiding the information from everyone except the people who need to know it. One example is hiding a plain-text password file in a remote folder on your computer, where it would be very difficult for someone else to find if s/he gained access to your machine. The security through obscurity methodology is not used as often anymore. The reason is simple: secrets always have a way of being discovered.

Cryptography, on the other hand, is the concept of making the location of the information public but encrypting the data so that only the ones with the decryption key would have access.

One of the first use cases of cryptography dates back to the ancient Romans, who sent military messages using words where the letters had been shifted by n. For example, if n was three, then the word “hello” would have been written as “khoor”. Thus, important messages were coded and sent via messengers who did not know the value of n. If a messenger were to be captured, the captors would find the message but would not know how to decode it. Today, this may seem like an easy code to crack, but in ancient times, this methodology was the height of cryptography. Today’s cryptographic functions are much more complex, utilizing some clever methodologies resulting in almost unbreakable codes.

Blockchain uses one of the many ways of encrypting information, namely the hashing function (described in the “Hashing” section below). Encrypted blocks of information are recorded in the blockchain, and only those with the right key are able to access individual blocks within the chain.

Randomness

Randomness is a very important aspect of any cryptography function, including hashing. Encryption functions rely heavily on random data generation. The randomly generated data, or seed, is not dependent on any one person, but is rather machine-created. This makes it harder for the encryption to be cracked, as you’d have to know the random seed to decrypt the hash.

Randomly generated data from a computer works in favor of blockchain. Random strings are appended to the block’s data to make it even more secure before the block is added to the public ledger. On the surface, this looks great. It doesn’t seem like there are any weaknesses in using random string generators, which greatly decreases the chance of a blockchain hack.

However, since the random data are being generated by a computer, there’s one problem — they are not truly random. Machines have no concept of randomness the way humans do. Instead, computers use formulas to generate pieces of “random” data. They follow a formula that produces an even distribution of random strings so that, to us, they appear to be random values. In fact, the randomness is just an illusion. No matter how good the formula is, the values that it produces can never be truly random. Mathematical functions can only produce calculated values.

This fact doesn’t bode well for blockchain. The randomness weakness is a well-known issue within the hacking community and has already been exploited by multiple attacks.
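The formula-driven "randomness" described above, next to the operating system's random source, as an added example that is not part of the original article. The function names and the timestamp seed are hypothetical, chosen only for illustration.

```python
import random
import secrets

def prng_token(seed: int, nbytes: int = 16) -> str:
    """Token from Python's Mersenne Twister: a pure function of the seed."""
    rng = random.Random(seed)
    return rng.getrandbits(nbytes * 8).to_bytes(nbytes, "big").hex()

def recover_seed(token: str, first_seed: int, last_seed: int):
    """Replay every seed in a window and return the one that reproduces token."""
    for seed in range(first_seed, last_seed + 1):
        if prng_token(seed) == token:
            return seed
    return None

def csprng_token(nbytes: int = 16) -> str:
    """Token from the OS random source; there is no small seed to replay."""
    return secrets.token_bytes(nbytes).hex()

if __name__ == "__main__":
    issued_at = 1573257600  # constructed sample: a Unix timestamp used as seed
    token = prng_token(issued_at)
    # Same seed, same output: the value was calculated, not random.
    print("repeatable:", token == prng_token(issued_at))
    # Knowing only the rough time of issue is enough to find the seed again.
    print("seed found:", recover_seed(token, issued_at - 600, issued_at + 600))
    # The hardened form: draw key material from the OS instead.
    print("csprng    :", csprng_token())
```

The check to take away for code review: anything that becomes a key, nonce or salt should come from `secrets` or `os.urandom`, never from a generator seeded with a guessable value.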

Is there a way to generate true randomness? Can we generate a random value on natural events instead of a mathematical formula? I would venture to guess that nothing is truly random, even in nature. Everything, even the seemingly random collisions of subatomic particles, can be predicted given the right starting points and forces (but this is for physicists and philosophers to ponder).

Hashing

I won’t go into detail on how hashing works. For those not familiar with hash functions, follow the link to this Wiki page. It does a pretty good job of giving an overview.

Hashing is heavily used by blockchain to encrypt blocks before adding them to the public ledger. The sequence of events a block has to go through before being added to the chain is the following:

  1. The new block data is encrypted using a hash function.
  2. Random data (string) is added to the encryption from step 1.
  3. The combined data from step 2 is then hashed once more.
  4. The hash from step 3 is compared to a difficulty level. If it’s not good enough, change the random string in step 2 and repeat.
  5. Once the final hash passes all checks, including difficulty level, the block is added to the chain and public ledger.
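The five steps above as a small Python sketch, added here as an example and not taken from any real blockchain's code. It assumes SHA-256 as the hash function, uses an incrementing counter in place of the random string, and expresses the difficulty level as a number of leading zero bits.

```python
import hashlib

def mine_block(block_data: bytes, difficulty_bits: int, max_tries: int = 1_000_000):
    """Search for a value that makes the block hash fall below the target."""
    target = 1 << (256 - difficulty_bits)             # smaller target = harder
    data_hash = hashlib.sha256(block_data).digest()   # step 1: hash the data
    for nonce in range(max_tries):
        candidate = data_hash + nonce.to_bytes(8, "big")   # step 2: append value
        block_hash = hashlib.sha256(candidate).digest()    # step 3: hash again
        if int.from_bytes(block_hash, "big") < target:     # step 4: difficulty
            return nonce, block_hash.hex()                 # step 5: accept
    raise RuntimeError("no suitable value found within max_tries")

def verify_block(block_data: bytes, nonce: int, block_hash_hex: str,
                 difficulty_bits: int) -> bool:
    """Any node can re-check the work with two hash calls."""
    data_hash = hashlib.sha256(block_data).digest()
    recomputed = hashlib.sha256(data_hash + nonce.to_bytes(8, "big")).digest()
    below_target = int.from_bytes(recomputed, "big") < (1 << (256 - difficulty_bits))
    return recomputed.hex() == block_hash_hex and below_target

if __name__ == "__main__":
    data = b"alice pays bob 5"   # constructed sample block contents
    nonce, block_hash = mine_block(data, difficulty_bits=12)
    print(nonce, block_hash)
    print("valid   :", verify_block(data, nonce, block_hash, 12))
    # Changing the data invalidates the stored hash, so the work must be redone.
    print("tampered:", verify_block(b"alice pays bob 500", nonce, block_hash, 12))
```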

Although pretty secure, there are two issues with hashing in general — collisions and brute-force attacks.

Collisions occur because hash functions are designed to always produce a fixed-length output. A 256-bit hash function always produces an output of length 256. So, for any piece of information going through this cryptographic function, the end result will always be 256 characters long. Whether you hash the word “hello” or the entire text of an encyclopedia, the two hash values will be different, but both will be 256 characters long.

Collisions in a hash function are, therefore, two or more strings that map to the same 256-bit hash value. Although the number of permutations of a 256-bit string (or any other finite-length string) is very large, there is still a finite number of hash values that strings can be mapped to. Meanwhile, the number of possible texts is infinite: you can always add another “a” at the end of a string to make it different from all others, ad infinitum. Thus, every string going through a hash function has an infinite number of collisions with other strings. This means that there is no need to know the original string. You’d just have to find one of an infinite number of strings that has the same hash output as the original to crack the encryption or introduce a security flaw.

Brute-force attacks for hashes are common, especially when shorter strings are concerned. If you have the encrypted hash value of an n-length string, you can find the decrypted version easily if you have a pre-populated dictionary of all values up to n-characters-long. Alternatively, you can start calculating every string of length 1 to n and compare the output to the encrypted value. If it matches, you know the value of the original string. With a powerful enough machine running for long periods of time, you can pre-populate dictionaries with a large value of n.
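To put numbers on the collision and brute-force arguments above, here is an added example (not from the original article) that finds a collision in SHA-256 truncated to a few bits and exhaustively searches short lowercase strings. The function names, the truncation and the sample strings are assumptions made for the demonstration.

```python
import hashlib
from itertools import product
from string import ascii_lowercase

def short_hash(data: bytes, bits: int) -> int:
    """SHA-256 cut down to its top `bits` bits (a deliberately tiny hash)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)

def find_collision(bits: int):
    """Hash counter strings until two of them share a truncated hash."""
    seen = {}
    counter = 0
    while True:
        msg = b"msg-%d" % counter
        h = short_hash(msg, bits)
        if h in seen:
            return seen[h], msg, counter + 1   # two inputs, number of tries
        seen[h] = msg
        counter += 1

def brute_force(target_hex: str, max_len: int):
    """Try every lowercase string of length 1..max_len against a full digest."""
    for length in range(1, max_len + 1):
        for letters in product(ascii_lowercase, repeat=length):
            guess = "".join(letters)
            if hashlib.sha256(guess.encode()).hexdigest() == target_hex:
                return guess
    return None

if __name__ == "__main__":
    # Fixed-length output: a SHA-256 digest is 32 bytes, printed as 64 hex digits.
    print(len(hashlib.sha256(b"hello").hexdigest()))
    for bits in (16, 20, 24):
        a, b, tries = find_collision(bits)
        print(f"{bits}-bit hash: {a!r} and {b!r} collide after {tries} tries")
    digest = hashlib.sha256(b"key").hexdigest()   # constructed 3-letter input
    print("recovered:", brute_force(digest, max_len=3))
```

The tries grow roughly as 2^(bits/2), so the same search against the full 256-bit output needs on the order of 2^128 hashes. The brute-force search grows as 26^n, which is why the length and randomness of the hashed value matter more than the hash function itself.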

An article from the MIT Technology Review, “Once Hailed as Unhackable, Blockchains are Now Getting Hacked”, outlines examples of how blockchains have already been hacked. And so, I agree that security will most likely be a growing concern in blockchain adoption as the technology becomes more accessible to everyday people, meaning those outside of the few pioneering companies that are already heavily involved with blockchain. The more blockchain gets used in different business lines, the more people will try to find weaknesses and abuse it.

No matter how secure blockchains may seem, they’re not hacker-proof. Nothing is. This is simply because some of the concepts that the technology is based and built on are not as secure as most would think. As outlined in the sections above, both hashing and random string generators have their weaknesses.

The lack of true randomness in random string generators along with collisions and brute-force attacks in hashing functions might seem far-fetched at the moment, but as processing power increases, AI crawls, quantum computing leaps forward, and machine costs go down, it’s not inconceivable to hack a blockchain, given enough resources.

Just like any other technology out there based on cryptography, the more popular it becomes, the more security vulnerabilities will be discovered.

If you want to know more about security vulnerabilities and how quantum computing will affect current systems, I recommend the following report from the U.S. National Academies of Sciences, Engineering, and Medicine — Quantum Computing Progress and Prospects (2019).

Thank you for reading.
