Blockchain system security assessment standards, blockchain system security assessment report
Please refer to the related English documentation.
❶ What is the data security of smart contracts in blockchain technology?
Chongqing Jinwowo analyzes the security of data in smart contracts as follows:
The data of a smart contract cannot be deleted or modified, only appended, and the history of a smart contract can be traced. At the same time, the cost of tampering with a contract or breaching it is very high, because the malicious behavior will be recorded forever and become widely known.
❷ Is blockchain wallet safe?
It can be said that it is very unsafe. The technology related to blockchain wallet has lost its original technical meaning in China. Now it has become a means of making money. So you must be very vigilant about this aspect. Anyway, I personally don’t believe it.
❸ FISCO - Golden Chain Alliance creates a new era of public alliance chain
Public chains, alliance chains (permissioned chains) and private chains basically cover the three ways blockchain technology is used. In recent years, the planning, financing, development and ecosystem construction of public chains has been carried out in a noisy manner. Some projects are real, and even more are deceptions; the good is mixed with the bad, and investors' money has really gone in. But not many are online, and the ecosystems of the few public chains that are online are sparse. There are very few DApps, and daily activity is even lower. In short, not many current public chain projects can or are willing to survive, and ecosystem construction is even further away.
Private chains are blockchain architectures that companies and institutions build and run internally. Very little information about them is disclosed, but I believe that using your own money to do your own things and solve your own problems will not cause any problems; it is not a big deal.
The development of the alliance chain has always been low-key. Since blockchain technology was recognized by the mainstream economy and society, pragmatic mainstream economic institutions have been solidly carrying out research, development and application for about 4 years. During this period, the backbone of the alliance chain was formed, and another correct path was found for the implementation of blockchain applications and ecological construction. In a certain sense, the alliance chain has passed its infancy and has begun to solidly move towards the "public alliance chain" new era. The alliance chain's natural and strong relationship with mainstream economic industry resources also determines the alliance chain's mainstream status in the application prospects of blockchain technology.
With the dawn of the digital economy era and the popularization of distributed business models, blockchain technology has also been able to give full play to its advantages and become a representative of cutting-edge technology. In 2016, three companies, WeBank, a member of the Golden Link Alliance, Shanghai Wanxiang Blockchain, and Matrix Yuan, a member of Chinaledger, reached a strategic cooperation and jointly committed to exploring blockchain technology, and
The full name of the Golden Link Alliance is the Financial Blockchain Cooperation Alliance (Shenzhen). It is a non-profit organization jointly established on May 31, 2016 by more than 20 financial institutions and technology companies, including the Shenzhen Financial Technology Association, Shenzhen Qianhai WeBank and Shenzhen Securities Co., Ltd. The Golden Link Alliance is an open group: financial institutions that voluntarily comply with its charter, and enterprises that provide technology services to financial institutions, can apply to join. So far, members of the Golden Link Alliance include more than 80 institutions in six major industries: banks, funds, securities, insurance, local equity exchanges and technology companies.
On November 26, 2016, the Golden Link Alliance released the "Financial Distributed Ledger Proposal", proposing five major principles (legal compliance, traceability, security, privacy protection and business orientation) and seven propositions (value alliance, autonomous and controllable, safe and trustworthy, efficient and available, business feasibility, flexible configuration, and intelligent supervision).
Purpose: Integrate and coordinate financial blockchain technology research resources, form a synergy and coordination mechanism for financial blockchain technology research and application research, and improve the research and development capabilities of member units in the field of blockchain technology. Explore, develop, and implement financial alliance blockchain suitable for financial institutions, as well as application scenarios based on this.
The General Assembly of the Golden Link Alliance is the highest authority. The permanent body of the General Assembly is the Presidium, which leads the alliance's daily work between sessions of the General Assembly and is responsible to it. Under the Presidium there are a Technical Committee (presides over application project work), a Standards Technical Working Committee (presides over the establishment, formulation, review and release of standards) and an Advisory Committee (organizes external experts to participate in technical and standards discussions).
The Golden Link Alliance has established research directions in the fields of credit, equity, points, insurance, bills, cloud services, digital assets, and financial product issuance and trading, and some of these projects have now been implemented or have launched product prototypes.
The FISCO BCOS underlying blockchain platform is jointly built by the FISCO open source working group. Members of the working group include Beyondsoft, Huawei, Shenzhen Stock Exchange, Digital China, Sifang Inextron, Tencent, WeBank, Yuexiu Jinke and other members of the Golden Link Alliance, aiming to create a secure and controllable blockchain underlying platform suitable for the financial field.
Financial services are one of the earliest application areas of blockchain. Blockchain technology brings advantages such as security and reliability, simplified processes, cost savings, reduced operational risks, and increased trust, and has the potential to reconstruct and sublimate the original financial industry infrastructure. The financial industry focuses on multi-party reciprocal cooperation and has strong supervision and high-level security requirements, which require node access and authority management. Therefore, the technical direction of the alliance chain has become the main choice for the financial industry.
At present, my country's financial industry is opening up to the outside world with unprecedented intensity, and the pace of financial innovation is also accelerating. Therefore, how to effectively balance open innovation against risk prevention and firmly hold the bottom line of no systemic risk is an important challenge that the industry urgently needs to address.
From the perspective of financial IT infrastructure, there are still deficiencies and pain points in terms of operational risk, moral risk, credit risk, information protection risk and so on.
First, financial IT system data may still be tampered with, forged, or have consistency differences.
Second, the infrastructure and business processes of different financial institutions differ, and still involve many manual processes, which greatly increases operating costs and is also prone to operational and moral risk.
Third, financial business and financial cooperation may involve multiple participants or intermediaries, which can easily increase trust costs and friction costs. There are also certain issues of mutual trust, collaboration or cooperation reciprocity.
Fourth, financial business is often highly complex, and it is easy to miss records of all business elements. Sometimes it is difficult to trace the entire business process, and it cannot meet the needs of supervision and auditing.
Fifth, the data of different financial institutions is relatively isolated, making safe and efficient interaction difficult. This results in high costs for repeated KYC, anti-money laundering and anti-fraud checks, and also indirectly creates the risk of user data being leaked by certain intermediaries.
Sixth, the availability and adaptability of centralized IT infrastructure are weak, and distributed technologies need to be used to improve robustness or adaptability.
As a combined infrastructure solution, blockchain technology can in principle respond to the needs of the financial industry. However, because the requirements of the financial industry are more diverse and strict, a financial version of a blockchain solution needs to build on general-purpose blockchain technology and, according to the special business needs of financial institutions, existing technical levels, laws and regulations and other requirements or conditions, be comprehensively considered from multiple dimensions: business suitability, performance, security, policy, technical feasibility, operation and maintenance and governance, and cost.
First, the appropriateness of the business scenario. Not all financial business scenarios require the use of blockchain technology. Generally speaking, when it comes to scenarios involving multi-party participation and peer-to-peer cooperation, the traditional centralized system architecture is often difficult to meet the needs, so you can consider using blockchain technology. This will increase multi-party mutual trust, improve business operation efficiency, and reduce business operation costs and friction costs.
Second, the performance of the blockchain system. Financial business often has characteristics such as massive transactions, high-frequency transactions and timely confirmation. Therefore, a blockchain open source platform for the financial industry needs to analyze, based on the current business scale of financial institutions, the business volume and potential business growth that the blockchain system needs to support, and the resulting technical performance index requirements such as concurrent business volume and response time. Since blockchain platforms built from different technical modules, such as different consensus mechanisms, differ greatly in the performance they support, they need to be evaluated against business performance requirements in combination with blockchain performance and efficiency indicators.
Third, blockchain system security. Blockchain can ensure the credibility of recorded data at a technical level and prevent risks such as data being tampered with or forged. In addition, in terms of data sensitivity and security, it is necessary to evaluate the encryption strength of on-chain data content, as well as access control. Financial institutions need to choose mature, appropriate and secure encryption algorithms based on the specific security requirements of their business.
Fourth, policy compliance. Blockchain is a set of technical solutions that, with reasonable design, can provide good support for existing businesses or complement existing centralized systems. However, when financial institutions use blockchain to conduct business, they must implement it within the country’s existing regulatory requirements and legal framework.
Fifth, technical feasibility. Blockchain technology has already been implemented in some financial scenarios, but it is still an emerging technology. It is necessary to fully evaluate the fit of the technology with specific businesses, and its advantages and disadvantages compared with traditional systems, before finally choosing an appropriate area for demonstration and trial operation of the blockchain platform.
Sixth, operation and maintenance and governance capabilities. Since operations and management differ between blockchain-based businesses and traditional centralized systems, and the continuous governance requirements of financial businesses are extremely high, corresponding planning and adjustments are required: evaluate the feasibility and sustainability of the new governance structure, evaluate the impact of version iterations and the official launch of the system, monitor the operation of the blockchain system in real time, and ensure business controllability and the stability of the financial environment.
Seventh, controllable costs and economic feasibility. Blockchain applications use technical features to solve specific problems in actual business. Applications that effectively solve pain points can bring great benefits to financial businesses, and the value of the application itself is also revealed; conversely, if an application cannot solve important problems in the industry, it faces a trade-off between costs and benefits.
If a safe and reliable underlying financial blockchain platform can be built to meet the special needs of the financial industry, blockchain technology will be of great use in the financial industry.
For example, from the perspective of banking institutions, the key exploration directions are generally to apply blockchain technology to reduce clearing and settlement costs, improve middle- and back-office operational efficiency, improve process automation, and reduce operating costs. In addition, in cross-border financial scenarios, blockchain can help realize ledger sharing among cross-border financial institutions and reduce reconciliation and settlement costs and dispute friction costs between cooperating banks, thereby improving the processing speed and efficiency of cross-border business.
From the perspective of non-bank financial institutions, blockchain can be used to improve the authority of rights registration and information storage, reduce counterparty risk, solve data tracking and information anti-counterfeiting issues, and reduce audit and operating costs.
From the perspective of financial regulators, blockchain provides consistent and easy-to-audit data. Through data analysis of inter-institutional blockchains, regulators can supervise financial business faster and more accurately than through traditional audit processes. For example, in an anti-money laundering scenario, the balance and transaction records of each account are traceable, and no aspect of any transaction is out of sight of supervision, which greatly strengthens anti-money laundering efforts.
An efficient and reliable message communication protocol based on the blockchain network was designed, the Advanced Messenger On-chain Protocol (AMOP), focusing on the following functions:
Based on the blockchain network, it supports cross-bank, point-to-point, real-time message communication;
It provides standardized interfaces for interaction between off-chain systems and the blockchain;
The blockchain system can actively call the business interfaces of off-chain systems.
The technical characteristics of this protocol are:
In the point-to-point blockchain network topology, node communication paths are planned to ensure message reachability;
Node abnormalities in the blockchain network can be sensed quickly, and paths are switched automatically to resend messages;
Encryption is used during communication to ensure privacy at the communication layer.
Designed the contract naming service CNS (Contract Name Service). The design goal of CNS is to name the correspondence between the business layer and smart contracts, so that the business layer no longer cares about the relevant contract addresses. Similar to DNS on the Internet, the use of domain names makes it easier for users to remember how to access a website, and also gives the website great flexibility in terms of clustering, migration and expansion.
Parallel PBFT consensus
Standard RAFT consensus
Parallel computing and hot account solutions
FISCO BCOS conducts in-depth exploration of data integration and analysis, transaction control, identity authentication and other aspects to meet the financial industry's high standards for supervision, risk control and so on.
Risk data integration
Based on immutable, traceable, distributed and highly consistent data on the blockchain, regulatory agencies can be given sufficient and transparent information: transaction participants, transaction details, the transaction process and transaction history are all recorded on the blockchain ledger, which can completely and properly preserve massive historical data, solve the problem of data islands, and meet the requirements for structured, clear, accurate and complete risk data.
Risk modeling, analysis and prediction
By organically combining the data completed on the blockchain with technologies such as big data mining and machine learning, and then integrating market data and industry data, a more accurate risk model can be developed, improving risk prediction capabilities and meeting the requirements of the organization's comprehensive risk management.
Real-time transaction monitoring, reporting and interception
Identity recognition
Special Prize: ODRchain - a typical application of public consortium chain
The most high-profile champion project, ODRChain, is based on the FISCO BCOS underlying platform and uses blockchain technology to solve the pain points of traditional judicial processing of online disputes, such as the difficulty of verifying the authenticity of electronic data and the inability to digest a large and rapidly accumulating backlog of case disputes.
At present, ODRChain has shortened the time it takes customers to go from clicking "one-click arbitration" to receiving the arbitration award, from a traditional arbitration process lasting several months to about 7 days, and arbitration fees that originally cost tens of thousands of dollars have been reduced to a few hundred yuan. As of December 2018, ODRChain had completed the deposit of over 10 million contracts, involving hundreds of billions in funds.
First prize: JustSign - a white-box cryptographic algorithm that turns a mobile phone into a USB shield
The project that took first prize in the competition, JustSign, is an electronic contract signing and certificate storage system based on FISCO BCOS. Its original JustKey white-box cryptographic algorithm realizes "the mobile phone as a USB shield", which addresses the limited compatibility of traditional CAs, the inability to protect key security on mobile terminals, and the vulnerability of centralized data storage to attack.
Expert reviewers commented that electronic contracts involve complex legal relationships and ownership of interests, and it has long been difficult to achieve a balance between security, integrity and portability. The team’s original white-box cryptographic algorithm is really conducive to improving security in blockchain certificate storage scenarios.
Second Prize: Internet of Things Trusted Interconnection Solution - The Picture of Smart Life Looks Like This
The Internet of Things Trusted Interconnection Solution entered by the Sichuan Changhong Security Laboratory depicts a smart home blueprint that requires almost no extra worry on the user's part. Analyzing the blockchain technology behind it, team representatives said that an inter-enterprise cooperation alliance is established on the alliance chain to open up interconnection and mutual trust between the IoT devices of different manufacturers, and that, based on insights into typical business scenarios of smart life, smart contracts implement smart terminal registration, scene rules, trust rules and linkage rules.
Expert judges of the competition believe that this project has practical hardware and scenarios in the field of the Internet of Things, and is expected to further help application scenarios such as distributed AI assistants, resource sharing, life cycle management and multi-channel payment become reality, truly ushering in smart life.
The projects that won the third prize in the competition accurately targeted the characteristics of blockchain in terms of security and efficiency improvement, and provided practical solutions for the industries they represent. A team of teachers and students from Tsinghua University found a new way to develop cross-layer, full-stack blockchain security detection technology to comprehensively protect other blockchain applications, and its technical strength was highly praised by the judges.
The third prize winners were the trusted electronic certificate platform of Shenzhen E-Commerce Security Certificate Management Co., Ltd., the real estate registration platform of Wuhan Liandong Times Technology Co., Ltd., the Rongcheng blockchain service platform of Shandong Guanhai Data Technology Co., Ltd., the livestock industry blockchain traceability of Quanliantong Co., Ltd., the tourism finance alliance platform of Shenzhen Youxun Information Technology Co., Ltd., and the copyright safe deposit box of Beijing FamilyMart Technology Development Co., Ltd.
Shanghai Jiuyaojiu Information Technology Co., Ltd.'s first-responder mutual aid first aid, "Yongteng Group My Innovate"'s HaveFund, Qianhai Life Insurance Co., Ltd.'s blockchain policy management, Huazhong University of Science and Technology's "Guanshankou Hulu Brothers" Book Enjoying Campus, and the Cloud Block project team's "Yun Block" account system also won the Outstanding Social Value Award, Outstanding Business Design Award, Outstanding User Value Award, Outstanding Creativity Award and Outstanding Application Integration Award respectively.
Ma Zhitao, chairman of the Golden Alliance Technical Committee, elaborated on the concept of the “public alliance chain”. He believes that the alliance chain should achieve self-sublimation and should be able to evolve into an ecosystem that provides services to the public, that is, a "public alliance chain."
Different from the public chain project's idea of "coming up with a plan first, raising funds, vigorously promoting it, raising the price, and finally investing in development", the alliance chain project adheres to the idea of "investing in development first with its own funds, going to the production environment to verify, accumulating real customers and users, running steady trials and errors, and finally carrying out promotion and publicity." However, because of this focus on practical implementation and real applications, there is a lack of publicity, and it has fallen into a passive situation of "many people have implemented it, but few people have praised it". The Golden Link Alliance hopes that through this competition, alliance chain project teams will come to the stage to show their results, enhance the influence of the alliance chain, and let the public learn more about the real application implementation and sustainable development of alliance chain projects.
❹ What is the main way to ensure the security of blockchain?
Blockchain technology is a distributed recording technology that ensures the security and reliability of data by encrypting and distributing it.
The security of the blockchain is mainly ensured through the following methods:
1. Encryption technology: The blockchain uses symmetric encryption and asymmetric encryption algorithms, which can effectively protect the security of data.
2. Distributed storage: Blockchain data is not stored centrally on a single node, but is dispersed across the nodes in the network, which effectively prevents data tampering and loss.
3. Consensus mechanism: Blockchain usually uses a consensus mechanism to confirm the legitimacy of transactions, which helps prevent malicious transactions from occurring.
4. Contract mechanism: Blockchain can automatically execute transactions through smart contracts, which helps prevent manipulation of transactions.
Blockchain technology also brings some challenges while achieving security. For example, the security of the blockchain can be attacked by vulnerabilities, or assets can be stolen because private keys are leaked. Therefore, when using blockchain technology, you also need to pay attention to issues such as identity authentication and password security to ensure the security of the blockchain.
In addition, the security of blockchain technology may also be affected by policies, regulations, etc. For example, in some countries and regions, blockchain technology may be subject to censorship and restrictions, which may also have an impact on the security of the blockchain.
In general, the security of blockchain technology is mainly guaranteed through encryption technology, distributed storage, consensus mechanism and contract mechanism, but other challenges and influencing factors need to be paid attention to.
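As an added illustration (not part of the original answer or of any FISCO BCOS code), the following Python sketch shows the property behind points 1 to 3 above and behind the append-only claim in ❶: a hash-chained append-only ledger whose verifier detects in-place edits and deletions, plus a cross-replica tip comparison that exposes a single node which consistently rewrites its own copy (the case that local verification alone cannot catch). The ledger format, node names and sample records are constructed assumptions.

```python
import hashlib
import json
from typing import Any, Dict, List, Optional, Tuple

Block = Dict[str, Any]
GENESIS_PREV = "0" * 64  # previous-hash value of the first block (convention of this example)


def block_hash(index: int, prev_hash: str, record: Dict[str, Any]) -> str:
    """SHA-256 over a canonical encoding of (position, predecessor hash, record)."""
    payload = json.dumps({"index": index, "prev": prev_hash, "record": record},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_block(chain: List[Block], record: Dict[str, Any]) -> Block:
    """The only write operation the ledger offers: add a block after the current tip."""
    index = len(chain)
    prev_hash = chain[-1]["hash"] if chain else GENESIS_PREV
    block = {"index": index, "prev": prev_hash, "record": dict(record),
             "hash": block_hash(index, prev_hash, record)}
    chain.append(block)
    return block


def verify_chain(chain: List[Block]) -> Tuple[bool, Optional[int]]:
    """Replay the chain from genesis. Returns (ok, index of the first inconsistent block)."""
    expected_prev = GENESIS_PREV
    for i, block in enumerate(chain):
        if block["index"] != i or block["prev"] != expected_prev:
            return False, i  # a block was deleted, inserted or reordered
        if block_hash(i, block["prev"], block["record"]) != block["hash"]:
            return False, i  # the record or header was edited in place
        expected_prev = block["hash"]
    return True, None


def rewrite_history(chain: List[Block], index: int, record: Dict[str, Any]) -> List[Block]:
    """Model one node silently editing its own copy and re-hashing every later block."""
    rewritten = [dict(b) for b in chain]
    rewritten[index]["record"] = dict(record)
    for i in range(index, len(rewritten)):
        prev = rewritten[i - 1]["hash"] if i else GENESIS_PREV
        rewritten[i]["prev"] = prev
        rewritten[i]["hash"] = block_hash(i, prev, rewritten[i]["record"])
    return rewritten


def majority_tip(replicas: Dict[str, List[Block]]) -> Tuple[Optional[str], List[str]]:
    """Compare the tip hash held by each node; return the majority tip and the dissenting nodes."""
    tips = {name: (c[-1]["hash"] if c else GENESIS_PREV) for name, c in replicas.items()}
    counts: Dict[str, int] = {}
    for h in tips.values():
        counts[h] = counts.get(h, 0) + 1
    best, votes = max(counts.items(), key=lambda kv: kv[1])
    if votes * 2 <= len(tips):
        return None, sorted(tips)  # no strict majority: nothing can be decided
    return best, sorted(n for n, h in tips.items() if h != best)


SAMPLE_RECORDS = [  # constructed sample transfers, not real data
    {"from": "acct-A", "to": "acct-B", "amount": 100},
    {"from": "acct-B", "to": "acct-C", "amount": 40},
    {"from": "acct-C", "to": "acct-A", "amount": 15},
]


def build_sample_chain() -> List[Block]:
    chain: List[Block] = []
    for rec in SAMPLE_RECORDS:
        append_block(chain, rec)
    return chain


def demo() -> Dict[str, Any]:
    honest = build_sample_chain()
    # 1) in-place modification of one record: that block's own hash no longer matches
    edited = [dict(b) for b in honest]
    edited[1] = dict(edited[1], record={**edited[1]["record"], "amount": 4000})
    # 2) deletion of a block: the successor's index and prev-hash link break
    deleted = [honest[0]] + honest[2:]
    # 3) a consistent rewrite by one node passes that node's local check ...
    rogue = rewrite_history(honest, 1, {**SAMPLE_RECORDS[1], "amount": 4000})
    # ... but is outvoted once tips are compared across the replicas
    tip, dissent = majority_tip({"node-a": honest, "node-b": build_sample_chain(),
                                 "node-c": build_sample_chain(), "node-d": rogue})
    return {"honest": verify_chain(honest), "edited": verify_chain(edited),
            "deleted": verify_chain(deleted), "rogue_local": verify_chain(rogue),
            "majority_tip_is_honest": tip == honest[-1]["hash"], "dissenting": dissent}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The rogue node is only detected by comparing replicas, which is the point of "distributed storage" and "consensus" in the list above: integrity hashes alone cannot distinguish a consistent rewrite from the honest history.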
❺ The data transparency and security that blockchain can achieve are almost unprecedented, right?
Blockchain characteristics:
1. Decentralization. Blockchain technology does not rely on additional third-party management agencies or hardware facilities, and there is no central control. Apart from the self-contained blockchain itself, each node realizes information verification, transmission and management through distributed accounting and storage. Decentralization is the most prominent and essential feature of blockchain.
2. Openness. The foundation of blockchain technology is open source. Apart from the private information of the transacting parties, which is encrypted, blockchain data is open to everyone. Anyone can query the blockchain data and develop related applications through the public interface, so the information of the entire system is highly transparent.
3. Independence. Based on consensus specifications and protocols (similar to various mathematical algorithms, such as the hash algorithm used by Bitcoin), the entire blockchain system does not rely on other third parties. All nodes can automatically and securely verify and exchange data within the system without any human intervention.
4. Security. As long as you cannot control 51% of all data nodes, you cannot manipulate and modify network data at will. This makes the blockchain itself relatively safe and avoids subjective, human-made changes to the data.
5. Anonymity. Unless required by legal regulations, technically speaking, the identity information of each block node does not need to be disclosed or verified, and information transfer can be carried out anonymously.
❻ How to detect the risk level of blockchain smart contracts
With the acceleration of Shanghai's digital transformation, blockchain technology has been deeply applied in fields such as government affairs, finance, logistics and justice. In the course of application, not only have new business forms and business models been born, but many security issues have also arisen, so safety supervision is particularly important. As one of the important means of supervision, security evaluation has become a focus of many blockchain R&D manufacturers and application companies. This article discusses some of our exploration and practice in the blockchain compliance security assessment that everyone is concerned about.
I. Blockchain technology evaluation
Blockchain technology evaluation is generally divided into functional testing, performance testing and security evaluation.
1. Functional testing
Functional testing is a test of the basic functions supported by the underlying blockchain system, with the purpose of measuring the capabilities of the underlying blockchain system.
Blockchain functional testing is mainly based on GB/T 25000.10-2016 "Systems and Software Quality Requirements and Evaluation (SQuaRE) Part 10: System and Software Quality Model", GB/T 25000.51-2016 "Systems and Software Quality Requirements and Evaluation (SQuaRE) Part 51: Quality Requirements and Testing Details for Ready to Use Software Products (RUSP)" and other standards, to verify whether the software under test meets the requirements of the relevant test standards.
Blockchain functional testing specifically covers networking methods and communication, data storage and transmission, encryption module availability, consensus function and fault tolerance, smart contract function, system management stability, chain stability, privacy protection, interoperability, account and transaction types, private key management solutions, audit management and other modules.
2. Performance testing
Performance testing is a type of test implemented and executed to describe and evaluate the performance-related characteristics of the test object. It is mostly used in project acceptance evaluation to verify whether the established technical indicators have been met.
Blockchain performance testing specifically includes high-concurrency stress test scenarios, peak impact test scenarios, long-term stable operation test scenarios, query test scenarios and other modules.
3. Security Assessment
Blockchain security assessment mainly conducts security testing and evaluation of account data, cryptography mechanisms, consensus mechanisms, smart contracts, etc.
The main basis for blockchain security evaluation is "DB31/T 1331-2021 General Requirements for Blockchain Technology Security". You can also refer to standards such as "JR/T 0193-2020 Blockchain Technology Financial Application Assessment Rules" and "JR/T 0184-2020 Financial Distributed Ledger Technology Security Specifications" based on actual testing needs.
Blockchain security assessment specifically includes storage, network, computing, consensus mechanism, cryptography mechanism, timing mechanism, personal information protection, networking mechanism, smart contracts, services and access, etc.
II. Blockchain Compliance Security Assessment
Blockchain compliance security assessment generally includes three categories: "Blockchain Information Service Security Assessment", "Network Security Level Protection Assessment" and "Special Fund Project Acceptance Evaluation".
1. Blockchain Information Service Security Assessment
Blockchain Information Service Security Assessment is mainly based on the "Blockchain Information Service Management Regulations" (hereinafter referred to as the "Regulations") issued by the State Internet Information Office on January 10, 2019, and the national blockchain standard "Blockchain Information Service Security Specification (Draft for Comments)".
The "Regulations" aim to clarify the information security management responsibilities of blockchain information service providers, standardize and promote the healthy development of blockchain technology and related services, avoid blockchain information service security risks, and provide blockchain Provide effective legal basis for the provision, use and management of information services. Article 9 of the "Regulations" states: Blockchain information service providers that develop and launch new products, new applications, and new functions must report to the national and provincial, autonomous region, and municipality Internet Information Offices for security assessment in accordance with relevant regulations.
The "Blockchain Information Service Security Specification" is a national standard for evaluating the security capabilities of blockchain information services, whose preparation is led by the Institute of Information Engineering of the Chinese Academy of Sciences with the participation of Zhejiang University, the China Electronics Standardization Institute, the Shanghai Information Security Evaluation and Certification Center and other units. The "Blockchain Information Service Security Specification" stipulates the security requirements that blockchain information service providers of alliance chains and private chains should meet, including security technical requirements and security assurance requirements as well as the corresponding test and evaluation methods, and is suitable for guiding blockchain information service security assessment and blockchain information service security construction. The framework of security technical requirements and assurance requirements proposed by the standard is as follows:
Figure 1 Blockchain information service security requirements model
2. Network security level protection evaluation
The main basis for network security level protection evaluation includes "GB/T 22239-2019 Basic Requirements for Network Security Level Protection" and "GB/T 28448-2019 Network Security Level Protection Evaluation Requirements".
As an emerging information technology, the application system built by blockchain is also an object of level protection and needs to be evaluated for level protection in accordance with regulations. The general requirements for level protection security evaluation are applicable to the evaluation of the infrastructure part of the blockchain, but currently there are no blockchain-specific security requirements. Therefore, the expansion requirements for blockchain security evaluation still need to be further explored and studied.
3. Special fund project acceptance evaluation
According to the relevant regulations of the Municipal Economic and Information Technology Commission, information technology special fund projects are required to produce a security evaluation report at project acceptance. The acceptance evaluation of blockchain application projects is carried out in accordance with Shanghai's latest blockchain local standard "DB31/T 1331-2021 General Requirements for Blockchain Technology Security".
3. Exploration and practice of blockchain security assessment
1. Standard preparation
The Shanghai Assessment Center actively participates in the preparation of blockchain standards. The blockchain local standard "DB31/T 1331-2021 General Requirements for Blockchain Technology Security", led by the Shanghai Assessment Center and prepared with the participation of Suzhou Tongji Blockchain Research Institute Co., Ltd., Shanghai Qiyin Information Technology Co., Ltd., Shanghai Moheng Network Technology Co., Ltd., the First Research Institute of Telecommunications Science and Technology and other units, was officially released in December 2021 and officially implemented on March 1 this year. The blockchain national standard "Blockchain Information Service Security Specification", in whose preparation the Shanghai Assessment Center also participated, is at the stage of soliciting opinions.
At the same time, the assessment center also participated in the compilation of primary and intermediate textbooks for blockchain engineering technicians organized by the Ministry of Human Resources and Social Security and led by Tongji University, and was responsible for compiling the chapter "Testing the Blockchain System".
2. Project Practice
In recent years, the Shanghai Assessment Center has conducted a large number of blockchain security assessment practices based on relevant technical standards, including grade protection assessment, information service security assessment, project security assessment, etc. In the evaluation practice, the main security issues discovered are as follows:
Table 1 Main blockchain security issues

| No. | Evaluation item | Problem description |
|---|---|---|
| 1 | Consensus algorithm | The consensus algorithm uses Kafka or Raft consensus and does not support Byzantine fault tolerance, so malicious node behavior is not tolerated. |
| 2 | On-chain data | Sensitive on-chain information is not encrypted, and all data on the chain can be accessed through the query interface or a blockchain browser. |
| 3 | Cryptographic algorithm | The random numbers used by the cryptographic algorithm do not meet the randomness requirements of GB/T 32915-2016. |
| 4 | Node protection | For the alliance chain, no security protection measures are configured for the area where the node servers are located. |
| 5 | Communication transmission | No secure information transmission channel is established for communication between nodes, or between the blockchain and upper-layer applications. |
| 6 | Consensus algorithm | The number of deployed nodes is small, and sometimes does not even reach the number of fault-tolerant nodes required by the consensus algorithm. |
| 7 | Smart contract | The operation of smart contracts is not monitored, so problems that arise during operation cannot be discovered and handled in a timely manner. |
| 8 | Services and access | Upper-layer applications have access control flaws such as over-privileged and unauthorized access, leading to business confusion and data leakage. |
| 9 | Smart contract | Smart contract coding is not standardized, and no contract freezing function is provided for when an error occurs in a smart contract. |
| 10 | Smart contract | The running environment of smart contracts is not isolated from the outside, and there is a risk of external attack. |
3. Tool Application
When the assessment center organized and compiled "DB31/T 1331-2021 General Requirements for Blockchain Technology Security", it already considered the need to connect with level protection evaluation. The "infrastructure layer" security in DB31/T 1331 is consistent with the relevant level protection requirements for the secure physical environment, secure communication network, secure area boundary, secure computing environment and security management center, while "protocol layer security" and "extension layer security" reflect more of the security protection requirements unique to blockchain.
Based on the relevant security requirements of DB31/T 1331, the assessment center is organizing and compiling extended blockchain assessment requirements. The results will be applied to the network security level protection assessment tool "Assessment Expert". Evaluation institutions using the "Assessment Expert" software will then be able to carry out blockchain security evaluations accurately, in a standardized manner and efficiently, discover blockchain security risks, and put forward corresponding rectification suggestions.
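Items 1 and 6 of Table 1 are both about consensus fault tolerance: whether the protocol tolerates malicious nodes at all, and whether enough nodes are deployed to reach the tolerance the operator claims. The following is an added example, not code from the assessment center or from any standard cited above, that turns those two items into a repeatable check. It assumes the textbook bounds: crash-fault-tolerant protocols such as Raft or a Kafka ordering service need n >= 2f + 1 nodes to survive f faulty nodes, and Byzantine-fault-tolerant protocols of the PBFT family need n >= 3f + 1. The protocol table, the `Assessment` type and the constructed deployments are assumptions of this example.

```python
"""Consensus fault-tolerance check for a consortium-chain deployment (added example)."""
from dataclasses import dataclass, field

# Consensus family -> (fault model, multiplier k in n >= k*f + 1).
# Assumption of this example; extend the mapping for other consensus engines.
CONSENSUS_MODELS = {
    "raft": ("crash", 2),
    "kafka": ("crash", 2),
    "pbft": ("byzantine", 3),
}


@dataclass
class Assessment:
    consensus: str
    node_count: int
    required_faults: int
    tolerated_faults: int
    minimum_nodes: int
    findings: list = field(default_factory=list)


def max_tolerated_faults(consensus: str, node_count: int) -> int:
    """Largest f such that node_count >= k*f + 1 for the given protocol family."""
    _, k = CONSENSUS_MODELS[consensus.lower()]
    return max(0, (node_count - 1) // k)


def minimum_nodes(consensus: str, required_faults: int) -> int:
    """Smallest node count that tolerates required_faults faulty nodes."""
    _, k = CONSENSUS_MODELS[consensus.lower()]
    return k * required_faults + 1


def assess_deployment(consensus: str, node_count: int, required_faults: int) -> Assessment:
    """Produce the Table 1 style findings (items 1 and 6) for one deployment."""
    fault_model, _ = CONSENSUS_MODELS[consensus.lower()]
    tolerated = max_tolerated_faults(consensus, node_count)
    needed = minimum_nodes(consensus, required_faults)
    result = Assessment(consensus, node_count, required_faults, tolerated, needed)
    if fault_model != "byzantine":
        # Item 1: crash tolerance only; a malicious (Byzantine) node is not tolerated.
        result.findings.append(
            f"{consensus} is crash-fault-tolerant only: malicious node behavior "
            "is not tolerated (table item 1)")
    if tolerated < required_faults:
        # Item 6: too few nodes for the fault tolerance the operator claims.
        result.findings.append(
            f"{node_count} nodes tolerate only {tolerated} faulty node(s); "
            f"{needed} nodes are needed to tolerate {required_faults} (table item 6)")
    return result


if __name__ == "__main__":
    # Constructed deployments, not real systems.
    for args in [("raft", 3, 1), ("pbft", 3, 1), ("pbft", 4, 1)]:
        a = assess_deployment(*args)
        print(f"{a.consensus} n={a.node_count}: tolerates f={a.tolerated_faults}")
        for finding in a.findings:
            print("  -", finding)
```

Running the block shows the two failure modes from the table side by side: a three-node Raft cluster survives one crash but has no answer to a single dishonest node, and a three-node PBFT deployment tolerates zero faults until a fourth node is added.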
❼ Is blockchain safe?
Hi everyone, I am your quiz assistant, Zi Xiaochen. Recently, blockchain has attracted wide attention and discussion, but many people don't know much about its security. So today we will talk about the security issues of blockchain.
First of all, would you like to hear an easy-to-understand metaphor? A friend of mine joked: "The blockchain is like a password lock. Without the password, no one can open it." Although this is simple and amusing, it makes a lot of sense. Since the blockchain uses distributed ledger technology, data is stored across a huge network, and transmission between nodes uses asymmetric encryption, the blockchain has extremely high security, and third-party attacks are very difficult.
Secondly, of course there are some security issues that need attention. For example, hacker attack methods such as "51% attack" can pose a threat to the blockchain. In addition, there are also security risks in virtual currency trading venues, such as Bitcoin exchanges, and you need to pay attention to precautions. Therefore, when choosing a blockchain platform or participating in virtual currency transactions, you need to know more and consider carefully to avoid losses.
In short, blockchain is an open technology, which has huge advantages in ensuring data security and preventing tampering. But we also need to be alert to potential security risks and choose reliable platforms and exchanges to participate in cryptocurrency investments.
I hope my answer can help you better understand the blockchain and its security issues. If you have any questions or want to share your experience, please feel free to message me privately! Finally, don’t forget to like, comment and forward, follow my articles, more content is waiting for you!
❽ Security rules of blockchain
Security rules of blockchain, the first rule:
Storage is everything
A person's property ownership and security fundamentally depend on how the property is stored and how it is defined. In the Internet world, massive amounts of user data are stored on the platforms' servers, so the ownership of this data is still a mystery. Just as it is hard to determine who owns your and my social IDs, user data assets have pushed up the market value of the platforms, yet users do not share in that market value. The blockchain world has changed storage media and methods, allowing ownership of assets to be handed to individuals.
Extended information
The risks faced by a blockchain system are not only attacks from external entities, but also attacks from internal participants, as well as component failures such as software faults. Therefore, before implementation it is necessary to develop a risk model and understand the specific security requirements, to ensure an accurate understanding of the risks and of the response plans.
1. Security features unique to blockchain technology
● (1) Security of written data
Under the consensus mechanism, only when most nodes in the entire network (or several key nodes) agree at the same time that a record is correct can the authenticity of the record be recognized by the whole network and the record data be allowed to be written into a block.
● (2) Security of reading data
Blockchain has no inherent security restrictions on reading information, but reading can be controlled to a certain extent, for example by encrypting certain elements on the blockchain and then handing the key to the relevant participants. At the same time, the complex consensus protocol ensures that everyone in the system sees the same ledger, which is an important means of preventing double spending.
● (3) Resistance to Distributed Denial of Service (DDoS) attacks
The distributed architecture of blockchain gives it point-to-point, multi-redundant characteristics with no single point of failure, so its means of resisting denial of service attacks are much more flexible than a centralized system's. Even if one node fails, the other nodes are not affected; however, users connected to the failed node cannot reach the system unless there is a mechanism that lets them connect to other nodes.
2. Security challenges and response strategies faced by blockchain technology
● (1) The network is open and undefended
For public chain networks, all data is transmitted over the public network, and every node joining the network can connect to other nodes and accept connections from them without any obstacle. There is no authentication or other protection at the network layer. The response to this type of risk is to require greater privacy and carefully control network connections. For industries with higher security requirements, such as finance, it is advisable to use dedicated lines to access the blockchain network, authenticate incoming connections, exclude unauthorized nodes to avoid data leakage, and provide protocol-stack-level firewall protection to prevent network attacks.
● (2) Privacy
Transaction data on a public chain is visible to the entire network, and the public can track these transactions. Anyone can draw conclusions about something by observing the blockchain, which is not conducive to protecting the legitimate privacy of individuals or institutions. The response strategies for this type of risk are:
First, the certification agency acts as an agent for users to conduct transactions on the blockchain, and user information and personal behaviors do not enter the blockchain.
Second, instead of using a network-wide broadcast method, the transmission of transaction data is limited to nodes that are conducting relevant transactions.
Third, access to user data is controlled by permissions, so only visitors holding the key can decrypt and access the data.
Fourth, use privacy protection algorithms such as "zero-knowledge proof" to avoid privacy exposure.
● (3) Computing power
Blockchain solutions using proof-of-work face the problem of the 51% computing power attack. With the gradual concentration of computing power, it is objectively possible for an organization to control more than 50% of the computing power. Without improvement, it cannot be ruled out that this will gradually degenerate into a law of the jungle in which the strong prey on the weak. The response strategy for this type of risk is to use a combination of algorithms and real-world constraints, such as joint management and control using asset collateral, legal and regulatory means, and so on.
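Why the 50% threshold mentioned above is decisive is easiest to see numerically. The following is an added example, not from the original answer, that evaluates the well-known Nakamoto catch-up formula (Bitcoin whitepaper, section 11) from the defender's side: given an attacker's share q of total computing power and a recipient who waits for z confirmations, how likely is it that the attacker can still rewrite the block containing the payment? Once q reaches 0.5 the probability is 1 regardless of z, which is the 51% attack the text names; below 0.5 it decays exponentially with z, which is why waiting for confirmations is the standard operational mitigation on proof-of-work chains. The function names and the risk budget used in the demo are assumptions of this example.

```python
"""Attacker catch-up probability on a proof-of-work chain (added example)."""
import math
from typing import Optional


def _poisson_pmf(k: int, lam: float) -> float:
    """Poisson probability mass, computed in log space so large z does not overflow."""
    if lam == 0.0:
        return 1.0 if k == 0 else 0.0
    return math.exp(k * math.log(lam) - lam - math.lgamma(k + 1))


def catch_up_probability(q: float, z: int) -> float:
    """Probability that an attacker with hash share q overtakes an honest chain z blocks ahead."""
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a fraction of total computing power")
    if z < 0:
        raise ValueError("z must be a non-negative confirmation count")
    p = 1.0 - q
    if q >= p:
        # Majority attacker: catching up is certain, however many confirmations are waited.
        return 1.0
    # Expected attacker progress while the honest network mined z blocks.
    lam = z * q / p
    total = 0.0
    for k in range(z + 1):
        # Attacker found k blocks so far and still has to close a gap of z - k.
        total += _poisson_pmf(k, lam) * (1.0 - (q / p) ** (z - k))
    return 1.0 - total


def confirmations_for_risk(q: float, max_risk: float, limit: int = 10_000) -> Optional[int]:
    """Smallest z with catch_up_probability(q, z) < max_risk; None if no z achieves it."""
    if q >= 0.5:
        return None
    for z in range(limit + 1):
        if catch_up_probability(q, z) < max_risk:
            return z
    return None


if __name__ == "__main__":
    # Constructed scenario: a recipient accepting at most 0.1% rewrite risk.
    for q in (0.10, 0.30, 0.45, 0.51):
        z = confirmations_for_risk(q, 0.001)
        print(f"attacker share {q:.2f}: confirmations needed = {z}")
```

The demo reproduces the whitepaper's table (5 confirmations at a 10% share, 24 at 30%) and shows the curve blowing up as the share approaches one half; at 51% no number of confirmations helps, which is exactly why the text turns to non-algorithmic constraints such as collateral and regulation for this risk.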