Bitcoin/Namecoin/*coin: On Bitcoin like protocols and their relation to other IT-Security issues

Transcription

1 : On Bitcoin like protocols and their relation to other IT-Security issues Aljosha Judmayer

2 SBA Research Area 1 (GRC): Governance, Risk and Compliance P1.1: Risk Management and Analysis P1.2: Secure BP Modeling, Simulation and Verification P1.3: Computer Security Incident Response Team P1.4: Awareness and E-Learning Area 2 (DSP): Data Security and Privacy P2.1: Privacy Enhancing Technologies P2.2: Enterprise Rights Management P2.3: Digital Preservation Area 3 (SCA): Secure Coding and Code Analysis P3.1: Malware Detection and Botnet Economics P3.2: Systems and Software Security P3.3: Digital Forensics Area 4 (HNS): Hardware and Network Security P4.1: Hardware Security and Differential Fault Analysis P4.2: Pervasive Computing P4.3: Network Security of the Future Internet

3 Agenda History of Cryptocurrencies Bitcoin The security concept Bitcoin Generalizing the concept of Bitcoin Namecoin Technical concept of Bitcoin 3

4 History of Cryptocurrencies 4

5 History of Cryptocurrencies Cryptocurrency medium for the exchange of currency units that relies on cryptography to control the decentralized creation and management of such units [1] Concept ecash invented by David Chaum 1983 Blind signatures [2] Mix networks (=> onion routing Tor) [3] [1] [2] Chaum, D. (1983). "Blind signatures for untraceable payments". Advances in Cryptology Proceedings 82 (3) [3] Chaum, D. (1981). "Untraceable electronic mail, return addresses, and digital pseudonyms". Communications of the ACM 24 (2) 5

6 History of Cryptocurrencies Chaum, D. Security without Identification: Transaction Systems to Make Big Brother Obsolete (1985) roots of the Cypherpunk movement achieve privacy and security through proactive use of cryptography [1] named after mailinglist (1993) US crypto (export) law, cryptowars Auxiliary Military Technology [1] 6

7 History of Cryptocurrencies some Cypherpunks... [*] 7

8 History of Cryptocurrencies some Cypherpunks... [*] 8

9 History of Cryptocurrencies some Cypherpunks... [*] 9

10 History of Cryptocurrencies some Cypherpunks... [*] 10

11 History of Cryptocurrencies some Cypherpunks... [*] 11

12 History of Cryptocurrencies... Adam Back, RSA 3 lines of Perl, non-exportable T-shirt #!/bin/perl sp0777i<x+d*lmla^*ln%0]dsxx++lmln/dsm0<j]dsj $/=unpack('h*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1 lk[d2%sa2/d0$^ixp" dc`;s/\w//g;$_=pack('h*',/((..)*)$/) hashcash (1997) proof-of-work (PoW) Hal Finney, PGP reusable PoW (24) 12

13 Bitcoin 13

14 29 by Satoshi Nakamoto (pseudonym) Bitcoin: A Peer-to-Peer Electronic Cash System [1] +source code first user, created genesis block $ strings -n 20.bitcoin/blocks/blk0.dat EThe Times 03/Jan/29 Chancellor on brink of second bailout for banks [1] 14

15 Currency shortcut BTC 1 BTC =~ $347 USD 1 BTC = $ USD (all-time high) Market Capitalization $4,682,667,529 USD [1] 15

16 [1] 16

17 [1] 17

18 How do bitcoins look like? 18

19 How do bitcoins look like? hex dump of genesis block A0 B0 C0 D0 E0 F B A 6C 73 6F 2A F3 8A 76 1E F C 8F 5E 45 6E F1 E A 54 2F 20 6F 62 A6 EA E5 2B 3B 7F F 6E F 1E 6B A3 C8 AB E 64 6E C1 F1 ED 1B 5F FF B 41 B7 DE 12 1D FD C3 49 FF B6 DE 5F 7A 88 FF FF FF 67 5C 49 5C AC 7B 8A FF FF 6D FF 8A D6 F D E 6C FF FD A8 BC 4D B2 32 1D B 6F FF B0 28 3F F7 7A 3A 1D FF 20 6E FE E0 4C BA C7 9F AC FF F EF 0B 2C B8 2B F D 3E AA 7C 1D 2F 6C A6 C ; íýz{.²zç,> gv.a.è.㈚q2:ÿ ª K.^J)«_Iÿÿ ÿÿÿÿm.ÿÿ....ethe Times 03/ Jan/29 Chancel lor on brink of second bailout f or banksÿÿÿÿ..ò. *...CA.gŠý þuh'.gñ q0.\ö (à9. ybàê.aþ Iö¼?Lï8Ä óu.å.á.þ\8m º..W ŠLp+kñ._... 19

20 Security concept of Bitcoin 20

21 {crypto,recap} Cryptographic hash function A hash function takes a message of arbitrary but finite size and outputs a fixed size hash (a.k.a. digest) four properties (1) easy to compute the hash of any given message 21

22 {crypto,recap} Cryptographic hash function (2) infeasible* to generate a message that has a given hash (a.k.a one-way or hard to invert) Pre-image resistance: (Hashcash/Bitcoin rely on this) [*] Not in polynomial time. Not in reach of adversary as long as the security of the message is important 22

23 {crypto,recap} Cryptographic hash function (3) infeasible to modify a message without changing the resulting hash Second pre-image resistance: (Hashcash/Bitcoin rely on this) 23

24 {crypto,recap} Cryptographic hash function (4) infeasible to find two different messages with the same hash Collision resistance: 24

25 Proof-of-work 512 bits input = 2^ bit hash = 2^256 Worst case to invert a hash function, perform attack on pre-image property: 26

26 Proof-of-work 512 bits input 256 bit hash 224 bits 256 bit hash 32 bits 0xFF...FF - 0x 2^224 solutions 27

27 Proof-of-work Partial pre-image attack connect proof-of-work to purpose service string, random value, nonce, is incremented for brute force search to start at random point Hashcash: $ echo -n "1:52:380119:calvin@comics.net:::9B7605E92F0DAE" sha1sum 0756af69e2ffbdb cd71 [1] 30

28 Proof-of-work Partial pre-image attack connect proof-of-work to purpose service string, random value, nonce, is incremented for brute force search to start at random point service string nonce Hashcash: $ echo -n "1:52:380119:calvin@comics.net:::9B7605E92F0DAE" sha1sum 0756af69e2ffbdb cd71 [1] hash 31

29 {crypto,recap} Asymmetric Cryptography every participant has a keypair Bob Alice 32

30 {crypto,recap} Asymmetric Cryptography every participant has a keypair Bob Alice 33

31 {crypto,recap} Asymmetric Cryptography send encrypted message Bob Alice 34

32 {crypto,recap} Asymmetric Cryptography send encrypted message Bob Alice 35

33 {crypto,recap} Asymmetric Cryptography send signed message Bob Alice 36

34 {crypto,recap} Asymmetric Cryptography send signed message Bob Alice 37

35 Bitcoin distinguishes Transactions (tx) transfer currency units can be created by everyone who owns currency units Blocks (b) contain inputs outputs contains number of transactions are created by miners chained together to form a time line synchronize the network 38

36 Block Block header version 39

37 Block Block header version time 40

38 Block Block header version time target nonce 41

39 Block Block header version time target hashtx nonce tx 1 hashtx tx 2 tx 3 42

40 Block chain Block n - 1 Block header hashtx version hashprev version hashprev time target time target hashtx nonce hashtx nonce tx 1 tx 1 tx 2 tx 2 tx 3 Block n + 1 Block n 43

41 Block n - 1 Block header hashtx Mining & Block chain version hashprev version hashprev time target time target hashtx nonce hashtx nonce tx 1 (coinbase) tx 1 (coinbase) tx 2 tx 2 tx 3 Block n + 1 Block n 44

42 Block n - 1 Block header hashtx Mining & Block chain version hashprev version hashprev time target time target hashtx nonce hashtx nonce tx 1 (coinbase) tx 1 (coinbase) tx 2 tx 2 tx 3 Block n + 1 version in_count Block n 25 BTC input 1 out_count output 1 H(pk_A) 45

43 Tansaction, Alice => Bob tx version in_count input 1 out_count output 1 46

44 Tansaction, Alice => Bob Block header version hashprev time target hashtx nonce tx 1 hashtx tx 2 tx tx 3 version in_count input 1 out_count output 1 47

45 Tansaction, Alice => Bob Block header version hashprev time target hashtx nonce tx 1 hashtx tx 2 tx tx 3 version in_count version in_count input 1 H(pk_A) input 1 out_count output 1 input 2 out_count output 1 output 2 48

46 Tansaction, Alice => Bob Block header version hashprev time target hashtx nonce tx 1 hashtx tx 2 tx tx 3 version in_count version in_count input 1 H(pk_A) out_count input 1 input 2 out_count output 1 output 2 output 1 sig(sk_a,tx) pk_a H(pk_B) 49

47 Tansaction, Alice => Bob Block header version hashprev version hashprev time target time target hashtx nonce hashtx nonce hashtx tx 1 tx 1 tx 2 tx 2 tx 3 version in_count version in_count input 1 H(pk_A) out_count input 1 input 2 out_count output 1 output 2 output 1 sig(sk_a,tx) pk_a H(pk_B) 50

48 Mining & Block chain There is no hard limit of 21 Million bitcoins! Only a software limit half all blocks (~all 4 years) Era 1: 50 BTC Era 2: 50/2 = 25 BTC Era 3: 25/2 = 12.5 BTC... Era 33: 0.01 Satoshi Theoretical max int64_t (2^64) ~80 times more 51

49 Mining & Block chain It is possible that a confirmed transaction in a valid block gets reverted! There are block chain forks 52

50 Mining & Block chain It is possible that a confirmed transaction in a valid block gets reverted! There are block chain forks genesis 53

51 Mining & Block chain It is possible that a confirmed transaction in a valid block gets reverted! There are block chain forks genesis 54

52 Mining & Block chain It is possible that a confirmed transaction in a valid block gets reverted! There are block chain forks genesis 55

53 Mining & Block chain It is possible that a confirmed transaction in a valid block gets reverted! There are block chain forks genesis 56

54 Mining & Block chain It is possible that a confirmed transaction in a valid block gets reverted! There are block chain forks genesis 57

55 Mining & Block chain It is possible that a confirmed transaction in a valid block gets reverted! There are block chain forks genesis 58

56 Mining & Block chain It is possible that a confirmed transaction in a valid block gets reverted! There are block chain forks genesis 59

57 Double spending Successful double spending attack Attacker Block 60

58 Double spending Successful double spending attack Attacker Block 61

59 Double spending Successful double spending attack Attacker Block 62

60 Double spending Successful double spending attack Attacker Block 63

61 Double spending Successful double spending attack Attacker Block 64

62 Attack success probability 65

63 Attack success probability 66

64 Attack success probability 67

65 Hashrate distribution 27% [1] 68

66 Cryptocurrency based on... Proof-of-Work (SHA256 hash function) Asymmetric Cryptography (ECDSA) block chain Can we reuse the concept of a block chain in other contexts? 69

67 Generalizing the concept of Bitcoin 70

68 Block chain registration process register a id-value pair in a block chain Hello by Alice 71

69 Block chain registration process register a id-value pair in a block chain what is the problem here? Hello by Alice 72

70 Block chain registration process register a id-value pair in a block chain Attacker Block Hello by Hello by Alice 73

71 Block chain registration process register a id-value pair in a block chain Attacker Block Hello by Hello by Alice 74

72 Block chain registration process register a id-value pair in a block chain e7fa8 by Alice... 75

73 Block chain registration process register a id-value pair in a block chain e7fa8 by Alice... Hello by Alice 76

74 Block chain registration process register a id-value pair in a block chain e7fa8 by Alice... Hello by Alice... 77

75 Block chain registration process register a id-value pair in a block chain Hello by e7fa8 by Alice Hello by Alice 78

76 Namecoin 79

77 Currency shortcut NMC 1 NMC =~ $ 0.91 USD Market capitalization $9,207,844 USD 80

78 [1] 81

79 Register a domain $./namecoind name_new d/coinan [ "fe5d...466", "7df9..."] $./namecoind name_firstupdate d/coinan 7df9... fe5d '{"ip":" ", "map": {"*": {"ip":" "}}}' 82

80 Conclusion Decentralized id-value store DNS HTTPS certs, GPG keys,... Authenticated Twitter Fingerprinting service... Block chain size? ASIC mining? Power consumption? 85

81 EOF Aljosha Judmayer Researcher SBA Research ggmbh Favoritenstraße 16, 1040 Wien ajudmayer@sba-research.org

82 bitcoin101.png Bitcoin_Logo_Horizontal_Dark-48px.png spending-bitcoins.jpg Chaum.jpg cypher.gif pictures of cypherpunks uk-front2.jpg Proof_of_Work_challenge_response.svg Namecoin_Logo.png namecoin-vs-bitcoin.png bitcoin+mining.jpg Namecoin.png dogecoin.png dogecoin_money.png dogecoin_wow.png 87