Blockchain Security: Choosing a Platform Is Only the First Step

by Carlo Gutierrez, April 20, 2017
Multiple speakers from IBM InterConnect 2017 focused on the need to achieve blockchain security from hardware to the application level. Here are the highlights.

Security threats everywhere

Since last year, there have been several discussions surrounding blockchain technology—ranging from adoption predictions to requirements from the financial industry. There was also increased interest and investment in the development of the technology with the inception of the Hyperledger Project in December 2015.

With both financial and non-financial institutions adopting distributed ledgers and with the release of Hyperledger Fabric v1.0, keeping blockchain networks secure is the next step.

[Figure: security threats to blockchain networks, from an IBM InterConnect 2017 slide]

The figures are self-explanatory. For instance, Ethereum lost millions due to a hack last year. At the same time, according to an IBM X-Force report, 60% of attacks come from internal threats.

It’s hard to disagree with Constellation Research’s Steve Wilson, who states that “confidentiality is not trivial.” At IBM InterConnect 2017, he presented the idea of “Blockchain 3.0,” describing it as the next generation of the distributed ledger model, which will require more security than ever.


“What does Blockchain 3.0 look like? It seems like people and processes are in the mix again. It’s not like the original public blockchain where we pretend people and processes don’t matter.” —Steve Wilson, Constellation Research


A secure business network with Hyperledger

Improving on current blockchain technology, IBM wants a blockchain that is “open, trusted, and for business.” This is realized through its collaboration on Hyperledger Fabric v1.0, an open-source, private, permissioned blockchain framework.

According to IBM’s Jerry Cuomo, Hyperledger Fabric v1.0 is built on a trust model that is democratic (with permissions and consensus), tamper-proof, and auditable, to better emulate how real businesses interact. Transactions within this model proceed as follows:

  1. Participants are issued a cryptographic membership card (in Fabric v1.0, an X.509 certificate issued by the network’s membership service) that represents their identity within the blockchain network.
  2. The membership card grants its holder access to the transactions in the ledger that pertain to them, and only those.
  3. Auditors may be granted a membership that lets them see more of the ledger, so they can check that transactions are in compliance.
  4. Trust is further built through the process of consensus. A transaction is first proposed to members of the network, who then vote on it. In Fabric v1.0 terms, that “vote” is an endorsement policy: the policy names the peers whose signatures a transaction must carry before it is valid.
  5. When the majority agree (that is, when the endorsement policy is satisfied), consensus is reached. Only then is the transaction committed to the ledger, where it cannot be altered or erased without breaking the hash chain that links each block to its predecessor.
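The five steps above, as an added toy model written for this article rather than Hyperledger Fabric’s own code. It stands in for Fabric’s membership service, endorsement policy and hash-chained ledger using only `hashlib` and `hmac` so it runs offline: the HMAC keys and the member names (bankA, bankB, bankC, auditor1) are constructed stand-ins for the X.509 certificates and ECDSA signatures a real network would use, and the threshold-of-endorsers policy is one simple policy, not Fabric’s policy language.

```python
"""Toy model of a permissioned ledger: membership cards, endorsement,
restricted visibility, and a tamper-evident hash chain.

Added example, not Hyperledger Fabric code. HMAC tags stand in for the
certificate-backed signatures a real membership service would verify.
"""
import hashlib
import hmac
import json


def _digest(obj) -> str:
    # Canonical JSON so every party hashes exactly the same bytes.
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


class MembershipService:
    """Issues 'membership cards' (step 1) and checks endorsements against them."""

    def __init__(self):
        self._members = {}  # member id -> (role, secret key)

    def enroll(self, member_id: str, role: str, key: bytes) -> None:
        self._members[member_id] = (role, key)

    def role(self, member_id: str) -> str:
        return self._members[member_id][0]

    def endorse(self, member_id: str, proposal: dict) -> str:
        # A member's endorsement of a proposal (stand-in for a signature).
        key = self._members[member_id][1]
        return hmac.new(key, _digest(proposal).encode(), hashlib.sha256).hexdigest()

    def verify(self, member_id: str, proposal: dict, tag: str) -> bool:
        if member_id not in self._members:
            return False  # unknown identity: no membership card
        return hmac.compare_digest(self.endorse(member_id, proposal), tag)


class Ledger:
    """Append-only chain of blocks committed only when enough endorsers agree."""

    def __init__(self, msp: MembershipService, endorsers, threshold: int):
        self.msp = msp
        self.endorsers = set(endorsers)
        self.threshold = threshold  # e.g. a majority of the endorsing peers
        self.blocks = []

    def commit(self, proposal: dict, endorsements: dict) -> bool:
        # Steps 4-5: count only endorsements from authorised peers that verify.
        valid = {m for m, tag in endorsements.items()
                 if m in self.endorsers and self.msp.verify(m, proposal, tag)}
        if len(valid) < self.threshold:
            return False
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        body = {"prev": prev, "tx": proposal, "endorsed_by": sorted(valid)}
        self.blocks.append({**body, "hash": _digest(body)})
        return True

    def verify_chain(self) -> bool:
        # Any edit to a committed record changes its hash and breaks the links.
        prev = "0" * 64
        for block in self.blocks:
            body = {k: v for k, v in block.items() if k != "hash"}
            if block["prev"] != prev or _digest(body) != block["hash"]:
                return False
            prev = block["hash"]
        return True

    def view(self, member_id: str) -> list:
        # Steps 2-3: members see only their own transactions; auditors see all.
        if self.msp.role(member_id) == "auditor":
            return [b["tx"] for b in self.blocks]
        return [b["tx"] for b in self.blocks if member_id in b["tx"]["parties"]]


def demo() -> dict:
    """Walk through the flow with constructed members, keys and transactions."""
    msp = MembershipService()
    for m in ("bankA", "bankB", "bankC"):
        msp.enroll(m, "endorser", f"{m}-secret".encode())  # constructed keys
    msp.enroll("auditor1", "auditor", b"auditor-secret")
    ledger = Ledger(msp, ["bankA", "bankB", "bankC"], threshold=2)

    tx = {"parties": ["bankA", "bankB"], "asset": "bond-42", "amount": 100}
    # Two genuine endorsements plus a forged one from bankC: policy still met.
    endorsements = {"bankA": msp.endorse("bankA", tx),
                    "bankB": msp.endorse("bankB", tx),
                    "bankC": "00" * 32}
    committed = ledger.commit(tx, endorsements)

    # A single endorsement does not satisfy the policy: not committed.
    tx2 = {"parties": ["bankB", "bankC"], "asset": "bond-43", "amount": 5}
    rejected = not ledger.commit(tx2, {"bankB": msp.endorse("bankB", tx2)})

    seen_by_bankC = len(ledger.view("bankC"))      # not a party: sees nothing
    seen_by_auditor = len(ledger.view("auditor1"))  # auditor: sees the record
    intact = ledger.verify_chain()

    # An insider edits a committed record in place; the chain no longer verifies.
    ledger.blocks[0]["tx"]["amount"] = 1_000_000
    tampered = not ledger.verify_chain()
    return {"committed": committed, "rejected": rejected, "intact": intact,
            "seen_by_bankC": seen_by_bankC, "seen_by_auditor": seen_by_auditor,
            "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

The forged endorsement in `demo` is the case worth noticing: the membership service rejects it because it does not verify against bankC’s enrolled key, and the transaction commits only because the two genuine endorsements already satisfy the policy. The final edit shows what “cannot be erased” really means in practice: a record can still be changed on disk by someone with access, but every honest peer recomputing the chain will detect it.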


“Hyperledger Fabric v1.0 is capable of transacting at rates way over 1,000 transactions per second.” —Jerry Cuomo, IBM

Jerry also introduced Hyperledger Fabric Composer, a new tool that “allows business users and developers to speak the same language, thereby accelerating the creation of business solutions from days to minutes.”

[Figure: the Hyperledger Fabric Composer Playground]

With Hyperledger-based platforms and Fabric Composer, creating and managing a blockchain has been simplified, as users can:

  • Rapidly develop a blockchain solution
  • Find and govern blockchain networks
  • Operate those networks securely and at scale
  • Analyze those networks to gain additional insight


A reference architecture for secure blockchain

However, according to other speakers at IBM InterConnect, “choosing a fabric is just the first decision,” and more efforts are needed to secure the blockchain network. To explain this in detail, IBM’s Paul DiMarzio presented a typical architecture for a blockchain stack.

[Figure: blockchain stack, step 1 of 4: only hardware and firmware protected]

In this configuration, the hardware and firmware are physically secured, but everything above them at the software level remains exposed to attack.

[Figure: blockchain stack, step 2 of 4: PR/SM partitioning added]

To extend hardware-level security upward, IBM adds several layers of protection one at a time, pushing that protection toward the very top of the stack. The first layer is PR/SM (Processor Resource/Systems Manager), the mainframe’s firmware-level partitioning, which isolates the system’s logical partitions from one another.

[Figure: blockchain stack, step 3 of 4: Secure Service Containers added]

Next, building Secure Service Containers into the virtualization layer extends that protection up to the very top of the stack. (Read the next section for more on Secure Service Containers.)

“By building Secure Service Containers, we can entirely encapsulate a blockchain network and make it such that anybody even at the highest level of credentials can disrupt it.” —Paul DiMarzio, IBM

[Figure: blockchain stack, step 4 of 4: tamper-responsive hardware security modules added]

Finally, tamper-responsive hardware security modules protect the system’s certificates and private keys from theft: an attempt to physically extract the keys triggers the module to erase (zeroize) them.


Relying on Secure Service Containers

To secure the blockchain network itself, IBM makes use of Secure Service Containers. IBM’s Paul DiMarzio detailed how they protect the blockchain software, chaincode, and data:

  • Root users and system administrators cannot access blockchain contents.
  • Malware cannot self-install in the container.
  • Encryption keys are protected.

[Figure: Secure Service Containers, from an IBM InterConnect 2017 slide]

“It’s a trusted environment, because it’s encrypted and signed in firmware so that we know if it’s been tampered with,” explained Paul. “You can’t inject malware. You can’t inject changes without the system knowing and stopping it. Once it’s running, operators have no access to it.”

Secure Service Containers ensure that:

  • There is no system admin access. Once the appliance image is built, OS access (SSH) is not possible.
  • Only remote APIs are available.
  • Memory access is disabled.
  • Disks are encrypted.
  • Debug data (dumps) is encrypted.


“It’s the ability to effectively put an impenetrable black box around any system, any application from the virtualization software all the way up to the application.” —Paul DiMarzio, IBM


Blockchain securing diamonds

Leanne Kemp told the story of Everledger and how it was able to develop a trusted platform to protect the diamond industry from threats such as fraud, document tampering, synthetic stones, conflict stones, black markets, and double financing.

[Figure: Everledger statistics on fraud and illicit trade in the diamond industry]

All of these issues were rooted in a lack of visibility and provenance along the supply chain, underpinned by a paper-based certification system that was vulnerable to tampering.

Using Hyperledger-based IBM Blockchain on LinuxONE, Everledger built a platform that brought greater transparency to open marketplaces and the global supply chain by ensuring that the authenticity of each asset is secured and stored among all industry participants. “We integrated the supply chain onto the same digital network creating a single version of the truth for all parties involved in the diamond trade,” said Leanne. “We shared records visible across the industry participants.”

[Figure: Everledger’s diamond provenance platform]

“The blockchain is re-imagining the world’s luxury goods supply chain.” —Leanne Kemp, Everledger

With blockchain, Everledger is able to record metadata that identifies each diamond, essentially creating a digital thumbprint for every stone. This information is then used to create immutable certificates that identify individual diamonds in the market and can be used by participants along the supply chain to establish provenance and verify authenticity.
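The “digital thumbprint” idea above, as an added example written for this article. It is not Everledger’s code, and the attribute set (carat, color, clarity, cut, laser inscription) is an assumption standing in for whatever a grading report actually carries. The point it shows is the part the paragraph leaves implicit: the thumbprint only works as a shared identifier if every party hashes a canonical form of the metadata, and a shared registry keyed by that thumbprint is what makes double financing detectable.

```python
"""Digital thumbprint for a physical asset, and a shared registry keyed by it.

Added example, not Everledger's code. The attribute names below are assumed.
"""
import hashlib
import json

# Assumed attribute set for a grading report (not Everledger's schema).
REQUIRED = ("carat", "color", "clarity", "cut", "inscription")


def canonical(record: dict) -> bytes:
    """Normalise the metadata before hashing.

    Fixed key set, carat rounded to two decimals, strings trimmed and
    upper-cased, keys sorted, no incidental whitespace: two honest parties
    describing the same stone must produce the same bytes.
    """
    missing = [k for k in REQUIRED if k not in record]
    if missing:
        raise ValueError(f"missing attributes: {missing}")
    norm = {}
    for key in REQUIRED:
        value = record[key]
        norm[key] = f"{float(value):.2f}" if key == "carat" else str(value).strip().upper()
    return json.dumps(norm, sort_keys=True, separators=(",", ":")).encode()


def thumbprint(record: dict) -> str:
    return hashlib.sha256(canonical(record)).hexdigest()


class Registry:
    """Shared record of certificates and liens, keyed by thumbprint.

    Stands in for the ledger the participants share; with it, a stone
    pledged to two lenders (double financing) can be refused.
    """

    def __init__(self):
        self.certs = {}  # thumbprint -> {"issuer": ..., "record": ...}
        self.liens = {}  # thumbprint -> lender

    def certify(self, record: dict, issuer: str) -> str:
        tp = thumbprint(record)
        if tp in self.certs:
            raise ValueError("stone already certified")
        self.certs[tp] = {"issuer": issuer, "record": record}
        return tp

    def verify(self, presented: dict) -> bool:
        """Does the paperwork presented match a certified stone?"""
        return thumbprint(presented) in self.certs

    def pledge(self, tp: str, lender: str) -> bool:
        """Record a lien; refuse unknown stones and second lenders."""
        if tp not in self.certs:
            return False
        if tp in self.liens and self.liens[tp] != lender:
            return False  # double financing attempt
        self.liens[tp] = lender
        return True


def demo() -> dict:
    """Constructed records: one stone described twice, then a forged report."""
    lab_report = {"carat": 1.01, "color": "F", "clarity": "VS1",
                  "cut": "Excellent", "inscription": "GIA 1234567890"}
    # Same stone, re-keyed by a dealer with different formatting.
    dealer_copy = {"inscription": "gia 1234567890", "cut": "EXCELLENT",
                   "clarity": "vs1", "color": " f ", "carat": "1.010"}
    # Tampered paperwork: clarity upgraded one grade.
    forged = dict(lab_report, clarity="VVS1")

    reg = Registry()
    tp = reg.certify(lab_report, issuer="lab-1")
    return {
        "same_thumbprint": thumbprint(dealer_copy) == tp,
        "dealer_copy_verifies": reg.verify(dealer_copy),
        "forged_verifies": reg.verify(forged),
        "first_pledge": reg.pledge(tp, "lender-A"),
        "same_lender_again": reg.pledge(tp, "lender-A"),
        "double_financing": reg.pledge(tp, "lender-B"),
        "unknown_stone": reg.pledge(thumbprint(forged), "lender-B"),
    }


if __name__ == "__main__":
    print(demo())
```

Without `canonical`, `json.dumps(lab_report)` and `json.dumps(dealer_copy)` would hash to different values, and the dealer’s copy would look like an unknown stone even though nothing was tampered with. The registry is the minimal shared state needed for the double-financing check; on the real platform that state lives on the ledger described earlier, with its own membership and endorsement controls.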

Leanne is hopeful that the success Everledger has found with blockchain will eventually expand beyond diamonds and onto other luxury goods.


About the speakers

Leanne Kemp is the founder and CEO of Everledger, a digital global ledger that tracks and protects items of value. With a wealth of successful startup companies under her belt, Leanne is pushing boundaries in protecting the global market of diamonds and luxury items. Utilizing her extensive background in emerging technologies, business, jewelry, and insurance, Leanne and Everledger are working towards creating global transparency and an ethical trade platform by constructing a digital and encrypted global certification system that assists in the reduction of fraud, black markets, and trafficking.


Jerry Cuomo is an IBM Fellow and newly appointed Vice President of Blockchain Technologies. In his new role, Jerry is leading the creation of an emerging business unit to define IBM’s blockchain strategy, offerings, and customer engagement approach. In 2016, IBM Blockchain was open for business, with the creation of and open-source contributions to the Linux Foundation’s Hyperledger Project, the introduction of IBM Blockchain Cloud Services, and new Blockchain Garages to be opened in NYC, London, Japan, and Singapore.


Paul DiMarzio is Consulting Software Engineer at IBM. He has over 30 years of experience with IBM focused on bringing new emerging technologies to the mainframe. Paul is currently responsible for developing and executing IBM’s worldwide z Systems big data and analytics portfolio marketing strategy, including the role of z Systems in IBM’s cognitive and Internet of Things businesses. He is also currently working on z Systems blockchain marketing strategy.


Steve Wilson is a researcher, innovator, analyst, and R&D leader in digital identity and privacy. As Vice President and Principal Analyst at San Francisco-based Constellation Research, he leads the firm’s work in digital safety, privacy, and blockchain technologies. A 20-year veteran in cybersecurity, Wilson is one of the world’s most original thinkers in digital identity. Steve has been awarded nine patents, and is currently undertaking a PhD on the evolution of identity ecosystems.