Slide 1

NullCon – Goa, India – March 3rd-4th, 2017 Renaud Lifchitz ([email protected]) Blockchain and security: bank and insurance applications

Slide 2

Outline

• Introduction to blockchain
• Blockchain advantages
• General use cases
• Use cases in banks
• Use cases in insurance
• Security concerns
• How to choose a blockchain technology
• How to choose a programming language
• Security best practices

P. 2 Blockchain and security: bank and insurance applications - Digital Security

Slide 3

Speaker's bio

French senior security engineer
Main activities:
• Penetration testing & security audits
• Security research
• Security trainings
Significant security studies about: contactless debit cards, GSM geolocation, blockchain, RSA signatures, ZigBee, Sigfox, LoRaWAN, Vigik access control and quantum computation
https://speakerdeck.com/rlifchitz

Slide 4

About Digital Security

• Company founded in 2015 by a group of experts with the support of Econocom Group
• Provides advanced services in security audit, consulting and support
• Our expertise combines traditional infrastructure and application security with skills oriented to the ecosystem of connected objects
• Has created the CERT-UBIK, first European CERT™ specialized in IoT security (OSIDO monitoring service)
• Has a laboratory for studying new technologies, protocols and specific operating systems

Slide 5

Blockchain introduction

Slide 6

Blockchain

• Global and distributed registry (ledger) with no single point of failure
• Secure and reliable transmission of authenticated information
• Lots of use cases and advantages
• Fully customizable depending on business cases

Slide 7

Blockchain - Advantages

• Scalability: it is easy to deploy additional nodes (the network grows easily; transaction throughput, however, stays limited, see slide 13)
• Resilience: tolerant to attacks (network, application-level, DoS, ...)
• Data integrity & authenticity: authenticated and immutable data
• Decentralization: no SPoF (Single Point of Failure), no trusted third party
• Transaction speed compared to interbank networks (e.g. SWIFT)

Result: a trusted network

Slide 8

Smart contracts

• Automated, decentralized and conditional execution of defined commitments (contracts), enforced by the network rather than by a trusted party
• Contract code is read-only (immutable) as soon as it is deployed, bugs included
• Tamper-proof execution
• Wide range of possible contracts
• Multi-party contracts
• dApp: decentralized web application connected to one or several contracts on a blockchain

Slide 9

Smart contracts

« State of the dApps », a public directory of Ethereum dApps: http://dapps.ethercasts.com/

Slide 10

Oracles

• Program acting as a gateway between a blockchain and the real world, or more generally the Web
• Supplies the execution prerequisites of a contract: current weather, stock market price, news, account balance...
• From the contract's point of view an oracle is another contract it can call; in practice the call is asynchronous: the contract sends a query and the oracle later calls the contract back with the result
• Caveat: the oracle is a trusted third party for that data. A contract is only as trustworthy as the oracles it relies on, and the callback must be authenticated so that nobody else can inject a "result"

Slide 11

A promising blockchain: Ethereum

• First version: July 2015
• ~15 seconds per block
• Powerful (« Turing-complete ») smart contracts, unlike Bitcoin
• Mature oracle service: http://www.oraclize.it with « provably honest » authenticity proofs
• Excellent community support
• Rich documentation
• Most of the useful smart contracts today run on Ethereum
• Smart contract programming language: Solidity (statically typed, JavaScript-like syntax)
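The oracle pattern from slides 10 and 11, as an added Solidity example (not code from the deck, from Oraclize or from Etherisc): a parametric flight-delay policy that asks an oracle for the delay and pays out accordingly. The `IOracle` interface, the contract and function names and the 120-minute threshold are assumptions made for this example; the request/callback shape is generic rather than any particular oracle service's API. The point to take away is the callback: it must verify that the caller is the configured oracle and that the answer matches a request the contract itself issued.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical oracle interface (an assumption for this example, not the
// Oraclize API): the consumer submits a query and the oracle service later
// pushes the answer back by calling fulfill() on the consumer.
interface IOracle {
    function requestValue(string calldata query) external returns (bytes32 requestId);
}

// Parametric flight-delay policy: the insurer locks the payout at deployment,
// an oracle reports the delay, the contract pays whichever party is owed.
contract FlightDelayPolicy {
    uint256 public constant DELAY_THRESHOLD = 120; // minutes of delay that trigger a payout

    address public immutable oracle;   // the only address allowed to answer
    address public immutable insurer;  // funds the payout, gets it back if the flight is on time
    address public immutable insured;  // receives the payout if the flight is late
    uint256 public immutable payout;   // wei locked at deployment

    mapping(bytes32 => bool) public pending; // requests we actually sent, not yet answered
    bool public settled;

    event Requested(bytes32 indexed requestId, string query);
    event Settled(uint256 delayMinutes, address paidTo);

    constructor(address _oracle, address _insured) payable {
        require(msg.value > 0, "payout must be funded");
        oracle = _oracle;
        insurer = msg.sender;
        insured = _insured;
        payout = msg.value;
    }

    // Anyone may ask the oracle for the flight status (e.g. after landing);
    // the request id is recorded so that only answers to our own requests count.
    function checkFlight(string calldata flightQuery) external {
        require(!settled, "already settled");
        bytes32 id = IOracle(oracle).requestValue(flightQuery);
        pending[id] = true;
        emit Requested(id, flightQuery);
    }

    // Oracle callback. The first two require() lines are the security-relevant
    // part: without them anybody could "report" a delay and collect the payout,
    // or replay an old answer.
    function fulfill(bytes32 requestId, uint256 delayMinutes) external {
        require(msg.sender == oracle, "untrusted oracle");
        require(pending[requestId], "unknown or already answered request");
        require(!settled, "already settled");

        delete pending[requestId];  // one answer per request
        settled = true;             // state updated before any ether moves

        address to = delayMinutes >= DELAY_THRESHOLD ? insured : insurer;
        emit Settled(delayMinutes, to);
        (bool ok, ) = to.call{value: payout}("");
        require(ok, "payout failed");
    }
}
```

Deploy with `oracle` set to the oracle service's callback address and `msg.value` equal to the insured amount; the oracle operator remains a trust assumption, which is exactly why the deck calls out « provably honest » authenticity proofs as a selection criterion.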

Slide 12

Blockchain use cases

Slide 13

Why a blockchain? Or why you shouldn't use it everywhere...

Cons:
• Limited block size and number of transactions per second (Bitcoin: ~3-7 transactions/s, Ethereum: ~7-15 transactions/s)
• Energy cost (proof of work)

Key factors of choice:
• Lack of trust between users
• Concurrent writes by independent users
• Benefits for users
• Disintermediation

Slide 14

General use cases

• Banking
• Insurance
• Notary
• Electronic voting
• Crowdfunding
• Conditional execution of transactions (smart contracts)

Slide 15

General use cases

Interest of fintech in blockchain

Slide 16

General use cases

Notary / data anchoring / proof of existence with timestamping: https://woleet.io

Slide 17

Banks - Use cases

Slide 18

Banks

They have already started to work with blockchain...

Slide 19

Banks - Use cases & examples

Slide 20

Banks - Blocked deposit with legal interest rates

Slide 21

Banks - A standard for token management?

Token: custom unit of value for which you want to control issuance, use and conversion
ERC20 standard on Ethereum (EIP 20): https://github.com/ethereum/EIPs/issues/20
Use cases:
• Electronic currency
• Loyalty points (in retail)
• Purchase vouchers & coupons
• Proofs

Slide 22

Insurance

Use cases:
• Automatic payment of premiums
• Automatic computation of risks by oracles and smart contracts
• Single loss declaration
• Claim management
• Easy payment of compensations

Slide 23

Insurance - Use cases

Slide 24

Insurance - Examples

• Flight delays: « Flight Delays Suck! »: https://fdd.etherisc.com/
• Drought & flood: « Jamii Crop Insurance »: https://crop.etherisc.com/
• Social insurance (in test): « Etherisc Social Insurance »: https://govhack.etherisc.com/
• Natural catastrophe swaps and bonds (Allianz Risk Transfer AG & Nephila Capital Limited)
• Sidechain developments (Axa Strategic Ventures & Blockstream)

Slide 25

Insurance

Automatic compensation of flight delays: « Flight Delays Suck! »: https://fdd.etherisc.com/

Slide 26

Blockchain security

Slide 27

« The DAO » case (1/2)

• The DAO (Decentralized Autonomous Organization) was a crowdfunding smart contract developed by Slock.it (a company building electronic locks connected to the blockchain)
• More than $150 million was collected (about 15% of all ether at the time), a lot more than required!

Slide 28

« The DAO » case (2/2)

• June 17th, 2016: about one third of the funds were drained through an implementation vulnerability: a recursive (re-entrant) call of the contract's withdrawal function, which sent the ether out before updating the caller's balance
• « Hard fork » of Ethereum to move the funds out of the attacker's reach and return them to investors
• « Ethereum Classic » (ETC) keeps the original, unforked chain: governance issues...
• Legal issues for companies contracting with a smart contract: the DAO.LINK (Swiss company) solution

Slide 29

How to choose blockchain technology - The blockchain

Important criteria:
• Maturity
• Security
• Interoperability (oracles and sidechains)
• Support
• Smart contract possibilities
• Scaling (maximum transaction size, delay between blocks)

Some blockchains: Bitcoin, Ethereum, Ripple, Byteball (DAG), Lisk, Tezos, ...

Slide 30

How to choose blockchain technology - Smart contract programming language

Imperative languages:
• Common
• Easier to write
• Complex to verify using formal proofs

Functional languages:
• Unusual
• Complex
• Quite easy to verify using formal proofs (no side effects)

Slide 31

Security best practices - Functional best practices

• Simplicity, modularity, code reuse
• Unit testing & integration testing
• Economic incentives:
  • Limitation of amounts (cap the value a single contract can hold, so that a bug has a bounded cost)
  • Bug bounties (e.g. https://bountyfactory.io )
  • Prediction markets (e.g. https://gnosis.pm/ , https://augur.net/ )
• Separation of conditions and actions in the code (« Condition-Oriented Programming »)

Slide 32

Security best practices - Technical best practices

• Implementation of a « killswitch » in the smart contracts (an owner-controlled stop that freezes the contract; whoever holds it can freeze everybody's funds, so it is a trade-off against trustlessness)
• Pre- & post-conditions in the functions
• Use of formal proofs
• Use of « mocks » in tests (e.g. for oracles)
• Use of test environments (frameworks, testnets...)
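The condition-oriented style from slide 31 and the killswitch and pre-/post-conditions from slide 32, combined in one added Solidity example (written for this page, not code from the deck) on the blocked-deposit use case of slide 20: every condition is a modifier, function bodies only contain the action, one modifier checks a post-condition after the body, and the bank holds a kill switch that freezes the contract and lets each party recover only its own money. Contract, function and role names are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Blocked deposit: the client locks a principal until a release date, the bank
// pre-funds the interest at deployment. Every condition is a modifier; the
// function bodies only contain the action ("condition-oriented programming").
contract TermDeposit {
    address public immutable bank;        // holds the kill switch
    address public immutable client;
    uint256 public immutable releaseTime; // unix timestamp
    uint256 public immutable interest;    // wei, funded by the bank in the constructor
    uint256 public principal;             // wei, set by the client's single deposit

    bool public stopped;  // kill switch engaged
    bool public paidOut;  // funds have left the contract

    // --- pre-conditions ---------------------------------------------------
    modifier onlyBank()   { require(msg.sender == bank, "not bank"); _; }
    modifier onlyClient() { require(msg.sender == client, "not client"); _; }
    modifier notStopped() { require(!stopped, "contract stopped"); _; }
    modifier isStopped()  { require(stopped, "contract not stopped"); _; }
    modifier funded()     { require(principal > 0, "no deposit"); _; }
    modifier matured()    { require(block.timestamp >= releaseTime, "term not elapsed"); _; }
    modifier notPaid()    { require(!paidOut, "already paid out"); _; }

    // --- post-condition: after a payout the contract must be empty ---------
    modifier emptiesContract() {
        _;
        require(paidOut && address(this).balance == 0, "post-condition: funds remain");
    }

    constructor(address _client, uint256 _releaseTime) payable {
        require(msg.value > 0, "interest must be funded");
        bank = msg.sender;
        client = _client;
        releaseTime = _releaseTime;
        interest = msg.value;
    }

    // Action: the client deposits the principal exactly once.
    function deposit() external payable onlyClient notStopped {
        require(principal == 0 && msg.value > 0, "single non-zero deposit");
        principal = msg.value;
    }

    // Action: after maturity the client redeems principal + interest.
    function redeem() external onlyClient notStopped funded matured notPaid emptiesContract {
        paidOut = true;                       // effect before interaction
        _send(client, principal + interest);
    }

    // Kill switch: the bank freezes the contract if a flaw is discovered.
    function stop() external onlyBank notStopped {
        stopped = true;
    }

    // Once stopped, each party only recovers what it put in; nobody earns anything.
    function emergencyRefund() external isStopped notPaid emptiesContract {
        paidOut = true;
        _send(client, principal);
        _send(bank, interest);
    }

    function _send(address to, uint256 amount) private {
        if (amount == 0) return;
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

Modifiers run in the order listed, so the cheap checks (`onlyClient`, `notStopped`) reject bad calls before the state-dependent ones; `emptiesContract` is last so that its `require` executes after the body. In a test suite each modifier maps to one negative unit test (call `redeem()` before maturity, from the wrong address, after a `stop()`, twice), which is the practical payoff of keeping conditions out of the function bodies.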

Slide 33

Blockchain services

Slide 34

Our blockchain services

• Blockchain solutions
• Technical and legal risk analysis
• Blockchain trainings
• Smart contract & PoC development
• Smart contracts & cryptography audits

For the best specific recommendations for your project, contact us!

Slide 35

Thanks! Questions?

IT & IoT Security
Contact: [email protected] [email protected]
Follow us on Twitter!: @iotcert