Analysis: Is the blockchain really as safe as we think?

Source: Medium

Translation: First Class (First.VIP)_Saline

"An article in the MIT Science and Technology Review, "The blockchain that was once known as unbreakable block is now being hacked," has exemplified that blockchains have been successfully attacked by hackers. Blockchain technology has become easier for people to use, and security will likely become a key issue in blockchain landing. Leading companies that frequently deal with blockchain should pay more attention. The more blockchains are used in different business areas. More, there will be more people trying to discover their vulnerabilities and use them."

(Note: Today, writing an article about the blockchain is really impossible. Because the predictions you make are likely to be relentlessly overturned in a few years. So this article will not make any predictions, nor will it Comment on the future of blockchain technology. This article only discusses some basic security issues related to blockchain.)

Before discussing why blockchains are not as secure as everyone thinks, let's first outline some of the concepts and mechanisms underlying this technology.

Security through obfuscation and encryption

When protecting anything (especially information), people usually use both fuzzy and encrypted methods to achieve security.

In everyday life, people are usually most familiar with the concept of ambiguity. This concept includes hiding information and not knowing it except those who need to know it. For example, hiding a plain text password file in a remote folder on your computer makes it difficult for others to find out that they can access your computer. But this approach to security through hiding is not so often used. The reason is simple: secrets always have a way to be discovered.

Encryption, on the other hand, exposes the location of the information, but the data is encrypted and only accessible to those who have the decryption key.

One of the earliest use cases of encryption can be traced back to the Roman era, when the ancient Romans used letter shifting to send military information. For example, if the letter shift number is set to 3, the word "hello" can be represented by "khoor" (first class note: in the alphabet, the three letters after h are k, and the last three letters of e are h, and so on). Therefore, after the important message is encoded as such, it can be safely sent to the messenger who does not know the n value. Even if the messenger was intercepted halfway, the enemy got the message and didn't know how to crack it. It seems easy to crack this code today, but in ancient times, this method was the pinnacle of encryption technology at the time. But today's encryption functions are much more complicated, and people can use a variety of clever methods to generate almost unbreakable code.

The blockchain uses a certain information encryption method, the hash function (described below). Encrypted data blocks are recorded in the blockchain, and only those with the correct key can access the various blocks in the chain.

Randomness

Randomness is a very important aspect of all cryptographic functions, including hashes. Encryption functions rely heavily on random data generation. Randomly generated data or seeds are created by computers without relying on anyone. This makes the encryption function more difficult to crack because the random seed must be known to decrypt the hash.

Randomly generated data in the computer provides support for the blockchain. To make the data more secure, a random string is appended to the block data, which is then added to the public ledger. On the surface, this method seems to be very good. Using a random string generator seems to be impeccable, greatly reducing the chances of blockchain being hacked.

However, since these random data are generated by computers, this raises a problem, they are not really random. Machines are not as random as humans. Instead, the computer uses formulas to generate "random" data. They follow a formula that produces a uniformly distributed random string, which in our opinion seems to be a random value. But in reality, randomness is just an illusion of us. No matter how perfect this formula is, the random values ​​produced by the formula will never be truly random. Mathematical functions can only produce calculated values.

This fact is not a good omen for the blockchain. Random vulnerabilities are well known in the hacker community and have been used multiple times to launch attacks.

So how can we achieve true randomness? Can we naturally generate random values ​​instead of mathematical formulas? I dare say that even in nature, nothing is truly random. Anything, even seemingly random collisions between subatomic particles, is predictable (but it requires physicists and philosophers to delve into it).

Hash

The working principle of Hash is not mentioned here. Users who don't know much about the hash function can go to the Wikipedia search to view it. It is outlined in great order.

The blockchain encrypts the block by heavily using hashes, and the encrypted block is added to the public ledger. Before a block is added to a block, it must go through the following process:

1. Use the hash function to encrypt the data in the new block.

2. Add random data (string) to the encrypted block of step 1.

3. Re-hash the merged data of step 2.

4. Compare the hash value of step 3 with the difficulty level. If it does not meet the criteria, change the random string in step 2 and repeat the above steps.

5. When the final hash value is met (including difficulty), the block will be added to the chain and to the public ledger.

Although these steps are very safe, there are usually two problems with hashing: conflict and brute force.

The hash function conflicts because it always produces a fixed-length output. A 256-bit hash function always produces an output of 256 characters in length. Therefore, the encrypted information is eventually 256 characters in length. Whether it is a hash calculation of the word "hello" or a hash calculation of the entire encyclopedia, the resulting hash values ​​are different, but the length is 256 characters.

Therefore, a hash function conflict refers to two or more strings mapped to the same 256 hash value. Although there are many permutations and combinations of 256-bit strings (or any other finite-length string), there are still cases (although limited) that map to the same hash value. In addition, the number of texts is infinite, you can distinguish it from other text by adding an "a" at the end of the string. Therefore, each string passing through the hash function has an infinite number of conflicts with other strings. This means that you don't even need to know the original string, just find one from the myriad of strings that have the same hash output as the original string, and you can crack the encryption or create a security hole.

In addition, it is common to use brute force to crack hashes, especially if the string is short. If you have a cryptographic hash of length n characters and a pre-filled dictionary that covers all hashes of length n characters, then you can easily crack the cryptographic hash. Or you can start with a string of length 1, count to n, and compare the output to the encrypted value. If the results match, you can know the value of the original string. By running a powerful computer for a long time, you can pre-populate a large hash with n characters.

An article in the MIT Science and Technology Review, which has been hailed as an unbreakable blockchain, is now being hacked. It has been proven that blockchains have been successfully attacked by hackers. Therefore, I believe that as blockchain technology becomes easier for people to use, security will likely become a key issue in the blockchain landing, and those leading companies that frequently deal with blockchain should pay more attention. The more blockchains are applied in different business areas, the more people will find their vulnerabilities and exploit them.

No matter how secure the blockchain looks, it can't stop hackers. Nothing can stop hackers. This is because some of the concepts that the technology is based on and built are not as secure as most people think. As mentioned above, both hash and random string generators have drawbacks.

Although the random string generator lacks true randomness, and the hash function may conflict and brute force, these may sound a little far-fetched now, but with the significant increase in computer power in the future, artificial intelligence is widely used, quantum computing. Leap development, as well as the decline in machine costs, if there are sufficient resources, cracking a blockchain is not a fantasy.

Like other cryptography-based technologies, the more popular it is, the more security holes it will find.