Slide 1

Blockchain, decentralized applications and security – Renaud Lifchitz

Slide 2

Key problems with current Web applications

Slide 3

The current Web is obsolete
● The Web has been designed to be decentralized BUT…
● It’s more and more centralized: Google, Apple, Amazon, Microsoft, …
● That makes spying easier
● A lot of DDoS attacks succeed
● A single server is not enough even to serve a single popular YouTube video
● Hosting changes → URLs are broken

Slide 4

Many security weak points
● DNS
● SSL/TLS certificates
● System security
● Network security
● Application security
● Passwords

Slide 5

Scalability issues
● Load balancing:
  – Is complex
  – Is costly
  – Depends on the web technologies involved
● Efficient DDoS protection is hard

Slide 6

Building a decentralized password hashes marketplace

Slide 7

A password marketplace?
● A common task for security auditors: assess the strength of password hashes
● A test on a single CPU/GPU for a few hours is usually not enough compared to motivated attackers
● So the idea is to build a collaborative marketplace with incentives to help:
  – people submit their password hashes with given rewards
  – the one who solves a hash is given the corresponding reward

Slide 8

A fully decentralized application? (1/2)
● We need a fully decentralized application to avoid cheating, censorship, DDoS, downtime…
● Several parts should be decentralized:
  – web back-end (core logic/app)
  – web front-end (storage of HTML/JS/CSS)
  – domain name (storage and resolver)

Slide 9

A fully decentralized application? (2/2)
● I have chosen Ethereum technology with some beta components:
  – web back-end: Ethereum smart contract
  – web front-end: Ethereum Swarm
  – domain name: Ethereum Name Service (ENS)

Slide 10

Anti-cheat tricks
● For the submitter:
  – You pay the reward in advance and it is locked (no insolvency)
● For the solver:
  – You have to pay a small fee to submit an answer (no bruteforce)
  – Answer is verified by thousands of nodes (no corrupted server)
● For all users:
  – Decentralized application (no DoS/DDoS, downtime)
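The three anti-cheat rules above, as an added Solidity sketch that is not the speaker's own contract: the reward is locked when the hash is listed, every answer attempt costs a fee, and the check is the on-chain sha256 precompile (the only hash the deck says is usable, see slide 24). The contract name, fee amount and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the marketplace deployed at passwords.eth.
// SOLVER_FEE and all identifiers are assumed values chosen for illustration.
contract PasswordMarket {
    struct Job {
        address submitter;
        uint256 reward;   // wei locked in this contract at submission time
        bool solved;
    }

    uint256 public constant SOLVER_FEE = 0.001 ether; // assumed: makes on-chain brute force costly
    mapping(bytes32 => Job) public jobs;              // keyed by sha256(password)

    event Submitted(bytes32 indexed hash, uint256 reward);
    event WrongGuess(bytes32 indexed hash, address indexed solver);
    event Solved(bytes32 indexed hash, address indexed solver, uint256 payout);

    // Submitter rule: the reward is paid up front and held by the contract (no insolvency).
    function submit(bytes32 hash) external payable {
        require(msg.value > 0, "reward must be funded");
        require(jobs[hash].submitter == address(0), "hash already listed");
        jobs[hash] = Job({submitter: msg.sender, reward: msg.value, solved: false});
        emit Submitted(hash, msg.value);
    }

    // Solver rules: a fee per attempt, and the comparison runs on every node,
    // so no single server can be bribed into accepting a wrong answer.
    // A wrong guess does not revert: the fee stays locked and grows the reward.
    // Caveat: the plaintext is visible in the pending transaction, so a
    // commit-reveal step would be needed to stop a watching node copying it.
    function solve(bytes32 hash, bytes calldata password) external payable returns (bool) {
        require(msg.value == SOLVER_FEE, "fee required");
        Job storage job = jobs[hash];
        require(job.submitter != address(0) && !job.solved, "no open job");
        if (sha256(password) != hash) {
            job.reward += msg.value;
            emit WrongGuess(hash, msg.sender);
            return false;
        }
        job.solved = true;                      // effects before interaction
        uint256 payout = job.reward + msg.value;
        job.reward = 0;
        emit Solved(hash, msg.sender, payout);
        (bool ok, ) = msg.sender.call{value: payout}("");
        require(ok, "payout failed");
        return true;
    }
}
```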

Slide 11

The Ethereum blockchain
● https://www.ethereum.org/
● More than 22,000 online nodes!: https://www.ethernodes.org → most secured/trustable blockchain nowadays
● Average block/transaction time: 15 seconds
● Allows safe execution of logic through smart contracts
● Allows payments with its digital currency, ether (ETH): https://coinmarketcap.com/currencies/ethereum/
● “Ethereum: the World Computer”: https://www.youtube.com/watch?v=j23HnORQXvs

Slide 12

Decentralized name service: Ethereum Name Service (ENS)
● An ENS entry can map a .eth name to:
  – an individual Ethereum account
  – a content hash for decentralized storage (Swarm or IPFS)
● ENS official web site: https://ens.domains/
● Booking an entry: https://registrar.ens.domains/
● ENS stats: https://ens.codetract.io/

Slide 13

Decentralized storage: Ethereum Swarm
● Peer-to-peer storage and serving solution
● DDoS-resistant, zero-downtime, fault-tolerant, censorship-resistant and self-sustaining with incentives (soon)
● Swarm protocol: bzz://
● Swarm official web site is stored using… Swarm and is also a Swarm gateway:
  – http://swarm-gateways.net/ redirects to http://swarm-gateways.net/bzz:/theswarm.eth/
  – theswarm.eth resolves to 0x9b34db0158bad197cb28b374c79cd4090d5d75e197d0f118a8fc23835f3a22e0
  – http://swarm-gateways.net/bzz:/9b34db0158bad197cb28b374c79cd4090d5d75e197d0f118a8fc23835f3a22e0/
● Other examples:
  – Photo album: http://swarm-gateways.net/bzz:/photoalbum.eth/

Slide 14

Decentralized apps: smart contracts
● A smart contract is an application core
● Once deployed:
  – No one can modify the code or stop its execution
  – The code runs simultaneously on all the nodes
● Smart contract + web front-end = “dApp”
● Ethereum smart contracts main programming language: Solidity

Slide 15

Solidity basics
● High-level language, syntax similar to JavaScript
● Compiled to bytecode then deployed on the blockchain
● Designed to target the Ethereum Virtual Machine (EVM)
● Statically typed, supports inheritance, libraries, complex user-defined types...
● Ability to create contracts for voting, crowdfunding, blind auctions, multi-signature wallets and more!
● Official documentation: https://solidity.readthedocs.io/en/develop/

Slide 16

Solidity code example
Sequestration of funds until 30th July 2020 (https://hodlethereum.com/deposit)

Slide 17

Developing & deploying the smart contract
● Contract can be written using Browser Solidity: https://ethereum.github.io/browser-solidity/
● Contract can be tested using Truffle framework: http://truffleframework.com/ or Ethereum testnet (currently “Ropsten”)
● Contract can be deployed & used using:
  – Parity: https://parity.io/
  – Mist: https://github.com/ethereum/mist/releases

Slide 18

Using the decentralized Web

Slide 19

What you may need (1/2)
● A node/gateway:
  – IPFS (or a public one: https://ipfs.infura.io )
  – Swarm (or a public one: http://swarm-gateways.net/bzz:/passwords.eth/ )
  – Ethereum (or a public one: https://mainnet.infura.io/ )

Slide 20

What you may need (2/2)
● For dApps:
  – An Ethereum wallet with a small balance (typically 0.005 ETH)
  – A dApps compatible browser:
    ● Desktop:
      – Chrome plugins: “ENS Gateway” & “Metamask”
      – or Ethereum Mist or Parity
    ● Mobile: Cipher, Status or Trust
  – An entry point: URL or https://www.stateofthedapps.com/ (~ 1200 projects listed!)

Slide 21

(1/3) ENS Gateway

Slide 22

(2/3) Deploying a file/directory using IPFS

Slide 23

(3/3) Using the passwords marketplace bzz:/passwords.eth

Slide 24

A few words...
● Nice and usable proof-of-concept but:
  – Limited to SHA256 hashes for the moment: lack of other interesting hash functions in the EVM, and high transaction fees to develop new ones → a solution would be to use a trusted oracle
  – Code is quite ugly, needs some fixes before being published
● Use it, share it, and audit your passwords!

Slide 25

Things of interest
● One of my previous presentations about blockchains & security: https://tinyurl.com/blockchain-security
● A French article & interview about my password market: https://tinyurl.com/passwords-eth
● Security of light wallets (French MISC magazine, March 2018)

Slide 26

Thank you! Any questions?
Ethereum: 0x0009Fd382E99dDD801736Ea4075a2eE5e4916B72
ENS: nono2357.eth
Tips are welcome!
@nono2357