Blockchains are ruled almost entirely by cryptographic mechanisms. These mechanisms mostly involve digital signatures & PKI, hashes, and key derivation.

In permissioned blockchains, the network effect is significantly weaker than in public networks. Moreover, permissioned blockchains do not use proof-of-work, as in the Bitcoin network, or proof-of-stake, as in the Ethereum network, and so they lack the strong, inherent security that these mechanisms provide.

When used by financial institutions, permissioned networks depend heavily on cryptographic operations being performed securely and safely. They require banking-grade HSMs.

In what follows, we will present an overview of the key roles of HSMs in permissioned blockchains for banking & payment services.

Cryptographic Protocols Involved with Blockchains

There are no norms defining blockchains. Therefore, any blockchain implementation is free to pick the cryptographic algorithms it wants for whatever it needs.

Blockchains may use hash algorithms such as SHA-256 for the blockchain network. For example, Dagger-Hashimoto is used for the Ethereum network, while Ripple-based networks use ECDSA for signatures. Additional hash algorithms include:

  • X11
  • X13
  • CryptoNight hash
  • Scrypt hash
  • NXT
  • BLAKE256

Here we list the hashes and cipher suites supported by major permissioned blockchain frameworks:

Framework: R3 Corda

  Hashing:
  • Block hashing: SHA-256
  Signature scheme:
  • RSA+SHA256
  • ECDSA_SECP256K1+SHA256
  • ECDSA_SECP256R1+SHA256
  • EDDSA_ED25519+SHA512
  • SPHINCS-256+SHA512

Framework: Hyperledger Fabric

  Hashing:
  • Block hashing: SHA3 SHAKE256
  Signature scheme:
  • ECDSA+SHA256
  • ECDSA+SHA384
  • ECDSA+SHA512

Framework: Hyperledger Sawtooth

  Hashing:
  • SHA-3/256/512
  • Block hashing: 64-byte header signature (instead of hash)
  Signature scheme:
  • libsecp256k1

Framework: Quorum

  Hashing:
  • Keccak signature
  • hash-256/384/512+AES
  Signature scheme:
  • ECDSA
  • P-256
  • P384
  • P521
  • S256
  • BN256

Framework: Multichain

  Hashing:
  • Block hashing: SHA-256 (BTC)
  Signature scheme:
  • secp256k1 + ECDSA (BTC)

There are many other permissioned frameworks, including HydraChain, OpenChain, and BigchainDB. Most are based on existing frameworks like Bitcoin or Ethereum. Many of the permissioned blockchain networks are crypto-agile and/or post-quantum proof. 

Role of HSMs in Permissioned Blockchains

Permissioned blockchains incorporate identity authentication, access control, and authorization features that govern how nodes participate in the blockchain network. Cryptographic keys serve as the identities of nodes, and these keys are securely managed through HSMs. Typically, blockchains consume the HSM as a service, in which a single HSM or a cluster holds the cryptographic keys of various blockchain nodes. These keys should be managed in separate and secure HSM partitions, with designated roles for each partition. In some scenarios, PKI-based digital certificates are also used to ensure trust between the blockchain nodes.

By design, HSMs are perfectly suited for the needs of a permissioned blockchain.

Permissioned blockchain consensus is vulnerable to cryptographic attacks. Therefore, PKI operations should ideally be performed in HSMs. In general, key pair generation is essential in blockchains, and such keys should not be handled directly by their end users. Instead, they should be generated and securely stored in HSMs or in key management servers.

Hashing, and specifically keyed hashing, is an integral part of the blockchain system. Blockchains also need secure random generation functions, which should likewise be provided by an HSM.
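
The partition-and-role separation and the HSM-side keyed hashing and random generation described in this section can be modelled in Python. This is an added teaching example, not code from any HSM vendor or blockchain framework: the ModelHsm class, the role names operator and auditor, and the node and caller names are assumptions, and a real deployment would keep the keys inside the HSM rather than in process memory.

```python
import hashlib
import hmac
import secrets

class ModelHsm:
    """Teaching model: one HSM service, one partition per blockchain node."""
    # Assumed role names and the operations each role may request.
    ROLE_OPS = {"operator": {"mac", "verify"}, "auditor": {"verify"}}

    def __init__(self):
        self._partitions = {}  # node id -> {"key": bytes, "roles": {caller: role}}

    def create_partition(self, node_id, roles):
        # The key comes from the OS CSPRNG and is never returned to a caller.
        self._partitions[node_id] = {"key": secrets.token_bytes(32), "roles": dict(roles)}

    def _key_for(self, caller, node_id, op):
        part = self._partitions.get(node_id, {"roles": {}})
        role = part["roles"].get(caller)
        if op not in self.ROLE_OPS.get(role, ()):
            raise PermissionError(f"{caller} may not {op} in partition {node_id}")
        return part["key"]

    def mac(self, caller, node_id, message):
        key = self._key_for(caller, node_id, "mac")
        return hmac.new(key, message, hashlib.sha256).digest()

    def verify(self, caller, node_id, message, tag):
        key = self._key_for(caller, node_id, "verify")
        expected = hmac.new(key, message, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)  # constant-time comparison

def demo():
    hsm = ModelHsm()
    hsm.create_partition("node-a", {"svc-a": "operator", "audit": "auditor"})
    hsm.create_partition("node-b", {"svc-b": "operator"})
    tx = b'{"from": "A", "to": "B", "amount": 100}'  # constructed sample
    tag = hsm.mac("svc-a", "node-a", tx)
    out = {"valid": hsm.verify("audit", "node-a", tx, tag),
           "tampered": hsm.verify("audit", "node-a", tx.replace(b"100", b"900"), tag)}
    # Operator of another partition, then an auditor asking for a write operation.
    for name, caller in (("cross_partition", "svc-b"), ("auditor_mac", "audit")):
        try:
            hsm.mac(caller, "node-a", tx)
            out[name] = "allowed"
        except PermissionError:
            out[name] = "denied"
    return out
```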

Why Are These Standards Important for Compliance and Auditability?

HSMs are a vital part of any security infrastructure that is under the mandate of securely managing cryptographic keys. The HSMs considered for incorporation must be FIPS 140-2 level validated and Common Criteria certified. If PKI-based digital certificates are being used in the permissioned blockchain, they must comply with the latest X.509 v3 standard. When a permissioned blockchain is employed in a banking/financial services department, the PCI PTS HSM version 3.0 certification is mandatory for legal obligations and compliance.

Conclusion

In preventing and mitigating malicious attacks, the implementation of strong authentication and cryptographic mechanisms is a critical requirement for protecting permissioned blockchains. Since the permissioned blockchain incorporates the identities of blockchain nodes, the need for HSMs is critical.

It would be in the best interest of banks and payment services providers to use HSMs and secure key management systems to perform the cryptographic operations needed for blockchain operations.
