Free Trial
Contact Us
Podcast

Root Causes 41: What Is Blockchain's Killer App?

Hosted by
Tim Callan
Tim Callan
Chief Compliance Officer
Jason Soroko
Jason Soroko
Fellow
Original broadcast date
October 3, 2019

Our hosts frequently run into the assumption that blockchain and PKI are extremely similar technologies and are possibly even competitive to each other. While the two approaches accomplish some related goals, they are very different in how they work and ultimately accomplish different ends. Join us as we explain what blockchain actually does and how it compares to PKI, including some examples of use cases that are appropriate for each of these technologies.

Podcast Transcript

Lightly edited for flow and brevity.
Tim CallanTim CallanThis was a “Jay picks the topic day,” and you have chosen blockchain.
Jason SorokoJason SorokoYeah, it’s the elephant in the room. I do find, and Tim you and maybe some of the listeners might agree, boy, that term seems to come up a lot.

It’s come up so much, it’s just like a movie star that might’ve had too much exposure. You know people get tired of seeing their pictures. People sometimes get tired of hearing about blockchain.

I think this podcast today is going to be a real quick one where you and I talk about where it’s important and in fact, we might even want to title this podcast something around killer app. In other words, what’s blockchain really good at?
Tim CallanTim CallanAnd what is a blockchain killer app?
Jason SorokoJason SorokoYeah, and obviously blockchain has been advertised as great for everything. You know slice and dice. But blockchain is really not a good Swiss army knife. In terms of a technology, it does some things incredibly well, but those things are fairly narrow, and people need to know what they are.
Tim CallanTim CallanYou touched on so many important things about blockchain here. One of which is the hype cycle for blockchain has just been so extreme. It got hyped so high it is now in the process of crashing down into a deep troth, and ideally when we come out of that there will be a sensible understanding of a sensible and important technology that does, as you say, a narrow set of things but important things quite well. Used properly it is very helpful, but there absolutely is this idea that we’re going to do everything with blockchain.

One of the things that I routinely run into is people who don’t fundamentally understand the difference between blockchain and PKI, pure and simple. And cryptography. They just kind of have all these ideas mixed up in their minds. And you understand to some degree why, because they accomplish some similar goals, right? It’s about non-reputability. It’s about identifying information very specifically in a way that you know it’s valid.
Jason SorokoJason SorokoYou’re going down one path that I think is worth talking about. Especially for anybody who’s tuned into this podcast, because typically you’re coming in from the PKI world or the authentication world, and you’re scratching your head about blockchain, and I think that might be a place to start. So obviously we title this, something of the term killer app. The most obvious killer app is cryptocurrency.
Tim CallanTim CallanFor sure.
Jason SorokoJason SorokoIt is absolutely the killer app for blockchain technology because the whole concept of this is an agreed-upon set of values amongst multiple people. It’s kind of funny, people forget what money is. But that really is what money is and there are a lot of arguments: Is it currency? Is it not currency?, and what’s the definition of that?

I want to take it more from the technological standpoint of what’s underlying this. If you tuned in today to hear all about the math behind it, you’re going to be disappointed; you’re going to have to wait for a future podcast.

So Tim, if you and I are doing business together, we don’t know who each other are, and therefore we don’t necessarily trust each other. But we’ve successfully committed a transaction, and we were using any system, say PKI. I have a certificate, you have a certificate, then, we were going to do some sort of a transaction with a third-party that we don’t know yet and haven’t established a relationship. When that third-party comes in, we don’t know if this person is trustworthy or not, and if this person has been issued from a centralized certificate authority: A PKI certificate, just as an example of a technology.
Tim CallanTim CallanIf you have a certificate revocation list (CRL) or an Online Certificate Status Protocol (OCSP) responder, fundamentally these things are being maintained by the CA. They have to be maintained by the CA because, if we’re all out there making up our own CRL’s or making up our own OCSP responses, then of course the bad guy can just say, “No, it’s not on the list. Here’s my spoofed list.” So in this case the word, authority makes sense. It actually does have to be the certificate authority that is saying these certs are valid, or these certs are not valid.
Jason SorokoJason SorokoPerfect. And that works because the CA is essentially maintaining that database, so it works for multitudes of scenarios of authentication. Just think through the numbers of ways that PKI is used on a daily basis. Perhaps, that’ll be another podcast of, “where is PKI?”.

The fact of the matter is it’s in so many use cases it’s almost hard to imagine. And that centralized database, that tiny bit of latency of double checking, you just don’t even think about it. In fact, I know as a certificate authority I think the number is into the billions per day or more of OCSP responder checks that we do, right?
Tim CallanTim CallanOh gosh. I can’t think of having seen that statistic, but it has to be.
Jason SorokoJason SorokoThat’s just the way it works, and people barely think about it. It’s so ubiquitous. It’s been around a long time: It’s tried, It’s true, It’s tested.

Let’s get back to blockchain, and create a real-world scenario. Let’s say, you’re a bank and I'm a person who wants to apply for a loan. Well, in a very simplistic sense one of the ways that it works today is, you’re going to go off to a centralized database to check my credit rating. And there are several major credit rating agencies in North America. That’s pretty cool and It’s worked for an awfully long time. But jeez, wouldn’t it be interesting if I could present to you an artifact, and you could then look me up on a completely public type of system so that I could assert who I am and my credentials of my credit rating that were issued by other entities that I’ve done business with. And they’re not going to be seen by anybody except the people I want to give access to.

Therefore, essentially there’s no revocation check. You’re not checking to see if I'm a bad guy or a good guy based off of a centralized database. You’re checking out what is essentially a publicly distributed system. Which then can vet out what I'm claiming.
Tim CallanTim CallanIt’s a distributed consensus-based system.
Jason SorokoJason SorokoYeah. Which is why a killer app for blockchain is cryptocurrency. Because when you’re talking about currency, and we’re trading currency between one another for goods and services or whatever it is we’re doing. That’s, that ability to then say, “Hey is that real? Is that a real bit of money, a real bit of cryptocurrency?” The answer is yes or no, extremely quickly. And so therefore, the example I just gave you of credit ratings, or if I'm going to a doctor who’s never met me before and they want to see my health records, that’s perhaps another killer app.

So, think about all the scenarios where the lookup of someone is better when it’s on a distributed system, because of the fact that you want to reduce that latency of checking on a centralized system. That’s just an example.
Tim CallanTim CallanIs there a robustness against attack component to this as well, Jay? Because, I think about a cryptocurrency, if there were a single database of, who owned what, then if you could get into the database you could change who owns what. And one of the advantages of blockchain is that there isn’t that.
Jason SorokoJason SorokoRight on, Tim. What we are now talking about, and this could earn itself an entire podcast all by itself, is the concept of hash chaining.

Let me give you an example of hash chaining that’s near and dear to your heart, and that’s the certificate transparency logs. That is in technical terms, a one-way Merkle tree: Every single certificate that’s issued by a CA has a record that’s appended to the certificate transparency log. It cannot be modified, It cannot be deleted, It’s only one way. And, if there’s a mistake that’s made, the correction to the mistake record is added, and then you add the new record that makes the correction. And that is why you often hear about blockchain as a distributed ledger. It is absolutely a ledger because there’s no such thing as changing a record on a blockchain. You merely add records to it.
Tim CallanTim CallanIt’s a chain of blocks, you add another block to the chain. So, we say blockchain. A lot of people don’t think about the etymology of that word, but that’s absolutely what it is. You’re chaining these blocks and each block is the latest entry in the ledger.
Jason SorokoJason SorokoYeah, and to answer your question about, “what’s the basis for why we trust this in some way?” It’s because of the hashing algorithm, one, after another, after another, after another. In other words, the math behind the double check, just to get down to real basic English language, is based off of the previous record and all the previous records. So therefore, a change to any part of the ledger would mean that it has been compromised and it’s noticeable immediately.
Tim CallanTim CallanSo, an analogy for our PKI friends would be: When I sign with a certificate, if I were to go in and change anything inside, let’s say a piece of signed code or an e-signed document. Then if you go and you make any change inside of that code or that e-signed document, it no longer matches the hash. It’s something similar going on here. The blocks are expecting all the previous blocks to be the same and if I go in and I monkey with that in the file, then I get a disconnect and a failure.
Jason SorokoJason SorokoThat’s exactly right, Tim. Here’s what is interesting because beyond cryptocurrency, which has a specific implementation of blockchain. What I don’t think a lot of people realize, and we are going to cover this in future podcasts, is there are all kinds of blockchain implementations out there, for different reasons. So, when you were talking about what’s the killer app for blockchain, that’s when knowing the different types of underlying math and technologies, and consensus algorithms, and all those kinds of good things. You can start to be much more powerful and precise in understanding what type of blockchain implementation might be best for what you’re trying to do. Then I think Tim, what we’ll do on future podcasts as well, is we will compare it directly to PKI: “Why you use one? Why you use the other?” And perhaps very importantly, what’s the difference between public blockchains and private blockchains and where does PKI fit in an authentication mechanism within private blockchains? Stay tuned.
Tim CallanTim CallanAbsolutely, stay tuned. And all of this is important stuff and again, I run into a lot of people who seem to not understand how these things fit together. I love to cover that. And, I also love the idea that you’ve just touched on which is blockchain as a technology on its own, wouldn’t be able to really solve most of its use cases. It’s working at a hybridized environment and that pretty much includes PKI anyway. So, these are all interesting things. We will get into them for sure.

Stay informed with expert insights

Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!

Listen on Apple PodcastsListen on SpotifyListen on SoundCloud