How and why we use the Stellar blockchain in Phalanx for tamper-proofing

“Tamper-proofing” in the blockchain, huh?

Blockchains were developed with some core properties in mind: decentralization, transparency, and immutability, which make them particularly useful for certain use cases. These properties enable transparent and secure financial systems, which is what most people think of when they think of blockchain and cryptocurrencies (e.g. bitcoin), but there are several creative use cases for blockchain that are not particularly mainstream today. By combining SHA-2 hashing with the blockchain's transparency and immutability, it's possible to store a digital fingerprint (a hash) of data so that, at a later time, you can come back and validate with certainty that the data existed in exactly that form at a particular snapshot in time.

At risk3sixty we store audit evidence for customers when going through internal or external audits (SOC 2, ISO27001, PCI, etc.), or when they're simply using our tool as a GRC platform. For audits in particular though, it's important to be able to validate at a later point in time that an artifact provided as evidence is in fact the same document that was provided days, weeks, or months ago when the audit was being performed. This is where we can utilize blockchain to implement this tamper-proofing use case. Because of its immutability (i.e. transactions cannot be changed) and transparency properties, the blockchain is the perfect tool to use to implement tamper-proofing for your application.

Example

You can take a look here at an actual Stellar blockchain transaction which has a memo containing the SHA-256 hash (8Mmc/UhiZ2GmVgRcT2F7CvkY/3Q+A7LUXaYFLE950BI=) of a policy that we uploaded while a consultant was performing an ISO27001 internal audit for us.

What is Phalanx?

At risk3sixty we're building an audit and GRC platform to help high-growth tech startups manage their security programs, ongoing compliance efforts, and risk with ease, efficiency, and transparency across the organization. Within our platform we perform internal and external audits for our customers and provide tools and functionality to support ongoing compliance and security efforts.

Because the things that are done within our tool are subject to audit themselves, we wanted to provide a meaningful way to prove that things like audit logs and evidence artifacts are in fact the same as they were when they were logged/uploaded. We realized the blockchain was a perfect fit for this.

Why Stellar

The Stellar Development Foundation (SDF) describes Stellar as “... an open network for storing and moving money”. Although the SDF focuses its marketing and R&D on enabling fast and decentralized payments among individuals, Stellar has all the features needed to support the requirements of our tamper-proofing use case, and more.

  1. Low fees: The Lumen, or XLM, is the native cryptocurrency (asset) of the Stellar blockchain and is what transaction fees on the network are paid in. At the time of writing 1 XLM == ~$0.30 USD and transaction fees on the network are currently 0.00001 XLM per transaction. Compared to other blockchains, the Stellar network charges an extraordinarily small amount to execute transactions, making it attractive for anyone wanting to use it for a particular use case.

  2. Fast transactions: Bitcoin transactions can take minutes to hours to complete. The Stellar network uses a consensus protocol (instead of proof of work or the other algorithms used in other blockchains, which are slow and inefficient) that supports both security and near-instant transactions. You will see your transaction complete in a matter of seconds upon submitting it, which is great for the impatient.

  3. Bump sequence: The Stellar blockchain supports a number of the usual transaction types one would find when banking or managing money, but one in particular is virtually (though not quite) a no-op: it doesn't transfer any assets to anyone. It can, however, carry a transaction memo just like any other transaction, and that memo is where our SHA-256 hash will live in the blockchain forever. Bump sequence is the transaction type we decided on to support our use case without having to move assets continuously between accounts. There are a couple of other transaction types we could've used, like manage data, but bump sequence was the simplest and easiest to implement at the time.

Conclusion

As you can see, we hash an artifact or audit log entry at the time it is uploaded or populated and put that hash into the blockchain. At a later point in time we can hash the currently stored data again and, if the newly generated hash matches the hash in the transaction we executed days, weeks, or months ago, we can confidently conclude that this data has not been tampered with and is the same as it was when first populated.
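The verification step described above, as an added example (not Phalanx's own code). The record shape with `memo_type` and `memo` is an assumption modelled on the transaction JSON a Stellar Horizon server returns; the function names and the sample policy and transaction are constructed for illustration.

```python
import base64
import hashlib
import hmac
import io

CHUNK = 64 * 1024  # read large evidence files in pieces instead of all at once


def artifact_digest(stream):
    """Return the raw 32-byte SHA-256 digest of a binary stream."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        h.update(chunk)
    return h.digest()


def memo_for(stream):
    """Base64 form of the digest, the encoding of the hash quoted in the Example section."""
    return base64.b64encode(artifact_digest(stream)).decode("ascii")


def decode_hash_memo(tx):
    """Extract the anchored digest from a transaction record, refusing anything else."""
    if tx.get("memo_type") != "hash":
        raise ValueError("transaction does not carry a hash memo")
    memo = tx.get("memo")
    if not isinstance(memo, str):
        raise ValueError("hash memo is missing")
    raw = base64.b64decode(memo, validate=True)  # bad base64 raises ValueError
    if len(raw) != hashlib.sha256().digest_size:
        raise ValueError("memo is not a 32-byte SHA-256 digest")
    return raw


def verify_artifact(stream, tx):
    """True only if the stored artifact still hashes to the digest anchored on-chain."""
    return hmac.compare_digest(artifact_digest(stream), decode_hash_memo(tx))


# Constructed sample: the evidence as uploaded, and the transaction that anchored it.
ORIGINAL_POLICY = b"Access Control Policy v1.0\nAll access requires MFA.\n"
ANCHORED_TX = {
    "memo_type": "hash",
    "memo": memo_for(io.BytesIO(ORIGINAL_POLICY)),
    "created_at": "2020-04-01T00:00:00Z",  # constructed timestamp
}

if __name__ == "__main__":
    edited = ORIGINAL_POLICY.replace(b"requires", b"recommends")
    print("original:", verify_artifact(io.BytesIO(ORIGINAL_POLICY), ANCHORED_TX))
    print("edited:  ", verify_artifact(io.BytesIO(edited), ANCHORED_TX))
```

The check only proves the stored bytes match what was anchored; the memo must be read from the ledger itself, not from a copy kept next to the artifact, or an attacker who can edit one can edit both.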

As an added bonus we spent $30 to purchase XLM to implement our use case within the Stellar blockchain back on March 30 2020 at $0.0404 USD/XLM (~694.128 XLM purchased). We now have ~690 XLM left which, at ~$0.30 USD/XLM means we now have ~$207 USD worth of XLM. Not too shabby of an investment if you think about it ;)

Shameless plug, xlmfile.com

You can use a super small frontend-only utility I developed to use a funded Stellar account/key to populate a transaction with the SHA-256 hash of a file you upload.