IoT and Blockchain. A match made in heaven?
2017-06-27 Andreas Schaad
When I last googled Blockchain, 21 million results were returned, and I am sure this number is on the rise as government agendas, panels at international trade shows, and every vendor dealing in IT security are touching upon this technology. Blockchain has grown in popularity as cryptocurrencies have shaken the markets and opened new opportunities to make or lose huge sums of money.
In our constant process of managing our technical portfolio, we monitor emerging technologies such as Blockchain and verify whether they can be applied to our ongoing architectural transition towards complete and integrated cloud-based licensing and software protection in IoT and enterprise application management scenarios alike.
Let’s take a closer look at the technology that is behind the success of Blockchain. The core idea of a Blockchain is to provide a distributed database (often referred to as a ledger). Each record is represented by a block that contains a timestamp and reference to the previous block. A block may contain data such as financial transactions or records of generic events. In the context of Wibu-Systems applications, such a record may include software licensing information.
In a distributed system where peers do not necessarily trust each other, a decentralized and distributed database would ideally implement a set of desirable properties:
- there is no need for a central broker or trusted third party
- the blocks are public (within the peer group) and can be verified by any participant
- the blocks are resistant to modification unless the peers reach consensus
- a ledger can contain executable code based on defined conditions (smart contracts)
In a nutshell, a Blockchain tries to approximate a decentralized and distributed digital ledger that is used to record transactions across many computers so that the record cannot be altered retroactively without the alteration of all subsequent blocks and the collusion of the network.
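An added example, not Wibu-Systems code: a single-node hash chain in Python showing why an edit to one block is detected unless every later block is recomputed as well. The record fields, the `demo-license` name and the timestamps are constructed for illustration, and there is no consensus, signing or networking here.

```python
import hashlib
import json

GENESIS = "0" * 64  # stand-in "previous hash" for the first block

def block_hash(block):
    """SHA-256 over the block's fields, excluding the stored hash itself."""
    body = {k: block[k] for k in ("index", "timestamp", "prev_hash", "data")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_block(chain, timestamp, data):
    """Append a record that references the hash of the previous block."""
    prev = chain[-1]["hash"] if chain else GENESIS
    block = {"index": len(chain), "timestamp": timestamp,
             "prev_hash": prev, "data": data}
    block["hash"] = block_hash(block)
    chain.append(block)

def first_invalid(chain):
    """Return the index of the first block failing verification, else None."""
    prev = GENESIS
    for i, block in enumerate(chain):
        linked = block["index"] == i and block["prev_hash"] == prev
        if not linked or block["hash"] != block_hash(block):
            return i
        prev = block["hash"]
    return None

def build_sample_chain():
    """Constructed sample: a 100-unit license grant followed by three uses."""
    chain = []
    append_block(chain, 1498550400, {"license": "demo-license", "units": 100})
    for n in range(1, 4):
        append_block(chain, 1498550400 + 60 * n, {"license": "demo-license", "units": -1})
    return chain

def remaining_units(chain):
    """Evaluate the balance in program logic, only over a verified chain."""
    if first_invalid(chain) is not None:
        raise ValueError("ledger failed verification")
    return sum(block["data"]["units"] for block in chain)

if __name__ == "__main__":
    chain = build_sample_chain()
    print("remaining units:", remaining_units(chain))
    chain[1]["data"]["units"] = 0            # retroactive edit of one record
    print("first invalid block:", first_invalid(chain))
    chain[1]["hash"] = block_hash(chain[1])  # re-hash only the edited block
    print("first invalid block:", first_invalid(chain))
```

Re-hashing only the edited block moves the break to the next block, whose stored reference no longer matches. This is the property that forces the alteration of all subsequent blocks.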
Another important aspect is that participants in a Blockchain are represented by their public / private key pairs. So, unlike the identity of an Internet service, a Blockchain identity cannot be “confiscated”. Looking at identity management from a different perspective, a Blockchain could be an ideal public database for retrieving certificates or other types of digital identities without the need for trusted third parties. A Blockchain could be a fundamental element in establishing a root of trust regarding device identities in the IoT as well as recording device transactions.
However, the reality differs substantially from this ideal model, as visible in current Blockchain implementations such as Bitcoin. Before a transaction can enter a ledger, some heavy processing is required (solving a hashing problem). Not only is this processing energy-intensive (and impacting our environment on the scale of the CO2 emissions of aircraft); most processing power is also concentrated in only a certain set of geographical locations across the world. Lastly, computing a valid entry to the ledger happens in anything but real time. However, it must be added that Bitcoin is not the only Blockchain implementation, and other implementations such as Ethereum are closer in one or the other aspect to the ideal model.
Besides such technical limitations, our goal is to consider how Blockchain can fit in with our technology portfolio and our customers’ scenarios:
- Recording B2C transactions: Let’s assume a scenario where an ISV has licensed an end user with 100 printing tokens for a 3D Printer. Each time a unit is printed, one token is subtracted from the current balance and the printer refuses to print anymore once the account balance is down to zero.
Questioning the use of Blockchain: Such a typical scenario already raises questions about the usefulness of Blockchain technology. Since this case illustrates a direct interaction between the ISV and the end user, there is no need to publicly record or validate transactions. In fact, current Wibu-Systems’ technology is sufficient to securely manage such “unit counters”.
This situation may change once Wibu-Systems starts offering a fully cloud-based licensing service and consumers begin to require a non-repudiable transaction log.
- Validating B2B transactions: In some cases, a more flexible approach is to allow ISVs to generate licenses on premise and only periodically report back to Wibu-Systems how many licenses were generated (based on reading the values from a hardware module (the FSB) used for generating the licenses).
Questioning the use of Blockchain: While a centralized ledger could be one possible way to record the generation of licenses and later validate the total number, there is only limited reason why this could not be done with a standard database. Whether or not the ISV reports the correct figures is an issue of (socio-)technical trust and separate from the actual storage and validation process. In other words, even if we did implement a private Blockchain, we would still need to ensure that the transactions are generated reliably.
- Evaluating B2C transactions: When software is used based on the conditions stipulated by the ISV, a Blockchain entry could serve as an unforgeable data source to allow the calculation of remaining usage time or allowed feature invocations. However, the evaluation is done by program logic, separate from the actual ledger, unless Smart Contracts are used.
Considering the concept of Smart Contracts, Blockchains such as Ethereum already provide (almost) Turing-complete scripting languages. These could be used to define the execution of code based on transactions. For example, in the context of software licensing, code could be executed once a certain unit counter reaches a defined threshold. Yet again, Blockchains and Smart Contracts are designed for interactions in a network of (untrusted) peers and are thus not the primary choice for the software licensing supply chain.
Overall, at Wibu-Systems, we believe that Blockchain technologies will play an important role in future distributed systems (and are currently peaking on the hype curve), but they do not currently have a natural place in the existing application scenarios of our customers. However, we are actively developing a cloud-based licensing and software protection service (CmCloud) where a private Blockchain could be one possible way to address the non-repudiable logging of license transactions if an acceptable economic cost/benefit ratio for all participants can be met.
Professor of IT Security and Corporate Technology Member at Wibu-Systems
Andreas Schaad is a Professor of IT Security at the University of Applied Sciences Offenburg. Before that he worked at Wibu-Systems AG Corporate Technology, as well as in various technical and managerial IT Security roles for Ernst & Young, SAP Research Security & Trust and HUAWEI Security Research. He holds 13 international patents and authored over 50 publications in the domain of IT Security.