
Network and Computer Security: Validation of Cryptographic Currencies as Safe Funds

Samuel X. Chandler, Electrical Engineering Junior, Northeastern University


I. Abstract

II. Introduction

Cryptographic currencies, or cryptocurrencies, are peer-to-peer digital currencies used to make low-cost transactions between people using open source software. Examples of these cryptocurrencies include Bitcoin, Litecoin, Dogecoin and Digitalcoin. The common links between these currencies that classify them as cryptocurrencies include peer-to-peer networking, mining verification, cryptographic security, and low-fee transactions.

Peer-to-peer networking means that cryptocurrencies are decentralized. No one person or organization owns or runs a cryptocurrency. The network is kept alive by miners verifying transactions and by people exchanging currencies. When two people send or receive cryptocurrency to each other's virtual wallets, the transfer is put into a transaction log and then grouped with other transactions into what is called a block. This block is then verified by someone running software called a miner, which attempts to crack an algorithm to verify all of the transactions. When a miner succeeds in solving this algorithm, they are rewarded with new coins and with the small transaction fees that peers spent to send the currency to each other. This proof-of-work system continues and trends with a logarithmic function so there can't be an overproduction of currencies.

All cryptocurrencies are secured by computer cryptography for protection against hackers and viruses. Since there is no central authority running cryptocurrencies, the fees to exchange are extremely low regardless of location. Someone in Africa could send someone in America 2 dollars with a fee of a few cents and a verification time of a couple of minutes. Because cryptocurrencies have the potential to unite countries into one global economy and also serve as a medium of exchange for people who want privacy from banks and the government, recent attention has come to their future validity.
This paper will review the future validity of cryptocurrencies from the viewpoint of computer and network security, emphasizing the strengths and weaknesses of cryptocurrency security and possible future solutions to the weaknesses.

III. Basic Concepts of Computer Security
Because of the extremely fast technological advances of the past decades, computer security advances have become necessary to protect information. Online commerce has become extremely popular, to the point where most people do their shopping online. To combat hackers snooping in on people's purchases, Hypertext Transfer Protocol Secure (HTTPS) was implemented for protection. HTTPS was created by combining Hypertext Transfer Protocol (HTTP) with the Transport Layer Security (TLS) protocol. HTTP, the original method for distributed online data, was subject to middle-man snooping and needed upgrading because of this new e-commerce. TLS offers more security by encrypting information as it is being sent, so hackers only receive encrypted forms of the original information. Encrypted data has become very popular for securing online information because it gives hackers an extremely difficult time deciphering messages even if they can tap into the data stream.

Fig. 1. A simplified pictographic representation of a TLS protocol exchange between a client or user and the server or data receiver.

There are many different forms of encryption, but the main focus of this paper will be on the encryptions used for cryptocurrencies, namely SHA-256 and Scrypt encryption.

A. TLS Protocol
The TLS Protocol claims to give companies a guaranteed secure method for customers sending money and information via the internet. This Protocol can be broken down into the following steps. If at any point one of these steps is not satisfied, the connection is broken. These steps are summarized in Fig. 1.

1. The user asks the receiver to establish connection.
2. The receiver responds with a message verifying connection.
3. The receiver sends a TLS certificate verifying the secure connection. This certificate needs to be bought from a third party who will install a unique software on the company's servers.
4. The receiver requests that the user sends a TLS certificate to verify security on both sides of the connection.
5. The user sends a TLS certificate.
6. The user sends a session key and the server's public key. The session key can be thought of as a password specifically for this information being sent and received. The server's public key is a password that is specific for every data transfer done with the server using TLS.
7. The user and receiver make one final verification that the data will be exchanged in the next phase and that this data will be encrypted with the session key made in step 6.
8. The user sends the encrypted data.
9. Both parties send a finished verification message.

All of these steps are encrypted, so anyone attempting to receive data from these steps will get the encrypted message. Example: message sent - Hello; 3rd party snooper, message received - AjYT68Bj&^(

The TLS protocol benefits from extreme attention to every detail where interference could occur. Multiple verification steps allow for multiple checks of whether the server is legitimate.

B. SHA-256 Encryption
Secure Hashing Algorithm (SHA) was developed by the NSA to create a secure encryption for the Digital Signature Standard for the authentication of United States electronic documents. Several advances of the secure hashing algorithm have been developed to keep up with new technology.

SHA-256 is a version of the NSA's Secure Hashing Algorithm which utilizes a compression algorithm to take an incoming message and divide it into a 512-bit message, then put it through a series of other transforms, finally resulting in an encrypted message. A reverse transform is done on the encrypted message with knowledge of certain constants by the receiving party to end up with the original message. The following formula represents the 512-bit message transform done to the original message, where Wi is the 512-bit message, Mi represents sixteen 32-bit letters of the message being sent, 1 and 2 represent an S-box function (symmetric given algorithm in cryptography) based off of XORed () and rotated to the right (ROTR) functions and XORed shifted to the right functions of S-boxes (SHR).

( )

( )

( )

( )

( )

( )

( )

( )

( )

( )

The encrypted output consists of Bi, Ci, Di, Fi, Gi, from the original predefined 32-bit fixed variables, plus the compressed functions containing the original message Ai+1, Ei+1, Hi+1. Decoding the output requires knowledge of Ai-Hi, Ki, plus the fact that this is an SHA-256 encryption process.

( (

) )

( )

( )

( )

( )

( )

( )

( )

( )

( )

( )

( )

Fig. 2. The first step of the compression process, starting with the eight predefined 32-bit variables Ai-Hi, and also with the equation constraints summed up in (1) Maj(A,B,C), (2) Ch(E,F,G), (3) 0(x), (4) 1(x), (5) Wi, and also with Ki being a fixed constant. The output from this step is the encrypted message.

After the message is expanded into Wi, it is sent through a series of additional transformations shown in Fig. 2. Additional fixed 32-bit variables Ai-Hi are defined and mixed in with the 512-bit message Wi along with a fixed constant Ki. The additional variables are also compressed with two functions, Maj(A,B,C) and Ch(E,F,G), with the following AND() and OR() constraints:
( ) ( ) ( ) ( ) ( )
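The expansion into Wi and the Fig. 2 round built from Maj, Ch and the ROTR/SHR functions, written out as an added example that is not code from the paper. Because the paper's own equations did not survive on this page, the rotation amounts and constants follow the published FIPS 180-4 definition of SHA-256; the names `s0`/`s1` (ROTR and SHR functions), `S0`/`S1` (all-ROTR functions), `schedule`, `compress` and `sha256` are this example's own.

```python
import struct

MASK = 0xFFFFFFFF

def _iroot(n, k):
    """Exact floor of the k-th root of n (binary search, no floats)."""
    lo, hi = 0, 1 << (n.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        lo, hi = (mid, hi) if mid ** k <= n else (lo, mid - 1)
    return lo

# Constants derived as FIPS 180-4 defines them: fractional bits of the square
# roots (initial A..H) and cube roots (Ki) of the first 64 primes.
PRIMES = [p for p in range(2, 312) if all(p % d for d in range(2, p))]
H0 = [_iroot(p << 64, 2) & MASK for p in PRIMES[:8]]
K = [_iroot(p << 96, 3) & MASK for p in PRIMES]

def rotr(x, n): return ((x >> n) | (x << (32 - n))) & MASK
def s0(x): return rotr(x, 7) ^ rotr(x, 18) ^ (x >> 3)      # ROTR, ROTR, SHR
def s1(x): return rotr(x, 17) ^ rotr(x, 19) ^ (x >> 10)    # ROTR, ROTR, SHR
def S0(x): return rotr(x, 2) ^ rotr(x, 13) ^ rotr(x, 22)   # all ROTR
def S1(x): return rotr(x, 6) ^ rotr(x, 11) ^ rotr(x, 25)   # all ROTR
def ch(e, f, g): return (e & f) ^ (~e & g)
def maj(a, b, c): return (a & b) ^ (a & c) ^ (b & c)

def schedule(block):
    """Expand one 512-bit block (sixteen 32-bit words Mi) into 64 words Wi."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 64):
        w.append((s1(w[i - 2]) + w[i - 7] + s0(w[i - 15]) + w[i - 16]) & MASK)
    return w

def compress(state, block):
    """Run the 64 rounds of Fig. 2 on A..H, then add the result to the state."""
    a, b, c, d, e, f, g, h = state
    for k, w in zip(K, schedule(block)):
        t1 = (h + S1(e) + ch(e, f, g) + k + w) & MASK
        t2 = (S0(a) + maj(a, b, c)) & MASK
        a, b, c, d, e, f, g, h = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
    return [(x + y) & MASK for x, y in zip(state, (a, b, c, d, e, f, g, h))]

def sha256(msg):
    """Pad msg, feed it through compress block by block, return the hex digest."""
    pad = b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack(">Q", 8 * len(msg))
    state = H0
    for off in range(0, len(msg + pad), 64):
        state = compress(state, (msg + pad)[off:off + 64])
    return struct.pack(">8I", *state).hex()
```

Comparing `sha256(b"abc")` with `hashlib.sha256(b"abc").hexdigest()` confirms that the schedule and round functions match the standard.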

The S-boxes noted as are the same as the previous S-box functions but are defined in all ROTR instead of ROTR and SHR.

C. Scrypt Encryption
Scrypt encryption was developed in order to make hardware attacks extremely costly and memory intensive. The process of scrypt encryption follows the same equation line as the secure hash algorithm with a twist: implementing an additional mix function ROMixH(B, N).

Parameters:
H: A hash function.
k: Length of output produced by H, in bits.
Integerify: A bijective function from {0,1}^k to {0, ..., 2^k - 1}.

Input:
B: Input of length k bits.
N: Integer work metric, < 2^(k/8).

Output:
B: Output of length k bits.

This scrypt algorithm functions as an assurance that all data will be stored in random access memory (RAM).

IV. Analysis of TLS, SHA-256 and Scrypt Encryption

A. TLS Protocol
TLS Protocol has been around since 1995, and the weaknesses of this method are outlined from anecdotal attacks on servers. The first way low-level computer hackers try to break the TLS protocol is by using invalid TLS certificates. Certificates usually show up in the browser heading, where it will say HTTPS followed by a lock and the TLS owner's company name. If an invalid certificate is present, any browser will notify the user that the site is not secure. This usually will only work on the computer illiterate. The second way is for the computer hacker to obtain valid company TLS certificates and use them. This method involves hacking the company infrastructure and therefore is extremely hard to do for any well-known company with up-to-date security. This can only be done by high-level hackers. A third way is to directly crack the encrypted keys, which usually contain 1024-2048 bytes. This method involves getting past all of the security put forth by the encryption and will be summed up in the next section.

Analyzing these methods shows that the only easy way to overcome the TLS protocol is to create fraudulent certificates, and even then, the user is always warned of the fraudulent HTTPS. TLS proves that a credible company using TLS as a form of security is very hard to hack, based on the steps taken to verify the user and server parties at every step. Because of all of the TLS checkpoints and required certificates, keys, and encryption knowledge, it is very hard to hack through parties using TLS.

B. SHA-256 and Scrypt encryption
Statistical analysis of SHA-256 shows that there are some weaknesses in the system. Using 8 random tests with a set limit of statistical process control threshold (SPCT), a study found samples that were out of the accepted SPCT range. An ideal encryption creates a level hardiness regardless of what method a hacker uses to attempt to crack a system. Hackers knowing what inputs provoked this reaction could abuse them; however, the SPCT only shows that there is a range of inputs that make certain encryptions easier to crack. This does not mean that cracking the encryption is easy. For example, if an encryption is extremely hard to crack, easier than extremely hard to crack is still extremely hard to crack. From the encrypted equations shown in section III, there are 2^256 * the length of the message possible solutions to an SHA-256 encryption, so brute force hacking (running a program that cycles through random solutions) would take several lifetimes if the user has a secure password. The key component of SHA-256 encryption is the necessity of a secure password. If the encryption is run through a protocol like TLS then it will be secure, since the encryption password will be set to a high-digit string, but if the encryption password is left up to users, then the security of the encryption is directly proportional to how long and random the password is.
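The ROMixH(B, N) mix function from the Scrypt section, as an added example that is not code from the paper; it follows the two-phase structure in Percival's scrypt paper. Using SHA-256 as H (so k = 256), a little-endian Integerify, and the names `romix`, `integerify`, `xor` and `SAMPLE_B` are assumptions of this example; real scrypt instantiates H differently.

```python
import hashlib

def H(data: bytes) -> bytes:
    """Hash function H with k = 256 output bits (SHA-256 chosen for this example)."""
    return hashlib.sha256(data).digest()

def integerify(x: bytes) -> int:
    """Bijection from {0,1}^k to {0, ..., 2^k - 1}: read the bits as an integer."""
    return int.from_bytes(x, "little")

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def romix(b: bytes, n: int):
    """ROMix_H(B, N). Returns (output, table) so the memory cost is visible."""
    k = 8 * len(H(b""))
    if 8 * len(b) != k:
        raise ValueError("B must be exactly k bits long")
    if not 1 <= n < 2 ** (k // 8):
        raise ValueError("N must satisfy 1 <= N < 2^(k/8)")
    x, v = b, []
    for _ in range(n):            # phase 1: fill the table V with a hash chain
        v.append(x)
        x = H(x)
    for _ in range(n):            # phase 2: N lookups whose index depends on x
        j = integerify(x) % n     # unpredictable until the previous hash is known
        x = H(xor(x, v[j]))
    return x, v

# Constructed sample input: a k-bit block derived from a made-up passphrase.
SAMPLE_B = H(b"constructed example passphrase")

if __name__ == "__main__":
    out, table = romix(SAMPLE_B, 1024)
    print(out.hex(), "table bytes held in RAM:", sum(len(e) for e in table))
```

Because the index j in phase 2 depends on the hash just computed, the whole table of N entries has to stay in RAM (or be recomputed), which is where the memory cost comes from.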

V. Cryptocurrency Security

A. Online Wallet security
Storing your virtual wallet online seems convenient and simple, plus the 3rd party will usually guarantee storage security. The problem with this guarantee is that these virtual currencies are still very much in their infancy; therefore you are trusting strangers with your cryptocurrency. The companies that have been around since the very start of the cryptocurrencies have still only been around for a couple of years. This idea was stressed when one of the most reputable Bitcoin exchange websites filed for bankruptcy with thousands of people's Bitcoins left unclaimed. Assuming you can guarantee security online and they are using the TLS protocol with transactions, online wallets could potentially be secure based on the analysis in section IV.

B. Offline Wallet security
Storing your virtual wallet offline with the cryptocurrency software means that you are taking all variables out of the equation with the exception of SHA-256/Scrypt encryption security. Based on the analysis in section IV done for the encryption security, it can be said that with a lengthy password (256 bits) for encryption, your cryptocurrency will theoretically be safe from anyone who tries to directly hack your wallet. The only alternative to brute force hacking the offline wallet is for someone to directly gain access to the passcode by snooping around your computer and finding it saved somewhere, or by you somehow revealing the information to a third party.

V. Conclusion
This paper reviewed the future validity of cryptocurrencies solely based on computer and network security ideas such as encryption and SSL protocol. Analysis of SSL protocol revealed that with a proper company-run server, security is good. However, considering the infancy of cryptocurrencies, there is no credible 3rd party to be trusted at this point in time, so online storage of virtual currencies should be avoided. Analysis of SHA-256 and Scrypt encryptions revealed that the encryption system is very secure only if the user provides a lengthy passcode to avoid brute force hacking. There are some weaknesses in the system based on statistical analysis, but these are also irrelevant if the password is long enough. Future research into improving SHA-256 and Scrypt encryptions should be aimed at improving the randomness compression functions, namely equations (4) and (5). The statistical analysis revealed that because the encryption wasn't completely random, improving the fundamental equations would yield an overall improvement of the randomness.
