

Blockchain, decentralized applications and security

Renaud Lifchitz

March 01, 2018


Transcript

1. Blockchain, decentralized applications and security - Renaud Lifchitz, slide 3: The current Web is obsolete
   • The Web has been designed to be decentralized BUT…
   • It is more and more centralized: Google, Apple, Amazon, Microsoft, …
   • That makes spying easier
   • A lot of DDoS attacks succeed
   • A single server is not enough even to serve a single popular YouTube video
   • Hosting changes → URLs are broken
2. Many security weak points
   • DNS
   • SSL/TLS certificates
   • System security
   • Network security
   • Application security
   • Passwords
3. Scalability issues
   • Load balancing:
     – is complex
     – is costly
     – depends on the web technologies involved
   • Efficient DDoS protection is hard
4. A password marketplace?
   • A common task for security auditors: assess the strength of password hashes
   • A test on a single CPU/GPU for a few hours is usually not enough compared to what motivated attackers can throw at the hashes
   • So the idea is to build a collaborative marketplace with incentives to help:
     – people submit their password hashes, each with a given reward
     – whoever solves a hash is given the corresponding reward
5. A fully decentralized application? (1/2)
   • We need a fully decentralized application to avoid cheating, censorship, DDoS, downtime…
   • Several parts should be decentralized:
     – web back-end (core logic/app)
     – web front-end (storage of HTML/JS/CSS)
     – domain name (storage and resolver)
6. A fully decentralized application? (2/2)
   • I have chosen Ethereum technology with some beta components:
     – web back-end: Ethereum smart contract
     – web front-end: Ethereum Swarm
     – domain name: Ethereum Name Service (ENS)
7. Anti-cheat tricks
   • For the submitter:
     – You pay the reward in advance and it is locked in the contract (no insolvency)
   • For the solver:
     – You have to pay a small fee to submit an answer (no brute force through the contract)
     – The answer is verified by thousands of nodes (no corrupted server)
   • For all users:
     – Decentralized application (no DoS/DDoS, no downtime)
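The three rules above (reward locked up front, a fee per submission, verification by every node) fit in a small contract. The following is an added illustration written for this page in Solidity ^0.8, not the deck's passwords.eth contract (which the author says is unpublished). Assumed details: targets are SHA-256 hashes (the sha256() builtin is backed by the EVM precompile, which is also why the proof-of-concept is limited to SHA-256), the submission fee is a constant 0.001 ETH credited to the bounty's poster, and a commit/reveal step is added because a plain reveal would broadcast the recovered password in a public transaction, where anyone watching the mempool could copy it and front-run the solver.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added example for this page: a hash-bounty ("password marketplace")
/// contract implementing the deck's anti-cheat rules. Not the deck's own
/// contract. Assumed: SHA-256 targets, a flat 0.001 ETH submission fee,
/// and a commit/reveal step against mempool front-running.
contract PasswordBounty {
    uint256 public constant SUBMIT_FEE = 0.001 ether; // assumed value

    struct Bounty {
        address poster;
        uint256 reward;  // locked here at posting time: no insolvency
        bool solved;
    }

    mapping(bytes32 => Bounty) public bounties;        // target hash => bounty
    mapping(bytes32 => uint256) public commits;        // commitment => block number
    mapping(address => uint256) public pendingPayouts; // pull payments

    event BountyPosted(bytes32 indexed targetHash, address indexed poster, uint256 reward);
    event BountySolved(bytes32 indexed targetHash, address indexed solver);

    /// Submitter: the reward is paid in advance and stays locked until solved.
    function postBounty(bytes32 targetHash) external payable {
        require(msg.value > 0, "reward must be funded");
        require(bounties[targetHash].poster == address(0), "already posted");
        bounties[targetHash] = Bounty(msg.sender, msg.value, false);
        emit BountyPosted(targetHash, msg.sender, msg.value);
    }

    /// Solver, step 1: commit to an answer without revealing it. The fee makes
    /// blind guessing through the contract uneconomic; it goes to the poster.
    /// The solver computes off-chain:
    ///   commitment = keccak256(abi.encode(targetHash, preimage, solverAddress))
    function commit(bytes32 targetHash, bytes32 commitment) external payable {
        require(msg.value == SUBMIT_FEE, "fee required");
        Bounty storage b = bounties[targetHash];
        require(b.poster != address(0) && !b.solved, "no open bounty");
        require(commits[commitment] == 0, "duplicate commitment");
        commits[commitment] = block.number;
        pendingPayouts[b.poster] += msg.value;
    }

    /// Solver, step 2: reveal the preimage. Every node re-executes this
    /// check, so there is no server to corrupt. The commit is bound to
    /// msg.sender and must predate this block, so copying the preimage
    /// from the mempool does not let a front-runner claim the reward.
    function reveal(bytes32 targetHash, bytes memory preimage) public {
        bytes32 commitment = keccak256(abi.encode(targetHash, preimage, msg.sender));
        uint256 committedAt = commits[commitment];
        require(committedAt != 0 && committedAt < block.number, "commit first");
        Bounty storage b = bounties[targetHash];
        require(!b.solved, "already solved");
        require(sha256(preimage) == targetHash, "wrong answer"); // EVM precompile 0x02

        b.solved = true;               // effects before interactions
        delete commits[commitment];
        pendingPayouts[msg.sender] += b.reward;
        emit BountySolved(targetHash, msg.sender);
    }

    /// Anyone owed ether (solver reward or poster fees) pulls it here.
    function withdraw() external {
        uint256 amount = pendingPayouts[msg.sender];
        require(amount > 0, "nothing to withdraw");
        pendingPayouts[msg.sender] = 0;   // zero before sending: reentrancy-safe
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

Two design points worth noting. Payouts are pull-based and every state change happens before the external call, so neither the solver nor the poster can re-enter the contract during a transfer. The SHA-256 precompile costs 60 gas plus 12 per 32-byte word of input, i.e. almost nothing for a short password; a hash function with no precompile (MD5, NTLM, bcrypt…) would have to be written in Solidity and run by every node on every reveal, which is the gas problem the deck mentions later.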
8. The Ethereum blockchain
   • https://www.ethereum.org/
   • More than 22,000 online nodes!: https://www.ethernodes.org → the most secure/trustworthy blockchain today
   • Average block time (and hence transaction confirmation time): about 15 seconds
   • Allows safe execution of logic through smart contracts
   • Allows payments with its digital currency, ether (ETH): https://coinmarketcap.com/currencies/ethereum/
   • “Ethereum: the World Computer”: https://www.youtube.com/watch?v=j23HnORQXvs
9. Decentralized name service: Ethereum Name Service (ENS)
   • An ENS entry can map a .eth name to:
     – an individual Ethereum account
     – a content hash for decentralized storage (Swarm or IPFS)
   • ENS official web site: https://ens.domains/
   • Booking an entry: https://registrar.ens.domains/
   • ENS stats: https://ens.codetract.io/
10. Decentralized storage: Ethereum Swarm
   • Peer-to-peer storage and serving solution
   • DDoS-resistant, zero-downtime, fault-tolerant, censorship-resistant and (soon) self-sustaining with incentives
   • Swarm protocol: bzz://
   • The Swarm official web site is itself stored on… Swarm, and is served through a Swarm gateway:
     – http://swarm-gateways.net/ redirects to http://swarm-gateways.net/bzz:/theswarm.eth/
     – theswarm.eth resolves (via ENS) to the content hash 0x9b34db0158bad197cb28b374c79cd4090d5d75e197d0f118a8fc23835f3a22e0
     – so the same content is reachable directly at http://swarm-gateways.net/bzz:/9b34db0158bad197cb28b374c79cd4090d5d75e197d0f118a8fc23835f3a22e0/
   • Other examples:
     – Photo album: http://swarm-gateways.net/bzz:/photoalbum.eth/
11. Decentralized apps: smart contracts
   • A smart contract is an application core
   • Once deployed:
     – No one can modify the code or stop its execution (unless the contract itself was written with a kill switch such as selfdestruct, an owner-only pause, or an upgrade/proxy mechanism: those are part of the code and must be reviewed as such)
     – Every node executes the same code when it validates the transactions that call the contract
   • Smart contract + web front-end = “dApp”
   • Main programming language for Ethereum smart contracts: Solidity
12. Solidity basics
   • High-level language, syntax similar to JavaScript
   • Compiled to bytecode, then deployed on the blockchain
   • Designed to target the Ethereum Virtual Machine (EVM)
   • Statically typed, supports inheritance, libraries, complex user-defined types...
   • Ability to create contracts for voting, crowdfunding, blind auctions, multi-signature wallets and more!
   • Official documentation: https://solidity.readthedocs.io/en/develop/
13. Solidity code example
   Sequestration of funds until 30th July 2020 (https://hodlethereum.com/deposit)
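The slide showed the contract as an image, which the transcript does not carry. As an added illustration written for this page (not hodlethereum's code), here is the shape such a time-lock takes in Solidity ^0.8. Assumed: the release time is passed at deployment as a Unix timestamp (1596067200 is 2020-07-30T00:00:00Z), and each depositor can withdraw only their own balance.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added example for this page: ether deposited here cannot be withdrawn
/// before `releaseTime`. Not hodlethereum's contract. Assumed: release
/// time fixed at deployment, e.g. 1596067200 (2020-07-30T00:00:00Z).
contract TimeLock {
    uint256 public immutable releaseTime;
    mapping(address => uint256) public balances;

    event Deposited(address indexed who, uint256 amount);
    event Withdrawn(address indexed who, uint256 amount);

    constructor(uint256 _releaseTime) {
        require(_releaseTime > block.timestamp, "release time must be in the future");
        releaseTime = _releaseTime;
    }

    /// Anyone may lock ether; the deposit is credited to the sender only.
    function deposit() external payable {
        require(msg.value > 0, "nothing to deposit");
        balances[msg.sender] += msg.value;
        emit Deposited(msg.sender, msg.value);
    }

    /// Refuses until the release time, then pays out the caller's own balance.
    function withdraw() external {
        require(block.timestamp >= releaseTime, "still locked");
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        balances[msg.sender] = 0;            // effects before interaction
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        emit Withdrawn(msg.sender, amount);
    }

    // No owner, no selfdestruct, no upgrade path: once deployed, even the
    // author cannot release the funds early.
}
```

block.timestamp is chosen by the block producer, but protocol rules keep it within seconds of real time, which is harmless for a lock measured in months (it would matter for a lock of seconds). The absence of any owner or kill switch is what makes the "no one can stop it" property of the previous slide true for this contract, and it cuts both ways: a bug in withdraw() would lock the ether forever, which is why such code is exercised on a testnet before it touches mainnet.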
14. Developing & deploying the smart contract
   • Contract can be written using Browser Solidity (since renamed Remix): https://ethereum.github.io/browser-solidity/
   • Contract can be tested using the Truffle framework: http://truffleframework.com/ or on an Ethereum testnet (currently “Ropsten”)
   • Contract can be deployed & used using:
     – Parity: https://parity.io/
     – Mist: https://github.com/ethereum/mist/releases
15. What you may need (1/2)
   • A node/gateway:
     – IPFS (or a public one: https://ipfs.infura.io )
     – Swarm (or a public one: http://swarm-gateways.net/bzz:/passwords.eth/ )
     – Ethereum (or a public one: https://mainnet.infura.io/ )
16. What you may need (2/2)
   • For dApps:
     – An Ethereum wallet with a small balance (typically 0.005 ETH)
     – A dApp-compatible browser:
       • Desktop: Chrome extensions “ENS Gateway” & “MetaMask”, or Ethereum Mist or Parity
       • Mobile: Cipher, Status or Trust
     – An entry point: a URL, or https://www.stateofthedapps.com/ (~1200 projects listed!)
17. Using the passwords marketplace (3/3)
   bzz:/passwords.eth
18. A few words...
   • Nice and usable proof-of-concept, but:
     – Limited to SHA256 hashes for the moment: the EVM natively offers only keccak256, SHA-256 and RIPEMD-160, and implementing other password hash functions (MD5, NTLM, bcrypt…) in Solidity would make every verification far too expensive in gas → a solution would be to use a trusted oracle (at the cost of reintroducing a trusted party)
     – Code is quite ugly, needs some fixes before being published
   • Use it, share it, and audit your passwords!
19. Things of interest
   • One of my previous presentations about blockchains & security: https://tinyurl.com/blockchain-security
   • A French article and interview about my password market: https://tinyurl.com/passwords-eth
   • Security of light wallets (French MISC magazine, March 2018)
20. Thank you! Any questions?
   Ethereum: 0x0009Fd382E99dDD801736Ea4075a2eE5e4916B72
   ENS: nono2357.eth
   Tips are welcome! @nono2357