Discover PerformanceHP Software's community for IT leaders // September 2014
Bitcoin and IT security
HP Security Research digs into the cryptocurrency and looks at how IT security is vital to its value.
By John Park, HP Security Research
HP Security Research’s John Park recently looked at cryptocurrency Bitcoin, tackling questions about the technology and its potential vulnerabilities. In this edited excerpt from his recent HPSR Security Briefing, he examines what it is and how it works.
There isn’t clear consensus yet about what Bitcoin is—currency, property, or just bits of data. In fact, it’s a leading form of cryptocurrency, a term that entered the Oxford Dictionaries Online just this spring. (“Bitcoin” was added last summer.) A cryptocurrency uses encryption techniques to generate funds and regulate their transfer.
Of course, it’s never simple to define bleeding-edge technologies. Cases can be made for thinking of Bitcoin as a currency, a foreign currency in need of exchange, an instrument of barter, a form of digital property, or even a commodity. Bitcoin has similarities to all those media of exchange, but is in truth a little bit of everything.
That aspect of Bitcoin adds complexity to understanding what it is and how to secure it. A medium of financial exchange is useless if an attacker can interfere with how it stores value. To secure Bitcoin, we need to know where the value is held in the Bitcoin system.
Bitcoin under the hood
The word “Bitcoin” describes the system, community, protocol, data, and unit of money:
- Bitcoin, in its largest sense, is the system of users and machines and data. Data, which is virtual, defies any legal jurisdiction. Users and machines, on the other hand, have to follow the rules of the nation in which they reside.
- Bitcoin, in a more specific sense, is the data—the “block chain” that contains all the transaction records. That is the core of Bitcoin, and as long as the records are maintained, the Bitcoin system can live on.
- Bitcoin, in a theoretical sense, is the protocol. It is the rule set of how bits should be encrypted, and how data should be moving on the Internet.
- Finally, “bitcoin” (lower-case B) is the unit of numeration; one might speak of five bitcoins, or five hundred. It’s usually abbreviated “BTC.”
The balance of this article will primarily discuss Bitcoin’s system and protocol: how the system is constructed and which security measures and principles have been applied to ensure that pure data, without any collateral guarantee, can serve as a trustworthy currency. We’ll conduct the examination through the familiar security triad of integrity, availability, and confidentiality.
Bitcoin security: Integrity
Bitcoin adheres to some basic integrity-related premises:
- There is a limited supply of bitcoins (currently 21 million BTC).
- It’s easy to verify that the bitcoins that I have are real, and it is difficult to create counterfeit bitcoins.
- My bitcoins cannot be taken from me without my permission.
These are all integrity issues that the Bitcoin system solves by being totally open, and in the process providing traceability and non-repudiation. Everyone can see the bitcoins in circulation and the release schedule for future bitcoins, so there’s no fear that unauthorized bitcoins will be created. And your bitcoins cannot be stolen because transfer requires the owner to use a private key to sign a “transfer slip.” That’s all end users need to know—the bitcoin supply is limited, and can’t be taken without authorization.
Bitcoin security: Availability
For Bitcoin to be used as a currency—a basic utility—it has to be available all the time. Because the designers built on peer-to-peer protocols, Bitcoin exists everywhere and nowhere, and it is always available somewhere. No physical server can be a single point of failure.
The concept of availability for peer-to-peer networks isn’t about a server maintaining 99.999% uptime but, rather, is measured by how close the local copy is to the master copy. If there is a big gap in the Internet connection, the local copy might become outdated from the master copy, but since it’s simply data, it would always be available somewhere in some form.
Since Bitcoin is decentralized, it is less susceptible to distributed denial-of-service (DDoS) attacks. DDoS attacks focus massive traffic to one vulnerable spot. With peer-to-peer networks, there is no single server to which attackers can send focused traffic. Thus, availability is baked into the system.
Bitcoin security: Confidentiality
Finally, Bitcoin’s system is interesting because it locks down some information completely, and makes other information completely public. Every Bitcoin transaction record is open to all. That would be hard to imagine in traditional banking, but Bitcoin adheres to the Net’s philosophy that everything should be open unless there is great harm in making it open.
Yet Bitcoin’s system designers protect privacy at the end points of transactions. This is very similar to how the Internet is architected, in that encryption is taken care of at the end points, while the transit layer is built to be open. Though Bitcoin lays bare the transactions themselves, it keeps confidential the identities of the people or entities owning the accounts at either end of the transaction. There is no verification process to create an account: you simply generate a private key and create an account number. This crypto-based account creation allows the Bitcoin system to create accounts anonymously without a centralized authority.
That’s the theory. In current practice, buying or selling bitcoins is not totally anonymous, since governments require most Bitcoin exchanges to provide real-world identification when someone cashes out from the system. Designed to prevent money laundering, this measure is applied to many exchange systems, not only Bitcoin.
For example, a Bitcoin ATM was recently set up near where I live. It requires government-issued ID, takes a photo of my face and palm print, and does phone verification via SMS. So, even though confidentiality is maintained within the Bitcoin system, when it touches the real world, it is not 100% confidential—for now.
For a look inside a Bitcoin ATM, and a discussion of how attackers and defenders see Bitcoin’s vulnerabilities, read Park’s HPSR Security Briefing (.pdf).
John Park is a senior security researcher with HP Security Research. His work focuses on mobile malware, machine learning, cryptography, and physical security. He holds a BS in Electrical Engineering and Computer Science and a BA in Cognitive Science from UC-Berkeley. In his spare time, he enjoys competitive data mining.
HP Software’s Paul Muller hosts a weekly video digging into the hottest IT issues. Check out the latest episodes.
Preparing today for tomorrow’s threats.
Introduction to Enterprise 20/20
What will a successful enterprise look like in the future?
Challenges and opportunities for the CIO of the future.
Dev Center 20/20
How will we organize development centers for the apps that will power our enterprises?
Welcome to a new reality of split-second decisions and marketing by the numbers.
IT Operations 20/20
How can you achieve the data center of the future?
What the workforce of 2020 can expect from IT, and what IT can expect from the workforce.
Looking toward the era when everyone — and everything — is connected.
Data Center 20/20
The innovation and revenue engine of the enterprise.