Consensus algorithms, the computer protocols that ensure decentralized systems like Bitcoin agree on data values, despite the fact that there are no central authorities, are probably the single most critical component that makes blockchain technology viable.
These algorithms are what blockchain advocates point to when highlighting the security, transparency and efficiency advantages of decentralization. And as the world adopts them more widely, some of our greatest cybersecurity challenges may fade into the past.
The Problems With 1Password and LastPass
Applications like LastPass and 1Password are the preferred platforms for consumer privacy. But there is one paradox that makes them arguably inferior to decentralized systems that leverage consensus algorithms: They still require a “master password” to obtain access.
According to “Have I Been Pwned,” a website that tracks large-scale data breaches, over 5 billion user accounts have been compromised in documented hacks. In 2018 alone, the world felt what it was like to be victimized by poor cyber hygienics on a grand scale.
In helping to recognize some of the flaws the mainstream cybersecurity space is facing, Distributed.com spoke with the experts at DLA Piper, a global law firm, for some guidance.
“The issue of data integrity is rarely discussed,” Mark Radcliffe, a partner at DLA Piper, told Distributed.com. But blockchain technology can help to “detect and deter the unauthorized and undetected tampering of the data.”
Even before this year’s Equifax and Facebook data breaches, the general public had lost trust in those who are charged with monitoring and protecting our most sensitive information. Generally, for the average user who is concerned with maintaining password privacy, password managers like LastPass or 1Password are available.
Yet, regardless of the software or coding behind these password managers, there is still a human component that is required. Consequently, the margin of error is higher than that of a self-running or autonomous type of program.
Generally, one of the major drawbacks with password managers of this nature is the manner in which information is stored. Located on one server, these services store information, while decreasing the very security of it, by making all of it potentially available for the taking.
LastPass stores passwords on its remote servers. While encrypted with 256-bit encryption (a highly-secure and widely-used data/file encryption technique that uses a 256-bit key to encrypt and then decrypt files), the server has demonstrated instances of its vulnerability over the years, which has been addressed with updated patches for Google Chrome, Mozilla Firefox and Microsoft Edge.
Similarly, 1Password stores its password data locally and only copies it to the cloud for syncing across multiple devices. While encrypted with 256-bit encryption, it adds a third-party intermediary (the cloud), charging it with data maintenance and storage.
Yet, when it comes to personally identifiable information (“PII”) or other highly sensitive information such as birthdates, addresses and social security numbers, this information should not be left in any particular person(s) or institution(s) hands, let alone a single server.
By injecting blockchain technology into these existing systems while utilizing “consensus algorithms,” these concerns can be significantly minimized.
What Are Consensus Algorithms?
Behind every cryptocurrency, there is a “consensus algorithm.” Generally speaking, a “consensus” is an agreement between two or more individuals. In the case of cryptocurrencies, the definition for consensus is similar in that it refers to an agreement about the status of a given cryptocurrency network, such as a recent transaction. This process is used to agree on how the network runs, while simultaneously protecting against potential issues of collusion or malicious actions designed to compromise that network.
One of the primary purposes of these systems is to prevent “double spending.” Common consensus is crucial for ensuring that a decentralized system can function smoothly, as it facilitates network-wide agreements without a central entity dictating the network’s direction. Without a consensus, cryptocurrency networks wouldn’t be able to agree on anything, creating an ultimate freeze on any or all transactions being conducted.
The first and most common example of a consensus algorithm is the proof-of-work (PoW) algorithm. Before Satoshi Nakamoto, the pseudonymous programmer behind Bitcoin, PoW was theorized back in 1993 but was not officially coined until 1999. Until the 2008 publication of Nakamoto’s white paper, the concept had little immediate relevance to the computer science industry.
Limitations on Consensus Algorithms in the Mainstream
While a consensus system can address the issues of double spending, trust and integrity of a blockchain network, none seem to really address the issue of cybersecurity on a grand scale.
In our traditional finance system, we don’t need such a system because we rely on the banks and institutions to emphasize and share with us the status of our customer agreement — in order for a transaction to process, the bank confirms that there is a certain amount in our account, before debiting said amount.
However, with cryptocurrencies, there is no such intermediary providing that guidance. Therefore, the networks themselves need to have a way to securely create its own consensus across a group of decentralized computers/networks.
But, there is still the potential, most commonly with PoW systems, to be subject to certain threats, such as a 51 percent attack.
With PoW, a large amount of computing is required to mine cryptocurrency. As such, the costs of energy required to successfully implement the system are astronomical. This could make or break a business, depending on its size and cash flow. For those focused on preserving the environment, this is a huge concern as, overall, this type of energy consumption is most unfriendly.
Radcliffe told Distributed.com that one of the biggest threats in the security space today is government agencies depending upon the blockchain but failing to properly protect the system from cyberattacks like DDoS attacks and consensus attacks, and ultimately losing control over the distributed ledger entirely.
“However, these problems must be compared with the existing systems which are subject to fraud and tampering,” Radcliffe emphasized.
Enter ‘Public Key Infrastructure’
The “public key infrastructure” (PKI) is the set of hardware, software, policies, processes and procedures that are required for creating, managing, distributing, utilizing, storing and revoking digital certificates and public keys. This allows the use of certain technologies, like digital signatures and encryption, across large user bases.
Currently, the technology is utilized to help secure the electronic transfer of information in e-commerce, online banking and confidential communications. This way, passwords and human errors are highly reduced to help provide a high-end security system.
Yet, despite its prevalence, PKI is not fully optimized for withstanding cybersecurity attacks. So, by adding a blockchain twist to it and looking at “distributed PKIs,” we can look at providing secure information to the public.
“When you combine blockchain technology with ‘hashes,’ or digital fingerprints of data and documents, the company can create a tamper-proof chain-of-custody,” Radcliffe told us. “Any interested (and authorized party) can compare the fingerprint of the original data with a fingerprint of the current data and confirm that they match, otherwise the data is suspect.”
Deborah Meshulam, a partner at DLA Piper, agreed and believes that a critical bug could expose the risks that technology should ultimately be minimizing.
“Implementing blockchain consensus mechanisms can also prevent the modification of data stored on the blockchain,” she said. “Full encryption of data blocks can also be applied to data with private keys to decrypt the data, although, as we’ve seen, keys can be stolen.”
Creating a Distributed PKI
To dive deeper into how blockchain technology can be combined with PKI and potentially improve the world of cybersecurity, Distributed.com spoke with REMME, a startup which created its own authentication system, addressing these very issues, as identified by DLA Piper and security advocates. Its proprietary consensus algorithm, “proof of service,” is designed for storing a certificate’s hash, state (whether valid or revoked), public key and expiration date. The algorithm controls the interactions of nodes and enforces a fair system for confirming blocks and allocating rewards. It replaces the traditional access approach based on passwords with digital certificates.
In the system, REMME utilizes different PKI standards and protocols, as well as blockchain technology, to protect the entire channel from attack and to help companies address the problems associated with access security failings.
The company said that one major feature of its algorithm is that its system is programmed to make a pseudo-random selection of masternodes that sign a block in the blockchain. Based on the concept of “committees” that are re-elected for signing each block, the system chooses “members” based on the initial stake and quality of the masternode work.
The algorithm then controls the way in which the nodes interact with the network, creating a fair and transparent system, free of any centralized effect.
Cybersecurity is, of course, a complicated issue that will only become more difficult to solve as more of our world is made digital. But as blockchain technology grows in popularity, it is poised to play a central role in how our world protects its data as more of it is digitally available. A distributed PKI is just one example of how the central component of blockchains, consensus algorithms, will inspire the future’s cybersecurity efforts.