Nothing I’ve read suggests that blockchain will replace SSL for IoT security. Blockchains are “distributed ledgers” that are known to be tamper-proof (though in practice they can be tampered with by anyone who owns enough of the computing power validating the transactions). This design works fine for certain Internet applications like bitcoin, but I don’t see the blockchain fitting well into the IIoT.
Size matters
First of all, since there is no central ledger, all participating devices must contain, or have access to, the entire ledger. No entry can ever be removed from the ledger. As the number of devices grows, and the number of transactions it contains grows, the size of the ledger grows geometrically. The size of the bitcoin blockchain is roughly doubling every year and currently is over 60GB. For an IoT node to fully trust the blockchain it would need a geometrically growing amount of storage. That’s obviously not possible.
So, individual devices can prune the blockchain and store only the last few minutes or seconds of it, hoping that nearby peer devices will provide independent confirmation that their little piece of the blockchain is cryptographically secure. That opens a possible line of attack on the device: nearby devices could lie and produce a satisfactory probability of truth in the “mind” of the target device.
Thus security is based on the availability of massive storage, and attempts to reduce that storage requirement diminish security. As far as I can tell this is an unsolved problem right now.
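The trade-off described above, as an added example that is not part of the original article: a device holding the full ledger can reject a rewritten tail on its own, while a pruned device has to fall back on what its neighbours report. It assumes a bare SHA-256 hash chain with no proof-of-work or consensus rule; all function names, the quorum value and the sample readings are constructed for illustration.

```python
import hashlib

def block_hash(prev, payload):
    return hashlib.sha256(f"{prev}|{payload}".encode()).hexdigest()

def build_chain(payloads, prev="0" * 64):
    """Link payloads into blocks, each committing to its predecessor's hash."""
    chain = []
    for p in payloads:
        h = block_hash(prev, p)
        chain.append({"prev": prev, "payload": p, "hash": h})
        prev = h
    return chain

def links_ok(blocks):
    """Internal consistency only: hashes recompute and blocks point at each other."""
    for i, b in enumerate(blocks):
        if b["hash"] != block_hash(b["prev"], b["payload"]):
            return False
        if i and b["prev"] != blocks[i - 1]["hash"]:
            return False
    return True

def accept(stored, offered, peer_tips, quorum, full_history):
    """Decide whether a device adopts `offered` as the newest blocks."""
    if not offered or not links_ok(offered):
        return False
    if offered[0]["prev"] in {b["hash"] for b in stored}:
        return True              # attaches to history we hold ourselves
    if full_history:
        return False             # we hold everything, so an unknown parent is a forgery
    # Pruned device: the parent may simply be outside our window, so ask the neighbours.
    return sum(t == offered[-1]["hash"] for t in peer_tips) >= quorum

def demo():
    # Constructed sample data: ten readings, and a rewrite of history from block 3 on.
    honest = build_chain([f"reading-{i}" for i in range(10)])
    forged = build_chain([f"reading-{i}" for i in range(3)] +
                         [f"altered-{i}" for i in range(3, 10)])
    tail = forged[7:]                          # what colluding neighbours present
    lying_tips = [tail[-1]["hash"]] * 3        # three neighbours vouch for it
    return {
        "tail_self_consistent": links_ok(tail),
        "full_node_accepts": accept(honest[:7], tail, lying_tips, 3, True),
        "pruned_node_accepts": accept(honest[3:5], tail, lying_tips, 3, False),
    }

if __name__ == "__main__":
    print(demo())
```

The forged tail passes every check the pruned device can run locally; only the stored history, which the pruned device gave up, tells the two chains apart.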
Too much connectivity?
The second problem with blockchains is that they assume that every transaction in the system must be transmitted to every participant in the blockchain. Yes, when somebody’s fridge turns on in Paris, every one of the billions of devices participating in the blockchain must be told. If they are not, then their local copy of the blockchain is inconsistent and they cannot trust the next transaction, which they might actually be interested in. As the number of devices and transactions rises, the amount of worldwide network bandwidth required to maintain the integrity of the blockchain grows geometrically. One article I read says that on a 10Mbit Internet connection the theoretical maximum number of transactions in the entire bitcoin universe that connection could sustain would be 7 transactions per second. Seven.
The result of these two limitations is that a blockchain probably cannot be used to carry the actual data that the devices produce. Instead it is more likely to be used as an authentication mechanism. That is, a device that is legitimately on the blockchain can be verified as being itself based on something that the blockchain knows. My personal opinion is that it sounds very much like the blockchain would become a distributed certificate authority. Instead of having the current SSL “chain of trust” of certificates, you would have a “blockchain of trust”. But since an individual device could not contain the entire blockchain you would still need a server to provide the equivalent of certificate validation, so there’s your point of attack.
There are some examples of IoT devices using blockchains, like a washing machine that buys detergent using bitcoins, that are using misdirection to claim the use of blockchains. Yes, they are using blockchains in their bitcoin transactions because that’s how bitcoin works, but the maintenance data they produce (the real point of the blockchains-for-IoT conversation) are not being transmitted via blockchain at all.
I have yet to see a practical application of blockchains to IoT data or even to IoT authentication. The conversation at the moment is in the realm of “it would be nice” but the solutions to the implementation problems are not clear. Incidentally the same problems exist for bitcoin and there are no clear solutions in that space either.
– Andrew Thomas, Skkynet