Subhash Kak
Jan 12, 2017, 09:02 PM | Updated 09:02 PM IST
In a digital society both information and identity are at risk if appropriate measures are not taken to counter persistent attacks by criminals and inimical state actors. The protection of data and identities is a continuing game between system administrators and the perpetrators in which the attacks have become more sophisticated whereas new technology is developed to rebuff the attacks.
The recent demonetisation of banknotes is intended to block the flow of counterfeit notes, dismantle the cash-centric black market and turn India into a digitised economy. This has made the need to have a long-term strategy for cybersecurity inevitable. As more of the population enters the formal economy, attacks on digital assets and identities will increase.
Cryptographic codes which secure digital assets may be difficult to break by brute force. But they can be bypassed by backdoors or accidental or deliberate compromise of the keys. A recent example of this was seen in the hacking of the DNC emails that some claim influenced the 2016 presidential election.
A new solution is emerging that can mitigate some of the cybersecurity concerns of today. Called blockchain technology (BT), it represents a new distributed approach to security that does not suffer from the weaknesses of centralized encryption-based protection of data. Originally invented in 2008 to create the peer-to-peer digital cash Bitcoin, the method aggregates transactions into blocks, each of which is added to a chain of existing blocks using a hash signature, and anyone can add a block of transactions.
BT is being proposed not only for financial transactions but also for protecting critical infrastructure against cyber-attacks, reducing operational costs and tracking eligibility for social transactions, as well as for the value of its transparency and traceability. The Estonian government has experimented with a form of distributed ledger technology that allows citizens to verify the integrity of their records on government databases and makes it impossible for privileged insiders to perform illegal acts inside the government networks.
The business world has acknowledged the possibilities of using BT in assuring ownership and provenance for goods and intellectual property. A company called Everledger provides a distributed ledger that assures the identity of diamonds, from being mined and cut to being sold and insured.
IBM, Google, Microsoft, Amazon and other tech powerhouses have also developed blockchain applications. But this seemingly impulsive embrace of BT does not imply the resolution of trust problems with the technology.
BT-based distributed ledgers are inherently hard to attack because instead of a single database, there are multiple shared copies of the same database, so success is possible only through simultaneous attacks on all the copies. The technology is resilient to unauthorised change or malicious tampering, since the participants in the network will immediately spot a change to one part of the ledger.
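The tamper-evidence argument above, as an added example that is not part of the original article: a toy hash-chained ledger held by three constructed replicas. An edit to one copy fails that copy's own chain check, and a copy re-hashed to look self-consistent is still exposed when head hashes are compared across copies. All names (`block_hash`, `node_a`, the sample transactions) are hypothetical, and this simplified model is not Bitcoin's block format.

```python
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64  # constructed predecessor value for the first block

def block_hash(index, prev_hash, txs):
    body = json.dumps([index, prev_hash, txs], sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()  # covers position, link, contents

def build_chain(batches):
    chain, prev = [], GENESIS
    for i, txs in enumerate(batches):
        h = block_hash(i, prev, txs)
        chain.append({"index": i, "prev": prev, "txs": list(txs), "hash": h})
        prev = h
    return chain

def first_bad_block(chain):
    """Index of the first block whose hash or back-link fails, else None."""
    prev = GENESIS
    for b in chain:
        if b["prev"] != prev or b["hash"] != block_hash(b["index"], b["prev"], b["txs"]):
            return b["index"]
        prev = b["hash"]
    return None

def rehash_from(chain, start):
    """Recompute hashes from `start` on, modelling full control of one copy."""
    prev = chain[start - 1]["hash"] if start else GENESIS
    for b in chain[start:]:
        b["prev"], b["hash"] = prev, block_hash(b["index"], prev, b["txs"])
        prev = b["hash"]

def divergent_replicas(replicas):
    """Names of copies whose head hash differs from the majority head."""
    heads = {name: chain[-1]["hash"] for name, chain in replicas.items()}
    majority, _ = Counter(heads.values()).most_common(1)[0]
    return sorted(name for name, h in heads.items() if h != majority)

def demo():
    batches = [["alice->bob:5"], ["bob->carol:2"], ["carol->dave:1"]]  # constructed
    replicas = {n: build_chain(batches) for n in ("node_a", "node_b", "node_c")}
    replicas["node_b"][1]["txs"] = ["bob->mallory:2"]  # in-place edit of one copy
    local_before = first_bad_block(replicas["node_b"])  # caught by the copy itself
    rehash_from(replicas["node_b"], 1)                  # copy made self-consistent
    local_after = first_bad_block(replicas["node_b"])   # local check now passes
    return local_before, local_after, divergent_replicas(replicas)

print(demo())
```

The cross-copy comparison is only as strong as the majority it relies on, which is the limit the article raises next for Bitcoin.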
Still, blockchains come with their own vulnerabilities. In the case of Bitcoin, the ledger has not been broken, though in principle it would be vulnerable if over 50 per cent of the users chose to subvert it. On the other hand, Bitcoin wallets that hold the currency have proved susceptible to theft and, therefore, the question of protecting assets by resilient methods remains.
BT suffers from a fundamental problem related to privacy as it provides integrity but less than perfect confidentiality. Traditional payments are visible only to transacting parties and financial institutions, whereas BT transactions are recorded in a publicly visible blockchain, and under certain conditions this can create new complications. This weakness may be addressed by the use of advanced cryptographic techniques.
The traditional approach to securing distributed systems such as BT usually defends against certain attacks such as interception and data modification. However, it does not eliminate the concerns and risks of all other security holes. We cannot assume that the attacker will attack the target which the system is prepared to defend. In open blockchain systems (as in Bitcoin), network integrity may be compromised either by the addition of new servers or by a denial-of-service attack on legitimate servers.
Distributed system users are not sure what kind of security threats they will face. The user has to trust the servers to maintain the privacy of the files and not to accidentally lose the stored data. One way to deal with the risk and potential failure of the distributed system is to include the adversary in the security framework. Traditionally, the idea of explicit security (for example by instituting firewalls) has been used but it is not effective in dealing with natural or man-made disasters.
On top of key distribution and information management, the privacy of the user needs to be maintained. However, this is in direct contradiction to authenticating and providing access control to users, because the servers or relay nodes need to know who the user is before allowing access to the data and secret keys. Privacy is important to many users as they do not want other entities to know what they are doing.
BT has the potential to help governments to collect taxes, deliver benefits, issue credentials, record land registries, assure the supply chain of goods and ensure the integrity of government records and services. The technology offers the potential to improve delivery of services in a variety of consumer areas. For consumers, it provides the potential to control access to personal records and to know who has accessed them. But applications using BT must be carefully designed so that the cost does not outweigh the benefits.
Subhash Kak is Regents professor of electrical and computer engineering at Oklahoma State University and a Vedic scholar.