"CI Crypto-actifs/en": difference between revisions

From Wiki Campus Cyber
(Page created with "'''On 31/08/23, the WG Crypto-assets worked on''' * The audit plan for the node target. The objective will be to propose countermeasures to put on the node to make it more robust.")
(Updated to match the new version of the page source)

(24 intermediate revisions by another user not shown)

Latest revision as of 17 April 2024 at 09:52

Develop a cybersecurity perspective on crypto-assets and identify the potential uses of crypto-assets for cybersecurity

Category: Community of interest


Status: In progress

Description

The emergence of Bitcoin in 2008 and its underlying technology, the blockchain, enabled the development of a decentralised and secure peer-to-peer payment system. The rise of Bitcoin paved the way for the development of other distributed ledger technologies, with more or less similar characteristics: public, private or permissioned ledgers, blockchains or acyclic graphs, block sizes, consensus algorithms, etc. With the advent of smart contracts stored on the blockchain, it is now possible to represent assets other than financial transactions on the blockchain. In addition to utility tokens, based on the ERC20 standard, which are mainly used in decentralised applications (Dapp), the community and various projects have developed new standards (ERC721) to represent physical or digital goods, NFTs, as well as "financial tokens similar to financial instruments" (Security Tokens), representing financial assets. Finally, with the growth of new verticals in the blockchain industry, such as decentralised finance, the gaming industry and the metaverse, the number of use cases will continue to increase and we will see a growing number of crypto assets emerge in the future.

Although the general interest is mainly in the various crypto-assets, we will also be looking at the technologies and tools that have been put in place to develop and improve these systems. We will be looking at several concepts: public blockchain, private blockchain, permission-based blockchain and, more generally, distributed ledger technologies, as well as other principles such as data structures like Merkle trees and open architecture, and zero-knowledge proofs (zk-SNARK or zk-STARK) used to ensure the anonymity of transactions in certain blockchains or to make blockchains more scalable with zk rollups.

In addition, concerns about the performance and scalability of the blockchain have led to the adoption of other cryptographic algorithms such as Schnorr signatures, which are used by many crypto-currencies and have replaced previously more widespread algorithms such as ECDSA. These adoptions not only improve the system, but also bring about convergence and standardisation of best practice in the cryptoasset industry. It is important to spread these best practices across all industries via an open source cryptography approach.

In addition, the paradigm shift away from security being entirely the responsibility of the user has forced the developer ecosystem to work on solutions such as hardware wallets and multi-signature wallets.

We will also be looking at the different attack schemes on p2p protocols and their countermeasures, as well as identifying innovative tools for searching for cryptographic flaws.

Finally, blockchain and distributed ledger technologies are fundamentally based on the principles of cryptography in order to bring confidentiality, integrity and therefore greater security to the system. Cybersecurity concepts are omnipresent in the construction and evolution of the technologies that enable the development of crypto-assets. These innovations therefore provide fertile ground to help strengthen the security of more traditional systems such as digital identities, securing corporate data, respecting privacy and managing proof of transactions.

In addition, the rules and good practice of cyber security are not necessarily known or applied in this innovative field, and it will be essential to take them into account in the years to come.

🡪 The aim of this working group is to bring these two points of view together and to share common objectives between companies, institutions, research bodies conducting research into cybersecurity issues and players in the French ecosystem who are innovating in the field of crypto assets. The aim is to create innovative projects and find the associated funding to develop the French ecosystem in these areas.

The first key point of this group's work will be to identify relevant cybersecurity use cases for experimenting with new solutions from the world of crypto assets. These crypto-assets are increasingly referenced in new European regulatory proposals such as the revision of the eIDAS regulation.

The second key point will be to map out new areas of research into security-by-design methodologies, risk analysis and perhaps security assessment of these new crypto asset techniques. The management of potential vulnerabilities and associated cyber crises will have to be at the heart of our thinking, enabling the alliance of crypto freedom and the security of the assets that are managed in these innovative infrastructures.

The ultimate aim is to develop innovative cybersecurity projects using cryptoasset tools that guarantee a high level of security and innovative projects to secure cryptoassets. This dual issue must be analysed from two points of view: the cryptoasset ecosystem and the cybersecurity ecosystem.

Initial objectives

  • Catalogue the concrete uses of the technologies developed around cryptoassets for cybersecurity: which sub-systems? which needs? which issues?
  • Identify cybersecurity use cases using cryptoasset technologies to launch prototypes and/or innovative research projects.
  • Draw up a catalogue of attacks on crypto assets (key theft, consensus bias issues, define potential attack segments).

Possible deliverables

  • White paper presenting: tools from the world of crypto assets relevant to cybersecurity uses
  • "Security by design" requirements for infrastructures using crypto assets
  • The needs of this R&D with cybersecurity issues that can be resolved through the use of crypto assets.
  • A map of pilot projects sorted according to their purpose: challenge, joint creation, calls for projects.
  • A summary of the issues to be addressed
  • Catalogue of attacks (past, current, 3 years and 10 years ahead).

Crypto-assets WG logbook

On 12/10/23, the WG Crypto-Assets worked on

  • Validating the audit plan configurations for the target nodes
  • The arrangements for the Paris Blockchain Society conference
  • Setting up a call for comments phase for the target nodes.


It took the decisions to:

  • Schedule a technical meeting for the audit plan with the Red Team.
  • Finalise the pentest agreement
  • Propose an operating agreement for the confidentiality aspects
  • Validate the benefits of implementing a CTI platform dedicated to Web3


On 31/08/23, the WG Crypto-assets worked on

  • The audit plan for the node target. The objective will be to propose countermeasures to put on the node to make it more robust.


It took the decisions to:

  • Make 2 nodes available to start the red team mission by testing the attacks and threats on the nodes.
  • Add a crypto document to the target node
  • Recruit people for the red team
  • In parallel, start work on the smart contract target.

It should be noted that a meeting with the Banque de France lab has been scheduled to discuss the Innovation Challenge.

On 29/06/23, the WG Crypto-assets worked on

  • The target nodes: CLR labs has received various comments from the last members of the WG to fine-tune the few remaining details. These comments will be incorporated into the document next week. The document will therefore be finalised. The next stage is to audit the Node target, attacking the node with several Red Teams (Ledger and Exaion) to test the robustness of the target.
  • The innovation challenge:
    • The objective of the innovation challenge will be to propose and develop specific tools for detecting and potentially blocking cyber attacks in a blockchain environment using smart contracts.
    • Tools of this type already exist, so it would be interesting at the time of the challenge to give the resources we already know about.
    • The aim would be to create a link between the various tools, to create a toolbox: "Bringing Web3 into the CERT".
    • Prizes for the winners have yet to be determined.


It made the decisions to:

  • Finalise the target nodes next week
  • Plan a meeting next Friday to define the audit plan
  • Name the innovation challenge "Bringing Web3 into the CERT".
  • Cancel the WG sessions planned for mid-July and early August. The next session will take place at the end of August.


On 08/06/23, the WG Crypto-assets worked on

  • The Nodes evaluation target document


It took the following decisions:

  • Finalise the document for the next session on 29 June.
  • Carry out an audit plan to test the product on nodes and then produce a lessons-learned review (REX).
  • Begin drafting the Smart Contract target, taking into account the test audit carried out for the Nodes target.


On 13/04/23, the WG Crypto-assets worked on

  • The Challenge Innovation use case. It emerged from the discussions that it would be interesting to develop a toolbox, a Web3 dashboard capable of managing and analysing incidents. A sort of Web3 SOC.
  • The ToE diagram for the Nodes target. It needs to be clarified, and it must be made explicit that the consensus algorithm needs to be controlled.


It made the decisions to:

  • Concentrate on drafting the Nodes target
  • Refine the ToE diagram
  • The next session will be devoted to a workshop on drafting the Nodes target.

On 16/03/23, the WG Crypto-assets worked on

  • Use cases for the Innovation Challenge
  • The scope of CSPNs


It made the decisions to:

  • Support, with the Banque de France, the use case on detecting attacks in a decentralised blockchain-type environment integrating smart contracts
  • Apply the CSPN to an example of an asset (nodes and smart contracts) and produce generic specifications common to these assets.


Note that the V2 workshops are scheduled to take place before the end of the month. The next meeting with the Banque de France to validate the Innovation Challenge will take place on 27.03.23.


On 23/02/23, the WG Crypto-assets worked on

  • The first draft of the CSPN security target document for blockchain nodes.
  • The study of new proposals and use cases for the Innovation Challenge


It made the decisions to:

  • Redo the work on the security target with a blockchain other than Ethereum to identify other threats.
  • Submit a new use case to the Banque de France for the Innovation Challenge.
  • Contact Ledger


On 02/02/23, the WG Crypto-assets worked on

  • The schedule for drafting security targets
  • The allocation of WG members to each workshop


It decided to:

  • Organise the two workshops on nodes and smart contracts.
  • Contact Ledger


The idea of bringing in the BSI and Ledger emerged.

It should be noted that the team will be working in triads on the subjects of nodes and smart contracts.


On 12/01/23, the WG Crypto-assets worked on

  • The CSPN working methodology
  • The methodology for producing a TOE dedicated to nodes and smart contracts.


It took the following decisions:

  • Finalise the framework document for the Innovation Challenge
  • Identify experts and new members
  • Rewrite the umbrella document and the timetable for implementation


It should be noted that the CSPN target will rely on a specific Ethereum master node/staking setup.


On 01/12/22, the WG Crypto-assets worked on

  • The framework note for the Innovation Challenge


It decided to:

  • Finalise the document and present it to the Banque de France
  • Contact the inter CERT to validate one of the challenge scenarios
  • Validate the contours of the implementation of the Innovation Challenge


Other topics discussed:

  • Distribution of the Innovation Challenge


On 10/11/22, the WG Crypto-assets worked on

  • Defining a topic for an Innovation Challenge on Crypto-assets


It took the decisions to:

  • Define a use case for a Cyber Campus blockchain.
  • Hold a meeting ahead of the next WG to discuss CSPN as applied to crypto-assets.


Other topics discussed:

  • The drafting of a risk analysis on the Council's text on e-identity, which will be published in January 2023.


Working groups

Working group | Status | Description
Crypto-assets: Evaluation target - Smart Contracts | In progress | Evaluation target for smart contracts executed by the EVM.
Crypto-assets: Evaluation target - Ethereum node | Completed | Evaluation target for nodes instantiated on Ethereum clients
WG Crypto-assets - Ethereum node pentest | In progress | Audit of Ethereum validator nodes and recommendations for securing them
WG Crypto-assets: Attack catalogue | Completed | Catalogue cyberattacks on crypto-assets and track how they evolve