Podcast
Root Causes 51: Blockchain vs PKI
Hosted by
Tim Callan
Chief Compliance Officer
Jason Soroko
Fellow
Original broadcast date
November 19, 2019
In our industry interactions we frequently run into questions about how PKI and blockchain compare with each other. How do they work similarly or differently? Are they surrogates for each other? Are they complimentary? Join us this episode as we explain the details of how blockchain and PKI work, similarities and differences between them, and what use cases are appropriate for each.
Podcast Transcript
Lightly edited for flow and brevity.
Tim CallanSo, we are talking - - it was Jay picks the topic day and we are going to talk about Blockchain versus PKI.
Jason SorokoThanks, Tim. Yeah, you know, for those of you who are Blockchain fatigued, this is where I'll make my initial apology. But I want to bring this up, Tim, just because I am reading articles about Blockchain and PKI and some of its good, and some of it is just I can see there's confusion. I can see that people are looking at Blockchain and going, hey, this is all encryption stuff, or this is a way to avoid man in the middle or this is a way of protecting data. Blockchain just seems to mean so many things to so many people and when it comes to PKI, which has been around for, you know, three decades, plus, I think it's time to really, for you and I, Tim, to kind of dig into what's the difference between the two things? Where do they intersect? And where does the - - what does the future? You know, what, what does it hold for us?Tim CallanYeah, and you can see where the question would come up, right? Where the two technologies do some similar things, employ some similar elements, and you can understand where somebody who isn't steeped in the details might say, hey, are these substitutes for each other? Are they complimentary? Are they like, like, what's the relationship between these two technologies? So, I think clarifying that is a great thing for us to do.Jason SorokoYeah, Tim. Blockchains are really about verifying transaction records.Tim CallanRight.Jason SorokoSo, most of you who probably are thinking about PKI or Blockchain together, might be thinking about, you know, the basic use case of hey, Tim, you and I want to do business together or we want to trade a secret together.Tim CallanRight.Jason SorokoAnd PKI is typically, you know, has been ideal for that for years and years. So, we're talking about SSL certificates, TLS certificates. We're talking about S/MIME certificates, all these things that have been used so that the bearer of that certificate can actually verify the identity of the other entity. So, in other words, if you hold on to a certificate, and perhaps you have signed a challenge that I have given to you, then I can, with your public key, verify, hey, yeah, that actually is you. That is actually a check upon the fact that whoever it is that's trying to authenticate to me is bearing that private key, typically within a certificate. And, you know, that's great. That's fantastic. But the problem with Blockchain is Blockchain is not doing, Blockchain is not the basis of doing that identity validation. Blockchain is really a really cool hashing technique that allows you to verify transaction records. Essentially - - I like the term ledger, Tim, whenever I talk about Blockchain because it really does explain better what Blockchain is versus what PKI is.Tim CallanYeah. It's an immutable ledger. Right? It's an unspoofable ledger.Jason SorokoYes, that's right. That whole unspoofable topic is I think we're - - again, a lot of people are like, well, PKI is unspoofable. Well, yes. But that's if you, you know, if you're encrypting a file, if you're signing a document, if you're, you know, doing those kinds of things. Signing and encrypting. Those things then become, you know, unspoofable or untamperable or, you know, whatever you'd like to call it and Blockchain has those properties, as well. But again, the Blockchain really is the ledger side of things and PKI is about verification of the bearer of a certificate. There's a fairly big difference there.Tim CallanYeah. So, either way, there's an authenticity component, right? But it's authenticity of different things.Jason SorokoYou're correct. You're correct. It is the authenticity of different things, for sure. Let's go back, Tim, to what we were talking about earlier, which is you and I want to do business together.Tim CallanRight.Jason SorokoLet's go back to the most simplistic thing possible, which is not PKI or Blockchain. Let's talk about a shared secret. Let's talk about what might be just a symmetric token.Tim CallanOk.Jason SorokoAlright. So, we don't even have computers in this use case. I say to you, hey, Tim, let's do business together. How about you walk up to my house tonight? Knock on my door three times. I’ll know it’s you. I won't even question that it’s you.Tim CallanWhat’s the password.Jason SorokoThis is the whole password problem. Where you and I, Alice and Bob, you and I, had to actually trade a secret before the transaction went down. And that's, that's great. It works. It's cheap. It’s cheerful, and it's been around since anybody's ever, you know, handed a secret to each other. The reason we call that symmetric, Tim, is because the secret is the same on both sides. You know, I know it's three knocks, you know it's three knocks.Tim CallanRight.Jason SorokoOr you know the password is ABC 123. You know, or the token. Whatever it is you happen to be passing between devices or people. It's a shared secret, which makes it essentially a symmetric secret.Tim CallanRight.Jason SorokoThe advent of PKI was the whole idea of breaking that secret in half, and doing some really fancy math in order so that the cryptographic algorithm of the secret paths itself are unspoofable and that this is where the unspoofable part kind of comes in. And the beauty there is, let's say you have a, you have a document, you want to prove to me that you signed - - that this document has not been changed by the time it gets into my hands, you can actually sign that with your private key and if you hand me half of the secret, which is the public key, I'm able to verify, yes, that's Tim's signature. And in fact, that is also the basis of a challenge request, that's part of all PKI-based authentication. That's why private keys can be protected. They never have to be taken out of where they're being, you know, the safe place that you've put them, such as a secure element. If you're authentic, if you're a client, and I'm a server, you can actually say to me, hey, I want to authenticate. I'll issue you a challenge. You sign it with your private key. I check it with a public key. And guess what? It’s, you know, it is it is done. And we know that you are the bearer of a private key that allows you privileges into my server system. That's PKI.Tim CallanYes.Jason SorokoNow with Blockchain, it's different in the sense where Blockchain has a whole lot of moving parts that you and I will talk about in future podcasts. Things like consensus algorithms are just fascinating topics. I think that's worth at least one or two podcasts, Tim. But keep in mind that really, let's go back to the PKI use case for a moment because there's a piece I left out intentionally in that authentication use case, that is the downside to PKI, and potentially, potentially, the upside to Blockchain. And this is where I think a lot of people say, hey, man, I think PKI is, you know, it's kind of had it’s today, and Blockchain is a better idea and then we'll talk about why that's really not the case. When you and I are doing business together, you want to authenticate to me, right?Tim CallanRight.Jason SorokoOr even there's a signing mechanism that that we're performing. Part of what could and should typically happen in PKI scenarios is we will actually do a revocation check. In other words, if Alice and Bob are doing business together, Alice might want to check that Bob's, not only does he bear the certificate, but is that certificate still valid? And with a centralized authority, a Certificate Authority, PKI, by its definition, needs to look up a database, and says, alright, here's this certificate. I want to see whether or not this thing has been revoked. And if it has been revoked, well, even if this person is bearing the certificate, I actually don't trust that certificate anymore, which is a very important thing.Tim CallanYeah. And this is part of every, so every PKI implementation has a Certificate Authority, whether it's your own, you know, in-house private Certificate Authority, or whether it's some kind of public Certificate Authority. The structure depends on that fundamentally. That's how the technology works.Jason SorokoExactly, Tim. Wo you're getting right into the heart of one of the big differences between PKI and Blockchain, which is PKI, by, almost by its definition, and definitely by how it's been implemented for the past, you know, several decades. It's centralized, right? Blockchain is all about decentralization, and we'll get into why that's really important. Because in most private PKI, or in even publicly trusted certificates, there are typically, you know, one or just a small handful of Certificate Authorities who actually will have that record of whether or not a certificate has been revoked or not and you typically will go to that centralized place to discover whether or not that certificate is good or not. Now, you might think to yourself, well, gosh, that might, that operation might take a long time. I don't want to have to spend, you know, very long when I'm going through an authentication session, in order to just check a certificate. Well, Tim, I think we brought this up not long ago, how many SSL revocation checks are done in a day, right? Like, right, it's into the billions. So, over the past 30 years, the CAs have gotten very, very, very good at doing revocation checks very quickly, right. So, they've kind of gotten around that problem. However, I think that people who argue Blockchain has a place to play here is that the verification of a record is decentralized. You're no longer, you know, depending on a Certificate Authority in order to be able to say, hey, is this record, is this record on the ledger, you know, and what does this record happen to say? It's inherent.
So, in other words, if you and I were trading Bitcoin together, if you were somebody who was declared a bad guy, that would be inherent in the data structure of a decentralized database, known as Blockchain. There would be no centralized authority, looking that up. I think one of the arguments being made is there could be a timing problem. In other words, by the time something has been revoked, and by the time it's looked up, a bad guy might have might have slipped through the cracks. Whereas with Blockchain, the knowing about whether or not an entity is blacklisted is kind of inherent in the data structure.
Tim CallanYeah. It's built in.Jason SorokoThat's it. On the other hand, right? There's no free lunch. The Blockchain concept still requires that the person needing to do this lookup is actually downloading or doing a lookup as well. In other words, it's not like it's just somehow guaranteed that the person you're doing business with isn't a bad guy. All you are guaranteed is the immutability of the data on the Blockchain.Tim CallanRight.Jason SorokoSo, in other words, I think a lot of people have confused the immutability of the data on the Blockchain with the concept of the timing issue. Now, granted, PKI perhaps takes slightly longer, but that's - - I don't know if that's really true in practice, Tim, because the CAs have done such a good job at having very, very fast revocation check latencies. That's just been my experience.Tim CallanYeah, I mean, to some degree, it kind of depends, right? Because if you need to have 100%, like let's use the example of cryptocurrency. It's the obvious Blockchain example. These things are worth money. So, if there's ever a time where it didn't work, that would be an opportunity for theft or arbitrage and essentially, what it would do is it would devalue the whole currency. It would destroy the trust of the whole currency and the only reason cryptocurrencies are worth money is because people count on the ability to tell what's genuine and what's not. Right? Now, um, when you get around to a PKI implementation, and you're looking at this revocation checking, and depends on connecting to an outside entity, in principle, that could occasionally not work and your rationale goes and follows. Ok, there's a very slim chance that it doesn't work, but revocation is still effective, because nobody knows when it's going to work and when it's not. And so, you can't reliably use a revoked cert for nefarious purposes. Right? And so that's where I think you see the strengths and weaknesses of the two technologies, why they're applied the way they are.Jason SorokoYeah. That’s it, Tim. Exactly. So, think about - - it really comes back to what I said at the top of the discussion, which is, you know, the bearer of a PKI certificate that has been granted certain kinds of privileges, that centralization of that still makes a lot of sense for a lot of use cases. So, let's talk about where there's actually an intersection point where PKI and Blockchain work well together and then we're going to talk about where Blockchain really, really shines.Tim CallanOk.Jason SorokoYeah. So public Blockchains versus private Blockchains. I think a lot of people are, they're so familiar with the Bitcoin and the cryptocurrency topic, that the public Blockchain is mostly what they think about. They don't even make a distinction. Whenever they say Blockchain, they're actually thinking about public Blockchains and not private Blockchains, perhaps not even knowing that those things exist. But private Blockchains are interesting in that you might want to have a distributed architecture, for your database, whatever it is, you know, that immutable data structure that just works so nicely with Blockchain but you might not want to share it with the whole world, you might want to share it with just some players.Tim CallanYeah.Jason SorokoYou might want to limit who can run a node. You might want to, you know, limit who actually has the full data set underneath. You might want to do all these kinds of things.Tim CallanYeah. Sure. Well, there's information there. Right? Like if I'm using Blockchain for, let's say, logistics, I may not want everyone in the world to be able to know the details of my logistics. I wouldn't want my competitors to know that, for instance. And so, that would be a reason why you wouldn't want that, you know, that information to just be available to the world.Jason SorokoYeah. You might have Blockchains that make sense within a consortium or within an individual company with, you know, spread across product lines. You know, the financial system, you might not want to, you might think that well, you know, my insurance system, I might want to do business with the whole world but, on the other hand, if I have internal, you know, trading data, and I put those records on a Blockchain so that, you know, I can more efficiently read off what happened in a day and have auditing for that, that's not something I want the whole world to see.Tim CallanRight? Yes, exactly. Because some of those things could be, you could be in, you know, that could constitute a breach. Right? Or you could be in violation of the law. I mean, there's plenty of occasions where the kind of thing where you might want an immutable, reliable ledger absolutely could be for stuff that needs to remain secret.Jason SorokoRight? So, enter the world of private Blockchains.Tim CallanRight.Jason SorokoAnd in fact, there are specific consensus algorithms and underlying infrastructure that are ideal for private Blockchains, Tim. That perhaps is a is a whole other set of podcasts because, you know, it's a very fascinating subject and I think it will grow and become part of our fundamental infrastructure and probably sit beside PKI. And let me explain what I mean by that. Since PKI, its main strength, right, as we said, at the top of the conversation, is about verifying entities, people who are bearing the private key, bearing a certificate. It's the perfect way to create that walled garden of players. In other words, if you want to play with that private Blockchain, if you bear a PKI certificate, you can come and play. Right. To put it in its most basic terms, because Blockchain in itself does not have that capacity to say, to provision you. You know. This is I think, where and this is - - let me just bring it to this point. If you are a bank, and you want to issue a loan to customers, well, you know, the way it had to be done was you had to have the person in the bank, you know, prove who they are with their, you know, forms of government identification, and then sign a bunch of paperwork and ok, that's it. But wouldn't it be nice if you didn't have to care who the person was, and that person was able to perhaps apply for the loan, just with records that happened to be on an agreed-upon public Blockchain that happened to include their credit rating? How fast would the paperwork be to sign, Tim?Tim CallanSure. And there might be other benefits. There might be a privacy benefit there. Once again, it might be to my advantage - -Jason SorokoHuge privacy benefit.Tim Callan- - for people not to know what my financial dealings are. Yeah.Jason SorokoAnd you can imagine all of those kinds of decentralized, low friction of provisioning use cases where Blockchain is kind of ideal, and, you know, cryptocurrency is probably your number one killer app.Tim CallanSure.Jason SorokoBut you know, anything that has to do with self-sovereign identities. So, this is where, you know, the interesting intersection point of PKI and Blockchain where Blockchain really shines - - so, think about that, you know, banks doing loans, issuing loans, perhaps it is healthcare data. I know that the country of Estonia has a Blockchain-based patient healthcare information system.Tim CallanOh, wow. Ok.Jason SorokoYeah. Yeah. They're leaders in that space and, you know, Blockchain anytime that there is a concept where a decentralized architecture makes the most sense, Blockchain can really help and I think that those are where the killer apps are going to emerge. On the other hand, replacing PKI on a wide scale, that's just not in the cards because not every use case is decentralized.Tim CallanAbsolutely. And there's a difference between a ledger and an identity. Like they don't do all the same things. So, for instance, you and I have talked in the past about using PKI let's say to secure containers in a DevOps environment. There's no - - you couldn't do that with Blockchain. Right? So, there are a lot of places where it just wouldn't - - Blockchain can't do the thing that PKI is being asked to do.Jason SorokoYou know, Tim, I've always thought about this hard, and I've heard this from other people, so I can't take credit for it, but anytime you think about a use case that has been touted, oh, Blockchain will completely revolutionize how X, Y or Z is done.Tim CallanRight.Jason SorokoThe thing you have to ask yourself is, hey, is that being accomplished with a database today? And if the answer is yes, you have to question whether or not Blockchain can really replace it. Some databases that are centralized, by definition, probably should remain centralized. Some databases such as patient healthcare, where you as a patient are the actual customers. It’s not the hospital that’s the customers, it’s the patient and that patient needs to walk around with self-sovereign identity and very private information.Tim CallanYeah.Jason SorokoYou as the patient entity, are going to benefit from a decentralized ledger, rather than a centralized database in that example.Tim CallanRight.Jason SorokoThat's ideal. So, anytime you think about other use cases, that's when it becomes kind of risky in trying to assume that, you know, a ledger is just going to replace this other, you know, database that’s been around for 20, 10, you know, 10, 20, 30 years, because probably, the database, the underlying centralized database technology, is incredibly efficient, and probably should be, and remain to be centralized, just because that's the nature of not just its ideal architecture, but it's ideal in terms of the use case itself. Cryptocurrencies, healthcare data, loan applications. Geez, those are places where decentralized architectures make a lot of sense. Enter Blockchain. But, Tim, I think, I'm trying to be helpful to help people to distinguish where one might work and where the other might work.Tim CallanYes. So, we all know about cryptocurrencies, obviously. To what degree are these other Blockchain, let's call them, you know, high value use cases? To what degree are these being exercised today? You gave us the Estonia example earlier, but, you know, is this real? Or is this more potential?Jason SorokoI think one of the things that had to become real first, was for there to be infrastructure available. In other words, you're not going to roll your own Blockchain typically. Right?Tim CallanOk.Jason SorokoAnd so, a lot of the public cloud offerings that are out there, I think we can name them, right. It's AWS, and Google's Cloud, and Azure, etc. and others, have actually been able to implement various kinds of Blockchain and hyper ledger type technology.Tim CallanGotcha.Jason SorokoAnd so, in other words, rather than having to invent this yourself, or implement it yourself, it kind of seems ideal to just put it in the cloud with some pre built infrastructure that's ready to go.Tim CallanSo, they've got tooling all set for me, and I can go in, and I can basically configure my Blockchain application, and then operate it in their environment without needing to myself build a Blockchain or be an expert in that particular, in the nuances of that technology?Jason SorokoYeah. And for those of you who are curious, go ahead and do an internet search on self-sovereign identities and you'll actually see all kinds of apps for iPhone and Android that will help you to actually establish your identity in that way and start putting properties about yourself on a Blockchain.Tim CallanSo, there's an agility problem with that, right? There's a lock in, vendor lock in problem. If I'm using AWS’ tools. I'm stuck on AWS.Jason SorokoYeah. You might be. You might be. You know what, this is where as a practitioner, I have not personally done enough to be able to say, hey, if I'm using Ethereum on one cloud and Ethereum on another, how portable are they? That's not a question I can answer right now.Tim CallanRight.Jason SorokoBut the fact that I can't even answer that shows you that, well, first of all, I'm not at the absolute cutting edge, the way that, you know, there may be other people who are on the topic of Blockchain, but the thing is, I think it's still growing. I think it's still at a point where the infrastructure is still growing out. The platforms with which to use it are still growing out. Choices to be made such as is this going to be, you know, coin mined based or non-coin mine based. We're going to get into what all that means in future podcast, Tim, but there's a long way to go. I definitely think that Blockchain is in use today. To say otherwise is crazy. But the uptake of it - - I think if you are, you know, an escrow clearing house in New York, right, you move money around between parties. You're, you know, if you're an insurance company, if you're a big finance company, you got worried really fast that you as a centralized clearinghouse of data, right, that even though it could be money or information that you're having in escrow on behalf of two other people, anytime you hear the term escrow in the finance world, Blockchain has a place to play there. And what you've been reading over the past little while, most of the headlines have been about that industry just pouring money to essentially disrupt themselves so that they became the experts in Blockchain. And so, you know, those people have set up enormous infrastructures, very impressive Blockchain infrastructures, for themselves. So to say it doesn't exist, would be just crazy, because so much effort has been put in in the past few years. However, does it touch our daily lives a lot yet? It probably does without you knowing it. It's just, I don't see it. Let's get back to the original theme of this podcast. Is it displacing PKI, and the enormous ubiquity of PKI in your life? Not at all?Tim CallanYeah. Not at all. Absolutely. I think you touched on a few points I completely concur with. You know, the hype cycle on Blockchain was so extreme. Was so steep, right? It got so hyped so fast, it's now crashed into the trough of disillusionment, where everybody is feeling like, hey, I kind of got sold a bill of goods but when it comes out the other end, we're gonna find, like you said, a broad variety of killer applications beyond just cryptocurrency, for which it's going to be just a fundamentally better way to do things. And to your point, it'll probably touch all of us many times daily, but it will do so under the covers in a way that the normal layman doesn't see it. Exactly the same as PKI, right? PKI is touching all of us daily all the time. You know, every time you use your cell phone, but you don't see it. It just it makes the digital stuff work and that's the relationship that non-practitioners will have with Blockchain.Jason SorokoThat's right, Tim. In future podcast for those of you who are waiting for it, yes, we will talk about Blockchain and IoT. We'll talk about smart contracts. We'll talk about consensus algorithms. We'll probably get into all those topics in eventual podcasts, Tim, but for those of you listening right now, the theme was PKI vs. Blockchain. I think we're talking apples and oranges. Apples are great. Oranges are great. And you know what? So is fruit salad, and I think you'll see the two working together. But that's the basic message.Tim CallanI think that's a great spot to leave it today, Jay. Obviously, it's a deep, interesting and important topic and one that we will be returning to for sure. But for today, I want to thank you for that. I think a very cogent explanation of the two technologies, how they're the same and different and how they relate and it's always a pleasure. Thank you. This has been Root Causes.Stay informed with expert insights
Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!
