NullCon – Goa, India – March 3rd-4th, 2017 Renaud Lifchitz (renaud.lifchitz@digitalsecurity.fr) Blockchain and security: bank and insurance applications

Outline Introduction to blockchain Blockchain advantages General use cases Use cases in banks Use cases in insurances Security concerns How to choose blockchain technology How to choose programming language Security best practices P. 2 Blockchain and security: bank and insurance applications - Digital Security

Speaker's bio French senior security engineer Main activities:  Penetration testing & security audits  Security research  Security trainings Significant security studies about: contactless debit cards, GSM geolocation, blockchain, RSA signatures, ZigBee, Sigfox, LoRaWAN, Vigik access control and quantum computation https://speakerdeck.com/rlifchitz Blockchain and security: bank and insurance applications - Digital Security P. 3

About Digital Security Company founded in 2015 by a group of experts with the support of Econocom Group Provides advanced services in security audit, consulting and support Our expertise combine traditional security for infrastructure and application, and skills oriented to the ecosystem of connected objects Has created the CERT-UBIK, first European CERT™ specialized on IoT security (OSIDO monitoring service) Has a laboratory for studying new technologies, protocols and specific operating systems Blockchain and security: bank and insurance applications - Digital Security P. 4

Blockchain introduction

Blockchain Global and distributed registry (no single point of failure) Secure and reliable transmission of authenticated information Lots of use cases and advantages Fully customizable depending on business cases P. 6 Blockchain and security: bank and insurance applications - Digital Security Introduction

Blockchain - Advantages Scalability: it's easy to deploy nodes Resilience: tolerant to attacks (network, applicative, DoS, …) Data integrity & authenticity: authenticated and immutable data Decentralization: no SPoF (Single Point of Failure), no trusted third party Transaction speed compared to interbank networks (e.g.: SWIFT) P. 7 Blockchain and security: bank and insurance applications - Digital Security Introduction Trusted network

Smart contracts Automated, decentralized, conditional and safe execution of defined commitments (contracts) Read-only contracts as soon as they are deployed Tamper-proof execution Wide range of possible contracts Multi-party contracts dApp: decentralized web application connected to one or several contracts on a blockchain P. 8 Blockchain and security: bank and insurance applications - Digital Security Introduction

Smart contracts « State of the dApps », a public directory of Ethereum dApps: http://dapps.ethercasts.com/ P. 9 Blockchain and security: bank and insurance applications - Digital Security Introduction

Oracles Program acting as a gateway between a blockchain and the real world, or more generally the Web Execution prerequisites of a contract: current weather, stock market price, news, account balance... An oracle is a callable function from a smart contract P. 10 Blockchain and security: bank and insurance applications - Digital Security Introduction

A promising blockchain: Ethereum First version: July 2015 ~ 15 seconds per block Powerful (« Turing-complete ») smart contracts, unlike Bitcoin Mature oracle system: http://www.oraclize.it with provably honest security Excellent community support Rich documentation Most useful smart contracts currently Smart contract programming language: Solidity (strongly typed Javascript variant) P. 11 Blockchain and security: bank and insurance applications - Digital Security Introduction

Blockchain use cases

Why a blockchain? Or why you shouldn't use it everywhere... Cons:  Limited size and number of transactions per second (Bitcoin: ~3-7 transactions/s., Ethereum: ~7-15 transactions/s.)  Energy cost Key factors of choice:  Lack of confidence between users  Concurrent writing by independent users  Benefits for users  Disintermediation Blockchain use cases P. 13 Blockchain and security: bank and insurance applications - Digital Security

General use cases Banking Insurance Notary Electronic voting Crowdfunding Conditional execution of transactions (smart contracts) Blockchain use cases P. 14 Blockchain and security: bank and insurance applications - Digital Security

General use cases Interests of FINTECH in blockchain Blockchain use cases P. 15 Blockchain and security: bank and insurance applications - Digital Security

General use cases Notary / Data anchoring / Proof of existence with timestamping: https://woleet.io Blockchain use cases P. 16 Blockchain and security: bank and insurance applications - Digital Security

Banks Blockchain use cases P. 17 Blockchain and security: bank and insurance applications - Digital Security Use cases

Banks Blockchain use cases P. 18 Blockchain and security: bank and insurance applications - Digital Security They already started to work with blockchain...

Banks Blockchain use cases P. 19 Blockchain and security: bank and insurance applications - Digital Security Use cases & examples

Banks Blockchain use cases P. 20 Blockchain and security: bank and insurance applications - Digital Security Blocked deposit with legal interest rates

Banks Token: Custom unit of value for which you want to control issuance, use and conversion ERP20 standard on Ethereum: https://github.com/ethereum/EIPs/issues/20 Use cases:  Electronic currency  Loyalty points (in retail)  Purchase vouchers & coupons  Proofs Blockchain use cases P. 21 Blockchain and security: bank and insurance applications - Digital Security A standard for token management?

Insurances Use cases: • Automatic payment of premiums • Automatic computation of risks by oracles and smart contracts • Unique loss declaration • Claim management • Easy payment of compensations Blockchain use cases P. 22 Blockchain and security: bank and insurance applications - Digital Security

Insurances Blockchain use cases P. 23 Blockchain and security: bank and insurance applications - Digital Security Use cases

Insurances Examples Flight delays: « Flight Delays Suck! »: https://fdd.etherisc.com/ Drought & flood: « Jamii Crop Insurance »: https://crop.etherisc.com/ Social insurance (in test): « Etherisc Social Insurance » https://govhack.etherisc.com/ Natural disasters swap risks and bonds (Allianz Risk Transfer AG & Nephila Capital Limited) Sidechains developments (Axa Strategic Ventures & Blockstream) Blockchain use cases P. 24 Blockchain and security: bank and insurance applications - Digital Security

Insurances Automatic compensation of flight delays: « Flight Delays Suck! » : https://fdd.etherisc.com/ Blockchain use cases P. 25 Blockchain and security: bank and insurance applications - Digital Security

Blockchain security

« The DAO » case (1/2) The DAO (Decentralized Autonomous Organization) was a crowdfunding smart contract developed by Slock.it (electronic lock connected to the blockchain) More than $150 millions were collected (15% of all ethers at this time), a lot more than required! Blockchain security P. 27 Blockchain and security: bank and insurance applications - Digital Security

« The DAO » case (2/2) June 17th, 2016: robbery of one third of the funds using an implementation vulnerability with the recursive call of the contract « Hard Fork » to modify the contract and save the funds « Ethereum Classic » (ETC) appears: governance issues... Legal issues for companies contracting with a smart contract: the DAO.LINK (Swiss company) solution Blockchain security P. 28 Blockchain and security: bank and insurance applications - Digital Security

How to choose blockchain technology The blockchain Important criterions:  Maturity  Security  Interoperability (oracles and sidechains)  Support  Smart contract possibilities  Scaling (transaction max size, delay between blocks) Some blockchains: Bitcoin, Ethereum, Ripple, Byteball (DAG), Lisk, Tezos, ... Blockchain security P. 29 Blockchain and security: bank and insurance applications - Digital Security

How to choose blockchain technology Smart contract programming language Imperative languages:  Common  Easier to write  Complex to verify using formal proofs Functional languages:  Unusual  Complex  Quite easy to verify using formal proofs (no side effect) Blockchain security P. 30 Blockchain and security: bank and insurance applications - Digital Security

Security best practices Functional best practices Simplicity, modularity, code reuse Unit testing & integration testing Economic incentives:  Limitation of amounts  Bug bounties (ex. : https://bountyfactory.io )  Prediction markets (ex. : https://gnosis.pm/ , https://augur.net/ ) Separation of conditions and actions in the code (« Condition-Oriented programming ») Blockchain security P. 31 Blockchain and security: bank and insurance applications - Digital Security

Security best practices Technical best practices Implementation of a « killswitch » in the smart contracts Pre & post-conditions in the functions Use of formal proofs Use of « mocks » in tests Use of test environments (frameworks, testnets…) Blockchain security P. 32 Blockchain and security: bank and insurance applications - Digital Security

Blockchain services

Our blockchain services Blockchain solutions Technical and legal risk analysis Blockchain trainings Smart contract & PoC development Smart contracts & cryptography audits For the best specific recommendations for your project, contact us!  P. 34 Blockchain and security: bank and insurance applications - Digital Security

Thanks! Questions? IT & IoT Security Contact: renaud.lifchitz@digitalsecurity.fr info@digitalsecurity.fr P. 35 Blockchain and security: bank and insurance applications - Digital Security Follow us on Twitter!: @iotcert