How blockchain can be used to improve security
At the heart of security in the financial industry is the good old centralized Public Key Infrastructure (PKI). Every central bank, financial market infrastructure (FMI), payment system, Banking-as-a-Service (BaaS) provider, embedded finance provider, even the way we all connect to secure websites goes through a centralized authority (CA) that effectively delivers the implemented PKI . PKI is essentially the cornerstone of security in the digital age.
For those of you unfamiliar with PKI, here’s a quick overview. A PKI provides a level of security on the premise that anyone can verify a digital signature from anyone else, provided you have the public key that corresponds to the private key used to create the digital signature. The two keys are cryptographically linked, so only the public key can verify what is created by the private key. With me so far?
On the web, the best example of this in action is sites that are securely hosted and provide HTTPS. Your browser relies on a small number of these Central Authorities (CAs) which effectively act as the root of trust on the internet. In a web browser, the owner of the private key is the owner of the website. They have given the CA the corresponding public key, which is signed by the CA’s own private key. The CA then issues a public key certificate, which is trusted as it is signed by the CA. Browsers effectively check this public key certificate every time you connect to a secure website.
In financial services, PKI is essential for securing connections, APIs, payment messages and more. However, PKI brings several security challenges in itself. For example, how were keys created? The processes behind the distribution of keys? How and who installed keys? How can you be sure that keys have not been shared? Who has access to keys? Even in sophisticated BaaS implementations, keys are often exchanged through a browser, meaning a human is involved in key exchange and setup. The result, there is significant risk, which suppliers try to reduce by adding complex processes. Far from perfect, and very far from the safe approach you would expect from a financial institution in the 21st century.
Top security experts understand the challenges and risks, and as a result, many central banks and FMIs around the world are looking to improve security. Most people look at implementing a “Y” security model, which can be seen as a form of Multi-Factor Authentication (MFA) for connectivity and APIs. To date (to my knowledge) only one financial services organization has implemented a true “Y” security model – and it achieved this via a DPKI (Decentralised Public Key Infrastructure) payment services solution.
‘Y’ security model
Anyone operating in financial services should strive for a “Y” security model. It’s something that should be looked at across all aspects of security, right up to an organization’s CISO. But what is it?
A “Y” security model is essentially two independent verification points used together to confirm authentication, similar to MFA. However, a “Y” security model, in its truest sense, would not have the same “issuer” of keys or process. More often than not, solutions using MFA still rely on the same infrastructure, same company and same processes to issue, process and verify. It is not a true Y model.
For example, a BaaS provider provides API connectivity to its customers. This can be done using a traditional PKI or a more modern (and secure) decentralized approach. However, the BaaS provider should also check that the payload in the API has not been modified in flight, so a good way to do that is by digitally signing the payload with a private key. The BaaS provider has the public key. But the problem here, how did the BaaS customer get/create/share their keys? It is typically a process through a single infrastructure and with the same departments at the BaaS provider. This introduces risk and does not provide a “Y” security model at all, as the keys are still exchanged and use the same infrastructure (even the CA) in the same way.
In a “Y” security model, the message would be signed with different keys that were created in a completely different way, and exchanged via a completely different infrastructure. The BaaS provider would ideally have nothing to do with the key exchange process itself. Now when a message is signed as recipient (the provider of the BaaS solution) you have two independently formed verification points. Hence the ‘Y’ model.
How does decentralization help?
Decentralization removes the need for CAs from the PKI solution. By moving to a DPKI, the CA is removed, and therefore risks associated with a centralized issuing authority are avoided. CA as a single point of failure is also removed from the process, something regulators often look at when assessing technology systems.
DPKI replaces an organization, CA, as the root of trust, placing it in science, specifically mathematics. In a DPKI implementation, public keys reside on the blockchain, which is decentralized, highly resilient, and available for anyone to access. Not only does blockchain remove a single point of failure, it also enables significant levels of automation, improved secure communication capabilities for key exchanges, and dramatically reduces the cost of implementation and ongoing maintenance.
This implementation then allows subsequent keys to be created, privately, and with DPKI for payment systems bilaterally (point-to-point) exchanged. This provides automation and ensures that keys are never shared across a centralized infrastructure, removing human intervention and thus associated risk. The resulting public keys are stored on a local private blockchain ledger.
A patented DPKI for payment systems infrastructure is now available for regulated businesses to use, securing everything from message communication between institutions, to BaaS implementations, payment systems and much more. It will take some time for a DPKI for payment systems infrastructure to be adopted across the industry, but early adopters of this decentralized approach are already reaping the rewards.
Complex, operational processes are either completely removed or significantly simplified with a DPKI for payment systems. This simplification reduces costs and at the same time increases the level of security.
Looking at the cost of keys alone, a decentralized approach shows significant cost savings. As the cost of creating, and securely distributing and sharing keys drops dramatically, the lifetime of a key can change. Typically a key can cost around £1,000 and as a result most keys live for around 12 months in systems. Longer-lived keys have significantly greater risk than keys that only live for a few hours.
Recently, I have been fortunate enough to work with a DPKI for the implementation of payment services. Here, the price of keys means that they can have a lifespan of just a few hours. The fully automated implementation means that keys are created, issued, destroyed and replaced without any human intervention at all, removing almost all of the typical risks you associate with keys. In this implementation of DPKI for payment systems, keys are truly bilateral, they provide a secondary authentication point, so having messages signed with these keys provides not only a “Y” security model, but a true end-to-end cryptographic capability, again something FMIs and central banks strive for.
Technology that enables
In financial services, there is a lot of debate when it comes to blockchain technology, primarily because blockchain is almost exclusively discussed as a method for moving money or for the actual delivery of digital currency. Here, the blockchain is the perfect technology to solve several significant and very real security problems. Here there is no debate about the value of the technology, rather the debate is how long will it take before the industry catches up and adopts?