BlockchainSecurity for Health Data: Promises, Risks, and Future Developments · BlockchainSecurity...
Transcript of BlockchainSecurity for Health Data: Promises, Risks, and Future Developments · BlockchainSecurity...
@brynosaurus
Blockchain Security for Health Data:Promises, Risks, and Future DevelopmentsBryan Ford, Associate Professor of Computer & Communications Sciences, EPFL
Where there’s data, there’s risk...
Interconnection compounds risk
Business
Partner A
Shared
Access
Partner B
Partner C “All of us!”“All of us!”
Cloud-based
Services
“You can
trust us!”
Data dependence compounds risk
OPM: 21.5 million sensitive
US government
personnel records
[Nextgov, 23-June-2015]
Data dependence compounds risk
Repeated hospital ransomware attacks
[Nextgov, 23-June-2015]
[WannaCry ransomware, May 2017]
RUAG Cyber-Espionage Case
RUAG: main weapon
manufacturer of Switzerland,
active notably in cyberdefense
(around 8,000 employees)
Case made public in May 2016
(infiltration started before Oct. 2014)
Total exfiltrated data: at least 23 GBytes
May-July 2017: Equifax Breach
One of three credit rating agencies in the US
● Exposed sensitive personal information about
143 million people (44% of US population)
The Fundamental Problem
In today’s IT systems, security is an afterthought
● Designs embody “weakest-link” security
Scaling to bigger systems → weaker security
● Greater chance of any “weak link” breaking
The DEDIS lab at EPFL: Mission
Design, build, and deploy secure privacy-preserving
Decentralized and Distributed Systems (DEDIS)
• Distributed: spread widely across the Internet & world
• Decentralized: independent partcipants, no central authority,
no single points of failure or compromise
Overarching theme: building decentralized systems
that distribute trust widely with strongest-link security
Weakest-Link
Security
Strongest-Link
Security
Turning Around the Security Game
Design IT systems so that making them bigger
makes their security increase instead of decrease
Weakest-link
security
Strongest-link
security
Scalable
Strongest-link
security
Decentralized Security Principles
Computer science theory, algorithms, crypto has
long known principles of decentralized security…
● Threshold cryptography,
Byzantine consensus
● Tolerate any one
(or several)
arbitrary failures
or compromises
Decentralized Security Principles
Computer science theory, algorithms, crypto has
long known principles of decentralized security…
● Threshold cryptography,
Byzantine consensus
● Tolerate any one
(or several)
arbitrary failures
or compromises
But never widely deployed, until…
Bitcoin (2008)
First successful decentralized cryptocurrency
Blockchain and eHealth: Outline
● What is a Blockchain?
● State-of-the-Art: Promise and Limitations
● Blockchain Research at EPFL
● Conclusion
Today’s Hot Decentralized Technology
(credit: Tony Arcieri)
How to track wealth
(or anything)?
Things
● Gold, beads, cash...
Ledgers
● Who owns what?
Alice 5 BTC
Bob 2 BTC
Charlie 3 BTC
...
Distributed Ledgers
Problem: we don't want to trust any designated,
centralized authority to maintain the ledger
Solution: “everyone” keeps a copy of the ledger!
– Everyone checks everyone else's changes to it
Alice 5 BTC
Bob 2 BTC
Charlie 3 BTC
...
Alice's copy
Alice 5 BTC
Bob 2 BTC
Charlie 3 BTC
...
Bob's copy
Alice 5 BTC
Bob 2 BTC
Charlie 3 BTC
...
Charlie's copy
Proof-of-Work in Public Blockchains
Public blockchains such as Bitcoin, Ethereum use
consensus by crypto-lottery
1) Miners print their own “lottery tickets”
by solving crypto-puzzle (proof-of-work)
2) Winner gets to add one block to blockchain;
typically gets reward: e.g., print new money
3) All miners gravitate to longest chain. Repeat.
Blockchain and eHealth: Outline
● What is a Blockchain?
● State-of-the-Art: Promise and Limitations
● Blockchain Research at EPFL
● Conclusion
Applications of Distributed Ledgers
Can represent a distributed electronic record of:
● Who owns how much currency? (Bitcoin)
● Who owns a name or a digital work of art?
● What are the terms of a contract? (Ethereum)
● When was a document written? (notaries)
But practical limitations currently constrain uses
● Slow, energy-inefficient, can’t keep secrets…
Broad Promise & Global Interest
Limitations of Today’s Blockchains
Public/permissionless (e.g., Bitcoin, Ethereum)
● Slow, weak consistency, low total throughput
● Limited privacy: leaky, can’t keep secrets
● User devices must be online, well-connected
● Mining is inefficient, insecure, re-centralizing
Private/permissioned (e.g., HyperLedger, R3, …)
● Weak security – single points of compromise
Dimensions of Information Security
We usually want three orthogonal properties:
1.Integrity: the system computes honestly,
remembers and results correctly
2.Availability: it’s there when you need it,
provides answers in reasonable amount of time
3.Privacy: it doesn’t leak confidential information
to anyone who isn’t supposed to have it
In general, blockchains tend to be
GOOD at #1, SO-SO at #2, and BAD at #3
The Blockchain Privacy Challenge
Blockchains protect the integrity of data by
giving everyone a copy for independent checking
● This works against privacy & confidentiality
● Current privacy provisions are leaky
● Solvable with proper use of encryption
– When combined, important to remember:
it’s the encryption, not the blockchain,
that protects privacy.
Drawbacks of Nakamoto Consensus
● Transaction delay
– Any transaction takes ~10 mins minimum in Bitcoin
● Weak consistency:
– You’re not really certain your
transaction is committed until
you wait ~1 hour or more
● Low throughput:
– Bitcoin: ~7 transactions/second
● Proof-of-work mining:
– Wastes huge amount of energy
Who Participates in Consensus?
Permissionless blockchains (Bitcoin, Ethereum):
“anyone” who invests in solving crypto-puzzles.
● Now practical only with ASICs and cheap power
● Re-centralization undermines trustworthiness
Environmental Costs
Proof-of-work = “scorched-earth” blockchains
● Tremendous energy waste,
now comparable to all of Ireland
●
Smart Contracts (e.g., Ethereum)
Insert arbitrary software into a blockchain
● Can programmatically supervise cryptocurrency
– e.g., automatically settle an insurance payment
(see AXA “fizzy” flight delay insurance)
Extremely powerful (and interesting), but risky
● One software bug → spectacular hacks
– DAO: $70M USD of
$150M USD contract
stolen in hours
(June 2016)
The “Universal Bug Bounty”
First successful hacker can steal a lot of money
Blockchain and eHealth: Outline
● What is a Blockchain?
● State-of-the-Art: Promise and Limitations
● Blockchain Research at EPFL
● Conclusion
DEDIS Blockchain Goals
Working to make tomorrow’s blockchains:
● Fast: responsive in seconds, not minutes/hours
● Scalable: support high transaction volumes
● Private: keeping confidential data secure
● Available: blockchain records usable offline
● Powerful: private analysis of encrypted data
DEDIS next-generation blockchain infrastructure
already available, in use by multiple partners
ByzCoin: Fast, Scalable Blockchains
DEDIS lab project presented in [USENIX Security ‘16]
● Permanent transacton commitment in seconds
● 700+ TPS demonstrated (100x Bitcoin, ~PayPal)
● Low-power verifcaton on light mobile devices
1 2 3
1 2 3 4 5
...
5-10 sec
BitcoinCothority
Miner
Witnesses
Key-Block
Micro-Block
depends on
6
Co-Signature
Horizontal “Scale-Out” Blockchains
OmniLedger: A Secure Scale-Out Ledger [preprint]
● Break large collective into smaller subgroups
● Builds on scalable bias-resistant randomness protocol
(IEEE S&P 2017)
● 6000 transactions/second: competitive with VISA
Transactions
Shard 1Shard 2
Shard 3
The Privacy Problem in Blockchains
In current blockchains, secrets (keys, passwords)
must be held “off-chain” by private parties
● Just a hash on-chain → document might be lost
● Encrypted on-chain → encrypted to whom?
– Decided at encryption, cannot be changed/revoked
Current blockchains
can’t manage secrets,
because they would
leak to all participants
● Weakest-link security again
DEDIS “Chain-Managed Secrets”
Allow blockchain to hold and manage secretsvia verifiable, transparent, dynamic access policies
– Example: decryption keys, access lists for documents
– Example: login credentials for access to services
● On-chain policies can determine how and when
secrets used, who should have access when
– Any access change immediately, atomically applied
– Tamper-proof log of all uses or attempted uses
● Can enforce data retention/deletion policies
Secure Digital Documents?
Significant interest in digital
degrees, awards, land titles, …
● Blockchain can provide a
hard-to-forge timestamp
But how do you verifya digital document?
● Current blockchains:
you must be online
● Doesn’t work if network down, too slow, costly
SkipChain: Traversable Blockchain
DEDIS work appearing in [USENIX Security ‘17]
● Enables offline or peer-to-peer cryptographic
verification and “time-travel” through all history
Time
Backward hash links, embedded in blocks at commit time
Collectively signed forward links, added later once target exists
B3
B2
B1
F1
F2
F3
Level
Chaniac: Secure Device Updates
(including Medical/IoT)
Medical devices increasingly networked, “IoT”
● Keeping their software up-to-date is critical
– Otherwise vulnerable to old threats: e.g., WannaCry
DEDIS “Chainiac” provides end-to-end secure
blockchain-based software distribution & update
UnLynx: Privacy-Conscious, Blockchain-Secured Medical Data Sharing
Functionality:• Allow queriers to query a set of
distributed databases
Requirements:• Data Providers data confidentiality• No single point of failure• Computation correctness• Privacy of data providers (DP) and
individuals storing their data in DPs
Threat model:• Queriers, servers may be compromised• Data providers honest-but-curious
SELECT AVG(cholesterol_rate)
FROM DP1, …, DPn
WHERE age in [40:50] AND ethnicity = Caucasian
GROUP BY gender
UnLynx: Security guarantees
Data are encrypted
during the whole
process.
Data are shufed to
break the link btw. DP
and data.
Oblivious noise additon on
query results ensures
diferental privacy.
Correctness of every
computaton can be
verifed with Zero-
Knowledge Proofs
(proof that the
computaton is correct
without disclosing the
secret values).
Entty misbehaving can
be identfed and
excluded.
As long as one of the
servers is honest, all
the other propertes
are guaranteed.
53
Blockchain and eHealth: Conclusion
● Blockchain technology holds great promise
– But current systems immature, many weaknesses
● EPFL is building next-generation blockchains
– Enhance performance, scalability, privacy,
availability, and powerful analysis capabilities
– Already applied to medical data applications