
Permissioned Blockchains for Banking – Understanding the Technology and Security Aspects

November 09, 2020

The banking industry is currently rolling out several permissioned blockchain projects.

These are still controlled projects, but they already demonstrate how powerful a blockchain-enabled banking system could be: gains in effectiveness and security, and a technical basis for new, innovative business models in banking.

Many financial institutions are considering the creation of a global payment system based on permissioned blockchain technology. By forming consortiums of banks and technology providers, they can pool resources, gain market standing, and reach the critical mass a blockchain network needs to produce emergent network effects (e.g., for innovation).

In what follows, we look at the technologies used to apply permissioned blockchains in the banking context.

Overview of Permissioned Blockchains for the Banking Industry

The blockchain concept works by creating a unique chain of blocks, each one "glued" to the next by a digital signature system. In the banking context, this allows the history of a digital value and its associated transaction records to be checked.

Blockchains actively prevent counterfeit transactions, fraud, and collusion between rogue actors, and they allow a better, faster, and more efficient Know-Your-Customer (KYC) process. Such technology may also allow interaction with other blockchains, for instance identity blockchains provided by the public sector.

Here is the main lifecycle of a transaction in a permissioned blockchain system:

[Figure: blockchain architectures and collective control]

  • The transaction is encrypted and added to a distributed ledger;
  • All relevant parties authorized to access the shared ledger check the details of the transaction;
  • Checked transactions are appended as a permanent, immutable component of the shared ledger;
  • The transaction is completed.

Blockchain Security

Permissioned blockchains inherit the security properties of public blockchains. A blockchain is formed block by block, and each block is appended to the chain only after a consensus. The block of transactions is signed by the actors of those transactions, and a timestamp is embedded in the block.

  • Each past transaction can be verified in the future, because the signers' public keys are recorded in the blockchain
  • Rewriting a block without modifying all subsequent blocks is impossible

Here is a typical example of such a blockchain:

[Figure: typical blockchain example]

Consensus

In a permissioned blockchain, the consensus is achieved via different techniques.

Technically, proof-of-work as used in permissionless blockchains is possible, but it is highly unlikely to be implemented and not advisable, given its irresponsible consumption of energy and time. The permissioned blockchain concept offers other consensus options, such as:

  • Proof of stake
  • Delegated proof of stake
  • Round-robin
  • Proof of authority/identity
  • Proof of elapsed time

In the banking context, the consensus would generally be achieved via proof of validity and proof of uniqueness. For example, in a Corda banking application, this is achieved by running the smart contract code attached to a transaction, and by checking all the signatures.

Validation of Correctness

Banking sector networks such as the Corda network tend to use the notary concept to validate the correctness of a block. Notaries are dedicated nodes used for multi-signing: all actors are required to digitally sign the transactions. This provides non-repudiation, technical protection, and a high level of legal assertion. In general, security in permissioned networks relies on a complex and well-designed PKI.
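To make the block-to-block "glue", the embedded timestamp and the notary's multi-signing check concrete, here is an added Go model of a minimal permissioned ledger (example code written for this page, not Utimaco's or Corda's implementation): each block commits to its predecessor's hash, and a notary accepts a block only when every listed actor has signed its payload. The block layout, the NotaryCheck/VerifyChain functions and the two bank keys are constructed assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Block: one transaction glued to its predecessor by PrevHash, with a timestamp and one Ed25519 signature per required actor (constructed model).
type Block struct {
	PrevHash, Payload []byte
	Timestamp         uint64
	Signers           []ed25519.PublicKey
	Sigs              [][]byte
}
// Hash commits to every field, so rewriting anything here changes the value the next block's PrevHash must equal.
func (b Block) Hash() []byte {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%x|%d|%x|%x|%x",
		b.PrevHash, b.Timestamp, b.Payload, b.Signers, b.Sigs)))
	return sum[:]
}
// NotaryCheck is the proof-of-validity step: every listed actor must have signed the payload.
func NotaryCheck(b Block) bool {
	ok := len(b.Sigs) == len(b.Signers)
	for i := 0; ok && i < len(b.Signers); i++ {
		ok = ed25519.Verify(b.Signers[i], b.Payload, b.Sigs[i])
	}
	return ok
}
// VerifyChain replays the ledger from genesis: each block must pass the notary
// check and link to the exact hash of its predecessor.
func VerifyChain(chain []Block) bool {
	for i, b := range chain {
		if !NotaryCheck(b) || (i > 0 && !bytes.Equal(b.PrevHash, chain[i-1].Hash())) {
			return false
		}
	}
	return true
}
// NewBlock builds a block over prevHash (nil for genesis) signed by every key.
func NewBlock(prevHash []byte, ts uint64, payload []byte, keys ...ed25519.PrivateKey) Block {
	b := Block{PrevHash: prevHash, Timestamp: ts, Payload: payload}
	for _, k := range keys {
		b.Signers = append(b.Signers, k.Public().(ed25519.PublicKey))
		b.Sigs = append(b.Sigs, ed25519.Sign(k, payload))
	}
	return b
}
func main() {
	_, bankA, _ := ed25519.GenerateKey(rand.Reader) // constructed sample actor keys
	_, bankB, _ := ed25519.GenerateKey(rand.Reader)
	g := NewBlock(nil, 1, []byte("A pays B 100"), bankA, bankB)
	chain := []Block{g, NewBlock(g.Hash(), 2, []byte("B pays A 40"), bankA, bankB)}
	fmt.Println("valid chain:", VerifyChain(chain)) // true
	chain[0].Timestamp = 99 // rewrite block 0 without touching block 1
	fmt.Println("after rewrite:", VerifyChain(chain)) // false
}
```

A rewrite of block 0 is caught through block 1's PrevHash even though block 1 was left untouched, and a block missing one actor's signature is rejected by the notary before the chain link is even examined.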

Strong Authentication

A permissioned blockchain builds on authentication and identification as the prerequisite for earning permission to enter. Being granted the permissions required to operate on such a blockchain is always linked to entering a login and a password, or performing a similar identification.

Multi-level conditional authorization can be maintained as well. The identification can be linked directly to ownership of a private key. In financial and payment sector permissioned blockchain networks, banks are advised to use two-factor authentication (2FA) and to link every user account to a private key in the same way, in order to reach strong authentication.

In non-permissioned networks, all users have equal rights and authority. In permissioned networks, this is often not the case. An attacker could therefore attack the network simply by stealing the credentials of authorized users of the blockchain, eventually gaining control over it and rewriting transactions.

In the banking context, the security of access authorization for the blockchain network must therefore be extremely strong. The whole architecture relies on banking-grade PKI, and banks need to provide a bulletproof PKI system to the participants of the permissioned blockchain.

HSM and Key Management – Backbone of Strong Authentication, Compliance, Auditability and Non-Repudiation

To incorporate strong authentication and/or 2FA in a business solution, the secure management of cryptographic keys is critical for the effective use of cryptography. A cryptographic key passes through many phases in its life cycle: generation, storage, distribution, and destruction. With the growing deployment and evolution of cryptographic mechanisms in blockchains, and hence in decentralized architectures, effective key management is challenging.

Regulating bodies in the financial market mandate the use of certified HSMs and key management solutions.
When choosing an HSM and key management system, compliance with one or several of the following standards is required (depending on the context of implementation and the area of jurisdiction):

  • PCI PTS (PIN Transaction Security) HSM version 3.0
  • FIPS 140-2 Level 3+
  • Common Criteria EAL (Evaluation Assurance Level) 4+
  • NIST Special Publication 800-57 "Recommendations for Key Management"
  • NIST Special Publication 800-130 "A Framework for Designing Cryptographic Key Management Systems"
  • NIST Special Publication 800-152 "A Profile for U.S. Federal Cryptographic Key Management Systems"

If the blockchain uses eIDAS-compliant signatures to benefit from their legal assertion and non-repudiation, the HSM and key management system should also comply with the following:

  • eIDAS Protection Profile (PP) EN 419 221-5 "Cryptographic Module for Trust Services"

It is highly recommended to use HSMs that have earned globally recognized certifications and that implement standards and best practices.

Conclusion

Blockchain technology is very attractive to the banking sector. It promises gains in efficiency and effectiveness, increases in security and profitability, and acts as an accelerator of innovation. Nevertheless, compared to a public blockchain system, additional security measures must be taken, such as running banking-grade strong authentication infrastructures and making sure that cryptographic operations and the associated private keys are handled in secure HSMs that meet globally recognized standards and certifications.
