Blockchains are ruled almost entirely by cryptographic mechanisms. These mechanisms mostly involve digital signatures & PKI, hashes, and key derivation.
In permissioned blockchains, the network effect is significantly lesser than in public networks. Besides permissioned blockchains do not use proof-of-work such as in the Bitcoin network or proof-of-stake such as found in Ethereum network and as such do not have the strong and inherent security behind these mechanisms.
By nature, permissioned networks are heavily dependent on cryptographic operations being done in a secure and safe way when used for financial institutions. They require banking-grade HSMs.
In what follows, we will present an overview of the key roles of HSMs in permissioned blockchains for banking & payment services.
Cryptographic Protocols Involved with Blockchains
There are no norms defining blockchains. Therefore, any blockchain implementation is free to pick up cryptographic algorithms that they want and for what they need.
Blockchains may use hash algorithms such as SHA-256 for the blockchain network. For example, Dagger-Hashimoto is used for the Ethereum network and ECDSA is used for Ripple-based networks. Additional hash algorithms include:
- X11
- X13
- CryptoNight hash
- Scrypt hash
- NXT
- BLAKE256
Here we list the hashes and cipher suites supported by major permissioned blockchains frameworks:
|
Framework |
Hashing |
Signature scheme |
|
R3 Corda |
|
|
|
Hyperledger Fabric |
|
|
|
Hyperledger Sawtooth |
|
|
|
Quorum |
|
|
|
Multichain |
|
|
There are many other permissioned frameworks, including HydraChain, OpenChain, and BigchainDB. Most are based on existing frameworks like Bitcoin or Ethereum. Many of the permissioned blockchain networks are crypto-agile and/or post-quantum proof.
Role of HSMs in Permissioned Blockchains
Permissioned blockchains incorporate the identity authentication, access control, and authorization features for the nodes for the participation in the blockchain network. Cryptographic keys are utilized for the identities of nodes. These cryptographic keys are securely managed through HSMs. Typically, blockchains incorporate the HSM as a service by which a single HSM or a cluster holds the cryptographic keys of various blockchain nodes. These keys should be managed in separate and secure HSM partitions with designated roles for each partition. In some scenarios, PKI-based digital certificates are also used to ensure the trust between the blockchain nodes.
By design, HSMs are perfectly suited for the needs of a permissioned blockchain.
Permissioned blockchain consensus is vulnerable to cryptographic attacks. Therefore, PKI operations should ideally be performed in HSMs. In general, the key pair generation in blockchains is essential, and such keys should not be handled directly by their end-users. Instead, they should be generated and securely stored in HSMs or in key management servers.
Hashing and specifically, keyed hashing operations, are an integral part of the blockchain system. They also need secure random generation functions that should also be achieved with an HSM.
Why Are These Standards Important for Compliance and Auditability?
HSMs are a vital part of any security infrastructure that is under the mandate of securely managing cryptographic keys. The HSMs considered for incorporation must be FIPS 140-2 level validated and Common Criteria certified. If PKI-based digital certificates are being used in the permissioned blockchain, they must comply with the latest X.509 v3 standard. When a permissioned blockchain is employed in a banking/financial services department, the PCI PTS HSM version 3.0 certification is mandatory for legal obligations and compliance.
Conclusion
In preventing and mitigating malicious attacks, the implementation of strong authentication and cryptographic mechanisms is a critical requirement for protecting permissioned blockchains. Since the permissioned blockchain incorporates the identities of blockchain nodes, the need for HSMs is critical.
It would be in the best interest of banks and payment services providers to use HSMs and secure key management systems to perform the cryptographic operations needed for blockchain operations.
References and Further Reading
- Learn more about Utimaco's HSMs for blockchains
- More articles on permissioned blockchains on our blog (2018 - today), by Martin Rupp, Priyank Kumar, Ulrich Scholten, Asim Mehmood, Dawn M. Turner and more
- More articles on eIDAS (2018 - today) on our blog, by Gaurav Sharma, David McNeal and more
- More articles on HSMs (2018 - today)on our blog, by Terry Anton, Dawn M. Turner and more
Blog post by Martin Rupp, Priyank Kumar and Ulrich Scholten
