



ONLI Security Analysis

ONLI tokens are designed to store value, move it around and keep it safe. ONLI is a platform, not an asset class like Bitcoin. It is the plumbing, not the water. ONLI is not a fork of any other technology. ONLI is not open-sourced. ONLI asset-backed tokens are created by licensed developers only.

We began nine years ago working on a completely different approach to value management. At the time we had some philosophical differences with the direction of the then completely unknown “blockchain space”. Today it seems like everyone knows about blockchains. We went in a completely different direction then, and one of the core reasons is security. In the Open Data Economy, where value is built around aggregating micro-work, security is inimical to economic development. However, in the FinTech space security and data integrity are job one, because losing money is not quite the same as losing photos.

The ONLI platform does not have wallets in the classic crypto sense. Cryptocurrencies, in general, store cryptographic keys that grant access to modify and make an entry on a ledger. ONLI tokens each have their own individually evolving blockchains, and thus a transaction is defined as a change in ownership of an individual blockchain rather than a key that allows a modification of an entry in a ledger. This distinction is important to understand to ensure you are comparing apples to apples rather than apples to cucumbers.

When thinking of security there are some fundamental concepts you need to be familiar with.

Reducing the attack surface is accomplished a number of ways:

1. reduce the amount of code running (turn things off)

2. reduce entry points available (have a single point of entry)

3. eliminate services that are used by relatively few users (specialize, specialize, specialize)

Data at rest is data that is not actively moving between devices. If data is truly at rest, and need not be accessed, the best solution would be to literally turn off at least the software, if not the hardware on which the data resides (principle #1 above).

To understand how these first principles relate to ONLI, we must first understand why entire classes of security problems usually associated with crypto. This is a result of the simple fact that ONLI is based on the economic theory of Actual Possession, instead of ledgers in a Custodial Possession philosophy.

In the ONLI system, actual possession refers to tokens being exclusively stored in a cryptographically secured container called a ‘vault’. This vault is a high-performance, encrypted key-value store that is accessible by a single user. This vault can be stored on any device the user wishes, from a mobile phone, to a desktop computer, to a USB stick, or any other storage device that the ONLI client device can access and authenticate. The user/owner of the vault can literally have physical possession of the device storing the vault and therefore the tokens themselves.

Optionally, exchanges can provide a service to maintain these private vaults for their users on centrally managed and maintained servers.

Encryption is the first line of defense for data at rest. The ONLI vault is accessible only by its owner, and every item stored in the vault is encrypted with its own private key. This vault can then be stored on a device that is itself encrypted (recommended).

The first principle of reducing the attack surface is to reduce the amount of code running. With ONLI’s implementation of Actual Possession, users have the power to reduce the attack surface of their vault to zero: turn off the device (or place the device in a Faraday cage) that has the vault containing their tokens.

In the case where users entrust their ONLI Vaults and Tokens to the ONLI Treasury, the attack surface is minimized to a single entry point for the Vault (the treasury service) that is accessible only over a TLS/SSL encrypted connection that uses bi-directional authentication. In a traditional TLS handshake, the client (in this case the ONLI treasury) authenticates the server (here, the ONLI Vault). In the ONLI implementation, the server also authenticates the client before the client is allowed to proceed, creating in effect a secure, bi-directional, encrypted private tunnel between the treasury and the vault.

When ONLI tokens must be transferred between Vaults (Buy, Sell, Transfer), this encrypted private tunnel is used for the transmission of the actual ONLI tokens. In the case where these tokens are stored on a remote device, the user/owner of the vault has a private client certificate issued at the time of account creation. This private client certificate is associated with the user and stored on the local device’s keychain. This private client certificate is used to create the same TLS/SSL encrypted connection that uses bi-directional authentication as that used between the ONLI Treasury and ONLI Vault on the server.
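The difference between the traditional handshake and the bi-directional one described above comes down to a few server-side settings. This is an added example using Python's standard `ssl` module, not ONLI's code (ONLI is not open-sourced); the function names and the `client_ca_file` path are hypothetical.

```python
import ssl

def one_way_server_context():
    """Traditional TLS: only the server proves its identity."""
    # A server-side context defaults to verify_mode == CERT_NONE,
    # so any client may connect without presenting a certificate.
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)

def mutual_server_context(client_ca_file=None):
    """Bi-directional TLS: the handshake fails unless the client presents
    a certificate chaining to the CA in client_ca_file (hypothetical path)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    if client_ca_file:
        # Trust only the private CA that issues client certificates,
        # never the system's public CA bundle.
        ctx.load_verify_locations(cafile=client_ca_file)
    # A real server would also call ctx.load_cert_chain() for its own identity.
    return ctx

def audit_client_auth(ctx):
    """Return findings that weaken or break client authentication."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("client certificate not requested")
    elif ctx.verify_mode == ssl.CERT_OPTIONAL:
        findings.append("client certificate optional: anonymous clients still connect")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 allowed")
    if ctx.cert_store_stats()["x509_ca"] == 0:
        findings.append("no CA loaded to verify client certificates")
    return findings

if __name__ == "__main__":
    for name, ctx in (("one-way", one_way_server_context()),
                      ("mutual, CA not yet loaded", mutual_server_context())):
        print(name, "->", audit_client_auth(ctx) or "ok")
```

Running the audit against a listener's actual context before it goes live catches the two common regressions: a verify mode left at the default, and a trust store that was never pointed at the client-certificate CA.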

Every time the user logs in to the ONLI Service, the client software uses an out-of-band secure channel (using the user’s private certificate) to communicate with the ONLI-U authentication service. The login message delivered to the ONLI-U service is the user’s single-use blockchain DNA, which evolves every time it is used. Once the user is authenticated over the out-of-band channel, the client application can proceed with creating a private, encrypted connection with the ONLI Treasury and proceed with the transfer of tokens.

The transfer of tokens between users or between the treasury and user always results in a cryptographic re-calculation of each token’s ‘DNA’ or blocks, and the association of a secret hash value with the token. This new private key is held in the token recipient’s vault and will only be exposed the next time that specific token is sold or transferred. The token and its secret hash are transferred over a secure, encrypted channel, and once at rest at the end of the transfer, the DNA again evolves with generation of a new secret hash.

The third principle of attack surface reduction is to eliminate services that are either used infrequently, or used by relatively few users. The ONLI Marketplace publishes a single service to ONLI applications: the ability to Buy/Sell/Transfer tokens. It exposes a single, non-standard port, and the Marketplace address itself is never published on DNS. It can be configured to reprogram its IP address, and every client has a unique, private set of certificates used for encryption. The ONLI system therefore has an incredibly small and dynamic attack surface. The ONLI system also has the unique ability, because of Actual Possession tokens, to set the attack surface to zero: the storage device can be turned off, or air-gapped.

Conclusion

ONLI is a stable platform that clients have had up and running for over 6 years. ONLI isn’t just a blockchain, it is a complete suite of tools to build secure blockchain applications. It includes a custom database, a private transfer protocol, ownership management, value management and user identification system. The encryption features of the ONLI Vault (storage), ONLI Treasury (ownership management), and the high-security authentication and encryption features of the ONLI-U system, further minimize the security risk for Fin-tech implementations using ONLI technology. ONLI is an elegant solution for secure value transfer, management, and ownership.
