Efficient Encryption Key Management for Blockchain Applications

Jason Sfaelos

Nearly every industry is investigating potential applications of distributed ledger technology (DLT), also known by the more popular term-blockchain. According to the Deloitte 2018 Global Blockchain Survey 74 percent of organizations responding to the survey recognize a “compelling business case” for blockchain applications.

Blockchain is a distributed database (ledger) that is both shared and synchronized across a peer-to-peer network with no single or central control point. Blockchain securely records transaction data (a block) and replicates copies among every participant in the blockchain network. Once recorded, the information becomes nearly impossible to modify, a distinct benefit of the technology. The information recorded is secured by cryptographic keys, essential items in a blockchain system.

The Promise of Enhanced Efficiency and Security

Driving the adoption of these technologies are the increased efficiency and enhanced collaboration across business ecosystems, as well as visibility and transparency that greatly reduce the chances of fraudulent transactions. Expectations are high:

Banking: transactions can be securely processed in minutes, avoiding the delays associated with centralized clearance of transactions, allowing much faster transfer of funds between accounts and making it extremely difficult to execute fraud.

Healthcare: medical records can be encoded with a private key and written to the blockchain to ensure access only by authorized individuals. Once written, these medical records cannot be changed, providing a permanent health record.

Supply chains: these complex processes often involve the participation of dozens of suppliers, manufacturers, transportation providers and retailers. Blockchain enables accurate, immutable recording of materials, supplies and chain of custody as products make their way from source to market. FDA regulations that place additional levels of compliance on supply chain participants may be an ideal application for blockchain.

As with new technologies, enterprises need to carefully evaluate the temporal and technical investments required to implement blockchain applications. Although the benefits can be compelling, a few of the underlying technology approaches that enable blockchain require careful consideration. Security, specifically encryption key management for blockchain applications, may need to accommodate a wide range of use cases.

Blockchain Security Relies on Efficient and Effective Encryption Key Management

Blockchain applications rely on cryptography as a means of ensuring transactions are done safely, while securing all information that is stored. It accomplishes this by securing the identity of the sender of transactions and ensuring past records cannot be tampered with. As a result, anyone using a blockchain can have complete confidence that once something is recorded, it is legitimate and has been done so in a manner that preserves security.

Blockchain accomplishes this by leveraging a trust model, which boils down to proving identity (authentication) and proving permissions (authorization). Put more simply, the trust model answers the questions ‘Are you who you say you are?’ and ‘Can you see what you are trying to see?’

Private key cryptography provides a powerful ownership tool that fulfills the authentication requirement by creating a secure digital identity reference. Identity is based on possession of a combination of private and public cryptographic keys.

Efficient and effective encryption key management for blockchain applications needs to address several challenges:

  • Blockchain sometimes uses non-standard cryptography, which many hardware solutions do not support.
  • Upgrading hardware to support new cryptographic schemes requires lengthy development and complex upgrades.
  • Protection is required multiple components of the blockchain, including the private key.
  • Multi-signature architectures require massive amounts of keys on the server side.
  • Certain authentication schemes used for ledger operations require approvers to hold keys in cumbersome, external hardware
  • Enterprises will likely leverage multiple blockchain platforms from different providers.
  • Blockchain applications will be integrated with applications running in public, private and hybrid cloud environments.

Given the dynamic growth, global distribution (particularly in supply chain and finance) and varied use cases for blockchain applications, encryption key management using physical hardware security modules (HSM) is insufficient. A far better approach to encryption key management for blockchain applications is leveraging a highly scalable, platform-neutral, service-based approach to key management.

Encryption Key Management as a Service for Blockchain Applications

Key management as a service addresses many of these challenges. The service is deployed on-demand, easily scales as blockchain platforms or applications grow, and can be deployed where needed to optimize blockchain transactions.

Encryption key management as a service provides the flexibility to address the variations of blockchain implementations. A few use-case examples help illustrate the advantages of this approach.

Blockchain Applications Hosted on Cloud Service Providers

In a relatively simple use case, an organization contracts with a cloud service provider (CSP) such as IBM, Microsoft, AWS, SAP or Oracle to run their blockchain node on the provider’s Blockchain as a Service platform. CSPs are typically adverse to, or prohibit clients from, installing enterprise-owned hardware security modules in their (the CSP’s) data centers, and although the CSP may offer a key management service, their keys can only be used within the CSP’s own environment. This is important because if the enterprise needs to utilize a blockchain ledger across multiple clouds they would need to store and manage their keys within those multiple cloud key management services.

To overcome this limitation, key management services available from cloud-neutral providers like Equinix enable an organization to manage encryption keys independently of the cloud service provider. Transaction data written to a given blockchain ledger is secured and retrieved using the participant’s private key, managed by an encryption key service hosted in an Equinix data center that provides interconnection services with major cloud providers. As blockchain applications expand, it’s likely that these applications will be hosted on additional cloud environments. Encryption key management as a service provides globally available key management, regardless of the cloud environment.

Participation in Multiple Line-of-Business Blockchain Applications

As blockchain adoption grows, the overwhelming majority of enterprises will participate in multiple blockchain applications-human resources, payroll, tax records and submissions, health insurance and others that involve numerous counterparty transactions. These various applications are likely to be hosted across multiple cloud-based blockchain platforms. Additionally, an enterprise may have situations where it manages its own private node and connects to other (permissioned) participants who provide the proper credentials.

In both instances, key management as a service hosted on a decentralized platform enables the enterprise to manage the private keys required for each of these blockchain applications. For the line-of-business blockchain applications, encryption key management services ensure transactions are securely recorded.

Blockchain Consortium: Global and Secure

Blockchain applications like supply chains may have a consortium of thousands of participants, globally distributed, with each playing a vital role in bringing products to market. Here too, key management as service hosted on a neutral platform with global interconnections simplifies blockchain implementation and management. Regardless of the participant’s actual location, a globally available key management as a service provides a single authority for managing access and transaction security.

Encryption Key Management: Service vs Hardware

Enterprises embarking on blockchain or distributed ledger applications can simplify implementation by opting for encryption key management as a service. In comparison to HSM devices, encryption key management as a service:

  • Is implemented on-demand and scales easily as blockchain applications grow.
  • Supports a wide range of use cases including private ledgers, participation in multiple blockchain applications, consortia and deployment across private, public and hybrid cloud environments.
  • Provides management of encryption key lifecycles, regardless of where keys are actually deployed across network or nodes.
  • Supports high-performance transaction speeds by deploying encryption services “at the edge” to minimize latency.

Learn more about the technical capabilities and benefits of encryption key management as a service, available from Equinix as SmartKey, by taking a few minutes to read Encryption Key Management Best Practices.

Enhance Blockchain Application Performance

When people discuss blockchain performance, they often only think in terms of the time it takes to commit a transaction to the ledger. While many Enterprise grade blockchain networks seek to improve transaction times, enterprise performance expectations go beyond this. Over time, organizations will need fast, scalable connections to move big data quickly for transaction purposes that bypass the public internet to avoid network contention, variability and security issues. Enterprises will deploy their core infrastructure, critical components such as ERP or Data Warehouse systems, at the digital edge, in close proximity to their blockchain nodes thus allowing companies to privately connect to multiple blockchain networks efficiently.

Thereafter, the focus will turn to the high degree of performance, scale and reliability required by the enterprise as it relates to the intersection point between blockchain network-based data and internal or proprietary (off-chain) data. Converging the datasets and making the end-result “information” available to their constituents, be it employees, customers, etc, will drive tremendous value. Ensuring the data sets are strategically distributed allows the enterprise to properly localize the information to their target markets or in some cases to maintain adherence to in-country regulations.

Global data center and interconnection providers like Equinix offer private connections that eliminate throughput delays and security risks inherent in internet connections. Platform Equinix supports enhanced application performance with proximate, vendor-neutral, private, low-latency, globally distributed interconnection hubs to the major cloud, network and communications service providers.

Jason Sfaelos
Jason Sfaelos Director of Blockchain & Neural Data Systems