Bitcoin Security
Securing bitcoin is challenging because bitcoin is not an abstract reference to value, like
a balance in a bank account. Bitcoin is very much like digital cash or gold. You’ve prob‐
ably heard the expression “Possession is nine tenths of the law”. Well, in bitcoin, pos‐
session is ten tenths of the law. Possession of the keys to unlock the bitcoin, is equivalent
to possession of cash or a chunk of precious metal. You can lose it, misplace it, have it
stolen or accidentally give the wrong amount to someone. In every one of those cases,
the end-user would have no recourse, just as if they dropped cash on a public sidewalk.
However, bitcoin has capabilities that cash, gold and bank accounts do not. A bitcoin
wallet, containing your keys, can be backed up like any file. It can be stored in multiple
copies, even printed on paper for hard-copy backup. You can’t “backup” cash, gold or
bank accounts. Bitcoin is different enough from anything that has come before that we
need to think about bitcoin security in a novel way too.
Security principles
The core principle in bitcoin is de-centralization and it has important implications for
security. A centralized model, such as a traditional bank or payment network, depends
on access control and vetting to keep bad actors out of the system. By comparison, a
de-centralized system like bitcoin pushes the responsibility and control to the end-users.
Since security of the network is based on Proof-of-Work, not access control, the network
can be open and no encryption is required for bitcoin traffic.
On a traditional payment network, such a credit card system, the “payment” is really
open-ended because it contains the user’s private identifier (the credit card number).
After the initial charge, anyone with access to the identifier can “pull” funds and charge
the owner again and again. Thus, the payment network has to be secured end-to-end
with encryption and must ensure that no eavesdroppers or intermediaries can com‐
promise the payment traffic, in transit or when it is stored (at rest). If a bad actor gains
access to the system, they can compromise current transactions and payment tokens
that can be used to create new transactions. Worse, when customer data is compromised,
the customers are exposed to identity theft and must take action to prevent fraudulent
use of the compromised accounts.
Bitcoin is dramatically different. A bitcoin transaction authorizes only a specific value
to a specific recipient and cannot be forged or modified. It does not reveal any private
information, such as the identities of the parties and cannot be used to authorize addi‐
tional payments. Therefore, a bitcoin payment network does not need to be encrypted
or protected from eavesdropping. In fact, you can broadcast bitcoin transactions over
an open public channel, such as unsecured Wifi or Bluetooth, with no loss of security.
Bitcoin’s de-centralized security model puts a lot of power in the hands of the end-users.
With that power comes responsibility for maintaining the secrecy of the keys. For most
users that is not easy to do, especially on general purpose computing devices, such as
Internet-connected smartphones or laptops. Whereas bitcoin’s de-centralized model
prevents the type of mass compromise seen with credit cards, many end-users are not
able to adequately secure their keys and get hacked one by one.
Developing Bitcoin Systems Securely
The most important principle for bitcoin developers is de-centralization. Most devel‐
opers will be familiar with centralized security models and may be tempted to apply
these models to their bitcoin applications, with disastrous results.
Bitcoin’s security relies on decentralized control over keys and on independent trans‐
action validation by miners. If you want to leverage bitcoin’s security, you need to ensure
that you remain within the bitcoin security model. In simple terms: don’t take control
of keys away from users and don’t take transactions off the blockchain.
For example, many early bitcoin exchanges concentrated all user funds in a single “hot”
wallet with keys stored on a single server. Such a design removes control from users and
centralizes control over keys to a single system. Many such systems have been hacked,
with disastrous consequences for their customers.
Another common mistake is to take transactions “off blockchain” in a misguided effort
to reduce transaction fees or accelerate transaction processing. An “off blockchain” sys‐
tem will record transactions on an internal, centralized ledger and only occasionally
synchronize them to the bitcoin blockchain. This practice, again, substitutes decentralized bitcoin security with a proprietary and centralized approach. When trans‐
actions are off blockchain, improperly secured centralized ledgers can be falsified, di‐
verting funds and depleting reserves, unnoticed.
Unless you are prepared to invest heavily in operational security, multiple layers of access
control, and audits (as the traditional banks do) you should think very carefully before
taking funds outside of bitcoin’s de-centralized security context. Even if you have the
funds and discipline to implement a robust security model, such a design merely rep‐
licates the fragile model of traditional financial networks, plagued by identity theft,
corruption, and embezzlement. To take advantage of bitcoin’s unique decentralized se‐
curity model, you have to avoid the temptation of centralized architectures which may
feel familiar but ultimately subvert bitcoin’s security.
The Root of Trust
Traditional security architecture is based upon a concept called the root of trust, which
is a trusted core used as the foundation for the security of the overall system or appli‐
cation. Security architecture is developed around the root of trust as a series of con‐
centric circles, like layers in an onion, extending trust outwards from the root. Each
layer builds upon the more-trusted inner layer using access controls, digital signatures,
encryption, and other security primitives. As software systems become more complex,
they are more likely to contain bugs, which make them vulnerable to security compro‐
mise. As a result the more complex a software system becomes, the harder it is to secure.
The root of trust concept ensures that most of the trust is placed within the least complex
part of the system, and therefore least vulnerable, parts of the system while more com‐
plex software is layered around it. This security architecture is repeated at different
scales, first establishing a root of trust within the hardware of a single system, then
extending that root of trust through the operating system to higher-level system services,
and finally across many servers layered in concentric circles of diminishing trust.
Bitcoin security architecture is different. In bitcoin the consensus system creates a trus‐
ted public ledger which is completely de-centralized. A correctly validated blockchain
uses the genesis block as the root of trust, building a chain of trust up to the current
block. Bitcoin systems can and should use the blockchain as their root of trust. When
designing a complex bitcoin application that consists of services on many different
systems, you should carefully examine the security architecture in order to ascertain
where trust is being placed. Ultimately the only thing that should be explicitly trusted
is a fully validated blockchain. If your application explicitly or implicitly vests trust in
anything but the blockchain, that should be a source of concern as it introduces points
of vulnerability. A good method to evaluate the security architecture of your application
is to consider each individual component and evaluate a hypothetical scenario where
that component is completely compromised and under the control of a malicious actor.
Take each component of your application, in turn, and assess the impacts on the overall
security if that component is compromised. If your application is no longer secure when
components are compromised that shows that you have implicitly misplaced trust in
those components. A bitcoin application without vulnerabilities should be vulnerable
only to a compromise of the bitcoin consensus mechanism. Meaning that its root of
trust is based on the strongest part of the bitcoin security architecture.
The numerous examples of bitcoin exchanges serve to underscore this point as their
security architecture and design fails even under the most casual scrutiny. Though cen‐
tralized implementations had invested trust explicitly in numerous components outside
the bitcoin blockchain, such as hot wallets, centralized ledger databases, vulnerable
encryption keys, etc. Worse yet, in most cases those trusted components lacked even
the most rudimentary security controls.
thank you for your time , please upvote and follow if you like
Good read, and an important topic.
Although, I'm afraid the layout made it difficult to read...