Defining – And Breaking – Blockchain Protection

While there are numerous books, deep technical whitepapers and advanced math that can explain blockchain to even the most advanced audience, simplification is always better in security. To this end, the concept of blockchain is actually not new, as it focuses on the same underlying issue – how to secure a transaction between two independent parties.

The most common solution, and the oldest, is what many people know as HTTPS (SSL/TLS), wherein two parties submit a certificate to an independent, trusted authority (called a Certificate Authority or CA), and that trusted node verifies both sides and aids in sharing a secret both parties can use to encrypt their transaction.

Blockchain, in essence, is the democratization of this process: that single trusted CA node is replaced by peer nodes on either side, the majority of which must validate the identity of the two parties involved in a transaction. That transaction then follows the same principles of obtaining a shared secret and then encrypting the transaction. Unlike SSL/TLS, blockchain then requires the secure storage of the pertinent components of that transaction in a ledger (the actual blockchain), which is distributed amongst all of the peer nodes and those two parties.

If this sounds like a lot for a single transaction, it is, and we are completely ignoring the incredible amount of math that is required to authenticate not just the two parties but each peer node AND the blockchain database. Then there is crazy math involved in storing the transaction securely… it is incredibly complex, resource-intensive and, yes… it has already been hacked – a LOT.

The problem is that blockchain is just too complex, with too many moving pieces. If any one piece is not configured perfectly, if one decimal is off or one algorithm is not exactly correct, the entire scheme falls apart. For anybody in security, these words are massive red flags, and hacked cryptocurrency was inevitable.

Two Distinct Systems

In order to fix blockchain protection, it is important to understand that there are really two discrete parts to any given transaction – the actors and the actual transaction. While terms such as “the cloud” and “virtualization” make people think of Star Trek, the reality is that every “party” and “node” has to run on a device. Sure, that device can be a container or a virtual machine but, at the end of the day, devices are always involved.

So why not lock down the devices separately, ensure they are authenticated, and then run transactions? By independently, and continuously, authenticating devices in local systems, the math is significantly reduced, the complexity is eliminated and the resultant attack surface becomes more manageable. In this environment, all of the devices are known to one another, and the core encryption of a given transaction becomes trivial, as those devices can maintain secure communication lines irrespective of any single transaction.

By separating out the identity of these parties from individual transactions, blockchain is purified and becomes the secure storage of transaction artifacts without everything else getting in the way. The math surrounding secure storage is extremely strong and not prone to being hacked. Using this path eliminates all of the hassle… and hacks…
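
The split described above can be sketched in a few lines. This is an added example, not code from the article or any product: it assumes a registry of pre-shared device keys (HMAC-SHA256) as a stand-in for device authentication, and a SHA-256 hash chain as the ledger; all names, keys and transactions are constructed.

```python
import hashlib, hmac, json

# Constructed sample registry: device id -> pre-shared key (an assumption, not from the article).
DEVICE_KEYS = {"device-a": b"key-a-constructed", "device-b": b"key-b-constructed"}
GENESIS = "0" * 64

def sign(device_id, key, payload):
    # Device side: tag the payload with the device's own key.
    msg = json.dumps([device_id, payload], sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def device_is_authentic(device_id, payload, tag):
    """System 1: identity check, independent of the ledger."""
    key = DEVICE_KEYS.get(device_id)
    return key is not None and hmac.compare_digest(sign(device_id, key, payload), tag)

def entry_hash(prev_hash, device_id, payload):
    body = json.dumps([prev_hash, device_id, payload], sort_keys=True).encode()
    return hashlib.sha256(body).hexdigest()

def append(ledger, device_id, payload, tag):
    """System 2: store the artifact only after System 1 accepts the device."""
    if not device_is_authentic(device_id, payload, tag):
        return False
    prev = ledger[-1]["hash"] if ledger else GENESIS
    ledger.append({"prev": prev, "device": device_id, "payload": payload,
                   "hash": entry_hash(prev, device_id, payload)})
    return True

def first_bad_index(ledger):
    """Return the index of the first entry that breaks the chain, or -1."""
    prev = GENESIS
    for i, e in enumerate(ledger):
        if e["prev"] != prev or e["hash"] != entry_hash(prev, e["device"], e["payload"]):
            return i
        prev = e["hash"]
    return -1

def demo():
    ledger = []
    p1 = {"from": "alice", "to": "bob", "amount": 5}
    p2 = {"from": "bob", "to": "carol", "amount": 2}
    ok1 = append(ledger, "device-a", p1, sign("device-a", DEVICE_KEYS["device-a"], p1))
    ok2 = append(ledger, "device-b", p2, sign("device-b", DEVICE_KEYS["device-b"], p2))
    rogue = append(ledger, "device-x", p2, sign("device-x", b"guess", p2))  # unknown device
    clean = first_bad_index(ledger)
    ledger[0]["payload"]["amount"] = 500  # edit a stored artifact after the fact
    return ok1, ok2, rogue, clean, first_bad_index(ledger), len(ledger)

if __name__ == "__main__":
    print(demo())
```

The chain only exposes tampering to a verifier who holds a trusted copy of the latest hash; whoever can rewrite every entry can also recompute the chain, which is why the head hash has to be replicated or anchored outside the store.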