Blockchain and security: bank and insurance applications

Blockchain and security: bank and insurance applications

This talk will only focus on practical and concrete financial uses of the blockchain, with a focus on all security issues that can occur. Thus, we will discuss its advantages and applications in the bank and insurance areas, speaking about use cases, presentations of current projects, the use of oracles to interact with the real world, and with concrete and live demonstrations of smart contracts using economic indicators. We will talk in detail about the security fundamentals with an analysis of blockchain issues and risks, a review of « The DAO » security flaw (the largest-ever crowdsourced fundraising : 150 million dollars), the importance of the blockchain technology and of the programming langage for the « smart contracts », as well as good technical and functional security practices to guarantee a good enough level of trust in the technology.

9b368ee76aa2b65a870563d4829a4d5e?s=128

Renaud Lifchitz

March 03, 2017
Tweet

Transcript

  1. NullCon – Goa, India – March 3rd-4th, 2017 Renaud Lifchitz

    (renaud.lifchitz@digitalsecurity.fr) Blockchain and security: bank and insurance applications
  2. Outline Introduction to blockchain Blockchain advantages General use cases Use

    cases in banks Use cases in insurances Security concerns How to choose blockchain technology How to choose programming language Security best practices P. 2 Blockchain and security: bank and insurance applications - Digital Security
  3. Speaker's bio French senior security engineer Main activities:  Penetration

    testing & security audits  Security research  Security trainings Significant security studies about: contactless debit cards, GSM geolocation, blockchain, RSA signatures, ZigBee, Sigfox, LoRaWAN, Vigik access control and quantum computation https://speakerdeck.com/rlifchitz Blockchain and security: bank and insurance applications - Digital Security P. 3
  4. About Digital Security Company founded in 2015 by a group

    of experts with the support of Econocom Group Provides advanced services in security audit, consulting and support Our expertise combine traditional security for infrastructure and application, and skills oriented to the ecosystem of connected objects Has created the CERT-UBIK, first European CERT™ specialized on IoT security (OSIDO monitoring service) Has a laboratory for studying new technologies, protocols and specific operating systems Blockchain and security: bank and insurance applications - Digital Security P. 4
  5. Blockchain introduction

  6. Blockchain Global and distributed registry (no single point of failure)

    Secure and reliable transmission of authenticated information Lots of use cases and advantages Fully customizable depending on business cases P. 6 Blockchain and security: bank and insurance applications - Digital Security Introduction
  7. Blockchain - Advantages Scalability: it's easy to deploy nodes Resilience:

    tolerant to attacks (network, applicative, DoS, …) Data integrity & authenticity: authenticated and immutable data Decentralization: no SPoF (Single Point of Failure), no trusted third party Transaction speed compared to interbank networks (e.g.: SWIFT) P. 7 Blockchain and security: bank and insurance applications - Digital Security Introduction Trusted network
  8. Smart contracts Automated, decentralized, conditional and safe execution of defined

    commitments (contracts) Read-only contracts as soon as they are deployed Tamper-proof execution Wide range of possible contracts Multi-party contracts dApp: decentralized web application connected to one or several contracts on a blockchain P. 8 Blockchain and security: bank and insurance applications - Digital Security Introduction
  9. Smart contracts « State of the dApps », a public

    directory of Ethereum dApps: http://dapps.ethercasts.com/ P. 9 Blockchain and security: bank and insurance applications - Digital Security Introduction
  10. Oracles Program acting as a gateway between a blockchain and

    the real world, or more generally the Web Execution prerequisites of a contract: current weather, stock market price, news, account balance... An oracle is a callable function from a smart contract P. 10 Blockchain and security: bank and insurance applications - Digital Security Introduction
  11. A promising blockchain: Ethereum First version: July 2015 ~ 15

    seconds per block Powerful (« Turing-complete ») smart contracts, unlike Bitcoin Mature oracle system: http://www.oraclize.it with provably honest security Excellent community support Rich documentation Most useful smart contracts currently Smart contract programming language: Solidity (strongly typed Javascript variant) P. 11 Blockchain and security: bank and insurance applications - Digital Security Introduction
  12. Blockchain use cases

  13. Why a blockchain? Or why you shouldn't use it everywhere...

    Cons:  Limited size and number of transactions per second (Bitcoin: ~3-7 transactions/s., Ethereum: ~7-15 transactions/s.)  Energy cost Key factors of choice:  Lack of confidence between users  Concurrent writing by independent users  Benefits for users  Disintermediation Blockchain use cases P. 13 Blockchain and security: bank and insurance applications - Digital Security
  14. General use cases Banking Insurance Notary Electronic voting Crowdfunding Conditional

    execution of transactions (smart contracts) Blockchain use cases P. 14 Blockchain and security: bank and insurance applications - Digital Security
  15. General use cases Interests of FINTECH in blockchain Blockchain use

    cases P. 15 Blockchain and security: bank and insurance applications - Digital Security
  16. General use cases Notary / Data anchoring / Proof of

    existence with timestamping: https://woleet.io Blockchain use cases P. 16 Blockchain and security: bank and insurance applications - Digital Security
  17. Banks Blockchain use cases P. 17 Blockchain and security: bank

    and insurance applications - Digital Security Use cases
  18. Banks Blockchain use cases P. 18 Blockchain and security: bank

    and insurance applications - Digital Security They already started to work with blockchain...
  19. Banks Blockchain use cases P. 19 Blockchain and security: bank

    and insurance applications - Digital Security Use cases & examples
  20. Banks Blockchain use cases P. 20 Blockchain and security: bank

    and insurance applications - Digital Security Blocked deposit with legal interest rates
  21. Banks Token: Custom unit of value for which you want

    to control issuance, use and conversion ERP20 standard on Ethereum: https://github.com/ethereum/EIPs/issues/20 Use cases:  Electronic currency  Loyalty points (in retail)  Purchase vouchers & coupons  Proofs Blockchain use cases P. 21 Blockchain and security: bank and insurance applications - Digital Security A standard for token management?
  22. Insurances Use cases: • Automatic payment of premiums • Automatic

    computation of risks by oracles and smart contracts • Unique loss declaration • Claim management • Easy payment of compensations Blockchain use cases P. 22 Blockchain and security: bank and insurance applications - Digital Security
  23. Insurances Blockchain use cases P. 23 Blockchain and security: bank

    and insurance applications - Digital Security Use cases
  24. Insurances Examples Flight delays: « Flight Delays Suck! »: https://fdd.etherisc.com/

    Drought & flood: « Jamii Crop Insurance »: https://crop.etherisc.com/ Social insurance (in test): « Etherisc Social Insurance » https://govhack.etherisc.com/ Natural disasters swap risks and bonds (Allianz Risk Transfer AG & Nephila Capital Limited) Sidechains developments (Axa Strategic Ventures & Blockstream) Blockchain use cases P. 24 Blockchain and security: bank and insurance applications - Digital Security
  25. Insurances Automatic compensation of flight delays: « Flight Delays Suck!

    » : https://fdd.etherisc.com/ Blockchain use cases P. 25 Blockchain and security: bank and insurance applications - Digital Security
  26. Blockchain security

  27. « The DAO » case (1/2) The DAO (Decentralized Autonomous

    Organization) was a crowdfunding smart contract developed by Slock.it (electronic lock connected to the blockchain) More than $150 millions were collected (15% of all ethers at this time), a lot more than required! Blockchain security P. 27 Blockchain and security: bank and insurance applications - Digital Security
  28. « The DAO » case (2/2) June 17th, 2016: robbery

    of one third of the funds using an implementation vulnerability with the recursive call of the contract « Hard Fork » to modify the contract and save the funds « Ethereum Classic » (ETC) appears: governance issues... Legal issues for companies contracting with a smart contract: the DAO.LINK (Swiss company) solution Blockchain security P. 28 Blockchain and security: bank and insurance applications - Digital Security
  29. How to choose blockchain technology The blockchain Important criterions: 

    Maturity  Security  Interoperability (oracles and sidechains)  Support  Smart contract possibilities  Scaling (transaction max size, delay between blocks) Some blockchains: Bitcoin, Ethereum, Ripple, Byteball (DAG), Lisk, Tezos, ... Blockchain security P. 29 Blockchain and security: bank and insurance applications - Digital Security
  30. How to choose blockchain technology Smart contract programming language Imperative

    languages:  Common  Easier to write  Complex to verify using formal proofs Functional languages:  Unusual  Complex  Quite easy to verify using formal proofs (no side effect) Blockchain security P. 30 Blockchain and security: bank and insurance applications - Digital Security
  31. Security best practices Functional best practices Simplicity, modularity, code reuse

    Unit testing & integration testing Economic incentives:  Limitation of amounts  Bug bounties (ex. : https://bountyfactory.io )  Prediction markets (ex. : https://gnosis.pm/ , https://augur.net/ ) Separation of conditions and actions in the code (« Condition-Oriented programming ») Blockchain security P. 31 Blockchain and security: bank and insurance applications - Digital Security
  32. Security best practices Technical best practices Implementation of a «

    killswitch » in the smart contracts Pre & post-conditions in the functions Use of formal proofs Use of « mocks » in tests Use of test environments (frameworks, testnets…) Blockchain security P. 32 Blockchain and security: bank and insurance applications - Digital Security
  33. Blockchain services

  34. Our blockchain services Blockchain solutions Technical and legal risk analysis

    Blockchain trainings Smart contract & PoC development Smart contracts & cryptography audits For the best specific recommendations for your project, contact us!  P. 34 Blockchain and security: bank and insurance applications - Digital Security
  35. Thanks! Questions? IT & IoT Security Contact: renaud.lifchitz@digitalsecurity.fr info@digitalsecurity.fr P.

    35 Blockchain and security: bank and insurance applications - Digital Security Follow us on Twitter!: @iotcert