TC307 SG3 - SECURITY & PRIVACY

Transcription

1 TC307 SG3 - SECURITY & PRIVACY

2 6 layers of security 1. Cryptography 2. Blockchain protocol 3. Application 4. Privacy mechanisms 5. Implementation 6. Operation Security issues

3 Cryptography Lots of understanding since the Romans Hash functions (ISO/IEC 10118) Digital Signature (ISO/IEC 14888) Timestamping (ISO/IEC 18014) Verification of Cryptographic Protocols (ISO/IEC 29128) Entity authentication (ISO/IEC 9798) Non-repudiation (ISO/IEC 13888) Random bit generation (18031) Anonymous entity authentication (20009) Anonymous digital signatures (20008) 1. Cryptography

4 Blockchain protocol Proof-of-Work / Proof-of-Stake / Proof-of-Authority Main challenge currently Investigations towards Bitcoin protocol number of attacks Two properties: Persistence Liveliness 2. Blockchain protocol 1. Cryptography

5 Application protocol Smart contracts Earlier we had strong coupling between the blockchain and the application Smart contracts decouples them how to create security standardization for smart contracts? 3. Application 2. Blockchain 1. Cryptography

6 Privacy mechanisms ISO/IEC Identity Assurance Framework ISO/IEC 27017, ISO/IEC ISO/IEC JTC SC32 4. Privacy mechanisms 3. Application 2. Blockchain 1. Cryptography

7 Implementation ISO/IEC Implementation 4. Privacy mechanisms 3. Application 2. Blockchain 1. Cryptography

8 Operations 6. Operations ISMS (ISO/IEC 27000) DE BSI 100 Series EE ISKE ES MAGERIT Version 3 US SP Implementation 4. Privacy mechanisms 3. Application 2. Blockchain 1. Cryptography

9 Missing areas mostly in tech? Zero-knowledge proofs Ring singatures

10 Proposal Technical Report Foreword Introduction 1. Scope 2. Normative references 3. Terms and definitions 4. Security of DLT systems 4.1. Examples of existing DLT systems and analysis of their security requirements 4.2. General security requirements for DLT systems 5. Security of Blockchain systems / 6 layer model 5.1. The usage of cryptographic mechanisms in blockchain systems 5.2. Security of backbone protocols Security properties of backbone protocols Proof-of-work Description Existing attacks Security properties and requirements Proof-of-Stake Proof-of-Space Proof-of-authority 5.3 Security of Application Protocol 5.4.Security of Privacy mechanisms 5.5. Security of Implementation 5.6 Security of Operation 6. Legal security of Blockchain/DLT systems Annex A: List of related standards Bibliography

11 Privacy freedom from intrusion into the private life or affairs of an individual when that intrusion results from undue or illegal gathering and use of data about that individual / ISO Privacy Protection The major impact on Blockchain & DLT systems is in terms of the Protection of Personally Identifiable Information (PII)

12 ISO/IEC Privacy impact assessment If a Blockchain & DLT system does contain PII and/or if the privacy impact assessment underlines any major risk relating to personal data information protection, then considerations for privacy and personal data apply and the privacy principles of ISO/IEC need to be considered. It is clear that the characteristics of Blockchain & DLT systems do not sit well with the consequences of the privacy principles and this can lead to legal and regulatory issues in many jurisdictions, since the privacy principles are often enshrined in laws and regulations.

13 Blockchain is different Blockchain & DLT differentiate from other ICT systems with respect to the privacy principles The systems are fundamentally distributed where control and access to the information is typically also distributed amongst different individuals and/or organizations. The information held in the ledger is immutable i.e. the intention is that each transaction recorded in the ledger is final and cannot be changed. Storage of PII In the ledger itself or in an off-ledger datastore

14 Proposal Technical Report or include in the Security Technical Report Due diligence privacy issues should be taken into account at all the stages of the DLT system's life cycle from design to decommissioning; Context analysis (including legal, technical, business, societal); Risk analysis and risk-based decision-making; High-level privacy principles tailored to blockchain/dlt Organizational framework: The features of ISO management systems including appropriate control sets, monitoring and continuous improvement, collecting proof of good faith conduct; Catalog of major risks and of major opportunities using Blockchain. Catalog of major privacy-enhancing approaches and controls.

15