The objective of the project is to secure the supply chain, in particular five critical components within an organisation: Inventory, Production, Location, Transport and Return of Goods. Securing these components would streamline operations and protect the privacy of the data exchanged between buyer and supplier, keeping it confidential throughout the project.
The project will look into three critical components within the logistics supply chain: Inventory, Location and Production. These are integral parts of the logistics process that need to be secured, so creating smart contracts for these three components would make their records immutable, since the contracts can be deployed on the Ethereum blockchain, and protecting the data on the blockchain with cryptographic protocols would ensure the security of the project. The basis of the project is to provide immutability by introducing an immutable ledger to track transactions. One challenge identified was identity verification: trust-based cryptographic protocols could be used to provide identity verification and privacy enhancement for sensitive data.
The motivation for developing the project in the supply chain, and in inventory management systems in particular, came from faults in the security and privacy of transactional and sensitive identity data in inventory applications, which led me to look into blockchain technology, i.e. Ethereum, to provide privacy by applying zero-knowledge proofs to transaction data. The interest in this area was prompted by recent attacks on the supply chain sector: the Mazar virus in 2018, which deleted an entire supply chain and forced the logistics business to fall back to a paper-based process for two months before the Mazars infrastructure was brought back online, and the Equifax breach (disclosed in 2017), where trust was lost because any user (third party) could be verified and gain access to information via third-party download links (Barrett, 2020).
The current proofs of concept I have come across since the introduction of blockchain technology add data to the Ethereum blockchain using smart contracts. To give a brief overview of the technology: a blockchain is an append-only distributed ledger maintained by a network of nodes, in which each block carries the cryptographic hash of the previous block, so the blocks form a chain. When a user submits a transaction, it is broadcast to the network; the nodes validate the transaction and agree on its inclusion using a distributed consensus algorithm. Once accepted, the transaction is recorded in a new block appended to the ledger. Because every later block commits to the hash of the block before it, altering a block that has already been added to the Ethereum network would invalidate all subsequent blocks, which is what makes the ledger effectively immutable.
Making sense of bitcoin and blockchain: PwC
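The chaining property described above, as an added example (this is illustrative code written for this page, not the project's code and not how Ethereum itself is implemented): each block stores the hash of its predecessor and a toy proof of work, so rewriting one past record breaks validation of every later block unless all of them are re-mined. The block fields, the difficulty setting and the inventory records are choices made for the example.

```python
"""Minimal hash-chained ledger with proof of work (added example, not the
project's code). Each block commits to the hash of its predecessor, so
changing any past block invalidates every block after it unless all of
them are re-mined. Parameters are chosen for the example."""
import hashlib
import json

DIFFICULTY = 2  # leading zero hex digits required in a block hash (toy setting)


def block_hash(block: dict) -> str:
    """Hash the block contents in a canonical JSON encoding."""
    fields = {k: block[k] for k in ("index", "prev_hash", "data", "nonce")}
    encoded = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


def mine(block: dict) -> dict:
    """Find a nonce whose hash meets the difficulty target; returns the sealed block."""
    block = dict(block)
    block["nonce"] = 0
    while not block_hash(block).startswith("0" * DIFFICULTY):
        block["nonce"] += 1
    block["hash"] = block_hash(block)
    return block


def new_ledger() -> list:
    """Genesis block: it has no predecessor, so prev_hash is all zeros."""
    return [mine({"index": 0, "prev_hash": "0" * 64, "data": "genesis"})]


def append(ledger: list, data) -> dict:
    """Append a record, linking it to the current tip of the chain."""
    tip = ledger[-1]
    block = mine({"index": tip["index"] + 1, "prev_hash": tip["hash"], "data": data})
    ledger.append(block)
    return block


def is_valid(ledger: list) -> bool:
    """Walk the chain: every stored hash must match the block contents, meet
    the difficulty target, and equal the next block's prev_hash."""
    for i, block in enumerate(ledger):
        if block["hash"] != block_hash(block):
            return False  # contents changed after the block was sealed
        if not block["hash"].startswith("0" * DIFFICULTY):
            return False  # no valid proof of work
        if i > 0 and block["prev_hash"] != ledger[i - 1]["hash"]:
            return False  # link to the predecessor is broken
    return True


def tamper_with(ledger: list, index: int, new_data) -> list:
    """Copy of the ledger with one past record rewritten and nothing re-mined."""
    forged = [dict(b) for b in ledger]
    forged[index]["data"] = new_data
    return forged


def rewrite_history(ledger: list, index: int, new_data) -> list:
    """What an attacker must do for a change to validate: re-mine the altered
    block and every block after it (index >= 1; on a real network they would
    also have to outpace the honest miners)."""
    forged = [dict(b) for b in ledger[:index]]
    for i, original in enumerate(ledger[index:]):
        append(forged, new_data if i == 0 else original["data"])
    return forged


if __name__ == "__main__":
    ledger = new_ledger()
    append(ledger, {"sku": "A-100", "qty": 40, "location": "WH-1"})   # constructed records
    append(ledger, {"sku": "A-100", "qty": -5, "location": "WH-1"})
    print("honest chain valid:", is_valid(ledger))
    forged = tamper_with(ledger, 1, {"sku": "A-100", "qty": 400, "location": "WH-1"})
    print("tampered chain valid:", is_valid(forged))
```

The point for the proposal is that immutability comes from the combination of hash links and the cost (or consensus rules) of re-mining, not from hashing alone: `tamper_with` produces a chain every honest node rejects, while `rewrite_history` produces a valid-looking chain only by redoing all the work after the altered block.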
Current projects in the supply chain area focus on recording data on the blockchain but have not addressed the privacy of sensitive data, which existing applications do not deal with. Zero-knowledge proofs therefore provide an additional layer of privacy, and applying them to anonymise sensitive data will be the focus of the project.
The importance of protecting sensitive data on the blockchain follows from the introduction of GDPR, which made protecting users' sensitive data a requirement and led me to research cryptographic standards that could keep sensitive data out of the public ledger. This is where I came across zero-knowledge proofs, a cryptographic protocol built on a prover and verifier construct: the sensitive data stays off the public blockchain, and what is published is a proof that the data exists, referenced by a key or identifier, rather than the data itself.
The prover demonstrates to the verifier that the information exists on the blockchain using a special keyword or identifier, while the sensitive data itself stays hidden inside the zero-knowledge proof. This gives the supplier assurance that the information is present, helps with GDPR compliance, and provides protection against key security risks described in the OWASP 2017 Top 10 (2017 Top 10 | OWASP, 2020). The diagram below describes how a zero-knowledge proof works based on the prover/verifier construct.
Zero-knowledge Proof: Proving age with hash chains
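The scheme in the figure above, written out as an added example (illustrative code for this page, not the project's code). An issuer who knows the holder's real age A draws a secret seed s and publishes the commitment C = H^A(s), which is what would go on the ledger (signed by the issuer, in practice); the holder keeps s. To prove "age >= k" the holder discloses w = H^(A-k)(s); the verifier applies H exactly k times and compares with C. The verifier learns nothing beyond the bound, because walking backwards from w towards s would require SHA-256 preimages. The function names and the 32-byte seed are choices made for the example.

```python
"""Hash-chain age proof (added example, not the project's code).
Issuer publishes C = H^A(s); holder proves age >= k by revealing H^(A-k)(s)."""
import hashlib
import secrets


def hash_chain(start: bytes, steps: int) -> bytes:
    """Apply SHA-256 `steps` times: H^steps(start)."""
    value = start
    for _ in range(steps):
        value = hashlib.sha256(value).digest()
    return value


def issue(true_age: int) -> tuple:
    """Issuer: returns (seed for the holder, commitment for the public ledger)."""
    seed = secrets.token_bytes(32)
    return seed, hash_chain(seed, true_age)


def prove_at_least(seed: bytes, true_age: int, k: int) -> bytes:
    """Holder/prover: witness for 'age >= k'. A bound above the real age cannot
    be proven, since that would need a value *before* the seed in the chain,
    i.e. a preimage of it."""
    if k > true_age:
        raise ValueError("cannot prove a bound above the real age")
    return hash_chain(seed, true_age - k)


def verify_at_least(commitment: bytes, k: int, witness: bytes) -> bool:
    """Verifier: needs only the public commitment and the claimed bound k.
    The witness is only valid for exactly the k it was built for."""
    return hash_chain(witness, k) == commitment


def demo() -> dict:
    """Two holders of different ages both satisfy 'age >= 18'; the witnesses
    they reveal are indistinguishable random-looking 32-byte values, so the
    verifier cannot tell 25 from 40."""
    results = {}
    for name, age in (("alice", 25), ("bob", 40)):   # constructed holders
        seed, commitment = issue(age)
        witness = prove_at_least(seed, age, 18)
        results[name] = verify_at_least(commitment, 18, witness)
    return results


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add: the seed s itself must never be disclosed, since anyone who has it can hash forward and count the steps to C, recovering A exactly; and the witness w is replayable, so anyone who observes it can re-prove "age >= k" to another verifier unless the proof is also bound to a session or a signature from the holder.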
Implementation of the project
To clarify further how a zero-knowledge proof would work in the web application: the first zero-knowledge proof concerns the supplier's login information, which must stay hidden from the public blockchain. The credentials exchanged between the client and the Firebase server would be protected with a zero-knowledge proof protocol rather than sent in the clear or merely hashed (hashing a password before sending it is not by itself a zero-knowledge proof, since the hash simply becomes the credential that an eavesdropper can replay). The reason for choosing a zero-knowledge proof over traditional public-key cryptography is that a zero-knowledge proof does not require a key exchange and does not leak information, since temporary keys are derived after authentication rather than transporting the secret key itself (Limited, 2020).
The second zero-knowledge proof would hide the transaction details (credit card details) of the supplier and the receiver from the public blockchain when a user places an order. The current approach applies SHA-256 to the card number, with card numbers masked with asterisks in transit over secure channels, since the project needs to protect this data to the highest cryptographic standard. One caveat: an unkeyed hash of a card number is weak protection on its own, because a 16-digit card number with a known issuer prefix has so little entropy that the hash can be reversed by enumerating candidates; a keyed construction or tokenisation is needed. The existing encryption methods rely on a key to encrypt the data; this would be enhanced with zero-knowledge proofs so that the user's identity is not shared, protecting users from identity theft through social engineering attacks (Credit Card Encryption, 2020).
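A zero-knowledge login in working form, as an added example (illustrative code for this page, not the project's code and not what Firebase does). It is the classic Schnorr identification protocol: at registration the server stores only a public verifier y = g^x mod p, where x is derived from the password and a salt; at login the client proves knowledge of x in three messages (commitment t, challenge c, response s) without ever sending x or the password. The group parameters are generated by the block itself, the key derivation uses plain SHA-256, and the function names are all choices made for the example.

```python
"""Schnorr-style zero-knowledge login (added example, not the project's code).
Server stores y = g^x mod p; the prover shows knowledge of x without revealing it.
Group parameters are generated here for the example; a real deployment would use
a standard group (e.g. an RFC 3526 MODP group or an elliptic curve) and a
memory-hard KDF (argon2/scrypt) instead of SHA-256 to derive x."""
import hashlib
import secrets


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin with random bases (error probability below 4**-rounds)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(bits: int = 128, label: bytes = b"toy-zkp-login") -> tuple:
    """Find p = 2q + 1 with p and q prime; g = 4 then generates the order-q
    subgroup. The search starts at a label-derived point so it is reproducible."""
    q = int.from_bytes(hashlib.sha256(label).digest()[: bits // 8], "big")
    q |= (1 << (bits - 1)) | 1  # force the size and make it odd
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


PARAMS = safe_prime_group()  # (p, q, g), toy 128-bit size for speed


def derive_secret(password: str, salt: bytes, q: int) -> int:
    """Map the password to an exponent x in [1, q-1]."""
    digest = hashlib.sha256(salt + password.encode()).digest()
    return int.from_bytes(digest, "big") % (q - 1) + 1


def register(params: tuple, password: str) -> dict:
    """Server-side record: salt and public verifier y = g^x. x is never stored."""
    p, q, g = params
    salt = secrets.token_bytes(16)
    return {"salt": salt, "y": pow(g, derive_secret(password, salt, q), p)}


# Three-move protocol; each function is one message on the wire.
def prover_commit(params: tuple) -> tuple:
    """Prover -> Verifier: t = g^r for a fresh random r, which stays secret."""
    p, q, g = params
    r = secrets.randbelow(q - 1) + 1
    return r, pow(g, r, p)


def verifier_challenge(params: tuple) -> int:
    """Verifier -> Prover: random challenge c in [1, q-1]."""
    return secrets.randbelow(params[1] - 1) + 1


def prover_respond(params: tuple, x: int, r: int, c: int) -> int:
    """Prover -> Verifier: s = r + c*x mod q. r blinds x, so s reveals nothing about x."""
    return (r + c * x) % params[1]


def verifier_check(params: tuple, y: int, t: int, c: int, s: int) -> bool:
    """Accept iff g^s == t * y^c (mod p). Commitments outside the order-q subgroup are rejected."""
    p, q, g = params
    if not 1 < t < p or pow(t, q, p) != 1:
        return False
    return pow(g, s, p) == t * pow(y, c, p) % p


def login(params: tuple, record: dict, password: str) -> bool:
    """One complete exchange with the password the client typed."""
    x = derive_secret(password, record["salt"], params[1])
    r, t = prover_commit(params)
    c = verifier_challenge(params)
    return verifier_check(params, record["y"], t, c, prover_respond(params, x, r, c))


if __name__ == "__main__":
    rec = register(PARAMS, "correct horse battery staple")  # constructed credential
    print("right password:", login(PARAMS, rec, "correct horse battery staple"))
    print("wrong password:", login(PARAMS, rec, "tr0ub4dor&3"))
```

What crosses the wire is (t, c, s); an eavesdropper who records it cannot replay it, because the verifier issues a fresh c each time, and cannot recover x from s, because r is random. The server holds y rather than the password, but y still allows offline guessing, which is why the key derivation in a real deployment must be slow.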
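The caveat about hashing card numbers, demonstrated as an added example (illustrative code for this page, not the project's code). A 16-digit card number is an issuer prefix (BIN, 6 digits), an account number (9 digits) and a Luhn check digit. If the BIN is known and the last four digits are printed on a receipt, only six digits are unknown: one million SHA-256 evaluations, about a second in Python, and even with nothing but the BIN it is a billion hashes, minutes on a GPU. The keyed alternative (HMAC under a key held only by the tokenisation service) removes the offline search. The card number and prefix below are constructed for the example and are not a real BIN or account.

```python
"""Unkeyed SHA-256 of a card number is reversible; HMAC with a secret key is
not searchable offline (added example, not the project's code)."""
import hashlib
import hmac
from typing import Optional


def luhn_check_digit(first15: str) -> str:
    """Luhn check digit for the first 15 digits of a 16-digit card number."""
    total = 0
    for i, ch in enumerate(reversed(first15)):
        d = int(ch)
        if i % 2 == 0:  # second digit from the right of the full number, and every other one leftwards
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def unkeyed_hash(pan: str) -> str:
    """What the proposal describes: SHA-256 over the card number, no key."""
    return hashlib.sha256(pan.encode()).hexdigest()


def recover_pan(digest: str, bin_prefix: str, last4: str) -> Optional[str]:
    """Brute-force the six unknown middle digits of a 16-digit card number
    from its unkeyed SHA-256, given the BIN and the last four digits."""
    target = bytes.fromhex(digest)
    for middle in range(10 ** 6):
        candidate = f"{bin_prefix}{middle:06d}{last4}"
        if hashlib.sha256(candidate.encode()).digest() == target:
            return candidate
    return None


def keyed_token(pan: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key kept by the tokenisation service only.
    Without the key, the candidate space cannot be searched offline."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def masked(pan: str) -> str:
    """Display form: only the last four digits are shown."""
    return "*" * (len(pan) - 4) + pan[-4:]


# Constructed sample: arbitrary prefix and account digits, computed check digit.
SAMPLE_BIN = "412345"
SAMPLE_PAN = SAMPLE_BIN + "678901234"
SAMPLE_PAN += luhn_check_digit(SAMPLE_PAN)  # 16 digits, Luhn-valid

if __name__ == "__main__":
    digest = unkeyed_hash(SAMPLE_PAN)
    print("stored on chain as:", digest)
    print("recovered from BIN + last 4:", recover_pan(digest, SAMPLE_BIN, SAMPLE_PAN[-4:]))
    print("display form:", masked(SAMPLE_PAN))
    print("keyed token:", keyed_token(SAMPLE_PAN, b"service-held-key"))  # constructed key
```

Masking with asterisks is a display control, not a storage control; what must never reach the public ledger is anything derived from the card number without a secret, and even the keyed token should be treated as a reference into a tokenisation service rather than as "encrypted" card data.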
Special Resources Required
The project will draw on the Consensys blockchain courses and Udemy to get to grips with Angular, which will be the front-end stack, and Node.js to communicate with web services within the web application and with external databases. Alongside this, Solidity will be used to implement the supply chain smart contracts for use cases such as Inventory, Production, Location and Return of Goods.
To enhance privacy on the blockchain, zero-knowledge proofs (ZKPs) will be used when communicating with the external data source providers, with ethical standards taken into account. I aim to use my own input data in the project, but I have also sourced a few data sources released under OPDL (Open Source Data Licences) and MIT-licensed terms, so data-rights issues are not a major concern for the project.
Gantt chart using Microsoft Project with details on implementation steps and timelines
The Gantt chart is attached within the project folder.
Implementation language and principal libraries
The project will be a web application built with Angular, which serves as the front end and UI layer. Solidity will be used for the project's smart contracts. Ganache provides a local development chain, so the smart contracts can be tested locally before being deployed to the public Ropsten testnet.
The Angular front end will use routing modules to route between web pages, for example for adding, deleting and updating products in the inventory system. ZoKrates (https://zokrates.github.io/) will be used to implement the zero-knowledge proof circuits that keep sensitive data off the chain, as described earlier in the proposal, using the verifier contract it generates together with the project's supplier contract that calls it. Web3.js will be an integral part of the project as the JavaScript library through which the front end interacts with the deployed smart contracts on the public blockchain over JSON-RPC; the Solidity compiler (invoked through Truffle) produces the EVM bytecode and ABI that Web3.js needs, and Web3.js integrates well with the Truffle test environment.
Mocha and Chai will be used to test the web application, and bcrypt will be used to hash the login credentials stored by the web application (bcrypt is a password hashing function rather than an encryption scheme, so a stored hash cannot be reversed to recover the password).
Unit tests will be written for each smart contract implementation using the Mocha and Jest frameworks, which can test the Angular UI as well as the smart contracts, using hooks such as before, beforeEach, after and afterEach (beforeAll and afterAll in Jest) to set up and tear down state. Ensuring these tests validate the expected conditions helps reduce bugs in the code and follows the smart contract development principle of testing early and often.
The evaluation criteria for testing the application are: testing the web application for SQL injection and cross-site scripting; and testing the smart contracts against the Consensys Smart Contract Security Best Practices, which cover common security flaws in smart contracts so that attacks such as reentrancy and integer overflow are considered while developing the application. Furthermore, practices such as making all state changes before external calls (checks-effects-interactions) and handling errors returned by external calls will improve the reliability of the smart contracts against potential attacks before the contracts are deployed to the testnet (Consensys.github.io, 2020).
The evaluation will be assessed with the qualitative DREAD security assessment model, and a score will be provided in the final documentation giving a qualitative analysis of security concerns and of compliance with the OWASP Secure Coding Principles and the Consensys smart contract development guidelines (Owasp.org, 2020).
Finally, performing penetration tests and applying secure software development principles and standards to the web application will ensure that privacy remains the foremost concern in the development of the project.