Hackers can shut down entire networks, tamper with data, lure unwary users into cybertraps, steal and spoof identities, and carry out other devious attacks by leveraging centralized repositories and single points of failure.
The blockchain's alternative approach to storing and sharing information provides a way out of this security mess. The same technology that has enabled secure transactions with cryptocurrencies such as Bitcoin and Ethereum could now serve as a tool to prevent cyberattacks and security incidents.
Blockchains can increase security on three fronts: blocking identity theft, preventing data tampering, and stopping Denial of Service attacks.
Public Key Infrastructure (PKI) is a popular form of public key cryptography that secures emails, messaging apps, websites, and other forms of communication. However because most implementations of PKI rely on centralized, trusted third party Certificate Authorities (CA) to issue, revoke, and store key pairs for every participant, hackers can compromise them to spoof user identities and crack encrypted communications.
For instance, controversy recently broke over the key renegotiation process of WhatsApp, which could possibly be exploited to push false keys and perform man-in-the-middle attacks on one of the most popular and secure messaging apps in the world. Publishing keys on a blockchain instead would eliminate the risk of false key propagation and remove the shadow of doubt about the authenticity of users' conversation parties.
CertCoin is one of the first implementations of blockchain-based PKI. The project, developed at MIT, removes central authorities altogether and uses the blockchain as a distributed ledger of domains and their associated public keys. CertCoin provides a public and auditable PKI that also doesn't have a single point of failure.
More recently, tech research company Pomcor published a blueprint for a blockchain-based PKI that doesn't remove central authorities but uses blockchains to store hashes of issued and revoked certificates. This approach gives users a means to verify the authenticity of certificates with a decentralized and transparent source. It also has the side benefit of optimizing network access by performing key and signature verification on local copies of the blockchain.
Another interesting study of identification based on distributed ledgers is the IOTA, a project that applies Tangle (a blockless type of distributed ledger that is lightweight and scalable) to provide the backbone for millions of IoT devices to interact and identify each other in a peer-to-peer manner and without the need for a third-party authority.
“By referencing hashes that match identity attributes of an individual tied to the ledger one can start to reconstruct the entire identity management system. The fact that you can tie these attributes of person to a tamper-proof hash makes it impossible for someone to forge your identity,” says IOTA cofounder David Sønstebø.
We sign documents and files with private keys so that recipients and users can verify the source of the data they're handling. And then we go to great lengths to prove that those keys haven't been tampered with, which is difficult when the key is meant to be secret in the first place.
The blockchain alternative to document signing replaces secrets with transparency, distributing evidence across many blockchain nodes and making it practically impossible to manipulate data without being caught. How do you prove that the San Antonio Spurs were the champions of the 2014 NBA Playoffs? You don't need to because it's general knowledge. The same applies to data on a blockchain distributed ledger.