In this post, we get insights from Ashok Misra, CISSP, Founder at Alina Consultants. He will present in Vancouver on “How Blockchain Technology Offers Improvements to Payment Security”.
How does your experience with constructing e-commerce systems inform your insight into payment security?
It is impossible to separate ecommerce credit card functional architecture from security. The design of any ecommerce payment system needs to be constructed keeping security in mind. This is because the information being protected, i.e. the PAN, is submitted to parties (merchants) authorized to issue payments. Also, PANs have rather low entropy. Furthermore, authentication information for PANs is also submitted to merchants in the clear. They are forbidden to store critical authentication information; however, the data does pass through their systems.
Thus merchants’ payment systems are a critical attack surface for credit cards breaches.
Years and years of designing ecommerce systems have taught me that security cannot be an afterthought that can be plugged in after a system is designed.
Secure systems need to be built by keeping security in mind at the beginning of the design cycle and throughout the development cycle.
Also, my experience with secure ecommerce systems has taught me that secure ecommerce systems are not just a matter of deploying secure primitives and algorithms; implementation of a secure architecture is equally important.
In a larger sense, my experience leads me to appreciate that payments security is a non-trivial and highly specialized multi-subject discipline that requires deep study and a constant update of one’s knowledge.
How do you see cryptocurrency’s role within the payment security space?
Cryptocurrency forces us to reexamine traditional ideas of security and trust.
Thus far we have had to rely on centralized architecture and trusted entities to achieve privacy, trust and security. In contrast, Bitcoin achieves security in a decentralized manner through emergent network properties. In fact, Bitcoin has provided the first solution for the ‘Byzantine Generals’ problem, a distributed architecture problem that had until recently been deemed unsolvable by computer scientists.
Cryptocurrency eliminates the need for trust wherein we expect parties to operate in line with their stated intent. Trust in cryptocurrencies is achieved not based upon the belief that parties will honour their obligations, but on the strength of the underlying algorithms and on network properties. These protocols, by design, result in maleficent activity being less rewarding than honest activity.
Bitcoin challenges orthodox notions of achieving security. The more one studies its technical underpinnings, the more convinced one will be about its far-reaching potential, both as a currency and as a protocol.
Indeed, the underlying architecture for a cryptocurrency such as bitcoin could be used as the backbone for payment security and this is the basis of my talk at this year’s meeting.
Can you describe the relationship between bitcoin and blockchain technology?
The blockchain is a distributed, living and tamper-proof ledger in which bitcoin transactions are recorded. bitcoin transactions are merely the transfer of certain units of the currency from one party to another. Every node in the network can maintain its own copy of the ledger. The protocol for writing transactions to this ledger is governed by open source software (released under the terms of the MIT license). The protocol uses well-established, public security primitives and data structures such as SHA256 hashes, Elliptic Curve Asymmetric Cryptography and Merkle trees. Transactions are grouped into blocks and the blocks themselves are linked to subsequent blocks. The underlying data structure (the Merkle tree) makes it impossible to modify transactions that have already been written. This protocol is referred to as ‘Bitcoin’ (note the use of the uppercase ‘B’ in Bitcoin).
The cryptocurrency bitcoin (note the lowercase ‘b’ in bitcoin) is an application built on top of the blockchain. This application allows for the use of ‘bitcoin’ as a monetary instrument. ‘bitcoin’ embodies all the properties of money, i.e. it retains its value due to its scarcity, it is fungible, transactions are non-repudiable, transfers are not reversible and authenticity can be trivially verified. The largest unit of the currency is a bitcoin, known by the symbol ‘BTC’, and the smallest fraction that can be exchanged is a ‘Satoshi’, which is one hundred millionth of a BTC. Unlike sovereign government-issued fiat currency, ‘bitcoin’ is a currency without a central issuing authority. ‘bitcoins’ are created as a financial reward for solving a mathematical puzzle related to stamping the blockchain ledger with new transactions. Entities who earn the reward for stamping the ledger are termed ‘miners’. This is analogous to mining for a precious metal such as gold. Solving the puzzle requires a humongous amount of mathematical effort using purpose-built hardware. The difficulty of the puzzle adjusts dynamically based upon certain conditions. The solution to the puzzle is easy to verify but impossible to falsify.
The owner of any number of units of the currency may transfer them to another individual in exchange for services or commodities. ‘bitcoin’ is a deflationary currency. The number of bitcoins that can be injected into the economy through mining will asymptotically cap the money supply to an upper bound of twenty one million BTC.
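To make the ledger structure described in this answer concrete, here is an added toy example (not the speaker's code and not Bitcoin's actual implementation): transactions are hashed into a Merkle root, the root and the previous block's id go into a header that must hash below a difficulty target, and a validator recomputes everything to catch a rewritten transaction. The transaction dicts, the simplified header layout and the 12-bit difficulty are constructed simplifications.

```python
import hashlib, json

DIFFICULTY_BITS = 12  # toy difficulty: a valid header hash must start with 12 zero bits
TARGET = 1 << (256 - DIFFICULTY_BITS)  # verifying is one comparison; solving means searching nonces

def sha256d(data: bytes) -> bytes:
    # Double SHA-256, the hash Bitcoin applies to transactions and block headers
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def merkle_root(hashes: list) -> bytes:
    # Fold hashes pairwise up to one root; an odd last hash is paired with itself
    level = list(hashes)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha256d(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def block_id(blk: dict) -> bytes:
    # Simplified header: previous block id + Merkle root + nonce. Transactions are constructed
    # dicts hashed from their canonical JSON, not Bitcoin's wire format.
    root = merkle_root([sha256d(json.dumps(t, sort_keys=True).encode()) for t in blk["txs"]])
    return sha256d(blk["prev"] + root + blk["nonce"].to_bytes(8, "little"))

def mine_block(prev: bytes, txs: list) -> dict:
    blk = {"prev": prev, "txs": txs, "nonce": 0}
    while int.from_bytes(block_id(blk), "big") >= TARGET:
        blk["nonce"] += 1
    return blk

def chain_is_valid(chain: list) -> bool:
    # Recompute every id; an edited transaction changes its root, breaking the target and the next link
    prev = b"\x00" * 32
    for blk in chain:
        if blk["prev"] != prev or int.from_bytes(block_id(blk), "big") >= TARGET:
            return False
        prev = block_id(blk)
    return True

def build_demo_chain() -> list:
    genesis = mine_block(b"\x00" * 32, [{"from": "coinbase", "to": "alice", "btc": 50}])
    second = mine_block(block_id(genesis), [{"from": "alice", "to": "bob", "btc": 1.5},
                                           {"from": "alice", "to": "carol", "btc": 0.25}])
    return [genesis, second]

def tampered_demo_chain() -> list:
    # Same chain with an amount in the earlier block rewritten after the fact
    bad = build_demo_chain()
    bad[0]["txs"][0]["btc"] = 500
    return bad
```

Because the second block stores the id of the first, rewriting the earlier amount invalidates the stored link as well as the first block's proof of work; a real attacker would have to redo the work for that block and every block after it.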
How do you think the payment security space has changed over the last year?
Payment security has been keeping up reactively with the landscape of new threat vectors, the deprecation of unsafe ciphers and changes in attack surface due to the introduction of new payment method implementations. The last year was no exception. For example, we have seen recently that SSL 3.0 is insecure as the block ciphers it uses are vulnerable to the POODLE attack. The DSS was quick to state its posture on SSL/TLS.
What is the main point that you hope attendees to your session will come away with?
I hope attendees to my session will be convinced that cryptocurrencies are not merely an academic foray for a currency built on a distributed ledger.
Cryptocurrency is currently being accepted by several well-known merchants and its use is growing.
Bitcoin challenges orthodox notions of privacy, trust and security. The more one studies its technical underpinnings, the more convinced one will be about its far-reaching potential, both as a currency and as a protocol.