University of Hawaii Maui College – Security Issues for Bitcoins, Blockchains and Smart Contracts (CAE Tech Talk, May 16, 2019; 35 slides)

Debasis Bhattacharya, JD, DBA – Asst. Professor, UH Maui College, HI; Mario Canul – Student, UH Maui College, HI; Saxon Knight – Student, UH Maui College, HI. http://maui.hawaii.edu/cybersecurity, [email protected]. University of Hawaii Maui College, May 16, 2019. Supported by NSF ATE Award # 1700562.


Page 1: University of Hawaii Maui College – CAE Tech Talk, May 16, 2019 (maui.hawaii.edu/cybersecurity/wp-content/uploads/sites/13/2019/05/CAE...)

• Debasis Bhattacharya, JD, DBA –Asst. Professor, UH Maui College, HI

• Mario Canul – Student, UH Maui College, HI

• Saxon Knight – Student, UH Maui College, HI

• http://maui.hawaii.edu/cybersecurity

[email protected]

• University of Hawaii Maui College

• May 16, 2019

• Supported by NSF ATE Award # 1700562

Page 2:

Security Issues for Bitcoins, Blockchains and Smart Contracts

5/16/19 CAE Tech Talk – May 16, 2019 2

Bitcoins and blockchains have existed since their introduction in late 2008 by Satoshi Nakamoto. Over the past few years, cryptocurrencies have soared and plummeted in value, while blockchains have become increasingly popular with businesses and global commerce.

As with any emerging, decentralized technology, there are numerous security issues and concerns. This talk provides an overview of Bitcoins, Blockchains and Smart Contracts and explains the security issues of each of these technologies.

Viewers can find more information and lab exercises about this topic on the official CAE website for University of Hawaii Maui College at http://maui.hawaii.edu/cybersecurity

Page 3:

Agenda

• Overview of Technologies
  • Bitcoin
  • Ethereum
  • Blockchain
  • Smart Contracts
• Security Issues and Concerns
• Q&A


Pages 4-7: image-only slides (no text extracted)

Page 8:

Currencies - Online Transactions

• Physical cash
  • Non-traceable (well, mostly!)
  • Secure (mostly)
  • Low inflation
• Fiat Currency – legal tender whose value is backed by a government
  • Note that since 1971, the US$ has no backing with gold!
  • Cryptocurrencies are not fiat currencies!
• Physical currencies can’t be used online directly
  • Electronic credit or debit transactions
    • Bank sees all transactions
    • Merchants can track/profile customers
    • Cryptocurrencies are not associated with any bank or regulatory agency!


Page 9:

Bitcoin

• A distributed, decentralized digital currency system
• Released by Satoshi Nakamoto in 2008
• Effectively a bank run by an ad hoc network
• Digital checks
• A distributed transaction log


Page 10:

Size of the Bitcoin Economy

• Number of Bitcoins in circulation: ~17.68 million (May 6, 2019)
• Total number of Bitcoins generated cannot exceed 21 million.
  • Around 3.3 million left to be mined!
• Average price of a Bitcoin:
  • $7,055 on May 12, 2019
  • $6,396 on May 10, 2019
  • $5,689 on May 6, 2019
  • $4,110 on February 23, 2019
  • $3,729 on Dec 29, 2018
  • $8,522 on May 15, 2018
  • $7,149 on April 8, 2018
  • $18,000 in December 2017
  • $3,867 on September 25, 2017
  • $2,350 on June 27, 2017
  • Price has been very unstable and speculative.
• Currently, 244,157 tx/day or ~170 tx/minute. (In contrast, Visa handles about 200,000 transactions per minute!)


Page 11: (chart slide)

Source: https://www.blockchain.com/charts

Page 12: (chart slide)

Source (May 6, 2019): https://www.blockchain.com/charts

Page 13: (chart slide)

Source (May 12, 2019): https://coinmarketcap.com/

Page 14:

Bitcoin Transactions

(Diagram of a chain of transactions; labels extracted from the figure: Public key 0xa8fc93875a972ea, Signature 0xa87g14632d452cd, Public key 0xc7b2f68...)
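As an added illustration of the chain-of-signatures diagram on this slide (example code written for this transcript, not from the slide deck and not Bitcoin's own code): each owner transfers a coin by signing the hash of the previous transaction together with the next owner's public key, and a payee verifies the whole chain back to its origin. The Tx structure, the P-256 curve, the X||Y key encoding and SHA-256 as the digest are assumptions of this toy model; Bitcoin's real transaction format and script differ.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Tx is a toy transaction in the chain-of-signatures model: the current owner
// signs the hash of the previous transaction plus the next owner's public key.
// (Constructed structure, not Bitcoin's real serialization.)
type Tx struct {
	PrevHash  [32]byte         // hash of the transaction being spent (zero for the first one)
	NextOwner *ecdsa.PublicKey // public key of the recipient
	Signature []byte           // ASN.1 ECDSA signature by the owner named in the previous Tx
}

// pubBytes serializes a P-256 public key as fixed-width X||Y (assumed encoding).
func pubBytes(pub *ecdsa.PublicKey) []byte {
	b := make([]byte, 64)
	pub.X.FillBytes(b[:32])
	pub.Y.FillBytes(b[32:])
	return b
}

// Hash is the transaction identifier and also the message the owner signs.
func (t *Tx) Hash() [32]byte {
	h := sha256.New()
	h.Write(t.PrevHash[:])
	h.Write(pubBytes(t.NextOwner))
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// Transfer spends prev to next; owner must hold the key prev.NextOwner names.
func Transfer(owner *ecdsa.PrivateKey, prev *Tx, next *ecdsa.PublicKey) (*Tx, error) {
	tx := &Tx{PrevHash: prev.Hash(), NextOwner: next}
	digest := tx.Hash()
	sig, err := ecdsa.SignASN1(rand.Reader, owner, digest[:])
	if err != nil {
		return nil, err
	}
	tx.Signature = sig
	return tx, nil
}

// VerifyChain is what a payee (or node) runs: every transaction after the first
// must reference its predecessor by hash and carry a valid signature from the
// owner that predecessor named.
func VerifyChain(chain []*Tx) error {
	for i := 1; i < len(chain); i++ {
		prev, cur := chain[i-1], chain[i]
		if cur.PrevHash != prev.Hash() {
			return fmt.Errorf("tx %d does not reference tx %d", i, i-1)
		}
		digest := cur.Hash()
		if !ecdsa.VerifyASN1(prev.NextOwner, digest[:], cur.Signature) {
			return fmt.Errorf("tx %d: signature is not from the owner named in tx %d", i, i-1)
		}
	}
	return nil
}

// Demo builds coinbase -> alice -> bob -> carol, then has carol try to spend
// bob's coin with her own key. Returns whether the honest chain verified and
// whether the forgery was rejected.
func Demo() (honestOK, forgeryRejected bool, err error) {
	var alice, bob, carol *ecdsa.PrivateKey
	for _, k := range []**ecdsa.PrivateKey{&alice, &bob, &carol} {
		if *k, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
			return
		}
	}
	coinbase := &Tx{NextOwner: &alice.PublicKey} // constructed first owner; no signature needed
	t1, err := Transfer(alice, coinbase, &bob.PublicKey)
	if err != nil {
		return
	}
	t2, err := Transfer(bob, t1, &carol.PublicKey)
	if err != nil {
		return
	}
	honestOK = VerifyChain([]*Tx{coinbase, t1, t2}) == nil

	forged, err := Transfer(carol, t1, &carol.PublicKey) // carol signs, but t1 names bob as owner
	if err != nil {
		return
	}
	forgeryRejected = VerifyChain([]*Tx{coinbase, t1, forged}) != nil
	return
}

func main() {
	ok, rejected, err := Demo()
	fmt.Println("honest chain verified:", ok, "forgery rejected:", rejected, "err:", err)
}
```

The check a payee cares about is the second one in VerifyChain: a transfer is only good if the key that signed it is the key the previous transaction named, which is what makes a coin unspendable by anyone else even though every transaction is public.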


Page 15: image-only slide (no text extracted)

Page 16:

Bitcoin Network

• Each P2P node runs the following algorithm:
  • New transactions are broadcast to all nodes.
  • Each node (miners) collects new transactions into a block.
  • Each node works on finding a proof-of-work for its block. (Hard to do. Probabilistic. The one to finish early will probably win.)
  • When a node finds a proof-of-work, it broadcasts the block to all nodes.
  • Nodes accept the block only if all transactions in it are valid (digital signature checking) and not already spent (check all the transactions).
  • Nodes express their acceptance by working on creating the next block in the chain, using the hash of the accepted block as the previous hash.


Page 17: image-only slide (no text extracted)

Page 18: (chart slide)

Source (May 12, 2019): www.coinbase.com/price/ethereum

Page 19:

Privacy Implications

• No anonymity, only pseudonymity
• All transactions remain on the block chain – indefinitely!
• Retroactive data mining
  • Target used data mining on customer purchases to identify pregnant women and target ads at them (NYT 2012), and ended up informing a woman’s father that his teenage daughter was pregnant
  • Imagine what credit card companies could do with the data


(Diagram reused from SIGCSE 2019 Blockchain Workshop #108, Module 2, slide 12: “Blockchain Process… Decentralization”. Labels: All nodes could be miners; No central nodes; All the nodes are not connected to each other.)

Page 20:

How Blockchain Works

Here are five basic principles underlying the technology.

1. Distributed Database
  • Each party on a blockchain has access to the entire database and its complete history.
  • No single party controls the data or the information. Every party can verify the records of its transaction partners directly, without an intermediary.

2. Peer-to-Peer Transmission
  • Communication occurs directly between peers instead of through a central node.
  • Each node stores and forwards information to all other nodes.


Page 21:

3. Transparency with Pseudonymity
  • Every transaction and its associated value are visible to anyone with access to the system. (public key)
  • Each node, or user, on a blockchain has a unique 30-plus-character alphanumeric address that identifies it. (private key)
  • Users can choose to remain anonymous or provide proof of their identity to others. (signatures) Transactions occur between blockchain addresses.

4. Irreversibility of Records
  • Once a transaction is entered in the database and the accounts are updated, the records cannot be altered, because they’re linked to every transaction record that came before them (hence the term “chain”).
  • Various computational algorithms and approaches are deployed to ensure that the recording on the database is permanent, chronologically ordered, and available to all others on the network.
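The node algorithm on the Bitcoin Network slide (page 16) and principle 4 above describe the same mechanism from two sides: miners search for a proof-of-work, nodes accept a block only if its proof is valid and it links to the previous block's hash, and that linkage is what makes old records irreversible. The following is an added example written for this transcript (not code from the slides or from any Bitcoin implementation) that mines a small chain, validates it with the acceptance rule, then rewrites a transaction in an old block and shows validation fail. The Block layout, the leading-zero-bit difficulty measure and the sample transaction strings are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/bits"
)

// Block is a toy block: link to the previous block, transactions, and the nonce
// found by proof-of-work. (Constructed; real block headers carry more fields.)
type Block struct {
	PrevHash [32]byte
	Txs      []string // constructed placeholder transactions
	Nonce    uint64
}

// Hash commits to everything in the block; changing any transaction changes it.
func (b *Block) Hash() [32]byte {
	h := sha256.New()
	h.Write(b.PrevHash[:])
	for _, tx := range b.Txs {
		h.Write([]byte(tx))
		h.Write([]byte{0}) // separator so field boundaries are unambiguous
	}
	var n [8]byte
	binary.LittleEndian.PutUint64(n[:], b.Nonce)
	h.Write(n[:])
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// leadingZeroBits is the proof-of-work measure: more leading zero bits, more work.
func leadingZeroBits(h [32]byte) int {
	n := 0
	for _, c := range h {
		if c != 0 {
			return n + bits.LeadingZeros8(c)
		}
		n += 8
	}
	return n
}

// Mine is the miner's search: try nonces until the hash meets the difficulty.
// Expected cost is about 2^difficulty hashes; checking the result costs one hash.
func Mine(b *Block, difficulty int) {
	for b.Nonce = 0; leadingZeroBits(b.Hash()) < difficulty; b.Nonce++ {
	}
}

// Validate is the node's acceptance rule: every block's proof-of-work must meet
// the difficulty, and every block must carry the hash of the block before it.
func Validate(chain []*Block, difficulty int) error {
	for i, b := range chain {
		if leadingZeroBits(b.Hash()) < difficulty {
			return fmt.Errorf("block %d: proof-of-work below difficulty", i)
		}
		if i > 0 && b.PrevHash != chain[i-1].Hash() {
			return fmt.Errorf("block %d: previous-hash link broken", i)
		}
	}
	return nil
}

// BuildChain mines one block per transaction list, each on top of the last.
func BuildChain(txsPerBlock [][]string, difficulty int) []*Block {
	var chain []*Block
	var prev [32]byte
	for _, txs := range txsPerBlock {
		b := &Block{PrevHash: prev, Txs: txs}
		Mine(b, difficulty)
		chain = append(chain, b)
		prev = b.Hash()
	}
	return chain
}

// TamperDemo shows irreversibility: rewriting a transaction in an old block
// invalidates that block's proof-of-work and breaks every later block's link.
// Returns the validation error; nil would mean the tampering went unnoticed.
func TamperDemo(difficulty int) error {
	chain := BuildChain([][]string{
		{"coinbase -> alice 50"}, // constructed sample transactions
		{"alice -> bob 10"},
		{"bob -> carol 3"},
	}, difficulty)
	if err := Validate(chain, difficulty); err != nil {
		return fmt.Errorf("fresh chain unexpectedly invalid: %v", err)
	}
	chain[1].Txs[0] = "alice -> bob 40" // rewrite history in block 1
	return Validate(chain, difficulty)
}

func main() {
	fmt.Println("after tampering:", TamperDemo(16))
}
```

To make the altered block acceptable again, an attacker would have to redo its proof-of-work and then the proof-of-work of every block after it, which is the cost the slide's "permanent, chronologically ordered" guarantee rests on.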


Page 22:

5. Computational Logic
  • The digital nature of the ledger means that blockchain transactions can be tied to computational logic and in essence programmed.
  • Users can set up algorithms and rules that automatically trigger transactions between nodes.

• Data Security
  • Keys
  • Signatures
  • Hashing
• Redundancy
• Improved workflow


Page 23: image-only slide (reused from SIGCSE 2019 Blockchain Workshop #108, Module 2, slide 7)

Page 24: image-only slide (no text extracted)

Page 25:

Bitcoin: Challenges

• Creation of a virtual coin/note
  • How is it created in the first place?
  • How do you prevent inflation? (What prevents anyone from creating lots of coins?)
• Validation
  • Is the coin legit? (proof-of-work)
  • How do you prevent a coin from double-spending?
• Buyer and seller protection in online transactions
  • Buyer pays, but the seller doesn’t deliver
  • Seller delivers, buyer pays, but the buyer makes a claim
• Trust in third parties
  • Rely on “proof of work” instead of trust
  • Verifiable by everyone – blockchain is visible to all
  • No central bank or clearing house


Page 26:

Bitcoin Economics

• Rate limiting on the creation of a new block
  • Adapt to the “network’s capacity”
  • A block created every 10 minutes (six blocks every hour)
  • How? Difficulty is adjusted every two weeks to keep the rate fixed as capacity/computing power increases
• N new Bitcoins per new block, credited to the miner → incentives for miners
  • N was 50 initially. In 2013, N = 25.
  • Since 2016, N = 12.5; the next halving is June 2020, for N = 6.25.
  • Halved every 210,000 blocks (every four years)
  • Thus, the total number of Bitcoins will not exceed 21 million. (After that, the miner takes a fee.)
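The subsidy schedule and the retarget rule on this slide are both small enough to compute exactly. The block below is an added example written for this transcript (not from the slides and not Bitcoin Core's code); the constants are the well-known Bitcoin parameters (50 BTC initial subsidy, halving every 210,000 blocks, 2016-block retarget period, 10-minute target spacing), and the difficulty here is modelled as the inverse of the target that the reference client actually adjusts.

```go
package main

import "fmt"

const (
	Satoshi         = 100000000                      // satoshi per bitcoin
	HalvingInterval = 210000                         // blocks between halvings (about four years)
	InitialSubsidy  = 50 * Satoshi                   // N = 50 BTC per block at launch
	RetargetBlocks  = 2016                           // blocks per difficulty adjustment (about two weeks)
	TargetSpacing   = 10 * 60                        // seconds: one block every 10 minutes
	TargetTimespan  = RetargetBlocks * TargetSpacing // seconds a retarget period should take
)

// Subsidy returns N, in satoshi, for a block at the given height: halved every
// 210,000 blocks. After 64 halvings the subsidy is zero (the shift would wrap).
func Subsidy(height uint64) uint64 {
	halvings := height / HalvingInterval
	if halvings >= 64 {
		return 0
	}
	return uint64(InitialSubsidy) >> halvings
}

// TotalSupply adds up every block subsidy that will ever be paid. Integer
// division at each halving is why the total falls just short of 21 million BTC.
func TotalSupply() uint64 {
	var total uint64
	for h := uint64(0); Subsidy(h) > 0; h += HalvingInterval {
		total += Subsidy(h) * HalvingInterval
	}
	return total
}

// NextHalvingHeight is the first block height at which the subsidy halves again.
func NextHalvingHeight(height uint64) uint64 {
	return (height/HalvingInterval + 1) * HalvingInterval
}

// Retarget returns the new difficulty after a 2016-block period, scaled so the
// next period should take TargetTimespan. As in the reference client, the
// measured timespan is clamped so difficulty moves at most 4x per period.
func Retarget(oldDifficulty float64, actualTimespanSec float64) float64 {
	const lo, hi = TargetTimespan / 4.0, TargetTimespan * 4.0
	if actualTimespanSec < lo {
		actualTimespanSec = lo
	}
	if actualTimespanSec > hi {
		actualTimespanSec = hi
	}
	return oldDifficulty * TargetTimespan / actualTimespanSec
}

func main() {
	for _, h := range []uint64{0, 210000, 420000, 630000} {
		fmt.Printf("height %7d: subsidy %.8f BTC\n", h, float64(Subsidy(h))/Satoshi)
	}
	fmt.Printf("total supply: %.8f BTC\n", float64(TotalSupply())/Satoshi)
	fmt.Printf("blocks arrived in half the expected time: difficulty x%.1f\n", Retarget(1, TargetTimespan/2))
}
```

TotalSupply comes out at 2,099,999,997,690,000 satoshi (20,999,999.9769 BTC), which is the precise version of the slide's "will not exceed 21 million".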


Page 27:

Security Issues…

• Authentication → Public Key Crypto: Digital Signatures
  • Am I paying the right person? Not some other impersonator?
• Integrity → Digital Signatures and Cryptographic Hash
  • Is the coin double-spent?
  • Can an attacker reverse or change transactions?
• Availability → Broadcast messages to the P2P network
  • Can I make a transaction anytime I want?
• Confidentiality → Pseudonymity
  • Are my transactions private? Anonymous?


Page 28:

Security Issues…

• 51% Vulnerability
  • Distributed consensus mechanism fails if a single miner has 51% hashing power
  • A 51% attack can reverse transactions and initiate a double-spending attack
  • Disrupt the ordering of transactions into the next block
  • Slow down the confirmation of valid transactions
• Private Keys and Wallets
  • Private keys can be stored in an Exchange, Computer, Phone or External Device
  • Convenience of storing private keys on an Exchange also introduces risks!
  • Private keys can get lost or stolen from personal computers or phone wallets
  • In May 2018, Bitcoin Exchange Binance lost $44 Million from a “hot” wallet
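The defensive side of the 51% point is the question a merchant actually faces: how many confirmations to wait for before treating a payment as final, given how much hash power an attacker might control. The Bitcoin paper (section 11, listed in the references) gives the probability that an attacker with hash share q ever catches up with the honest chain after z confirmations. The block below is an added example for this transcript implementing that calculation (it is not code from the slides or from the paper); the AttackerSuccess and ConfirmationsNeeded names are chosen here.

```go
package main

import (
	"fmt"
	"math"
)

// AttackerSuccess is the probability, from section 11 of the Bitcoin paper,
// that an attacker controlling fraction q of the hash power ever catches up
// with the honest chain once a merchant has seen z confirmations:
//   P = 1 - sum_{k=0}^{z} Poisson(k; lambda) * (1 - (q/p)^(z-k)),  lambda = z*q/p,  p = 1-q
// With q >= 0.5 the attacker always catches up eventually: the 51% case.
func AttackerSuccess(q float64, z int) float64 {
	if q >= 0.5 {
		return 1
	}
	p := 1 - q
	lambda := float64(z) * q / p
	poisson := math.Exp(-lambda) // Poisson term for k = 0
	result := 1.0
	for k := 0; k <= z; k++ {
		if k > 0 {
			poisson *= lambda / float64(k) // advance to the k-th Poisson term
		}
		result -= poisson * (1 - math.Pow(q/p, float64(z-k)))
	}
	return result
}

// ConfirmationsNeeded is the smallest z at which the attacker's success
// probability drops below threshold, or -1 when no depth is enough (q >= 0.5).
func ConfirmationsNeeded(q, threshold float64) int {
	if q >= 0.5 {
		return -1
	}
	for z := 0; z < 100000; z++ {
		if AttackerSuccess(q, z) < threshold {
			return z
		}
	}
	return -1
}

func main() {
	for _, q := range []float64{0.1, 0.3, 0.45, 0.51} {
		fmt.Printf("attacker share q=%.2f: confirmations for < 0.1%% success: %d\n",
			q, ConfirmationsNeeded(q, 0.001))
	}
}
```

The usual "six confirmations" rule corresponds to an assumed attacker share around 10%; the same code shows why the slide's statement is absolute, since once q reaches 0.5 no number of confirmations brings the probability down.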


Page 29:

Security Issues…

• Bitcoin is a favorite choice for criminal activity
  • Ransomware
    • Numerous cases – CTB-Locker (2014), WannaCry (2017) etc.
    • Hackers prefer payments in Bitcoins to an anonymous wallet
    • Many exchanges do not follow Know-Your-Customer rules to withdraw from a wallet!
  • Underground market
    • Favorite currency for illegal markets such as Silk Road
  • Money laundering
    • Not very popular, as Bitcoins are available all over the world and open to the public
    • Cryptocurrencies such as Monero claim to be secure, private and untraceable!
    • Wallets such as Dark Wallet emphasize privacy and stealth payments


Page 30:

Security Issues…

• Smart Contracts have several vulnerabilities
  • The order of transactions is important in a blockchain
    • If two transactions invoke the same smart contract, the order could be impacted
  • Every block has a timestamp
    • If an attacker modifies the timestamp, this will impact the trigger condition in the contract
  • Exception handling with smart contracts may lead to improper execution
  • Reentrancy vulnerability – attackers can change the intermediate state
  • Under-optimized smart contracts
  • Under-priced smart contracts
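The reentrancy item is the one on this list that comes down to a single ordering decision in the contract's code: whether the balance is zeroed before or after the external call that hands control to the recipient. The block below is an added example for this transcript, a Go simulation of that class of bug and of the checks-effects-interactions fix; it is not Solidity or EVM code and not from the slides or from the DAO contract. The Bank, Account and Reentrant names and the deposit amounts are constructed for the simulation.

```go
package main

import "fmt"

// Account is anything that can receive funds and run code on receipt, the
// role a contract's fallback function plays on Ethereum.
type Account interface {
	Receive(bank *Bank, amount uint64)
}

// Bank models a contract that holds balances for its callers.
type Bank struct {
	balances map[string]uint64
	vault    uint64 // funds the contract actually holds
	safe     bool   // true: update the balance before the external call (checks-effects-interactions)
}

func NewBank(safe bool) *Bank {
	return &Bank{balances: map[string]uint64{}, safe: safe}
}

func (b *Bank) Deposit(name string, amount uint64) {
	b.balances[name] += amount
	b.vault += amount
}

// Withdraw pays out the caller's full balance. The external call (Receive)
// can re-enter Withdraw before this invocation has finished.
func (b *Bank) Withdraw(name string, caller Account) {
	amount := b.balances[name] // check
	if amount == 0 || amount > b.vault {
		return
	}
	if b.safe {
		b.balances[name] = 0 // effect first: a re-entrant call now sees a zero balance
	}
	b.vault -= amount
	caller.Receive(b, amount) // interaction: control passes to untrusted code
	if !b.safe {
		b.balances[name] = 0 // effect after the call: too late, the balance was still intact during Receive
	}
}

// Reentrant is an account whose receive hook calls Withdraw again while the
// first Withdraw is still on the stack. The depth bound only keeps the
// simulation finite; the vault check in Withdraw would stop it eventually too.
type Reentrant struct {
	name     string
	received uint64
	depth    int
}

func (r *Reentrant) Receive(bank *Bank, amount uint64) {
	r.received += amount
	if r.depth < 3 {
		r.depth++
		bank.Withdraw(r.name, r)
	}
}

// Simulate: an honest user deposits 90, the re-entrant account deposits 10 and
// withdraws. Returns what the re-entrant account got and what is left in the vault.
func Simulate(safe bool) (drained, vaultLeft uint64) {
	bank := NewBank(safe)
	bank.Deposit("alice", 90)
	bank.Deposit("mallory", 10)
	m := &Reentrant{name: "mallory"}
	bank.Withdraw("mallory", m)
	return m.received, bank.vault
}

func main() {
	d, v := Simulate(false)
	fmt.Printf("effects after call:  attacker received %d, vault left %d\n", d, v)
	d, v = Simulate(true)
	fmt.Printf("effects before call: attacker received %d, vault left %d\n", d, v)
}
```

With the balance update placed after the call, the 10-unit deposit is paid out four times (40) before the first Withdraw ever reaches its balance update; with the update placed first, the nested call finds a zero balance and the account receives exactly its 10. The intermediate state the slide mentions is precisely the window between the external call and the deferred update.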


Page 31:

Security Issues

• Attack Cases
  • Selfish Mining Attack
  • DAO Attack
  • BGP Hijacking Attack
  • Eclipse Attack
  • Liveness Attack
  • Balance Attack


Page 32:

Questions? Comments? Feedback?


• Debasis Bhattacharya, JD, DBA –Asst. Professor, UH Maui College, HI

• Mario Canul – Student, UH Maui College, HI

• Saxon Knight – Student, UH Maui College, HI

• http://maui.hawaii.edu/cybersecurity

[email protected]

Page 33:

References - Cryptocurrencies


• Cryptocurrencies and underlying blockchain technology
  • https://bitcoin.org/bitcoin.pdf – Original paper by Satoshi Nakamoto, 10/28
  • www.bitcoin.org – Original cryptocurrency, over 10 years old!
  • www.ZeroCoin.org – Extend Bitcoin to make it private
  • www.Litecoin.org – Open Source P2P Internet Currency
  • www.Ethereum.org – Created a Virtual Machine for any Token
  • www.Hyperledger.org – Blockchains for Business
  • www.ripple.com – Ripple Cryptocurrency (XRP) – Rising star for global tx
  • www.getmonero.org – Monero Cryptocurrency (XMR) – Popular for security
  • www.coinbase.com – Popular Exchange to buy cryptocurrency
  • www.blockexplorer.com – Bitcoin Block Explorer
  • www.blockchain.info – Great source for all sorts of crypto info

Page 34:

References – Ethereum and Blockchain

• Byzantine Generals Problem – Lamport, Shostak, Pease, 1982
• www.Ethereum.org – Ethereum Project – founded by Vitalik Buterin in 2013
• https://gavwood.com/paper.pdf – Ethereum paper by Gavin Wood
• Ethereum White Paper and Smart Contracts – by Vitalik Buterin in Nov 2013
• XRP Ledger Consensus Protocol – Chase and MacBrough, 2018
• www.hyperledger.org – The Linux Foundation Project – Hyperledger
• https://anders.com/blockchain/ – Blockchain Demo
• https://www.ibm.com/blockchain – IBM Blockchain
• https://aws.amazon.com/blockchain/ – Amazon AWS Blockchain
• https://azure.microsoft.com/en-us/solutions/blockchain/ – MS Azure Blockchain

Page 35:

References – Smart Contracts and Dapps

• Ethereum Overview and Tutorial – Josh Quintal, Truffle, 2017
• Solidity Tutorial to Smart Contracts – Intro to Smart Contracts
• Installing the Solidity Compiler – Using npm/NodeJS, Docker etc.
• Code Examples in Solidity – Voting, Blind Auction, Safe Purchase etc.
• Solidity Style Guide – Solidity v0.5.4
• Ethereum Command Line tools (CLI) – Geth and Eth from Ethereum Network
• Ethereum Greeter Smart Contract – Sample tutorial from Ethereum
• Truffle Suite Download – Download the Truffle Software
• Ganache Suite Download – Download the Ganache Software
• Setting up a Pet Shop Dapp – Truffle Tutorial
• Building React Native Dapps – Truffle Tutorial with Drizzle v1.3+
