Blockchain has really been a buzzword for the past few years, and many people still don’t understand what it is. It’s not voodoo, and it’s not the answer to all of our problems.
There are good uses of Blockchain and bad uses. One of the good uses that I just learned about is to protect human identities—usernames and passwords. This is good news, but it also highlights the fact that, while we’re devoting significant resources to protect human identities, we’re still not doing enough to protect the identities of machines. I’ll discuss that in more detail later.
But before I move on, let me write briefly about good applications for Blockchain: in particular, the way it’s used for Bitcoin and many other cryptocurrencies. It makes sure that people’s transactions for buying, selling, and spending the currency are trustworthy and secure. Blockchain isn’t a magic wand. Blockchain is a way to chain a lot of data in blocks, in a decentralized manner. Blockchain binds each transaction or other such ledger data to the other transactions through encryption. A transaction record is only made when it’s cryptographically compatible with the other data on the ledger. And Blockchains are on millions of devices worldwide. Many copies of the Blockchains that Bitcoin uses could go offline, and the system would still work with its built-in redundancy. Plus, that redundancy makes everything more efficient.
All of that goodness has led to some pretty exciting new applications based on Blockchain technology, such as protecting human identities. Enter Tide.
The Tide Foundation isn’t about laundry detergent or surfing. They’re a non-profit organization that’s working on an opensource framework for protecting personally identifiable information. That’s something we really need, and their proposal for using Blockchain technology could make user logins a lot more secure. Passwords are a notoriously problematic form of authentication. People forget their passwords, or they get sloppy and choose memorable passwords which are a lot weaker, and those often get reused, too. Data breaches expose passwords all the time, and cracking applications work quickly on passwords that are less than 30 characters. Password managers solve some of these problems, and I use one myself. But then I cross my fingers and hope my password manager doesn’t get breached, because then none of my passwords would be safe.
Tide’s Blockchain-based authentication system uses their technique which they call splintering. A detailed description of splintering is featured in a report by Tide’s José Luis Lobo, Yuval Hertzog, and Michael Loewy:
“The technique is intended to improve security without placing any further burden on an end-user, however, it is also complementary to existing secondary security techniques, such as Second Factor Authentication.
In pursuit of this objective, a technique named ‘Splintering’ was developed. At a high level, it involves reducing the size of any password fragments shared with ORKs (‘Orchestrated Recluder of Keys’) and spreads them across additional ORKs. This in order to achieve a level of fragmentation where conceptually, any individual ORK’s fragment is so common that the number of potential false positive matches to password alternatives renders a dictionary attack impractical...
If, rather than storing a full password hash on each ORK, only the first 16 bits (i.e. a 16 bit ‘Splinter’) is stored, then only that Splinter is available for comparison and we begin to see collisions, where the Splinter could potentially apply to numerous passwords. For example, a Splinter of ‘8d96’ could apply to both ‘123456’ and ‘linked92’. When an attacker attempts to employ a dictionary attack on these Splinters the result is no longer 100% certain, since different passwords share the same Splinters. If we reduce the size of the Splinter even further to 8 bits, the number of false positives becomes even greater.”
The Tide Foundation has put splintering through some thorough tests. They used a sample of 60 million user records from a publicly reported data breach. According to their research, splintering is 140,000 times more secure than conventional protections against a dictionary attack on passwords. In May, Tide offered a Bitcoin (worth around $10,000 USD, depending on the day) to whoever could crack single username and password combination encrypted and splintered using their technique. More than 6.5 million attempts were made, and none were successful. This sounds very promising!
I’m glad we’re making headway when it comes to better securing user identities. Unfortunately, it’s easy to overlook the vulnerability of machine identities. Machine identities are vital to securing everything from shopping on the web, to banking both online and offline, to assuring that cloud-driven applications aren’t tampered with. And many of the machines that need machine identities for security also govern encryption. Including the encryption of those user identities!
In March 2018, Venafi commissioned Forrester Consulting to examine the importance of managing and protecting machine identities in enterprises today, and to explore how prepared companies are to implement those protections. The study surveyed 350 IT and security decision makers across the US, UK, France, Germany, and Australia. From the Executive Summary:
“Ninety-six percent of companies agree that effective protection of machine and human identities is critical to the long-term security and viability of their companies, but 80% struggle with the delivery of important machine identity protection capabilities.
Seventy percent of companies are tracking less than half of potential machine identities, leaving them vulnerable to a wide range of security risks.”
That last statistic about the large number of machine identities that go untracked is the one that worries me the most. Let’s take the ingenuity that was applied to inventing a Blockchain technique to secure user identities and apply it to improving the security of machine identities. It doesn’t even have to involve Blockchain.