The SOTER Project is pleased to announce the release of the first version of its whitepaper on blockchain security. The document outlines the security concepts that apply specifically to this technology in relation to the aims of the project. The second version of this deliverable will be released in January 2021.
SOTER foresees the use of blockchain technology as one of the technological resources for increasing cybersecurity in the finance sector. The European Commission has shown a clear commitment to blockchain applications, motivated by lower costs and gains in trust, traceability and security. However, as with any disruptive and emerging technology, blockchain must be applied ethically and responsibly, and its adoption must be preceded by research.
One of the goals of the project is to develop a digital onboarding platform for the financial industry. Here a blockchain network is needed to provide immutability, privacy and integrity of data, as well as interoperability. Integrity and immutability assurance will also help the platform comply with liability policies that other sectors, such as insurance, may require.
The first version of the whitepaper provides a framework for establishing the risks and security considerations of this blockchain network, categorized through a top-to-bottom layered approach covering the Business, Governance, Data, Application and Infrastructure layers. The Governance layer also covers data access, network membership, consensus protocols and identification processes.
Furthermore, the document provides recommendations for the SOTER project, including on GDPR issues. The desired characteristics are presented in an analogous layered model covering the same five layers. The technical and legal teams will discuss these recommendations and, where necessary, take them into account in the implementation of the project.
The onboarding platform will rely on the Alastria network, a Spanish multi-sector consortium that provides an Ethereum-based blockchain and an identity model built on top of it. In the whitepaper we performed a brief security analysis of the Alastria network to assess whether it meets the initial requirements of the project.
Alastria is an evolving network that is still under development. It started as a test network built on Quorum, an enterprise-focused Ethereum implementation, and work is already underway on a second network built on Hyperledger Besu. Both implementations will be analyzed in terms of the consensus protocols and data privacy mechanisms they offer. As the project progresses we will gain deeper knowledge of the Alastria network, and a more detailed analysis will be included in the second version of the whitepaper.
SOTER will ensure that all components of the onboarding platform are aligned with European regulation, in particular data protection (GDPR) and electronic identification (eIDAS). Blockchain plays a key role in the platform's GDPR compliance, but detailed research is needed into which data is stored on the chain and how, because deciding whether a piece of information is personal data is not always straightforward.
Article 4 of the GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier”. Under that definition it is not easy to state whether a public key, a digital signature or the hash of some information is personal data. Data protection authorities are publishing guidelines on this, but there is no common understanding yet. Beyond privacy, blockchain will let us manage users' identities across different environments, providing interoperability between the agents of the platform, and it will save costs because the onboarding process needs to be carried out only once. Privacy features must be considered, and the proposed identity model must also comply with the eIDAS regulation. All these issues will be covered across the two versions of the whitepaper.
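One practical reason the status of a hash is hard to settle is that an unkeyed hash of a low-entropy identifier (an ID card number, a phone number, a short customer number) can be reversed by simply hashing every possible value and comparing. The following Python script is an added illustration, not code from the SOTER whitepaper or from Alastria: it uses a constructed, fictitious identifier format and a hypothetical off-chain secret, and shows that the plain SHA-256 of such an identifier is recoverable by enumeration, while an HMAC under a secret key is not recoverable by anyone who lacks the key.

```python
import hashlib
import hmac
import itertools
from typing import Iterator, Optional

# Constructed sample, not real data: a fictitious customer number in a
# hypothetical "NNNN-C" format (four digits plus one check digit). It stands in
# for any low-entropy identifier such as an ID card number or a phone number.
SAMPLE_ID = "0042-7"

# Hypothetical secret held off-chain by the platform operator (assumed value).
SECRET_KEY = b"soter-demo-pepper-do-not-reuse"


def plain_hash(value: str) -> str:
    """Unkeyed SHA-256 of the identifier: the naive way to 'anonymize' it on-chain."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyed_hash(value: str, key: bytes) -> str:
    """HMAC-SHA-256 of the identifier: without the key, candidates cannot be tested."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def candidate_ids() -> Iterator[str]:
    """Enumerate the whole hypothetical identifier space (100,000 values)."""
    for digits in itertools.product("0123456789", repeat=4):
        for check in "0123456789":
            yield "".join(digits) + "-" + check


def recover_from_plain_hash(target: str) -> Optional[str]:
    """Dictionary attack: hash every candidate and compare with the on-chain value."""
    for candidate in candidate_ids():
        if plain_hash(candidate) == target:
            return candidate
    return None


def recover_from_keyed_hash(target: str, key_guess: bytes) -> Optional[str]:
    """Same attack against an HMAC; it succeeds only if key_guess is the real key."""
    for candidate in candidate_ids():
        if hmac.compare_digest(keyed_hash(candidate, key_guess), target):
            return candidate
    return None


if __name__ == "__main__":
    on_chain = plain_hash(SAMPLE_ID)
    print("plain hash, anyone:", recover_from_plain_hash(on_chain))  # 0042-7

    on_chain = keyed_hash(SAMPLE_ID, SECRET_KEY)
    print("keyed hash, attacker:", recover_from_keyed_hash(on_chain, b"guess"))  # None
    print("keyed hash, key holder:", recover_from_keyed_hash(on_chain, SECRET_KEY))  # 0042-7
```

The caveat a practitioner would add: the keyed variant is pseudonymization, not anonymization. Whoever holds the key can still link the on-chain value back to the person, so the key becomes a protected asset, and the stored value remains within the scope of data protection rules for the key holder. Putting even a keyed hash on an immutable ledger therefore still needs the on-chain/off-chain split the whitepaper calls for, not just a change of hash function.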
The blockchain implementation should take into account the standardization initiatives that experts are working on. For digital identities, the European Commission is promoting the concept of Self-Sovereign Identity: a decentralized paradigm in which most capabilities are shifted into the user's hands by means of decentralized methods and cryptographic algorithms. Working groups at the World Wide Web Consortium (W3C) are also developing specifications for how user information is exchanged (the Verifiable Credentials Data Model) and how identifiers are published and resolved (Decentralized Identifiers). The project's blockchain-based identity model must be aligned with these specifications.
Like any IT infrastructure component, a blockchain can have security weaknesses that compromise the whole platform. It must be audited iteratively to detect them, through activities such as penetration tests and vulnerability scans. A blockchain is a complex environment that includes cryptographic keys, networks, software components, exposed APIs and communication ports, all of which must be covered by cybersecurity management. The whitepaper contains guidelines on these issues and points out those that must be handled in the next stages of the platform's development.
Author: José Manuel Panizo Plaza, Fábrica Nacional de Moneda y Timbre