by Raghu Kotha, CTO Cryptyk
Before we begin to understand the security risks associated with private and public blockchains, let us first define what a blockchain is: a ledger of transactions arranged in groups (batches) called blocks. These blocks use cryptographic validation to link themselves together. Simply put, each block references the previous block by a hashing function, which forms a linked chain, hence the name "blockchain".
Blockchains can be visualized as databases with sets of validations that are not stored in central locations nor managed by groups of admins. They are peer to peer networks that exist on multiple nodes (computers) simultaneously in such a way that any interested party can maintain a copy. They are distributed and redundant by nature.
Blockchains can be categorized into two groups:
Public blockchains, including Bitcoin, Ethereum, and most altcoins, are designed to be accessible by anyone with a computer and internet access. They are designed to eliminate a need for intermediaries in any exchange of asset value scenario. Redundancy makes public blockchains slow and resource intensive because of the computational power that is needed to maintain the distributed ledger, but in turn makes them more secure. Public blockchains are most appropriate when a network needs to be decentralized.
Private blockchains partially reintroduce the intermediary. Nodes in a private blockchain network require invitations and must be validated by either the starter of the network or by a set of rules put in place by the starter of the network.
Businesses which set up private blockchains, generally set up a permissioned network. This restricts access to the network for certain transactions. Participants need to obtain an invitation or permission to join. The access control mechanism may vary such that: existing participants could decide future entrants, a regulatory authority could issue licenses for participation, or a consortium could make the decisions. Once an entity has joined the network, it will play a role in maintaining the blockchain in a decentralized manner.
Due to their restrictive nature, private blockchains are sometimes referred to as permissioned blockchains.
Anyone is able to aggregate and publish a group of transactions, provided they can solve a difficult cryptographic puzzle to prove an investment of computing power. The process by which a network of nodes confirms the records of previously verified transactions, and by which it verifies new transactions, is known as a consensus protocol. In the public blockchain system, all users follow an algorithm that verifies transactions by committing software and hardware resources to solving a problem by brute force (i.e., by solving the cryptographic puzzle). The user who finds the solution first is rewarded, and each new solution, along with the transactions that were used to verify it, forms the basis for the next puzzle.
A proof of work is a piece of data which was difficult to produce so as to satisfy certain requirements. The Production of a proof of work is a random process with low probability, so it requires a lot of trial and error on average before a valid proof of work is generated. Bitcoin uses the Hashcash proof of work.
Now that we are familiar with key blockchain terminology, let us explore the risks associated with public and private blockchains.
While the risks of building a financial market or other infrastructure on a public blockchain may restrict certain companies pause, private blockchains offer a degree of control over both participant behavior and the transaction verification process. The use of a blockchain-based system is a signal of the transparency and usability of that system, which are bolstered by the early consideration of the system’s security. Just as a business will decide which of its systems are better hosted on a more secure private intranet or on the internet, but will likely use both, systems requiring fast transactions, the possibility of transaction reversal, and central control over transaction verification will be better suited for private blockchains, while those that benefit from widespread participation, transparency, and third-party verification will flourish on a public blockchain.
Apart from public blockchain and private block chain there is one more blockchain called consortium blockchain. It is a blockchain where the consensus process is controlled by a pre-selected set of nodes; for example, one might imagine a consortium of 15 financial institutions, each of which operates a node and of which 10 must sign every block in order for the block to be valid. The right to read the blockchain may be public, or restricted to the participants, and there are also hybrid routes such as the root hashes of the blocks being public together with an API that allows members of the public to make a limited number of queries and get back cryptographic proofs of some parts of the blockchain state. These blockchains may be considered “partially decentralized”. This kind of blockchain have risks based on how it is implemented.
Raghu started his career as a systems programmer building CAD systems, mathematical packages, and compilers / interpreters and designing IDS systems. He received the achievement award from Bell Labs for his work on configuration management tools. Raghu has had opportunities to work in senior roles in many aspects of Information Technology including Application Development, Information Management, and Enterprise Architecture. Over the past 13 years, he has been involved in Pen testing, malware analysis, malware creation, Security Operations/Architecture, Machine Learning, Blockchains and Security Governance. After holding the Head of Information Security position at a California bank, Raghu is currently working as a CTO for Cryptyk a Blockchain based Distributed Enterprise Storage Company.
Education: Bachelor of Engineering in Computer Science, Masters in Computer Science and Information Management.
Certifications: CISSP, ISSAP, ITIL V3, CCSK, Paloalto ICM & ATS, SANS App Security, CMNA, FireEye SE, McAfee Operations Solutions Certification.