Ethereum Hyperledger Fabric Multichain flunk security

Report: Ethereum, Hyperledger Fabric, MultiChain flunk U.S. security standards – Updated

A damning new report published by the influential Institute of Electrical and Electronics Engineers found R3’s Corda was the only one of four major blockchains to meet the cryptographic requirements of government agencies

A bombshell report has warned three major blockchain networks fail to fully comply with the U.S. government’s cryptographic standards, potentially banning them from use in federal blockchain projects.

Ethereum, Hyperledger Fabric, and MultiChain do not fully meet the cryptographic standards set out by the National Institute of Standards and Technology (NIST), an agency within the U.S. Department of Commerce. [Update: The Linux Foundation, creator of Hyperledger Fabric, says this is a temporary problem, and workarounds are available. See below.]

R3’s Corda scored a big win in IEEE report on U.S. government agency security standards (Photo: R3).

This effectively means that IT managers in the federal government are prohibited from using these systems when they are developing projects. That’s according to a paper published in the January-February issue of IEEE Security & Privacy, a journal of the influential Institute of Electrical and Electronics Engineers. The paper is available for free.

The paper, “Blockchain Compliance With Federal Cryptographic Information-Processing Standards,” was authored by James Howard II, a researcher at the Johns Hopkins University Applied Physics Lab, and Maria Vachino, a director at Easy Dynamics Corp. It put the four popular blockchain platforms through their paces.

The only one that managed to pass was R3’s Corda. If NIST agrees, that means any new government IT programs and modernization efforts based on blockchain must rely on its infrastructure over the other three, unless those platforms make changes to meet the government’s standards.

Businesses also tend to follow the IEEE’s recommendations, meaning that Ethereum, Hyperledger’s Fabric flavor, and MultiChain—which have had success in the corporate world—could now struggle to gain more traction. Worse still, NIST’s work has “become the global de facto standard” because of how the federal government “is a leading buyer of computational resources,” Howard and Vachino wrote.

What went wrong (and right)

The pair said they chose to examine these four blockchains because, on the face of it, they had characteristics that made them suitable for use by the U.S. federal government. Stellar and Chain Core were excluded from the analysis because they are finance-specific rather than general purpose, according to the pair.

Ethereum was described as a “moving target for analysis and development” because of the platform’s upcoming transition from proof-of-work to Ethereum 2.0’s proof-of-stake, according to the report. Its mining algorithm, Ethash, failed to meet NIST requirements, Howard and Vachino found. Another problem lay in the type of digital signature algorithm it used, which it said had also not been approved by the agency. MultiChain ran into similar difficulties on this latter point.

For Hyperledger Fabric, the main problem seemed to be that crucial technologies—hash algorithms and digital signatures—were implemented using a programming language called Go. As a result, its mechanisms could not be validated as meeting NIST standards.

In response to questions, a spokesperson for the Linux Foundation—which created Hyperledger Fabric—told Modern Consensus via email that the issue is a temporary one. The “cryptography Hyperledger Fabric uses is NIST-approved. The sticking point is that the implementation of NIST-approved algorithms in more modern programming languages (in Fabric’s case GO) has not yet been officially approved by NIST.”

Gari Singh, an IBM Distinguished Engineer who is CTO of IBM Blockchain and a Hyperledger Fabric maintainer, told Modern Consensus that Hyperledger Fabric’s digital signing and hashing algorithms are both NIST-approved. He said that while Go is standard, the platform supports other certified cryptographic libraries. One of Fabric’s most popular and widely used versions, IBM Blockchain, uses NIST-certified alternatives, Singh added.

Corda managed to avoid these hurdles because of how it used an “acceptable hash algorithm” known as SHA-256, with Java—a familiar programming language to NIST—being relied upon. The network also used “a wide range of digital signature algorithms” that also passed the bar, they said.

As for Bitcoin, it is too decentralized to make the researchers’ cut. The first of the three criteria Howard and Vachino set out for blockchains they would review was that they be “supported by a single business or consortium responsible for developing standards and guiding future work.”

What now?

This lack of compliance with NIST standards has the potential to leave some of these platforms red-faced.

Major businesses such as Walmart are among those who have relied on Hyperledger Fabric’s technology, mainly with a view to tackling the perennial issue of food safety. These solutions may have been effective, but what the IEEE-published report is saying is that Howard and Vachino believe NIST wouldn’t approve the three platforms for government use. R3’s Corda, however, would pass muster.

Agencies throughout the U.S. government, including the security-focused Department of Homeland Security, are actively testing blockchain technology. Excluding major blockchain platforms could put the U.S. at a disadvantage against other countries, most notably China, whose president, Xi Jinping, recently called for China to be the world leader in developing blockchain.

Modern Consensus has reached out to Hyperledger Fabric and Corda for a comment, but none was forthcoming by publication time.

Updated at 5:57 p.m. on April 23, 2020 to explain why Bitcoin’s blockchain was not reviewed.

Updated at 7:06 p.m. on April 23, 2020 to reflect comments by the Linux Foundation, creator of Hyperledger Fabric. The paragraph about Ethereum and MultiChain was moved for clarity.

Connor Sephton is a journalist with an interest in cryptocurrencies, personal finance, and financial inclusion—as well as the challenges the crypto industry faces in achieving mainstream adoption. He owns cryptocurrencies.