Blockchain and security: bank and insurance applications

This talk focuses only on practical and concrete financial uses of the blockchain, with attention to all the security issues that can arise. We will discuss its advantages and applications in the banking and insurance areas: use cases, presentations of current projects, the use of oracles to interact with the real world, and concrete live demonstrations of smart contracts driven by economic indicators. We will then cover the security fundamentals in detail, with an analysis of blockchain issues and risks, a review of the « The DAO » security flaw (the largest-ever crowdsourced fundraising: 150 million dollars), the importance of the choice of blockchain technology and of the programming language for « smart contracts », and the technical and functional security best practices needed to guarantee a sufficient level of trust in the technology.

Renaud Lifchitz

March 03, 2017

Transcript

  1. NullCon – Goa, India – March 3rd-4th, 2017. Renaud Lifchitz ([email protected]). Blockchain and security: bank and insurance applications
  2. Outline
     • Introduction to blockchain
     • Blockchain advantages
     • General use cases
     • Use cases in banks
     • Use cases in insurance
     • Security concerns
     • How to choose blockchain technology
     • How to choose programming language
     • Security best practices
     P. 2 Blockchain and security: bank and insurance applications - Digital Security
  3. Speaker's bio: French senior security engineer. Main activities:
     • Penetration testing & security audits
     • Security research
     • Security trainings
     Significant security studies about: contactless debit cards, GSM geolocation, blockchain, RSA signatures, ZigBee, Sigfox, LoRaWAN, Vigik access control and quantum computation. https://speakerdeck.com/rlifchitz
  4. About Digital Security: company founded in 2015 by a group of experts with the support of Econocom Group. Provides advanced services in security audit, consulting and support. Our expertise combines traditional infrastructure and application security with skills oriented to the ecosystem of connected objects. Has created CERT-UBIK, the first European CERT™ specialized in IoT security (OSIDO monitoring service). Has a laboratory for studying new technologies, protocols and specific operating systems.
  5. Blockchain [Introduction]
     • Global and distributed registry (no single point of failure)
     • Secure and reliable transmission of authenticated information
     • Lots of use cases and advantages
     • Fully customizable depending on business cases
  6. Blockchain - Advantages [Introduction]
     • Scalability: it's easy to deploy nodes
     • Resilience: tolerant to attacks (network, application-level, DoS, …)
     • Data integrity & authenticity: authenticated and immutable data
     • Decentralization: no SPoF (Single Point of Failure), no trusted third party
     • Transaction speed compared to interbank networks (e.g. SWIFT)
     Trusted network
  7. Smart contracts [Introduction]
     • Automated, decentralized, conditional and safe execution of defined commitments (contracts)
     • Read-only contracts as soon as they are deployed
     • Tamper-proof execution
     • Wide range of possible contracts
     • Multi-party contracts
     • dApp: decentralized web application connected to one or several contracts on a blockchain
  8. Smart contracts [Introduction]: « State of the dApps », a public directory of Ethereum dApps: http://dapps.ethercasts.com/
  9. Oracles [Introduction]
     • Program acting as a gateway between a blockchain and the real world, or more generally the Web
     • Execution prerequisites of a contract: current weather, stock market price, news, account balance...
     • An oracle is a function callable from a smart contract
  10. A promising blockchain: Ethereum [Introduction]
     • First version: July 2015
     • ~15 seconds per block
     • Powerful (« Turing-complete ») smart contracts, unlike Bitcoin
     • Mature oracle system: http://www.oraclize.it with provably honest security
     • Excellent community support
     • Rich documentation
     • Most useful smart contracts currently
     • Smart contract programming language: Solidity (strongly typed JavaScript variant)
  11. Why a blockchain? Or why you shouldn't use it everywhere... [Blockchain use cases]
     Cons:
     • Limited size and number of transactions per second (Bitcoin: ~3-7 transactions/s, Ethereum: ~7-15 transactions/s)
     • Energy cost
     Key factors of choice:
     • Lack of confidence between users
     • Concurrent writing by independent users
     • Benefits for users
     • Disintermediation
  12. General use cases [Blockchain use cases]: banking, insurance, notary, electronic voting, crowdfunding, conditional execution of transactions (smart contracts)
  13. General use cases [Blockchain use cases]: interests of FINTECH in blockchain
  14. General use cases [Blockchain use cases]: notary / data anchoring / proof of existence with timestamping: https://woleet.io
  15. Banks [Blockchain use cases]: use cases
  16. Banks [Blockchain use cases]: they already started to work with blockchain...
  17. Banks [Blockchain use cases]: use cases & examples
  18. Banks [Blockchain use cases]: blocked deposit with legal interest rates
  19. Banks [Blockchain use cases]: a standard for token management?
     • Token: custom unit of value for which you want to control issuance, use and conversion
     • ERC20 standard on Ethereum: https://github.com/ethereum/EIPs/issues/20
     • Use cases: electronic currency; loyalty points (in retail); purchase vouchers & coupons; proofs
  20. Insurance [Blockchain use cases]: use cases
     • Automatic payment of premiums
     • Automatic computation of risks by oracles and smart contracts
     • Unique loss declaration
     • Claim management
     • Easy payment of compensations
  21. Insurance [Blockchain use cases]: use cases
  22. Insurance [Blockchain use cases]: examples
     • Flight delays: « Flight Delays Suck! »: https://fdd.etherisc.com/
     • Drought & flood: « Jamii Crop Insurance »: https://crop.etherisc.com/
     • Social insurance (in test): « Etherisc Social Insurance »: https://govhack.etherisc.com/
     • Natural disaster risk swaps and bonds (Allianz Risk Transfer AG & Nephila Capital Limited)
     • Sidechain developments (Axa Strategic Ventures & Blockstream)
  23. Insurance [Blockchain use cases]: automatic compensation of flight delays: « Flight Delays Suck! »: https://fdd.etherisc.com/
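How an oracle-settled policy such as the flight-delay product above can be wired to an oracle as described on slide 9, shown as an added illustration that is not Etherisc's or Oraclize's code: the contract accepts delay data only from one trusted oracle address, keys every request by an id so a result cannot be replayed, and settles each policy exactly once. The contract, function and constant names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration (assumed names): a minimal flight-delay policy settled by an oracle.
contract FlightDelayPolicy {
    address public immutable insurer;
    address public immutable oracle;          // the only address allowed to deliver delay data
    uint256 public constant PREMIUM = 0.01 ether;
    uint256 public constant PAYOUT  = 0.1 ether;
    uint256 public constant DELAY_THRESHOLD = 45; // minutes of delay that trigger a payout

    struct Policy { address holder; bool settled; }
    mapping(bytes32 => Policy) public policies;   // keyed by oracle request id

    event DelayRequested(bytes32 indexed requestId, string flight);
    event Settled(bytes32 indexed requestId, uint256 delayMinutes, bool paid);

    modifier onlyOracle() { require(msg.sender == oracle, "not oracle"); _; }

    // Deploying with value pre-funds the payout reserve; receive() lets the insurer top it up.
    constructor(address _oracle) payable { insurer = msg.sender; oracle = _oracle; }
    receive() external payable {}

    // Customer pays the premium; the contract asks the oracle (off-chain) for the flight's delay.
    function buy(string calldata flight) external payable returns (bytes32 requestId) {
        require(msg.value == PREMIUM, "wrong premium");
        requestId = keccak256(abi.encodePacked(msg.sender, flight, block.number));
        require(policies[requestId].holder == address(0), "duplicate request");
        policies[requestId] = Policy(msg.sender, false);
        emit DelayRequested(requestId, flight);   // the oracle service watches this event
    }

    // Oracle callback: only the trusted oracle, only once per request id (no replay).
    function fulfil(bytes32 requestId, uint256 delayMinutes) external onlyOracle {
        Policy storage p = policies[requestId];
        require(p.holder != address(0), "unknown request");
        require(!p.settled, "already settled");
        p.settled = true;                          // record the effect before paying out
        bool paid = delayMinutes >= DELAY_THRESHOLD;
        if (paid) {
            // If the reserve is too low the call fails and the whole callback reverts,
            // so the oracle can deliver the result again once the contract is funded.
            (bool ok, ) = p.holder.call{value: PAYOUT}("");
            require(ok, "payout failed");
        }
        emit Settled(requestId, delayMinutes, paid);
    }
}
```

The policy is only as trustworthy as the single oracle address it accepts; the authenticity proofs of an oracle service such as the one on slide 10 are one way to reduce that trust.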
  24. « The DAO » case (1/2) [Blockchain security]
     • The DAO (Decentralized Autonomous Organization) was a crowdfunding smart contract developed by Slock.it (electronic lock connected to the blockchain)
     • More than $150 million were collected (15% of all ethers at the time), a lot more than required!
  25. « The DAO » case (2/2) [Blockchain security]
     • June 17th, 2016: theft of one third of the funds through an implementation vulnerability: a recursive (re-entrant) call into the contract
     • « Hard fork » to modify the contract and save the funds
     • « Ethereum Classic » (ETC) appears: governance issues...
     • Legal issues for companies contracting through a smart contract: the DAO.LINK (Swiss company) solution
  26. How to choose blockchain technology [Blockchain security]: the blockchain. Important criteria:
     • Maturity
     • Security
     • Interoperability (oracles and sidechains)
     • Support
     • Smart contract possibilities
     • Scaling (transaction max size, delay between blocks)
     Some blockchains: Bitcoin, Ethereum, Ripple, Byteball (DAG), Lisk, Tezos, ...
  27. How to choose blockchain technology [Blockchain security]: smart contract programming language
     Imperative languages:
     • Common
     • Easier to write
     • Complex to verify using formal proofs
     Functional languages:
     • Unusual
     • Complex
     • Quite easy to verify using formal proofs (no side effects)
  28. Security best practices [Blockchain security]: functional best practices
     • Simplicity, modularity, code reuse
     • Unit testing & integration testing
     • Economic incentives: limitation of amounts; bug bounties (e.g. https://bountyfactory.io); prediction markets (e.g. https://gnosis.pm/, https://augur.net/)
     • Separation of conditions and actions in the code (« Condition-Oriented Programming »)
  29. Security best practices [Blockchain security]: technical best practices
     • Implementation of a « killswitch » in the smart contracts
     • Pre- & post-conditions in the functions
     • Use of formal proofs
     • Use of « mocks » in tests
     • Use of test environments (frameworks, testnets…)
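Added illustration of two of the practices above, a killswitch (here a pause flag controlled by the owner rather than selfdestruct) and pre-/post-conditions written as Solidity modifiers; this is not code from the talk, and the contract and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration (assumed names): killswitch plus pre- and post-condition modifiers.
contract GuardedEscrow {
    address public immutable owner;
    bool public paused;                        // killswitch: freezes state-changing entry points
    uint256 public totalDeposits;              // book-keeping total, compared to the ether held
    mapping(address => uint256) public balances;

    modifier onlyOwner()     { require(msg.sender == owner, "not owner"); _; }
    modifier whenNotPaused() { require(!paused, "contract halted"); _; }

    // Pre-condition: the caller must hold at least `amount`.
    modifier hasFunds(uint256 amount) {
        require(balances[msg.sender] >= amount, "insufficient balance");
        _;
    }
    // Post-condition: after the body runs, the contract must still cover every deposit.
    // ">=" rather than "==" because ether can be forced into a contract (e.g. via selfdestruct),
    // and a strict equality would then fail forever.
    modifier solvent() {
        _;
        assert(address(this).balance >= totalDeposits);
    }

    constructor() { owner = msg.sender; }

    // The killswitch: the operator halts the contract if a flaw is found, and may resume later.
    function halt() external onlyOwner { paused = true; }
    function resume() external onlyOwner { paused = false; }

    function deposit() external payable whenNotPaused solvent {
        balances[msg.sender] += msg.value;
        totalDeposits += msg.value;
    }

    function withdraw(uint256 amount) external whenNotPaused hasFunds(amount) solvent {
        balances[msg.sender] -= amount;                    // effects before the external call
        totalDeposits -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "send failed");
    }
}
```

Putting withdraw() behind the killswitch also means the operator can lock user funds; whether halt() should block withdrawals or only deposits is a design decision to state explicitly in the contract's documentation.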
  30. Our blockchain services: blockchain solutions; technical and legal risk analysis; blockchain trainings; smart contract & PoC development; smart contract & cryptography audits. For the best specific recommendations for your project, contact us!
  31. Thanks! Questions? IT & IoT Security. Contact: [email protected] [email protected]. Follow us on Twitter!: @iotcert