Does Blockchain Security need to be Completely Reworked?

in #blockchain8 years ago


Ever since The DAO was exploited people have begun questioning whether “Code is Law” is a practical philosophy. Today I want to challenge the notion that “Key is Law” or “Key is Identity”.

Everyone knows that if someone gets ahold of your private key, your funds will be gone without recourse. This means that property rights are defined by the ability of a person to maintain a secret.

Impossible to Secure Secrets

Maintaining secrets is practically impossible for the vast majority of the population. The only solution that has been reliable is to use multiple signatures from keys stored on different devices.

Normal people are not capable of, or do not want to be responsible for, securing secrets. It is too much stress. One wrong move and you are either locked out forever or your funds are compromised.

Securing Life, Liberty, and Property

My mission has been to find free market solutions for securing life, liberty and property. In this case, we need more robust solutions for securing cryptographic property.

Property is an abstract concept. It is the idea that something belongs to an individual, a social convention that facilitates trade and trust.

Private keys are an identity verification system. They provide strong evidence that a particular individual made a particular statement. But this evidence depends upon a secret being maintained. Not just any secret, a secret so long and complex that people cannot easily remember it. A secret so long that it impacts usability.

A system that replaces real identity with imperfect evidence is fundamentally broken. It will not get people justice. People will not feel secure. A better solution is needed.

Identity vs Evidence of Identity

Blockchains create a public record that tracks who owns what. Private keys are used to sign transactions so that everyone can validate all property transfers and eliminate any disputes over who owns what.

The problem is that private keys are not an identity. They are mere evidence. Disputes can still arise when two people both have access to the same private key.

It is tempting to say that Keys are identity, but this would be mistaking the map for the reality. This stance does not map to peoples intuitive sense of justice. It is an engineering cop-out designed to evade the hard problem of governance and dispute resolution.

Governance Occurs Anyway

We have seen with The DAO, Bitcoin, and Steem hard forks that in the event of a bug, exploit, or theft that the community can and will take action to get justice.

I have long been an advocate that ignoring a problem doesn’t make it go away. If you don’t provide a governance structure then an informal one will be created. If you are unable to achieve a workable governance model then progress will stall and people will leave.

Social Identity

On a social network we have a new kind of proof, social proof. We know who people are and generally know when someone was hacked.

Unlike money, posts and votes made by an attacker are often clearly out-of-character for someone. This makes it very obvious to everyone in the social network that an injustice has occurred.

Social Costs

When an account posting key is compromised everyone loses. All of a sudden someone’s feed can get filled with ads, their hard earned steem power (aka reputation) can be abused. They can vote up garbage, vote down good stuff, or simply flood the network causing congestion for other users.

New Solutions are Needed

The rules of Bitcoin and other crypto-currencies do not apply the same way to a social networking blockchain. It is a different market with different requirements. Here are some of the things that the network should be able to reach consensus on without requiring a hard fork.

  1. account theft and return to original owner
  2. posting authority theft and temporary censoring

Account Owner Theft

An account can only be stolen when the owner key changes. In many cases it is easy for the public to identify the real owner and in 99.9% of cases, accounts are not bought and sold. In fact, it is in the blockchains best interest to prevent accounts from being bought and sold and thereby enforcing the vesting period.

The following proposal assumes that account owners can “opt-out”. An account that opts out will assume full responsibility for the protection of the owner key. In other words, those who opt-out have no grounds to ask for a hard fork or other intervention in the event they are hacked.

For everyone else who prefers the security of the community we have a new proposed solution.

  1. for N days after every owner key change a dispute may be raised
  2. if a dispute is raised, witnesses can vote on whether or not to override the owner authority.
  3. to prevent abuse, raising a dispute costs a lot (say $1000).
  4. after N days no dispute may be raised and witnesses have no power to change owner authority.
  5. the account holder can specify how many days review can last.
  6. by specifying an infinite review period, witnesses can be used as a last-resort password recovery system.

Account Posting Theft

It is not reasonable to expect that posting keys will not be stolen, especially because they are often kept live and cached within a web browser. The entire network needs a means to silence spam spewing from compromised posting authorities.

We suggest that any account can temporarily disable the posting and voting of another account until that account logs in with their active or owner key. This is a kind of identity challenge that will prevent hackers from abusing the platform.

To prevent abuse and to compensate the individual for proving they have the active key, the challenger will have to transfer about $10 worth of STEEM to Steem Power in the challenged account. Accounts can be limited to one challenge per day to prevent excessive harassment.

Friends and Family Multi-Sig

The last level of security for an account is for people to add their friends and family as multi-sig co-signers on their owner authority. In this event an attacker would have to compromise the active keys of the majority of someones family before they could compromise their identity.

In fact, a properly functioning and secure blockchain would have every account “owned” by a group of other accounts. The larger the group and the more the account holder trusts the group, the more secure the identity.

Social Media is the key to Blockchain Security

Having a social platform is the best and easiest way to get all of your friends and family online and available to secure your account. Imagine Facebook friends on steroids. Your most trusted friends and family become the source of your identity and their collective word (active key) secures your identity and account.

Conclusion

Steemit is still a young platform, but it is building the foundation for a much more robust and secure financial platform than can be provided by private keys or primitive multi-sig alone.

Sort:  

Congrats, again the steemit platform is not just all about the fancy back-end tech but is considerate of users and usability... this is mass market and has to cater for PICNIC (problem in chair not in computer) errors

I thought that was PEBCAK (Problem exists between chair and keyboard) an Id10t error. :)

Both work, picnik sound like picnic and the ID10T's are even less likely to get it.

LOL - right. That make's sense. I love to chat with people that know these inside jokes... "Sorry sir let me help you with the I.D. ten T error!!"

A good article raising important points,and I agree on the main points.
But the big fee to raise a dispute is a horrible idea! That is really discriminating against poor people.Like myself.There is just no way I can find a 1000 dollars without begging from family and friends.

Very interesting post.

I really like your comparison of mistaking a map for reality. The complexities of proving identity have been around virtually as long as humans have walked the earth.

It's great that we're thinking and talking about these things. The concern I would have in a system like this is how does one prevent groups of malicious individuals from claiming the identity of another person? And also, how does one who's put the claim to their account in the hands of the family and friends who know them make sure that their accounts are also secure?

Unless I'm misunderstanding, an account would only be as secure as the accounts of their witnesses in a situation like this.

Great thoughts Dan! I have noticed a lot of discouraged posts lately concerning this or that issue. The truth is, the devs truly do care about this platform, they deeply care about working out the kinks and making this a successful, fair, and profitable place where valuable ideas are rewarded.

Life, Liberty, and Property.
Cheers

Agreed, we all get disheartened occasionally.

Unfortunately you are right, it is all in the back end. Bitcoin and these newer block chains have a very different back end allowing for much more in the way of hacking.

Yes! I love this discussion and your ideas make great sense. Thinking ahead, as usual.

my comment reposted somewhere else.

Thanks for addressing this Dan

We suggest that any account can temporarily disable the posting and voting of another account until that account logs in with their active or owner key. This is a kind of identity challenge that will prevent hackers from abusing the platform.

To be clear this means some kind of active key transaction?

To prevent abuse and to compensate the individual for proving they have the active key, the challenger will have to transfer about $10 worth of STEEM to Steem Power in the challenged account. Accounts can be limited to one challenge per day to prevent excessive harassment.

This is open to deep pockets, sybil attack, and could be used as a way of getting a targeted user to ferret out a powerful key at the wrong time. This idea could create more abuse than it solves.

You can get pretty good identity approximation with an offline HW device (trezor or such) which only you know pin of. To get hacked, you would need an attacker to take your device and force you to disclose pin, i.e. totally control you - for such an extreme case, definitely a third-party confirmation would be best.

In all other cases, HW auth is a quicker and more secure (no human involved making social engineering impossible) method.

I have to say that the more I read about Steem and what's happening behind closed doors the more I feel all the more confident that Steem is going to see the success we all feel in our gut in the near future. Welcome early steemers!

Classy post. cool