Blockchains are ruled almost entirely by cryptographic mechanisms. These mechanisms mostly involve digital signatures & PKI, hashes, and key derivation.

In permissioned blockchains, the network effect is significantly lesser than in public networks. Besides permissioned blockchains do not use proof-of-work such as in the Bitcoin network or proof-of-stake such as found in Ethereum network and as such do not have the strong and inherent security behind these mechanisms.

By nature, permissioned networks are heavily dependent on cryptographic operations being done in a secure and safe way when used for financial institutions. They require banking-grade HSMs.

In what follows, we will present an overview of the key roles of HSMs in permissioned blockchains for banking & payment services.

Cryptographic Protocols Involved with Blockchains

There are no norms defining blockchains. Therefore, any blockchain implementation is free to pick up cryptographic algorithms that they want and for what they need.

Blockchains may use hash algorithms such as SHA-256 for the blockchain network. For example, Dagger-Hashimoto is used for the Ethereum network and ECDSA is used for Ripple-based networks. Additional hash algorithms include:

X11
X13
CryptoNight hash
Scrypt hash
NXT
BLAKE256

Here we list the hashes and cipher suites supported by major permissioned blockchains frameworks:

Framework	Hashing	Signature scheme
R3 Corda	Block hashing: SHA-256	RSA+SHA256 ECDSA_SECP256K1+SHA256 ECDSA_SECP256R1+SHA256 EDDSA_ED25519+SHA512 SPHINCS-256+SHA512
Hyperledger Fabric	Block hashing: SHA3 SHAKE256	ECDSA+SHA256 ECDSA+SHA384 ECDSA+SHA512
Hyperledger Sawtooth	SHA-3/256/512 Block hashing:64-byte header signature(instead of hash)	libsecp256k1
Quorum		Keccak signature hash-256/384/512+AES ECDSA P-256 P384 P521 S256 BN256
Multichain	Block hashing: SHA-256 (BTC)	secp256k1 +ECDSA (BTC)

There are many other permissioned frameworks, including HydraChain, OpenChain, and BigchainDB. Most are based on existing frameworks like Bitcoin or Ethereum. Many of the permissioned blockchain networks are crypto-agile and/or post-quantum proof.

Role of HSMs in Permissioned Blockchains

Permissioned blockchains incorporate the identity authentication, access control, and authorization features for the nodes for the participation in the blockchain network. Cryptographic keys are utilized for the identities of nodes. These cryptographic keys are securely managed through HSMs. Typically, blockchains incorporate the HSM as a service by which a single HSM or a cluster holds the cryptographic keys of various blockchain nodes. These keys should be managed in separate and secure HSM partitions with designated roles for each partition. In some scenarios, PKI-based digital certificates are also used to ensure the trust between the blockchain nodes.

By design, HSMs are perfectly suited for the needs of a permissioned blockchain.

Permissioned blockchain consensus is vulnerable to cryptographic attacks. Therefore, PKI operations should ideally be performed in HSMs. In general, the key pair generation in blockchains is essential, and such keys should not be handled directly by their end-users. Instead, they should be generated and securely stored in HSMs or in key management servers.

Hashing and specifically, keyed hashing operations, are an integral part of the blockchain system. They also need secure random generation functions that should also be achieved with an HSM.

Why Are These Standards Important for Compliance and Auditability?

HSMs are a vital part of any security infrastructure that is under the mandate of securely managing cryptographic keys. The HSMs considered for incorporation must be FIPS 140-2 level validated and Common Criteria certified. If PKI-based digital certificates are being used in the permissioned blockchain, they must comply with the latest X.509 v3 standard. When a permissioned blockchain is employed in a banking/financial services department, the PCI PTS HSM version 3.0 certification is mandatory for legal obligations and compliance.

Conclusion

In preventing and mitigating malicious attacks, the implementation of strong authentication and cryptographic mechanisms is a critical requirement for protecting permissioned blockchains. Since the permissioned blockchain incorporates the identities of blockchain nodes, the need for HSMs is critical.

It would be in the best interest of banks and payment services providers to use HSMs and secure key management systems to perform the cryptographic operations needed for blockchain operations.

References and Further Reading

Learn more about Utimaco’s HSMs for blockchains
More articles on permissioned blockchains (2018 – today), by Martin Rupp, Priyank Kumar, Ulrich Scholten, Asim Mehmood, Dawn M. Turner and more
More articles on eIDAS (2018 – today), by Gaurav Sharma, David McNeal and more
More articles on HSMs (2018 – today) by Terry Anton, Dawn M. Turner and more