Blockchain, decentralized applications and security
Renaud Lifchitz
Econocom Digital
March 29, 2018 - Blockchain, decentralized applications and security - Renaud Lifchitz
Key problems with current Web applications
The current Web is obsolete
● The Web has been designed to be decentralized BUT…
● It’s more and more centralized: Google, Apple, Amazon, Microsoft, …
● That makes spying easier
● A lot of DDoS attacks succeed
● A single server is not enough even to serve a single popular YouTube video
● Hosting changes → URLs are broken
Many security weak points
● DNS
● SSL/TLS certificates
● System security
● Network security
● Application security
● Passwords
Scalability issues
● Load balancing:
– Is complex
– Is costly
– Depends on the web technologies involved
● Efficient DDoS protection is hard
Building a decentralized password hash marketplace
A password marketplace?
● A common task for security auditors: assess the strength of password hashes
● A test on a single CPU/GPU for a few hours is usually not enough compared to motivated attackers
● So the idea is to build a collaborative marketplace with incentives to help:
– people submit their password hashes with given rewards
– the one who solves a hash is given the corresponding reward
A fully decentralized application? (1/2)
● We need a fully decentralized application to avoid cheating, censorship, DDoS, downtime…
● Several parts should be decentralized:
– web back-end (core logic/app)
– web front-end (storage of HTML/JS/CSS)
– domain name (storage and resolver)
A fully decentralized application? (2/2)
● I have chosen Ethereum technology with some beta components:
– web back-end: Ethereum smart contract
– web front-end: Ethereum Swarm
– domain name: Ethereum Name Service (ENS)
Anti-cheat tricks
● For the submitter:
– You pay the reward in advance and it is locked (no insolvency)
● For the solver:
– You have to pay a small fee to submit an answer (no bruteforce)
– Answer is verified by thousands of nodes (no corrupted server)
● For all users:
– Decentralized application (no DoS/DDoS, downtime)
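The three anti-cheat rules above as an added Solidity sketch; this is not the contract from the talk, and the contract name, function names and the ANSWER_FEE value are assumed. It relies on the EVM's sha256 precompile for the on-chain check, so it handles SHA-256 digests only.

```solidity
pragma solidity ^0.8.0;
// Added example, not the talk's own contract: a minimal SHA-256 bounty
// market implementing the slide's three anti-cheat rules. Names and the
// ANSWER_FEE value are constructed for illustration.
contract PasswordHashMarket {
    struct Bounty {
        address payable submitter;
        uint256 reward; // paid in advance and locked: no insolvency
        bool solved;
    }
    uint256 public constant ANSWER_FEE = 0.001 ether; // assumed value
    mapping(bytes32 => Bounty) public bounties;       // sha256 digest => bounty
    mapping(address => uint256) public credits;       // pull payments

    event Submitted(bytes32 indexed digest, uint256 reward);
    event Solved(bytes32 indexed digest, address indexed solver);

    // Submitter: the reward is sent along with the hash and held by the contract.
    function submit(bytes32 digest) external payable {
        require(msg.value > 0, "reward required");
        require(bounties[digest].submitter == address(0), "already listed");
        bounties[digest] = Bounty(payable(msg.sender), msg.value, false);
        emit Submitted(digest, msg.value);
    }
    // Solver: every attempt costs ANSWER_FEE. sha256() is an EVM precompile,
    // so every node re-runs the check: no single server to corrupt.
    function solve(bytes32 digest, bytes calldata preimage) external payable returns (bool) {
        require(msg.value == ANSWER_FEE, "answer fee required");
        Bounty storage b = bounties[digest];
        require(b.submitter != address(0) && !b.solved, "no open bounty");
        // Do not revert on a wrong answer: a revert would refund the fee.
        if (sha256(preimage) != digest) {
            credits[b.submitter] += msg.value; // fee compensates the submitter
            return false;
        }
        b.solved = true;
        credits[msg.sender] += b.reward + msg.value; // reward plus fee back
        emit Solved(digest, msg.sender);
        return true;
    }

    // Withdrawal uses the pull-payment pattern: zero the balance, then send.
    function withdraw() external {
        uint256 amount = credits[msg.sender];
        require(amount > 0, "nothing to withdraw");
        credits[msg.sender] = 0;
        payable(msg.sender).transfer(amount);
    }
}
```

Note that a preimage passed to solve() is public as soon as the transaction is broadcast, so a correct answer waiting in the mempool can be copied; a commit-reveal step would be needed to protect solvers.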
The Ethereum blockchain
● https://www.ethereum.org/
● More than 22,000 online nodes (https://www.ethernodes.org): most secured/trustable blockchain nowadays
● Average block/transaction time: 15 seconds
● Allows safe execution of logic through smart contracts
● Allows payments with its digital currency, ether (ETH): https://coinmarketcap.com/currencies/ethereum/
● “Ethereum: the World Computer”: https://www.youtube.com/watch?v=j23HnORQXvs
Decentralized name service: Ethereum Name Service (ENS)
● An ENS entry can map a .eth name to:
– an individual Ethereum account
– a content hash for decentralized storage (Swarm or IPFS)
● ENS official web site: https://ens.domains/
● Booking an entry: https://registrar.ens.domains/
● ENS stats: https://ens.codetract.io/
Decentralized storage: Ethereum Swarm
● Peer-to-peer storage and serving solution
● DDoS-resistant, zero-downtime, fault-tolerant, censorship-resistant and self-sustaining with incentives (soon)
● Swarm protocol: bzz://
● Swarm official web site is stored using… Swarm and is also a Swarm gateway:
– http://swarm-gateways.net/ redirects to http://swarm-gateways.net/bzz:/theswarm.eth/
– theswarm.eth resolves to 0x9b34db0158bad197cb28b374c79cd4090d5d75e197d0f118a8fc23835f3a22e0
– http://swarm-gateways.net/bzz:/9b34db0158bad197cb28b374c79cd4090d5d75e197d0f118a8fc23835f3a22e0/
● Other examples:
– Photo album: http://swarm-gateways.net/bzz:/photoalbum.eth/
Decentralized apps: smart contracts
● A smart contract is an application core
● Once deployed:
– No one can modify the code or stop its execution
– The code runs simultaneously on all the nodes
● Smart contract + web front-end = “dApp”
● Ethereum smart contracts main programming language: Solidity
Solidity basics
● High-level language, syntax similar to JavaScript
● Compiled to bytecode then deployed on the blockchain
● Designed to target the Ethereum Virtual Machine (EVM)
● Statically typed, supports inheritance, libraries, complex user-defined types...
● Ability to create contracts for voting, crowdfunding, blind auctions, multi-signature wallets and more!
● Official documentation: https://solidity.readthedocs.io/en/develop/
Solidity code example
Sequestration of funds until 30th July 2020 (https://hodlethereum.com/deposit)
Developing & deploying the smart contract
● Contract can be written using Browser Solidity: https://ethereum.github.io/browser-solidity/
● Contract can be tested using Truffle framework: http://truffleframework.com/ or Ethereum testnet (currently “Ropsten”)
● Contract can be deployed & used using:
– Parity: https://parity.io/
– Mist: https://github.com/ethereum/mist/releases
Using the decentralized Web
What you may need (1/2)
● A node/gateway:
– IPFS (or a public one: https://ipfs.infura.io )
– Swarm (or a public one: http://swarm-gateways.net/bzz:/passwords.eth/ )
– Ethereum (or a public one: https://mainnet.infura.io/ )
What you may need (2/2)
● For dApps:
– An Ethereum wallet with a small balance (typically 0.005 ETH)
– A dApps compatible browser:
● Desktop: Chrome plugins “ENS Gateway” & “Metamask”, or Ethereum Mist or Parity
● Mobile: Cipher, Status or Trust
– An entry point: URL or https://www.stateofthedapps.com/ (~ 1200 projects listed!)
(1/3) ENS Gateway
(2/3) Deploying a file/directory using IPFS
(3/3) Using the passwords marketplace
bzz:/passwords.eth
A few words...
● Nice and usable proof-of-concept but:
– Limited to SHA256 hashes for the moment: lack of other interesting hash functions in the EVM, and high transaction fees to develop new ones; a solution would be to use a trusted oracle
– Code is quite ugly, needs some fixes before being published
● Use it, share it, and audit your passwords!
Things of interest
● One of my previous presentations about blockchains & security: https://tinyurl.com/blockchain-security
● A French article & interview about my password market: https://tinyurl.com/passwords-eth
● Security of light wallets (French MISC magazine, March 2018)
Thank you!
Any questions?
Ethereum: 0x0009Fd382E99dDD801736Ea4075a2eE5e4916B72
ENS: nono2357.eth
Tips are welcome!
@nono2357