Abstract:
Bitcoin is considered to be the world's first peer-to-peer and unregulated
crypto-currency which has received widespread popularity in the last few
years. It is considered to be the most popular way of achieving open source
P2P money. A large number of businesses have started accepting bitcoins
e.g., WordPress, Baidu, Amazon, Reddit, VMware, Subway and SoundCloud.
It operates in cyberspace and requires special software called a Bitcoin
wallet to be installed on the client's computer. The core of the Bitcoin
protocol is the mining process which is meant for verification of transactions
and bringing new bitcoins into the system. It involves a Proof-of-work (PoW)
mechanism which is based on a complex cryptographic puzzle.
An analysis of the Bitcoin protocol reveals certain security
issues that make Bitcoin transactions a major target
of fraudsters. Incidents related to bitcoins being stolen or Bitcoin exchanges
being shut down due to various attacks are observed daily. As of now, there
exists no comprehensive survey which highlights the existing vulnerabilities
and attack possibilities in the Bitcoin architecture. We also review existing
countermeasure techniques that can make Bitcoin architecture more efficient
and secure. In order to highlight the weaknesses that can make Bitcoin
transactions a major target of fraudsters, STRIDE threat modeling of the
Bitcoin architecture has been performed.
One of the identified problems is the security of the web-based Bitcoin
wallets. The web-based Bitcoin wallets, if not protected properly, can become
a valuable target for theft. The web-based hosted Bitcoin wallets are
considered to be the most vulnerable type of Bitcoin wallets since they are
hosted on the servers of a trusted third party. The aim of the research is
to address the authentication and authorization issues in Bitcoin wallets.
As a proof-of-concept, we use Java Cryptography Extension (JCE) classes,
PKCS7, PBE encryption algorithm and Shamir Secret Sharing Algorithm
in such a way that no other entity would be able to carry out transactions
without the intervention of the legitimate user.