Slides from my 2018 talk at the RSA Asia Pacific Conference in Singapore. First a basic overview of Blockchain for the audience, and then a complete discussion of how the security of blockchain is really about the security of the whole stack, with the chain itself being the last thing you focus on.
6. #RSAC
Bitcoin
Simple Operations to transact
Ethereum = “Turing Complete”
Can solve ANY problem given enough
time and resources
Bitcoin vs Ethereum (Turing Completeness)
Used with Permission: https://xkcd.com/505/
7. #RSAC
Why do people use/want crypto currencies?
Eliminate the need for a central bank, third party
Want to be anonymous / pseudo-anonymous
Trade it like it is a stock using exchanges like a stock market
A way to transfer wealth / grow wealth / speculation
Raise funds for a project – ICO
Faster global payment mechanism with no currency conversion
8. #RSAC
Reasons why people want to use Blockchain
Removes the need to trust a third party
Removes the need to WAIT for a third party
Peer Pressure
Safe from single source attacks, safe from data modification
Strongly encrypted, mathematically sound
Scientifically immutable
(Proof of Work, Proof of Stake)
10. #RSAC
Why talk about this at a security conference
This is “real money” and needs to be protected as such
Many projects put speed to market ahead of security & testing
Limited controls that “are well known to banks”
Suffer from first adopter problems
Rarely talk to the security experts
12. #RSAC
Blockchain “layers”
End User Facing “Interface”
Smart Contracts / Keys / API Logic
Blockchain [ Ethereum, NEO, Cardano ]
Blockchain projects almost always have a public/private chain, contracts/logic, and applications facing API/Users
13. #RSAC
The Chain
● Chain Code
● Math Libraries
● Node Workers
- Usually -
Safe from single source attacks (but … 51% attack)
Safe from data modification
Strongly encrypted
Mathematically sound (Quantum safe?)
Scientifically immutable
(Proof of Work, Proof of Stake)
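To make the chain-layer claims above concrete (safe from data modification, immutable through Proof of Work, but only as far as the 51% caveat), here is a small added example, not code from the talk: a toy hash-linked chain with a proof-of-work target, a verifier that catches an edited record, and a count of how many blocks an attacker would have to re-mine to hide that edit. Block fields, difficulty and the sample records are all constructed for illustration.

```python
import hashlib
import json

DIFFICULTY = 3  # leading hex zeros required; tiny so the example mines quickly


def block_hash(block):
    # Hash the canonical JSON of every field except the stored hash itself.
    payload = {k: block[k] for k in ("index", "prev_hash", "data", "nonce")}
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


def mine_block(index, prev_hash, data):
    # Proof of work: search for a nonce whose hash meets the difficulty target.
    block = {"index": index, "prev_hash": prev_hash, "data": data, "nonce": 0}
    while True:
        h = block_hash(block)
        if h.startswith("0" * DIFFICULTY):
            block["hash"] = h
            return block
        block["nonce"] += 1


def build_chain(records):
    # Genesis block has no predecessor; every later block commits to the previous hash.
    chain = [mine_block(0, "0" * 64, "genesis")]
    for i, rec in enumerate(records, start=1):
        chain.append(mine_block(i, chain[-1]["hash"], rec))
    return chain


def verify_chain(chain):
    """Return the index of the first invalid block, or -1 if the chain is sound."""
    for i, block in enumerate(chain):
        if block["hash"] != block_hash(block):
            return i  # contents no longer match the stored hash
        if not block["hash"].startswith("0" * DIFFICULTY):
            return i  # proof of work missing or forged
        if i > 0 and block["prev_hash"] != chain[i - 1]["hash"]:
            return i  # link to the previous block is broken
    return -1


def tamper(chain, index, new_data):
    # Simulate someone editing a stored record in place without re-mining.
    forged = [dict(b) for b in chain]
    forged[index]["data"] = new_data
    return forged


def rework_cost(chain, index):
    # Blocks that must be re-mined to make an edit at `index` look valid: the edited
    # block and everything after it. This is why a majority of hash power (the 51%
    # caveat on the slide) is needed to rewrite history, not just a single node.
    return len(chain) - index
```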
15. #RSAC
The Applications
• Written by Humans
• Have API’s
• Likely “new” languages
• Are used by Humans
(input validation, timeouts)
• May be on the internet
17. #RSAC
The “Blockchain Security” 20
1. Identify the entire scope of your Hardware/Cloud
2. Identify the entire scope of your Software footprint
3. Configure everything with security in mind
4. Scan for vulnerabilities & fix them
5. Application Security, especially smart contracts
6. Malware Protection
7. Create a secure network configuration
8. Control administrative privileges
9. Pen Test & Red Team, especially smart contracts
10. Lock down your mobile app
11. Create effective boundary defenses
12. Create a data recovery plan & transaction control
13. Conduct security training
14. Log, Log, Monitor, Analyze, Study
15. Practice “Least Privilege” Access
16. Control and monitor all accounts, no sharing!
17. Be ready to respond to incidents
18. Control your data (encryption, protection)
19. Code Securely and learn from the world
20. Advise end users how to safely interact with you
18. #RSAC
What Now ?
Pull this information together with the rest of the day to fill in your knowledge gaps
YouTube videos, online education through Udemy, and others are great training mechanisms to get good at the basics
Look up the recent attacks and do your own research into the areas of crypto / blockchain / currencies you are most concerned about