Ricardo Schiller - April 8, 2019
Information security is paramount.
In today’s organizations information is distributed and replicated by various computer systems, each with different levels of security, all of which being subject to hacking or social engineering attacks. In many cases, security flaws lie outside computer systems, where human aspects such as ignorance, neglect, apathy, disinterest, and deceit are at the root of the problem. Attacks may be aimed at information theft, denials of service, and destruction or disguised alteration of data.
In this sense, the need arises to define information security policies, which conceptually follow the CIA triad (“Confidentiality”, “Integrity”, and “Availability”), where confidentiality determines the rules of access to information; integrity determines the validity and authenticity of the information; and availability determines the access to information. These policies go through all layers of the organization, instituting processes and practices that promote and maintain security. But organizations tend to lose heart in fulfilling them, because they require knowledge and willingness, need time and dedication, impose continuous monitoring, and constitute a substantial cost. The situation has gotten so serious that, according to Privacy Rights Clearinghouse, more than 10 billion records have been compromised since 2005. And these are only the ones that have been noticed and made public.
In contrast, there is a publicly accessible system that has withstood all kinds of attacks since its inception. This system is called Bitcoin. With billions of dollars in Bitcoins stored inside its blockchain, with open access and made accessible to anyone, there has been no attack to date that has compromised the system. It’s the peculiar characteristics of the Bitcoin blockchain that exhibit new security qualities in a somewhat counterintuitive way.
Although there are many current projects using blockchain technology, none focuses on generic database services. This is the focus of our project, this is the concept of BlockBase. Its purpose is to enable data storage services that comply with the CIA triad, thus providing a unique system for data security. It is a distributed system, which provides database management and operation services, which in turn are stored on a blockchain infrastructure. This means that what is stored on the blockchain are typical database operations such as creating databases, defining tables, defining table columns, and adding, updating, and removing records from tables.
In these terms, BlockBase meets the following requirements:
BlockBase promotes the confidentiality of data by encrypting it in advance by default. It is only through specific configuration that a given information field may remain unencrypted. System administrators and the system itself are incapable of reading the encrypted data.
It provides different levels of access to data through the use of multiple cryptographic layers stacked on top of each other, starting from the bottom – at the record level – to the top – at the database level. It also facilitates an easy search and retrieval of data without disclosure of information.
BlockBase records all changes to the structure of data and to the data itself and enforces digitally signing of changes, assuring their authenticity and non-repudiation. BlockBase allows an unlimited number of users of different nature and purpose, without compromising the integrity of their data.
BlockBase is scalable and resilient to technical faults, natural disasters, human errors, and hacking attacks. It allows for an unlimited number of users of a distinct nature and purpose, without compromising their availability.
Bootstrapping a new digital currency is extremely difficult and prone to failure. Therefore, we decided not to create a new blockchain but to resort to an existing blockchain with smart contracts capabilities, and to create a mechanism of sidechains that are synchronized with the main blockchain. One smart contract spawns one sidechain, which is set to store all the information corresponding to one database. These sidechains have specific configurations, e.g. block times, block rewards, number of miners, finite duration, upfront stake, etc. If the sidechain proves no longer necessary, the sidechain may be completely deleted, just as long as all the accounting is stored on the main chain. With this approach, we permit greater system scalability.
Participation and Consensus
For this system to work there must be three participating entities. The first one is the main blockchain infrastructure and its network, which provides the smart contracts platform for the system. The second is the service requester, who needs a database stored with security levels much higher than the traditional ones, and that is willing to pay for it. The third is the service providers, who decide to participate in providing the service, obliging to an SLA ensured by a stake they should loose in case they don’t meet the SLA.
Published by Ricardo Schiller