Blockchain, decentralized applications and security

Renaud Lifchitz
Econocom Digital Security

March 29, 2018


Key problems with current Web applications


The current Web is obsolete

● The Web was designed to be decentralized

BUT…

● It is more and more centralized: Google, Apple, Amazon, Microsoft, …

● That concentration makes surveillance easier

● Many DDoS attacks succeed

● A single server is not enough even to serve a single popular YouTube video

● Hosting changes → URLs break


Many security weak points

● DNS

● SSL/TLS certificates

● System security

● Network security

● Application security

● Passwords


Scalability issues

● Load balancing:

– Is complex

– Is costly

– Depends on the web technologies involved

● Efficient DDoS protection is hard


Building a decentralized password-hash marketplace


A password marketplace?

● A common task for security auditors: assess the strength of password hashes

● A few hours of cracking on a single CPU/GPU is usually not representative of what a motivated attacker can do

● So the idea is to build a collaborative marketplace with incentives to help:

– people submit their password hashes together with a reward

– whoever solves a hash is paid the corresponding reward


A fully decentralized application? (1/2)

● We need a fully decentralized application to avoid cheating, censorship, DDoS, downtime…

● Several parts should be decentralized:

– web back-end (core logic/app)

– web front-end (storage of HTML/JS/CSS)

– domain name (storage and resolver)


A fully decentralized application? (2/2)

● I have chosen Ethereum technology with some beta components:

– web back-end: Ethereum smart contract

– web front-end: Ethereum Swarm

– domain name: Ethereum Name Service (ENS)


Anti-cheat tricks

● For the submitter:

– You pay the reward in advance and it is locked in the contract (no insolvency)

● For the solver:

– You have to pay a small fee to submit an answer (no brute forcing through the contract)

– The answer is verified by thousands of nodes (no corrupted server)

● For all users:

– Decentralized application (no DoS/DDoS, no downtime)
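The marketplace described on the previous two slides, as an added Solidity example. This is not the author's passwords.eth contract (its code is not on the page): the reward is locked at submission time, a solver pays a fee per answer, and the answer is re-checked by every node with the EVM's native sha256. One point the slides do not cover: on a public chain a transaction carrying the plaintext answer is visible in the mempool before it is mined, so anyone watching could copy it and get it mined first. The example therefore splits solving into a commit (hash of solver address, digest and answer) and a later reveal. The fee amount, the reveal delay and all names are assumptions; written for Solidity 0.8.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added example (not the author's contract): a SHA-256 password-hash bounty
/// market with the three anti-cheat properties from the slide, plus a
/// commit/reveal step against mempool front-running, which the slide omits.
contract PasswordMarketplace {
    uint256 public constant SOLVE_FEE = 0.001 ether;  // assumed anti-brute-force fee
    uint256 public constant REVEAL_DELAY = 1 minutes; // assumed minimum commit age

    struct Bounty {
        address submitter;
        uint256 reward; // locked in the contract when the hash is submitted
        bool solved;
    }

    // sha256 digest => bounty
    mapping(bytes32 => Bounty) public bounties;
    // keccak256(solver, digest, password) => block timestamp of the commit
    mapping(bytes32 => uint256) public commits;

    event Submitted(bytes32 indexed digest, address indexed submitter, uint256 reward);
    event Solved(bytes32 indexed digest, address indexed solver, uint256 reward);

    /// Submitter: the reward is paid up front and locked (no insolvency).
    function submit(bytes32 digest) external payable {
        require(msg.value > 0, "reward must be > 0");
        require(bounties[digest].submitter == address(0), "already listed");
        bounties[digest] = Bounty(msg.sender, msg.value, false);
        emit Submitted(digest, msg.sender, msg.value);
    }

    /// Solver, step 1: commit to an answer without revealing it.
    /// commitment = keccak256(abi.encodePacked(solver, digest, password))
    /// The fee stays in the contract: each guess costs real money (no brute force).
    function commit(bytes32 commitment) external payable {
        require(msg.value == SOLVE_FEE, "pay the solve fee");
        require(commits[commitment] == 0, "duplicate commit");
        commits[commitment] = block.timestamp;
    }

    /// Solver, step 2: reveal the password. Every node recomputes sha256
    /// (no corrupted server). A front-runner who copies this transaction
    /// cannot pass the check: the commitment is bound to msg.sender and
    /// must be older than REVEAL_DELAY.
    function reveal(bytes32 digest, bytes memory password) external {
        bytes32 c = keccak256(abi.encodePacked(msg.sender, digest, password));
        uint256 committedAt = commits[c];
        require(committedAt != 0, "no commit for this answer");
        require(block.timestamp >= committedAt + REVEAL_DELAY, "commit too fresh");

        Bounty storage b = bounties[digest];
        require(b.submitter != address(0) && !b.solved, "no open bounty");
        require(sha256(password) == digest, "wrong password");

        // checks-effects-interactions: update state before sending ether
        b.solved = true;
        delete commits[c];
        uint256 reward = b.reward;
        emit Solved(digest, msg.sender, reward);

        (bool ok, ) = msg.sender.call{value: reward}("");
        require(ok, "payout failed");
    }
}
```

A production version would also need a way for the submitter to reclaim an unsolved bounty after a deadline, and a policy for the accumulated fees; both are left out here to keep the anti-cheat logic readable.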


The Ethereum blockchain

● https://www.ethereum.org/

● More than 22,000 online nodes (https://www.ethernodes.org): by that measure, arguably the most secure and trustworthy public blockchain today

● Average block time: about 15 seconds

● Allows safe execution of logic through smart contracts

● Allows payments with its native currency, ether (ETH): https://coinmarketcap.com/currencies/ethereum/

● “Ethereum: the World Computer”: https://www.youtube.com/watch?v=j23HnORQXvs


Decentralized name service: Ethereum Name Service (ENS)

● An ENS entry can map a .eth name to:

– an individual Ethereum account

– a content hash for decentralized storage (Swarm or IPFS)

● ENS official web site: https://ens.domains/

● Booking an entry: https://registrar.ens.domains/

● ENS stats: https://ens.codetract.io/


Decentralized storage: Ethereum Swarm

● Peer-to-peer storage and serving solution

● DDoS-resistant, zero-downtime, fault-tolerant, censorship-resistant and (soon) self-sustaining through incentives

● Swarm protocol: bzz://

● The Swarm official web site is stored using… Swarm, and the site is also a Swarm gateway:

– http://swarm-gateways.net/ redirects to http://swarm-gateways.net/bzz:/theswarm.eth/

– theswarm.eth resolves (through ENS) to the content hash 0x9b34db0158bad197cb28b374c79cd4090d5d75e197d0f118a8fc23835f3a22e0

– http://swarm-gateways.net/bzz:/9b34db0158bad197cb28b374c79cd4090d5d75e197d0f118a8fc23835f3a22e0/

● Other examples:

– Photo album: http://swarm-gateways.net/bzz:/photoalbum.eth/

● Caveat: an HTTP gateway is a trusted intermediary. It performs the ENS lookup and serves the bytes on your behalf, so it could serve altered content. To actually benefit from content addressing, run a local Swarm node and let it verify that what it receives matches the hash.


Decentralized apps: smart contracts

● A smart contract is an application core

● Once deployed:

– No one can modify the code or stop its execution (unless the contract itself was written with upgrade or self-destruct logic)

– Every node executes the code and verifies the result

● Smart contract + web front-end = “dApp”

● Main programming language for Ethereum smart contracts: Solidity


Solidity basics

● High-level language, syntax similar to JavaScript

● Compiled to bytecode then deployed on the blockchain

● Designed to target the Ethereum Virtual Machine (EVM)

● Statically typed, supports inheritance, libraries, complex user-defined types...

● Ability to create contracts for voting, crowdfunding, blind auctions, multi-signature wallets and more!

● Official documentation: https://solidity.readthedocs.io/en/develop/


Solidity code example

Sequestration of funds until 30 July 2020 (https://hodlethereum.com/deposit)
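The pattern named on this slide, as an added example (my own code, not that of hodlethereum.com): deposits are accepted at any time, and withdrawals are refused by the contract itself until a fixed Unix timestamp, so even the depositor cannot change their mind early. The timestamp value (30 July 2020, 00:00 UTC) and all names are assumptions; written for Solidity 0.8.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added example, not the hodlethereum.com contract: ether sent here is
/// locked until RELEASE_TIME, after which each depositor can withdraw.
contract TimeLockedDeposit {
    // 2020-07-30 00:00:00 UTC as a Unix timestamp (assumed value for the example)
    uint256 public constant RELEASE_TIME = 1596067200;

    mapping(address => uint256) public balances;

    event Deposited(address indexed who, uint256 amount);
    event Withdrawn(address indexed who, uint256 amount);

    /// Anyone can lock funds; the balance is tracked per depositor.
    function deposit() external payable {
        require(msg.value > 0, "nothing to lock");
        balances[msg.sender] += msg.value;
        emit Deposited(msg.sender, msg.value);
    }

    /// Withdrawal is only possible once the release date has passed.
    /// block.timestamp is chosen by the miner and can be skewed by a few
    /// seconds, which is harmless for a lock measured in years.
    function withdraw() external {
        require(block.timestamp >= RELEASE_TIME, "still locked");
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");

        // checks-effects-interactions: zero the balance before sending
        balances[msg.sender] = 0;
        emit Withdrawn(msg.sender, amount);

        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

Because the release date is a compile-time constant and the contract has no owner function that could change it, the lock is enforced by the chain rather than by a promise; that is the property the slide is illustrating.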


Developing & deploying the smart contract

● The contract can be written using Browser Solidity: https://ethereum.github.io/browser-solidity/

● The contract can be tested using the Truffle framework (http://truffleframework.com/) or on an Ethereum testnet (currently “Ropsten”)

● The contract can be deployed & used with:

– Parity: https://parity.io/

– Mist: https://github.com/ethereum/mist/releases


Using the decentralized Web


What you may need (1/2)

● A node/gateway:

– IPFS (or a public one: https://ipfs.infura.io)

– Swarm (or a public one: http://swarm-gateways.net/bzz:/passwords.eth/)

– Ethereum (or a public one: https://mainnet.infura.io/)


What you may need (2/2)

● For dApps:

– An Ethereum wallet with a small balance (typically 0.005 ETH)

– A dApp-compatible browser:

● Desktop: Chrome plugins “ENS Gateway” & “MetaMask”, or Ethereum Mist or Parity

● Mobile: Cipher, Status or Trust

– An entry point: a URL, or https://www.stateofthedapps.com/ (~1200 projects listed!)


(1/3) ENS Gateway


(2/3) Deploying a file/directory using IPFS


(3/3) Using the passwords marketplace

bzz:/passwords.eth


A few words...

● Nice and usable proof-of-concept, but:

– Limited to SHA-256 hashes for the moment: the EVM only provides a few hash functions natively (SHA-256, RIPEMD-160, Keccak-256), and implementing other ones in Solidity would make each verification very expensive in transaction fees; a workaround would be a trusted oracle, at the cost of reintroducing a trusted party into the design

– Code is quite ugly and needs some fixes before being published

● Use it, share it, and audit your passwords!


Things of interest

● One of my previous presentations about blockchains & security: https://tinyurl.com/blockchain-security

● A French article & interview about my password marketplace: https://tinyurl.com/passwords-eth

● Security of light wallets (French MISC magazine, March 2018)


Thank you!

Any questions?

Ethereum: 0x0009Fd382E99dDD801736Ea4075a2eE5e4916B72
ENS: nono2357.eth

Tips are welcome!

@nono2357