This is a guest posting by Michael Solomon PhD CISSP PMP CISM
Blockchain technology and cryptocurrency are often described as being secure at the core. But is this true? After seeing multiple security incidents with cryptocurrencies that resulted is large losses, is there really any such thing as a secure cryptocurrency?
Get TestRail FREE for 30 days!
Exploring How Cryptocurrency Works
Cryptocurrency is a form of digital currency that you can trade with other people and even use to pay for some goods and services. Since cryptocurrency isn’t legal tender, you can only use it to pay another person or business that chooses to accept it.
All cryptocurrency transactions are stored on a blockchain, a shared ledger that is immutable and synchronized among all nodes in the participating network. Check out the Blockgeeks guide for blockchain beginners if you want to learn more about the details.
The first step to get started in cryptocurrency is to establish a blockchain account. There are different ways to do this, but all approaches ultimately run software that generates a set of cryptographic keys. The software that creates these keys, and often helps you manage them, is called a cryptocurrency wallet. When you create a new account with a cryptocurrency wallet, the software generates a pair of public and private keys, also called asynchronous cryptography keys. These keys are related in that if you encrypt data with one of the keys, you decrypt it with the other one. The names of the keys indicate what you should do with them: Publish the public key anywhere you want, but keep the private key protected and secret.
Whenever you want to create a blockchain transaction, you first calculate a cryptographic hash of the transaction data, and then encrypt it with your private key. (A hash function takes a block of input and maps a unique, fixed-length number to that input. Any change to the input results in a different output.) Hash values are valuable to represent a document, a block of text or any data. The digital signature makes it possible for anyone to validate that the stated data owner actually owns that data.
To check any transaction, just decrypt the digital signature with the owner’s public key, then compare that value to a newly calculated hash of the transaction. If those two values match, voila! The transaction really came from the stated owner. That is how cryptocurrency ownership is validated. A valid owner of cryptocurrency can transfer some of that balance to any other account. A blockchain keeps a running record of cryptocurrency transfers, so the current balance of any account is right there for anyone to calculate.
Encountering the Security Problem
Just as you want to keep your real money safe, you also want to keep your cryptocurrency (and any other crypto assets) safe. You can define security at least two ways: Security means keeping your money, and security also means enforcing the CIA properties: confidentiality, integrity and availability.
You’ve already seen that digital signatures and the immutable property of blockchain give us data and transaction integrity. And since blockchain technology depends on the entire blockchain being shared among many nodes, it shouldn’t be easy to get any blockchain data you need from another node if one or more nodes are unavailable. So the only open issue seems to be confidentiality.
Confidentiality means ensuring that only authorized subjects can access protected data. Since data on blockchains are not normally encrypted, anyone can see it. When it comes to cryptocurrency security, it isn’t the actual transaction data that needs confidentiality. You already have some anonymity, since all blockchain transactions refer to addresses, not IDs of people. Because almost no one can find out which transactions belong to you, you probably don’t care that other people see the details of transactions from some blockchain address. (Yes, I’m oversimplifying here. Law enforcement and motivated hackers do have some ability to trace account activity back to a human, but it is hard.)
The real gem in securing cryptocurrency is your private key. That’s what you really need to secure. Once you lose the confidentiality of your private key, you lose the control of your cryptocurrency. Remember that all you really need to create and validate a transaction to transfer all your cryptocurrency to Joe Schmoe’s blockchain account is your private key. If Joe Schmoe gets your key, then he pretty much already has your crtpyocurrency.
Making Cryptocurrency Secure
The answer to securing your crypto assets is easy: Secure your private keys. The process to do that is easy, too. It just takes thought and some diligence.
You generate and store your private keys in a wallet. (I refer to multiple keys because each account has its own private key, and it is common to control multiple accounts.) So, how you pick and manage your wallet really dictates how secure your cryptocurrency really is.
This isn’t any different from real life. If you have a huge wad of cash, you don’t carry it where other people can see it and easily grab it. You’ll probably put it in a real wallet and hide it in your pocket. If you plan to be in an area with lots of people, you likely would put that wallet in a front pocket or even one that you can close and secure. The point is that you take care to avoid having your money stolen, depending on your environment.
Cryptographic wallets come in different flavors. You can use paper wallets, where you simply print your keys on a piece of paper, software wallets that store your keys either online or offline, or even hardware wallets, which are devices designed to store your keys securely. You have to balance security and convenience. An online software wallet is convenient but not very secure. A hardware wallet can be the most secure way to store your keys, but you sacrifice some convenience for that security. The goal is to choose an option that makes it as easy as possible for you to get your keys, but as hard as possible for anyone else to get them.
Of course, don’t just give your keys away to hackers. That sounds obvious, but hackers are getting very good at tricking users into providing all kinds of private information. Many hackers send out emails with malicious links in them. These phishing attacks try to get unsuspecting users to click on the links and then provide private information to what they think is a trusted party, but in reality, the links direct users to the hacker’s site and ask for information like user names, passwords and even private keys. People who are active in cryptocurrency trading are often the intended victims of target phishing attacks, called spear-phishing attacks. The best way to avoid these types of attacks is to stay informed and never follow links that someone sends to you. Always type in any address you want to follow in your web browser. That won’t protect you from all attacks, but it will make you far safer than the average user.
Another way to help protect your cryptocurrency is to do business with organizations that adhere to cryptocurrency security best practices. The CryptoCurrency Certification Consortium publishes and maintains the CryptoCurrency Security Standard (CCSS), which is a standard for how to securely manage cryptocurrency. Unfortunately, there aren’t too many organizations that have adopted this (or any other) cryptocurrency security standard. But it is interesting to read through the overview. CCSS defines 10 aspects of cryptocurrency security, and six of them deal directly with securing private keys. That should punctuate how closely key security is related to cryptocurrency security.
Securing cryptocurrency is mostly up to its owners. It is up to you to choose the best wallet and to conduct business with a trusted exchange. Although you don’t have much control of the security of the cryptocurrency tokens you use, it does make sense to use those with a proven track record for less risk. Stability takes diligence and effort. But it’s worth it.
Article written by Michael Solomon PhD CISSP PMP CISM, Professor of Information Systems Security and Information Technology at University of the Cumberlands.
Test Automation – Anywhere, Anytime