NullCon – Goa, India – March 3rd-4th, 2017 Renaud Lifchitz ([email protected] ) Blockchain and security: bank and insurance applications

Post on 22-May-2020

5 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Blockchain and security: bank and insurance applications Renaud ... · P. 3 Blockchain and security: bank and insurance applications - Digital Security. About Digital Security Company


Outline

Introduction to blockchain

Blockchain advantages

General use cases

Use cases in banks

Use cases in insurances

Security concerns

How to choose blockchain technology

How to choose programming language

Security best practices


Speaker's bio

French senior security engineer

Main activities: Penetration testing & security audits

Security research

Security trainings

Significant security studies about: contactless debit cards, GSM geolocation, blockchain, RSA signatures, ZigBee, Sigfox, LoRaWAN, Vigik access control and quantum computation

https://speakerdeck.com/rlifchitz


About Digital Security

Company founded in 2015 by a group of experts with the support of Econocom Group

Provides advanced services in security audit, consulting and support

Our expertise combines traditional security for infrastructure and applications with skills oriented toward the ecosystem of connected objects

Has created the CERT-UBIK, first European CERT™ specialized in IoT security (OSIDO monitoring service)

Has a laboratory for studying new technologies, protocols and specific operating systems


Blockchain introduction


Blockchain

Global and distributed registry (no single point of failure)

Secure and reliable transmission of authenticated information

Lots of use cases and advantages

Fully customizable depending on business cases


Blockchain - Advantages

Scalability: it's easy to deploy nodes

Resilience: tolerant to attacks (network, applicative, DoS, …)

Data integrity & authenticity: authenticated and immutable data

Decentralization: no SPoF (Single Point of Failure), no trusted third party

Transaction speed compared to interbank networks (e.g.: SWIFT)


Trusted network


Smart contracts

Automated, decentralized, conditional and safe execution of defined commitments (contracts)

Read-only contracts as soon as they are deployed

Tamper-proof execution

Wide range of possible contracts

Multi-party contracts

dApp: decentralized web application connected to one or several contracts on a blockchain


Smart contracts

« State of the dApps », a public directory of Ethereum dApps: http://dapps.ethercasts.com/


Oracles

Program acting as a gateway between a blockchain and the real world, or more generally the Web

Execution prerequisites of a contract: current weather, stock market price, news, account balance...

An oracle is a callable function from a smart contract


A promising blockchain: Ethereum

First version: July 2015

~ 15 seconds per block

Powerful (« Turing-complete ») smart contracts, unlike Bitcoin

Mature oracle system: http://www.oraclize.it with provably honest security

Excellent community support

Rich documentation

Most useful smart contracts currently

Smart contract programming language: Solidity (strongly typed JavaScript variant)


Blockchain use cases


Why a blockchain? Or why you shouldn't use it everywhere...

Cons:

Limited size and number of transactions per second (Bitcoin: ~3-7 transactions/s, Ethereum: ~7-15 transactions/s)

Energy cost

Key factors of choice:

Lack of confidence between users

Concurrent writing by independent users

Benefits for users

Disintermediation


General use cases

Banking

Insurance

Notary

Electronic voting

Crowdfunding

Conditional execution of transactions (smart contracts)


General use cases

Interests of FINTECH in blockchain


General use cases

Notary / Data anchoring / Proof of existence with timestamping:

https://woleet.io


Banks


Use cases


Banks


They already started to work with blockchain...


Banks


Use cases & examples


Banks


Blocked deposit with legal interest rates


Banks

Token: Custom unit of value for which you want to control issuance, use and conversion

ERC20 standard on Ethereum: https://github.com/ethereum/EIPs/issues/20

Use cases:

Electronic currency

Loyalty points (in retail)

Purchase vouchers & coupons

Proofs


A standard for token management?


Insurances

Use cases:

• Automatic payment of premiums

• Automatic computation of risks by oracles and smart contracts

• Unique loss declaration

• Claim management

• Easy payment of compensations


Insurances


Use cases


Insurances

Examples

Flight delays: « Flight Delays Suck! »: https://fdd.etherisc.com/

Drought & flood: « Jamii Crop Insurance »: https://crop.etherisc.com/

Social insurance (in test): « Etherisc Social Insurance »: https://govhack.etherisc.com/

Natural disasters swap risks and bonds (Allianz Risk Transfer AG & Nephila Capital Limited)

Sidechains developments (Axa Strategic Ventures & Blockstream)


Insurances

Automatic compensation of flight delays:

« Flight Delays Suck! » : https://fdd.etherisc.com/


Blockchain security


« The DAO » case (1/2)

The DAO (Decentralized Autonomous Organization) was a crowdfunding smart contract developed by Slock.it (electronic lock connected to the blockchain)

More than $150 million was collected (15% of all ethers at the time), a lot more than required!


« The DAO » case (2/2)

June 17th, 2016: theft of one third of the funds by exploiting an implementation vulnerability involving recursive calls to the contract

« Hard Fork » to modify the contract and save the funds

« Ethereum Classic » (ETC) appears: governance issues...

Legal issues for companies contracting with a smart contract: the DAO.LINK (Swiss company) solution


How to choose blockchain technology

The blockchain

Important criteria:

Maturity

Security

Interoperability (oracles and sidechains)

Support

Smart contract possibilities

Scaling (transaction max size, delay between blocks)

Some blockchains: Bitcoin, Ethereum, Ripple, Byteball (DAG), Lisk, Tezos, ...


How to choose blockchain technology

Smart contract programming language

Imperative languages:

Common

Easier to write

Complex to verify using formal proofs

Functional languages:

Unusual

Complex

Quite easy to verify using formal proofs (no side effect)


Security best practices

Functional best practices

Simplicity, modularity, code reuse

Unit testing & integration testing

Economic incentives:

Limitation of amounts

Bug bounties (e.g.: https://bountyfactory.io)

Prediction markets (e.g.: https://gnosis.pm/, https://augur.net/)

Separation of conditions and actions in the code (« Condition-Oriented programming »)


Security best practices

Technical best practices

Implementation of a « killswitch » in the smart contracts

Pre & post-conditions in the functions

Use of formal proofs

Use of « mocks » in tests

Use of test environments (frameworks, testnets…)
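
Added example, not from the original slides or from Digital Security: a Solidity contract combining the practices listed above (killswitch, pre- and post-conditions, conditions separated from actions, limitation of amounts) and updating state before the external call, which is the defence against the recursive-call flaw of « The DAO » case. The contract name GuardedVault, its function names and the 1 ether cap are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: GuardedVault and every name below are hypothetical.
contract GuardedVault {
    address public immutable owner;
    bool public halted;                              // killswitch state
    uint256 public constant MAX_DEPOSIT = 1 ether;   // limitation of amounts (assumed cap)
    mapping(address => uint256) public balanceOf;
    uint256 public totalDeposits;

    constructor() { owner = msg.sender; }

    // Condition-oriented style: conditions live in modifiers, actions in function bodies.
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    modifier whenRunning() { require(!halted, "halted"); _; }
    modifier withinCap(uint256 amount) {
        require(amount > 0 && balanceOf[msg.sender] + amount <= MAX_DEPOSIT, "cap");
        _;
    }
    modifier hasFunds(uint256 amount) {
        require(amount > 0 && balanceOf[msg.sender] >= amount, "insufficient");
        _;
    }
    // Post-condition, checked after the body: the ledger never exceeds the ether held.
    modifier solvent() { _; assert(address(this).balance >= totalDeposits); }

    // Killswitch: stops new deposits; withdrawals stay open so funds are not trapped.
    function halt() external onlyOwner { halted = true; }

    function deposit() external payable whenRunning withinCap(msg.value) solvent {
        balanceOf[msg.sender] += msg.value;
        totalDeposits += msg.value;
    }

    function withdraw(uint256 amount) external hasFunds(amount) solvent {
        // Effects first: the ledger is updated before any external call...
        balanceOf[msg.sender] -= amount;
        totalDeposits -= amount;
        // ...so a recursive call made by the recipient sees the reduced balance
        // and cannot withdraw more than the caller owns.
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```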


Blockchain services


Our blockchain services

Blockchain solutions

Technical and legal risk analysis

Blockchain trainings

Smart contract & PoC development

Smart contracts & cryptography audits

For the best specific recommendations for your project, contact us!


Thanks!

Questions?

IT & IoT Security

Contact:

[email protected]

[email protected]


Follow us on Twitter!: @iotcert