Security Analysis: Libra lacks the basic components of encryption key security

Steven Sprague is one of the main evangelists in the field of trusted computing technology applications. Steven served as president and chief executive of Wave Systems Corp. for 14 years before moving on to the board.

Key-2114046_1280

Image source: pixabay

Recently, Facebook launched the cryptocurrency project Libra, with the goal of “changing the global economy”.

This is a lofty goal. However, after reviewing the technical documentation describing the ecosystem in the Libra protocol and its plans, I believe that the company missed the basic components of user security:

  1. Protection private key
  2. User consent certificate
  3. Decentralized compliance
  4. Global privacy

As a technology leader, our job is to provide a vision and architecture that integrates true protection and evidence into the consumer experience; provides a new model for provable compliance, reducing costs and laying the foundation for global automation .

"Internet of Money" must support a primary goal of ensuring that all transactions on the Libra network are purposeful, intentional and compatible. I envision that in the future, the quality of intentional records for online transactions is as good as the quality of physical store purchases.

The currency Internet should be cross-border, open, and global. It should contain transactions from everyone and everything. To achieve this goal, you will need to build a community or community around the required compliance and control. Proving that these controls are appropriate should be that each instruction is sent to a part of a chain and is always recorded in the math of the blockchain. Then, those who need to know can be provided with evidence to prove their compliance.

The new model of consumer compliance should work like today's doctor's prescription. A trusted third party analyzes my child's real-time health data and provides the school with a compliance result that proves that my child is sick from illness. If the school uses the same size as the Internet, they will be able to access children's medical data directly in real time and use artificial intelligence to determine if your child should stay at home. The decentralized model of the slip allows the global market to thrive with built-in privacy.

I believe that the permission bar on the blockchain is a hash of the list of controls that are executed before an instruction is sent to the chain. This list is a Merkle tree of controls, ensuring that each step can be proved by hashed evidence. The power of the Merkle tree simplifies the evidence to a few bytes and is easy to package in a transaction.

This list can then be safely shared with the recipient or those who need to know the complete evidence of the required controls.

Global currency, group-based compliance

Regardless of whether Libra can successfully fulfill its mission of “money internet,” cryptocurrencies represent the ability to have a borderless currency that can rely on compliance based on real-time transactions. In the end, there may be only a few global currencies with unalterable transactions. However, there will be countless different levels of groups built around compliance issues, building global cross-border business virtual networks, and conducting secure and provable businesses in specific markets.

The privacy and auditability of business networks is very important, and the “money internet” needs to provide an open platform to meet the needs of everyone. Using intelligent instructions to provide provable evidence of identity, compliance, and control provides a flexible, scalable model.

Evidence of compliance can be shared securely.

Decentralized control is in the hands of private key owners, providing multiple independent services to meet market and regulatory needs. By separating identity control and compliance, it provides the market with the choices and competition needed to drive innovation. It then lays the foundation for automated and artificial intelligence-based systems to provide monitoring and evidence-based compliance, reducing the need for any real personally identifiable information or data leakage. Governments and regulators will retain the authority required to enforce rules and reporting requirements.

Who really controls your key?

In cryptocurrencies, we sometimes get lost. To make the service easier to use, we put the user's key on a server or other centralized storage system to provide an easier experience.

However, in the spirit of innovation, I believe that we must abandon the old form of customer protection in order to thoroughly reform an extremely outdated system.

Storing keys locally and giving any consumer the opportunity to back up, restore, and maintain keys with multiple devices is the first step toward progress.

What impressed me in Libra's proposal was that the storage private key was not redundant. Our job is to minimize the risk of the supply chain. To maximize user protection, the private key should be stored and used in a way that minimizes the impact of security subsystem failures.

I believe that consumers will need to have multiple redundancy protections for their private keys.

For example, Rivetz worked with Telefonica to develop a CLIP program that defines and promotes a method of cryptographically combining multiple hardware elements to provide a separate supply chain for protection that is used to collaboratively protect consumer privacy. key.

Call for security

The future is decentralized, and the technology of blockchain will bring "money internet." "Secure devices and trusted computing will provide users with the protection, compliance, control, privacy and freedom needed for the digital future. The private compliance community will provide digital evidence as needed.

As an industry, I hope that we can unite and provide true consumer protection for every digital citizen. Huge security is intangible and we can provide a simpler and safer experience for everyone.