Security Problem Definition and Security Objectives of Cryptocurrency Wallets in Common Criteria
Yıl 2020,
Cilt: 13 Sayı: 2, 157 - 165, 30.04.2020
Yasir Bulut
,
İsa Sertkaya
Öz
Bitcoin paper gave birth to a new era; cryptocurrencies aiming distributed trust model. Almost all the cryptocurrencies require their users individually manage their own cryptographic keys, provide or recommend use of cryptocurrency wallets. A wallet, which at least stores public-private keys and addresses, is one of the key points for end-users' security. Since the authentication of a transaction strictly depends on private keys, any adversary who gains access to a wallet may seize all the coins within. Hence, cryptocurrency wallet solutions should be carefully analyzed and better to be certified if possible. In this study, we aim to define the security problems and objectives necessary for the development of a certified product that can stand against the known attacks within the Framework of Common Criteria (CC). We believe this would be a brief source for cryptocurrency wallet Protection Profile (PP) and Security Target (ST) documents.
Kaynakça
- S. Nakamoto, “Bitcoin: A Peer-to-Peer Electronic Cash System”, 2008.
- S. Guler, Secure Bitcoin Wallet, Master’s Thesis, KTH, School of Information and Communication Technology, Stockholm, Sweden, 2015.
- S. Eskandari, D. Barrera, E. Stobert, J. Clark,” A First Look at the Usability of Bitcoin Key Management”, Internet Society, doi:10.14722/usec.2015.23015, 2015.
- O. Boireau, “Securing the blockchain against hackers”, Network Security, 2018(1), 8-11. doi:10.1016/S1353-4858(18)30006-0, 2018.
- T. Bamert, C. Decker, R. Wattenhofer, S. Welten, “BlueWallet: The secure Bitcoin wallet”, Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 8743, 65–80, 2014.
- J. H. Mosakheil, “Security Threats Classification in Blockchains”, Culminating Projects in Information Assurance, 2018.
- Internet: A. Rosic, 5 high profile cryptocurrency hacks. https://blockgeeks.com/guides/cryptocurrency-hacks/, 2017.
- R. Juzenaite, “Security vulnerabilities of cryptocurrency exchanges”, Infosec Instittute, 2018.
- Internet: J. Kirk, Cryptocurrency exchanges lost 882 million to hackers. https://www.bankinfosecurity.com/ cryptocurrency-exchanges-lost-882-million-to-hackers-a-11624, October 2018.
- G. Karame, E. Androulaki, Bitcoin and blockchain security, Boston: Artech House, 2016.
- M. Conti, E. S. Kumar, C. Lal, S. Ruj, “A Survey on Security and Privacy Issues of Bitcoin”, IEEE Communications Surveys & Tutorials, 20(4). doi: 10.1109/COMST.2018.2842460, 2018.
- M. Tanriverdi, M. Uysal, M. Üstündağ, “Blokzinciri Teknolojisi Nedir? Ne Değildir?: Alanyazın İncelemesi”, Bilişim Teknolojileri Dergisi. 203-217. 10.17671/gazibtd.547122, 2019.
- Internet: J. Weiczner, Hackers Stole $50 Million in Cryptocurrency Using ‘Poison’ Google Ads. http://fortune.com, 14 February 2018.
- T. Volety, S. Saini, T. Mcghin, C. Z. Liu, K.-K. R. Choo, “Cracking Bitcoin wallets: I want what you have in the wallets”, Future Generation Computer Systems, 91, 136–143. doi: 10.1016/j.future.2018.08.029, 2019.
- R. Houben, A. Snyers, Cryptocurrencies and blockchain: legal context and implications for financial crime, money laundering and tax evasion, Brussels: European Parliament, 2018.
- Internet: Security: Threats, https://wiki.trezor.io/Security:Threats#Hacking_SatoshiLabs_servers.
- Internet: P. Marek, R. Pavol, V. Aaron, B. Sean, Mnemonic code for generating deterministic keys, https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki, 10 September 2013.
- A. M. Antonopoulos, Mastering Bitcoin: Unlocking Digital Crypto-Currencies, California, USA: O'Reilly Media Inc., 2014.
- N. Courtois, P. Emirdag, F. Valsorda, “Private Key Recovery Combination Attacks: On Extreme Fragility of Popular Bitcoin Key Management, Wallet and Cold Storage Solutions in Presence of Poor RNG Events”, IACR Cryptology ePrint Archive, 2014, 848, 2014.
- Technical Committee ISO/IEC JTC 1 SC 27, ISO/IEC TR 15446:2017 Information technology - Security techniques - Guidance for the production of protection profiles and security targets, Geneva, Switzerland, 2017.
- M. Gregg, CISSP Exam Cram, Fourth Edition. USA: Pearson IT Certification, 29 August 2016.
- Common Criteria Development Board, Common Criteria for Information Technology Security Evaluation Part 1, 2017.
- E. Karataş, “Developing Ethereum Blockchain-Based Document Verification Smart Contract for Moodle Learning Management System”, Bilişim Teknolojileri Dergisi, 11(4), 399-406, DOI: 10.17671/gazibtd.452686, 2018.
- S. Y. Kang, J. H. Park, M. K. Khan, J. Kwak, “Study on the common criteria methodology for secure ubiquitous environment construction”, Journal of Intelligent Manufacturing, 23(4), 933-939, 2009.
- S. P. Kaluvuri, M. Bezzi, Y. Roudier, “A Quantitative Analysis of Common Criteria Certification Practice”, Trust, Privacy, and Security in Digital Business Lecture Notes in Computer Science, 132-143, 2014.
- Bundesamt für Sicherheit in der Informations technik (BSI), Guidelines for Developer Documentation according to Common Criteria Version 3.1., 2007.
- A. Bialas, “Ontology-Based Security Problem Definition and Solution for the Common Criteria Compliant Development Process”, 2009 Fourth International Conference on Dependability of Computer Systems, 3-10. Brunow, Poland, 2009.
- Common Criteria Development Board, Common Criteria for Information Technology Security Evaluation Part 3, 2017.
- Bundesamt für Sicherheit in der Informations technik (BSI), Security IC Platform Protection Profile with Augmentation Packages, BSI-CC-PP-0084-2014, 2014.
- F. X. Standaert, “Introduction to side-channel attacks”, Secure integrated circuits and systems, 27-42. Springer, 2010.
- R. Sachova, M. M. Marcos, S. H. Revetti, Security of Mobile Payments and Digital Wallets, European Union Agency for Network and Information Security, 2016.
- Trusted Computing Group, Protection Profile PC Client Specific TPM, 2014.
- A. Garba, Z. Guan, A. Li, Z. Chen, “Analysis of Man-In-The-Middle of Attack on Bitcoin Address”, ICETE 2018, 388-395. 10.5220/0006864003880395, 2018.
- Full Drive Encryption International Technical Community, Collaborative Protection Profile for Full Drive Encrytion Authorization Acquisition, 1 February 2019.
- Internet: A. Rosic, Paper Wallet Guide: How to Protect Your Cryptocurrency, https://blockgeeks.com/guides/paper-wallet-guide/, 2017.
- C. H. Kateraas, Threats to Bitcoin Software, Master’s Thesis, Norwegian University of Science and Technology Department of Computer and Information Science, 2014.
- Internet: L. King, Bitcoin Hit by Massive DDoS Attack as Tensions Rise. www.forbes.com, 12 February 2014.
- K. Fanning, D. P. Centers, “Blockchain and Its Coming Impact on Financial Services”, J. Corp. Acct. Fin, 27(5), 53-57. doi:10.1002/jcaf.22179, 2016.
- D. Dasgupta, J. Shrein, K. D. Gupta, “A survey of blockchain from security perspective”, Journal of Banking and Financial Technology, 10.1007/s42786-018-00002-6, 2019.
- D. Mellado, E. Fernández-Medina, M. Piattini, “A common criteria based security requirements engineering process for the development of secure information systems”, Computer Standards & Interfaces. 29. 244-253. 10.1016/j.csi.2006.04.002, 2007.
- O. Taş, F. Kiani, “Blok Zinciri Teknolojisine Yapılan Saldırılar Üzerine bir İnceleme”, Bilişim Teknolojileri Dergisi, 11(4) , 369-382, 2018.
- I. Bashir, Mastering blockchain distributed ledgers, decentralization, and smart contracts explained, Birmingham: Packt Publishing, 2018.
- R. Richards, D. Greve, M. Wilding, W. M. Vanfleet, “The Common Criteria, Formal Methods and ACL2”, ACL2 Workshop 2004, Texas, USA, 2004.
Kripto Para Cüzdanlarının Ortak Kriterler’de Güvenlik Problemi Tanımı ve Güvenlik Hedefleri
Yıl 2020,
Cilt: 13 Sayı: 2, 157 - 165, 30.04.2020
Yasir Bulut
,
İsa Sertkaya
Öz
Bitcoin makalesi, dağıtık güven modelini amaçlayan kripto para birimlerinin ortaya çıkmasını sağlamıştır. Neredeyse tüm kripto para birimleri, kullanıcılarının kendi kriptografik anahtarlarını bireysel olarak yönetmelerini veya kripto para birimi cüzdanlarını kullanmalarını zorunlu hale getirmektedir. Açık-özel anahtar çiftlerini ve kullanıcı adreslerini saklayan cüzdanlar, son kullanıcıların güvenliği için kilit noktalardan birisidir. Bir işlemin gerçekleştirilmesi tamemen özel anahtarlara bağlı olduğundan, cüzdana erişen herhangi bir saldırgan, bu özel anahtarlara bağlı tüm paraları ele geçirebilir. Bu nedenle, kripto para cüzdanları dikkatlice analiz edilmeli ve mümkünse sertifikalandırılmalıdır. Bu çalışmada, Ortak Kriterler çerçevesinde, bilinen saldırılara karşı dayanıklı sertifikalı bir ürünün geliştirilmesi için gerekli güvenlik problemleri ve hedeflerinin tanımlanması amaçlanmaktadır. Bu çalışmanın kripto para birimi cüzdanı Koruma Profili ve Güvenlik Hedefi dokümanları için temel bir kaynak teşkil etmesi hedeflenmiştir.
Kaynakça
- S. Nakamoto, “Bitcoin: A Peer-to-Peer Electronic Cash System”, 2008.
- S. Guler, Secure Bitcoin Wallet, Master’s Thesis, KTH, School of Information and Communication Technology, Stockholm, Sweden, 2015.
- S. Eskandari, D. Barrera, E. Stobert, J. Clark,” A First Look at the Usability of Bitcoin Key Management”, Internet Society, doi:10.14722/usec.2015.23015, 2015.
- O. Boireau, “Securing the blockchain against hackers”, Network Security, 2018(1), 8-11. doi:10.1016/S1353-4858(18)30006-0, 2018.
- T. Bamert, C. Decker, R. Wattenhofer, S. Welten, “BlueWallet: The secure Bitcoin wallet”, Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 8743, 65–80, 2014.
- J. H. Mosakheil, “Security Threats Classification in Blockchains”, Culminating Projects in Information Assurance, 2018.
- Internet: A. Rosic, 5 high profile cryptocurrency hacks. https://blockgeeks.com/guides/cryptocurrency-hacks/, 2017.
- R. Juzenaite, “Security vulnerabilities of cryptocurrency exchanges”, Infosec Instittute, 2018.
- Internet: J. Kirk, Cryptocurrency exchanges lost 882 million to hackers. https://www.bankinfosecurity.com/ cryptocurrency-exchanges-lost-882-million-to-hackers-a-11624, October 2018.
- G. Karame, E. Androulaki, Bitcoin and blockchain security, Boston: Artech House, 2016.
- M. Conti, E. S. Kumar, C. Lal, S. Ruj, “A Survey on Security and Privacy Issues of Bitcoin”, IEEE Communications Surveys & Tutorials, 20(4). doi: 10.1109/COMST.2018.2842460, 2018.
- M. Tanriverdi, M. Uysal, M. Üstündağ, “Blokzinciri Teknolojisi Nedir? Ne Değildir?: Alanyazın İncelemesi”, Bilişim Teknolojileri Dergisi. 203-217. 10.17671/gazibtd.547122, 2019.
- Internet: J. Weiczner, Hackers Stole $50 Million in Cryptocurrency Using ‘Poison’ Google Ads. http://fortune.com, 14 February 2018.
- T. Volety, S. Saini, T. Mcghin, C. Z. Liu, K.-K. R. Choo, “Cracking Bitcoin wallets: I want what you have in the wallets”, Future Generation Computer Systems, 91, 136–143. doi: 10.1016/j.future.2018.08.029, 2019.
- R. Houben, A. Snyers, Cryptocurrencies and blockchain: legal context and implications for financial crime, money laundering and tax evasion, Brussels: European Parliament, 2018.
- Internet: Security: Threats, https://wiki.trezor.io/Security:Threats#Hacking_SatoshiLabs_servers.
- Internet: P. Marek, R. Pavol, V. Aaron, B. Sean, Mnemonic code for generating deterministic keys, https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki, 10 September 2013.
- A. M. Antonopoulos, Mastering Bitcoin: Unlocking Digital Crypto-Currencies, California, USA: O'Reilly Media Inc., 2014.
- N. Courtois, P. Emirdag, F. Valsorda, “Private Key Recovery Combination Attacks: On Extreme Fragility of Popular Bitcoin Key Management, Wallet and Cold Storage Solutions in Presence of Poor RNG Events”, IACR Cryptology ePrint Archive, 2014, 848, 2014.
- Technical Committee ISO/IEC JTC 1 SC 27, ISO/IEC TR 15446:2017 Information technology - Security techniques - Guidance for the production of protection profiles and security targets, Geneva, Switzerland, 2017.
- M. Gregg, CISSP Exam Cram, Fourth Edition. USA: Pearson IT Certification, 29 August 2016.
- Common Criteria Development Board, Common Criteria for Information Technology Security Evaluation Part 1, 2017.
- E. Karataş, “Developing Ethereum Blockchain-Based Document Verification Smart Contract for Moodle Learning Management System”, Bilişim Teknolojileri Dergisi, 11(4), 399-406, DOI: 10.17671/gazibtd.452686, 2018.
- S. Y. Kang, J. H. Park, M. K. Khan, J. Kwak, “Study on the common criteria methodology for secure ubiquitous environment construction”, Journal of Intelligent Manufacturing, 23(4), 933-939, 2009.
- S. P. Kaluvuri, M. Bezzi, Y. Roudier, “A Quantitative Analysis of Common Criteria Certification Practice”, Trust, Privacy, and Security in Digital Business Lecture Notes in Computer Science, 132-143, 2014.
- Bundesamt für Sicherheit in der Informations technik (BSI), Guidelines for Developer Documentation according to Common Criteria Version 3.1., 2007.
- A. Bialas, “Ontology-Based Security Problem Definition and Solution for the Common Criteria Compliant Development Process”, 2009 Fourth International Conference on Dependability of Computer Systems, 3-10. Brunow, Poland, 2009.
- Common Criteria Development Board, Common Criteria for Information Technology Security Evaluation Part 3, 2017.
- Bundesamt für Sicherheit in der Informations technik (BSI), Security IC Platform Protection Profile with Augmentation Packages, BSI-CC-PP-0084-2014, 2014.
- F. X. Standaert, “Introduction to side-channel attacks”, Secure integrated circuits and systems, 27-42. Springer, 2010.
- R. Sachova, M. M. Marcos, S. H. Revetti, Security of Mobile Payments and Digital Wallets, European Union Agency for Network and Information Security, 2016.
- Trusted Computing Group, Protection Profile PC Client Specific TPM, 2014.
- A. Garba, Z. Guan, A. Li, Z. Chen, “Analysis of Man-In-The-Middle of Attack on Bitcoin Address”, ICETE 2018, 388-395. 10.5220/0006864003880395, 2018.
- Full Drive Encryption International Technical Community, Collaborative Protection Profile for Full Drive Encrytion Authorization Acquisition, 1 February 2019.
- Internet: A. Rosic, Paper Wallet Guide: How to Protect Your Cryptocurrency, https://blockgeeks.com/guides/paper-wallet-guide/, 2017.
- C. H. Kateraas, Threats to Bitcoin Software, Master’s Thesis, Norwegian University of Science and Technology Department of Computer and Information Science, 2014.
- Internet: L. King, Bitcoin Hit by Massive DDoS Attack as Tensions Rise. www.forbes.com, 12 February 2014.
- K. Fanning, D. P. Centers, “Blockchain and Its Coming Impact on Financial Services”, J. Corp. Acct. Fin, 27(5), 53-57. doi:10.1002/jcaf.22179, 2016.
- D. Dasgupta, J. Shrein, K. D. Gupta, “A survey of blockchain from security perspective”, Journal of Banking and Financial Technology, 10.1007/s42786-018-00002-6, 2019.
- D. Mellado, E. Fernández-Medina, M. Piattini, “A common criteria based security requirements engineering process for the development of secure information systems”, Computer Standards & Interfaces. 29. 244-253. 10.1016/j.csi.2006.04.002, 2007.
- O. Taş, F. Kiani, “Blok Zinciri Teknolojisine Yapılan Saldırılar Üzerine bir İnceleme”, Bilişim Teknolojileri Dergisi, 11(4) , 369-382, 2018.
- I. Bashir, Mastering blockchain distributed ledgers, decentralization, and smart contracts explained, Birmingham: Packt Publishing, 2018.
- R. Richards, D. Greve, M. Wilding, W. M. Vanfleet, “The Common Criteria, Formal Methods and ACL2”, ACL2 Workshop 2004, Texas, USA, 2004.