Can data privacy stop the next big crypto heist? • The register
The theft of billions of dollars in cryptocurrency in recent months could have been prevented, and confidential data processing is key to the security solution.
Confidential data management aims to isolate sensitive data without exposing it to the rest of the system, where it would be more vulnerable to intruders. It does this by processing encrypted data in memory using hardware-based secure enclaves.
“Number of events in this area – just a few months ago the Ronin bridge attack for example,” says Fireblock co-founder and CTO Idan Ofrat, referring to the $600 million blockchain bridge heist where an attacker used hacked private keys to fake withdrawals and steal funds.
Ofrat’s company focuses on digital asset infrastructure for banks, cryptocurrency exchanges, NFT marketplaces and other organizations looking to build blockchain-based products.
The Ronin hack “was the largest cryptocurrency attack ever, and to exploit it, the attacker was able to control one wallet and sign two transactions,” Ofrat continues. “If they had used confidential data processing, they probably wouldn’t have gotten to that stage.”
“When you think about digital asset security, the first thing you need to do is protect the private key of the wallet,” says Ofrat The register.
This is where confidential data processing comes into play. There are alternative technologies, such as cryptographic hardware security modules (HSM) and other key management systems, but in the digital resource area these are not secure enough, Ofrat believes.
Private key security
For example: wrongdoers can compromise the wallet software and instruct the HSM to sign malicious transactions, he explains. “This is where confidential computing is much more powerful because it allows you to protect the entire flow including the generation of the transaction, the policies you want to apply to that transaction and who approves it, and then also protect the private key itself.”
Fireblocks uses confidential computing for multiparty computation for private key security. The specific implementation is based on the concept of threshold signatures, which distribute the generation of key shares across multiple parties and require a “threshold” of those shares (say five of the eight total shares) to sign the blockchain transaction.
“Key management products like HSMs don’t support the algorithm you need for multiparty computation,” adds Ofrat. “So for us to be able to both protect the key, but also use multiparty computation to split the key into multiple parts, the only way to do that is confidential computing.”
All the major cloud providers have their own flavor of confidential computing, and at their respective conferences last month both Microsoft and Google added services to their confidential computing portfolios.
Choose your taste
Google, which first introduced its confidential virtual machines in 2020, announced Confidential Space, which allows organizations multiparty computing, last month. This, according to Google Cloud Security VP and GM Sunil Potti, will allow organizations to collaborate without exposing sensitive data to the partners or the cloud provider.
For example, banks can work together to identify fraud or money laundering activity without disclosing private customer information – breaking data protection laws in the process. Likewise, healthcare organizations can share MRI images or collaborate on diagnosis without disclosing patient information, Potti said at the event.
Meanwhile, Microsoft also announced the general availability of its confidential virtual machine nodes in Azure Kubernetes Service in October. Redmond first demonstrated confidential computing at its Ignite conference in 2017, and Azure is considered the most mature provider of the still-evolving technology.
Amazon calls its confidential data product AWS Nitro Enclaves – but as any cloud customer with data spread across multiple environments quickly discovers, the providers’ services don’t always play nice with each other. This applies to confidential computer technologies, which have created a market for companies such as Anjuna Security.
Or use cloud-agnostic software
Anjuna developed confidential computing software that allows enterprises to run their workloads on any hardware and in any cloud provider’s secure enclaves without having to rewrite or otherwise modify the application. This makes it very easy to secure sensitive data, says Anjuna CEO and co-founder Ayal Yogev The register.
He compares the company’s cloud-agnostic software for confidential data processing to the easy transition to HTTPS to protect websites. “We make it super easy to use.”
Anjuna’s clients include the Israeli Ministry of Defense, banks and other financial services firms, and digital asset managers.
While Fireblocks started using Azure Confidential Computing when the service was available in preview, and the core is built on Intel SGX for secure enclaves, “we want to give customers options, like AWS Nitro or GCP,” Ofrat says. “Customers can choose whichever cloud partner they want, and Anjuna supports them all.”
Will it go mainstream?
A recent Cloud Security Alliance survey [PDF]commissioned by Anjuna, found that 27 percent of respondents currently use confidential data processing and 55 percent plan to do so within the next two years.
Ofrat says he expects confidential computing to become more mainstream across cloud environments in the next three to five years.
“This will support Web3 use cases, but also government and healthcare use cases around privacy,” he adds.
The benefits of data privacy even extend to protecting against ransomware and IP theft, Ofrat tells us, noting the rumored Disney movie heist where crooks allegedly threatened to release movie clips unless the studio paid a ransom.
“They could take this simple technology and encrypt movies before they’re out,” he says. “The technology can be very useful.”
And keeping stolen cryptocurrency out of the crooks’ hands wouldn’t be too bad either. ®