Blockchain, decentralized applications and security

Transcript

1. Blockchain, decentralized applications and security Renaud Lifchitz

2. Blockchain, decentralized applications and security - Renaud Lifchitz 2 Key

   problems with current Web applications

3. Blockchain, decentralized applications and security - Renaud Lifchitz 3 The

   current Web is obsolete • The Web has been designed to be decentralized BUT… • It’s more and more centralized: Google, Apple, Amazon, Microsoft, … • That makes the spying easier • A lot of DdoS attacks succeed • A single server is not enough even to serve a single popular Youtube video • Hosting changes → URLs are broken

4. Blockchain, decentralized applications and security - Renaud Lifchitz 4 Many

   security weak points • DNS • SSL/TLS certificates • System security • Network security • Application security • Passwords

5. Blockchain, decentralized applications and security - Renaud Lifchitz 5 Scalability

   issues • Load balancing: – Is complex – Is costly – Depends on the web technologies involved • Efficient DDoS protection is hard

6. Blockchain, decentralized applications and security - Renaud Lifchitz 6 Building

   a decentralized password hashes marketplace

7. Blockchain, decentralized applications and security - Renaud Lifchitz 7 A

   password marketplace? • A common task for security auditors: assess the strength of password hashes • A test on a single CPU/GPU for a few hours is usually not enough compared to motivated attackers • So the idea is to build a collaborative marketplace with incentives to help: – people submit their password hashes with given rewards – the one who solves a hash is given the corresponding reward

8. Blockchain, decentralized applications and security - Renaud Lifchitz 8 A

   fully decentralized application? (1/2) • We need a fully decentralized application to avoid cheating, censorship, DDoS, downtime… • Several parts should be decentralized: – web back-end (core logic/app) – web front-end (storage of HTML/JS/CSS) – domain name (storage and resolver)

9. Blockchain, decentralized applications and security - Renaud Lifchitz 9 A

   fully decentralized application? (2/2) • I have chosen Ethereum technology with some beta components: – web back-end: Ethereum smart contract – web front-end: Ethereum Swarm – domain name: Ethereum Name Service (ENS)

10. Blockchain, decentralized applications and security - Renaud Lifchitz 10 Anti-cheat

    tricks • For the submitter: – You pay the reward in advance and it is locked (no insolvency) • For the solver: – You have to pay a small fee to submit an answer (no bruteforce) – Answer is verified by thousands of nodes (no corrupted server) • For all users: – Decentralized application (no DoS/DDoS, downtime)

11. Blockchain, decentralized applications and security - Renaud Lifchitz 11 The

    Ethereum blockchain • https://www.ethereum.org/ • More than 22,000 online nodes!: https://www.ethernodes.org most secured/trustable blockchain nowadays  • Average block/transaction time: 15 seconds • Allows safe execution of logic through smart contracts • Allow payments with its digital currency, ether (ETH): https://coinmarketcap.com/currencies/ethereum/ • “Ethereum: the World Computer”: https://www.youtube.com/watch?v=j23HnORQXvs

12. Blockchain, decentralized applications and security - Renaud Lifchitz 12 Decentralized

    name service: Ethereum Name Service (ENS) • An ENS entry can map a .eth name to: – an individual Ethereum account – a content hash for decentralized storage (Swarm or IPFS) • ENS official web site: https://ens.domains/ • Booking an entry: https://registrar.ens.domains/ • ENS stats: https://ens.codetract.io/

13. Blockchain, decentralized applications and security - Renaud Lifchitz 13 Decentralized

    storage: Ethereum Swarm • Peer-to-peer storage and serving solution • DDOS-resistant, zero-downtime, fault-tolerant, censorship-resistant and self-sustaining with incentives (soon) • Swarm protocol: bzz:// • Swarm official web site is stored using… Swarm and is also a Swarm gateway: – http://swarm-gateways.net/ redirects to http://swarm-gateways.net/bzz:/theswarm.eth/ – theswarm.eth resolves to 0x9b34db0158bad197cb28b374c79cd4090d5d75e197d0f118a8fc23835f3a22e0 – http://swarm-gateways.net/bzz:/9b34db0158bad197cb28b374c79cd4090d5d75e197d0f118a8fc23835f3a22e0/ • Other examples: – Photo album: http://swarm-gateways.net/bzz:/photoalbum.eth/

14. Blockchain, decentralized applications and security - Renaud Lifchitz 14 Decentralized

    apps: smart contracts • A smart contract is an application core • Once deployed: – No one can modify the code or stop its execution – The code runs simultaneously on all the nodes • Smart contract + web front-end = “dApp” • Ethereum smart contracts main programming language: Solidity

15. Blockchain, decentralized applications and security - Renaud Lifchitz 15 Solidity

    basics • High-level language, syntax similar to JavaScript • Compiled to bytecode then deployed on the blockchain • Designed to target the Ethereum Virtual Machine (EVM) • Statically typed, supports inheritance, libraries, complex user- defined types... • Ability to create contracts for voting, crowdfunding, blind auctions, multi-signature wallets and more! • Official documentation: https://solidity.readthedocs.io/en/develop/

16. Blockchain, decentralized applications and security - Renaud Lifchitz 16 Solidity

    code example Sequestration of funds until 30th July 2020 (https://hodlethereum.com/deposit)

17. Blockchain, decentralized applications and security - Renaud Lifchitz 17 Developing

    & deploying the smart contract • Contract can be written using Browser Solidity: https://ethereum.github.io/browser-solidity/ • Contract can be tested using Truffle framework: http://truffleframework.com/ or Ethereum testnet (currently “Ropsten”) • Contract can be deployed & used using: – Parity: https://parity.io/ – Mist: https://github.com/ethereum/mist/releases

18. Blockchain, decentralized applications and security - Renaud Lifchitz 18 Using

    the decentralized Web

19. Blockchain, decentralized applications and security - Renaud Lifchitz 19 What

    you may need (1/2) • A node/gateway: – IPFS (or a public one: https://ipfs.infura.io ) – Swarm (or a public one: http://swarm-gateways.net/bzz:/passwords.eth/ ) – Ethereum (or a public one: https://mainnet.infura.io/ )

20. Blockchain, decentralized applications and security - Renaud Lifchitz 20 What

    you may need (2/2) • For dApps: – An Ethereum wallet with a small balance (typically 0.005 ETH) – A dApps compatible browser: • Desktop: – Chrome plugins: “ENS Gateway” & “Metamask” – or Ethereum Mist or Parity • Mobile: Cipher, Status or Trust – An entry point: URL or https://www.stateofthedapps.com/ (~ 1200 projects listed!)

21. Blockchain, decentralized applications and security - Renaud Lifchitz 21 (1/3)

    ENS Gateway

22. Blockchain, decentralized applications and security - Renaud Lifchitz 22 (2/3)

    Deploying a file/directory using IPFS

23. Blockchain, decentralized applications and security - Renaud Lifchitz 23 (3/3)

    Using the passwords marketplace bzz:/passwords.eth

24. Blockchain, decentralized applications and security - Renaud Lifchitz 24 A

    few words... • Nice and usable proof-of-concept but: – Limited to SHA256 hashes for the moment: lack of other interesting hash functions in the EVM, and high transaction fees to develop new ones  a solution would be to use a trusted oracle – Code is quite ugly, need some fixes before being published • Use it, share it, and audit your passwords!

25. Blockchain, decentralized applications and security - Renaud Lifchitz 25 Things

    of interest • One of my previous presentation about blockchains & security: https://tinyurl.com/blockchain-security • A French article&interview about my password market: https://tinyurl.com/passwords-eth • Security of light wallets (French MISC magazine, March 2018)

26. Blockchain, decentralized applications and security - Renaud Lifchitz 26 Thank

    you! Any questions? Ethereum: 0x0009Fd382E99dDD801736Ea4075a2eE5e4916B72 ENS: nono2357.eth Tips are welcome!  @nono2357