Published on 11/25/2016 | Market Sizing
Almost weekly there is a new story about the instability of these critically important systems, resulting mostly from the lack of, or just poorly designed, security. Add to this that government agencies are intentionally weakening popular, trusted security standards, software and hardware for their own purposes, and friendly countries are spying on each other routinely.
This is the perfect storm for our adversaries to digitally attack us. The ramifications could be more severe than any economic downturn in history. Imagine if the hydroelectric grid where you live was knocked out of commission for days, weeks or even months. What if we had to ground all commercial aircraft globally to retrofit them with appropriate ITsec measures? I wonder how long that could take?
People have patriotic feelings about whether privacy is more important than security. This has polluted the discussion on whether increased government surveillance of digital communications, and their intentionally weakening popular security systems, is okay or not. Forget about cell phones and email communications for a minute and try thinking about it with communications that are not person-to-person, but rather smart device to smart device, e.g. connected cars, smart meters, commercial aircraft, your children’s toys (IoT)… You’ll probably agree with tech companies, prominent technologists and civil society groups who have said again and again that strong authentication and encryption are mandatory for all of our safety. Hidden back doors leave us all susceptible and less safe; it’s a fact.
With connected car programs, we learned earlier last year that IT security hadn’t even been built in! To me this is amazing. It’s as if they neglected to install door and ignition locks. US Senator Ed Markey issued a report saying that car makers are not doing enough to protect your safety and privacy. In reaction to their cars being hacked and stolen, this year some car makers rushed to implement SSL certificate-based security. Apart from the fact that certificate-based security has been proven to be flawed and is long past its best-before date, the inherent complexity of certificate and key management renders it totally impractical and unworkable for these large, machine-to-machine applications. Also, how will the connected car of the future communicate with the road, infrastructure and other cars using this antiquated solution? SSL is, at best, a temporary Band-Aid.
Last year it came to light that smart meters (which are connected to the grid), are lacking security and this time it’s because the Open Smart Grid Protocol (OSGP), developed by the Energy Service Network Association (ESNA), went it alone and tried to reinvent the wheel, as opposed to working with experts such as Professor Buchanan at Napier University in Scotland. Professor Buchanan published a story on this last week and it’s worth a read. (Full disclosure, at Connect In Private we work with Professor Buchanan and his team, to tailor CLAE solutions for large clients.)
A security researcher was kicked off a United Airlines flight last year, after tweeting about security vulnerabilities in its system, and claiming he had previously taken control of an airplane. Apparently, while on an airborne aircraft he used Ethernet and plugged in under his seat. After defeating a rudimentary login system, he gained access to the entertainment system and from there he gained access to the aircraft’s control systems. #OMG You have to ask yourself, what team of Einsteins designed onboard entertainment systems and their configuration to be interconnected with the cockpit control systems? Unbelievable! I’m sure you will agree with me when I say that this simply should not be possible and must be rendered impossible quickly.
The Internet of Things (IoT), or as Cisco puts it ‘The Internet of Everything’, is just that: many things which were never before connected will soon be connected. When we think of this, normally we think of thermostats, coffee makers and appliances. My friend Rebecca Herold, ‘The Privacy Professor’, published a story on IoT Privacy Harms and in it, she describes a case study where the ‘thing’ being connected is a children’s toy doll. “…This new doll will be smart; built to interact with the children playing with them, and connected within the Internet of Things…” and she lists the things that can and probably will go wrong. Unlike connected cars, smart grid/meters and aircraft, where we have to play catch-up in a hurry because they have already been deployed, IoT is new. With IoT we have the opportunity to stop and think before we make the same mistakes we’ve been making repeatedly with respect to lack of digital security and privacy.
All of the system vulnerabilities I’ve mentioned, and more, can be strengthened and hardened through the use of our asymmetric Certificate-Less Authenticated Encryption (CLAE) schema.
In the case of connected cars, since cars travel they will need to securely interact with trusted centres for smart cities and other cars in more than their own country.
Smart meters require a lightweight, low-power security solution to securely transmit data and authenticate. There are smart meter companies with tens of millions of smart meters, and certificate-based solutions won’t suffice.
Commercial aircraft operate out of a specific country and each country will want their aircraft protected as though it was sovereign, much like an embassy. We thought up a perfect scenario for this whereby we can use CLAE to create trusted centres on each plane. This way each plane has control over its onboard communications as well as the ability to securely communicate with air traffic control and other aircraft: Mobile Trusted Centres.
For IoT we can look to a scenario like the one I outlined in my previous blog story on Restoring Trust In The Public Cloud: A Global Balancing Act and design a system like that wherein IoT devices are designed with CLAE in mind and users can choose the Trusted Centre of their choice. IoT is global after all. Part two of this will be to also harden our routers, since all of our IoT devices will communicate through them.
Technically speaking, in traditional PKC, there are two mechanisms for generating and distributing the public keys throughout the system: they are either generated by a trust center (TC), which then distributes them remotely over a secure channel to the users in the system, or generated locally by the sender for every recipient. In Identity Based Encryption (IBE), an encryption key is created from an arbitrary string such as an email address or a telephone number. The encryption key is constructed using the identity of the recipient and the public key of a trust center (TC). The entire security of the IBE scheme relies on the security of this public key; if a different key is introduced (e.g. spoofed, man-in-the-middle attack), the security of IBE is entirely compromised. Additionally, for both PKC and IBE, a secure channel between a user and the public key is required for transmitting the private key on joining the system. As one can imagine, this introduces an entire new set of challenges and complexities to the system.
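The dependence of IBE on an authentic trust center public key can be seen in a small working model. This is an added example, not code from the article and not CLAE: it uses Cocks' published quadratic-residue IBE scheme, and the toy primes, function names and the fingerprint-pinning check are assumptions made for illustration.

```python
import hashlib
import itertools
import secrets

def jacobi(a, n):  # Jacobi symbol (a/n) for odd n > 0
    a, s = a % n, 1
    while a:
        while a % 2 == 0:
            a, s = a // 2, (-s if n % 8 in (3, 5) else s)
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            s = -s
        a %= n
    return s if n == 1 else 0

def id_to_a(identity, n):  # hash an identity string to a with (a/n) = +1
    for ctr in itertools.count():
        h = hashlib.sha256(f"{identity}|{ctr}".encode()).digest()
        if jacobi(int.from_bytes(h, "big"), n) == 1:
            return int.from_bytes(h, "big") % n

def fingerprint(n):  # value a sender would pin out of band (assumed check)
    return hashlib.sha256(str(n).encode()).hexdigest()

def extract(p, q, identity):  # TC only: r with r*r = a or -a (mod n); p, q = 3 mod 4
    n = p * q
    return pow(id_to_a(identity, n), (n + 5 - p - q) // 8, n)

def encrypt(n, pinned_fp, identity, bits):
    if fingerprint(n) != pinned_fp:  # refuse TC parameters that were swapped in transit
        raise ValueError("TC public key does not match pinned fingerprint")
    a, out = id_to_a(identity, n), []
    for bit in bits:
        want, pair = (1 if bit else -1), []
        for sign in (1, -1):  # sender cannot tell which of a, -a is a square
            t = secrets.randbelow(n - 1) + 1
            while jacobi(t, n) != want:
                t = secrets.randbelow(n - 1) + 1
            pair.append((t + sign * a * pow(t, -1, n)) % n)
        out.append(pair)
    return out

def decrypt(n, identity, r, ciphertext):
    idx = 0 if r * r % n == id_to_a(identity, n) else 1
    return [jacobi(c[idx] + 2 * r, n) == 1 for c in ciphertext]

# Constructed toy parameters: Mersenne primes (all 3 mod 4), not secure sizes.
REAL_P, REAL_Q = 2**89 - 1, 2**107 - 1    # genuine trust center
ROGUE_P, ROGUE_Q = 2**61 - 1, 2**127 - 1  # substituted trust center
```

With the genuine modulus pinned, `encrypt` raises on the substituted one; a sender that pins nothing encrypts under whatever modulus it was handed, and the holder of that modulus's factors can extract the identity's key and read the message.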
CLAE adds authentication to IBE, greatly simplifying the authentication process, and adds a level of agility to the entire system no other encryption schema can match. Public keys can be locally generated using the identity strings, eliminating the need for the complexities of managing the public keys, hence certificate-less encryption. The sender can choose the TC to which the recipient has to identify itself, before any message is encrypted. If this TC does not meet the sender’s identification criteria, for any reason, the sender can choose another TC on the fly, without the end-user even being aware. This adds a level of security and agility to the system, unmatched by other encryption methodologies.
Authentication of the sender is integrated into the deciphering process (the sender’s identity can be checked locally using the private key received from the trusted authority). Remember, CLAE can protect and exchange the keys for any standard our clients decide to use. CLAE is an asymmetric encryption algorithm which enables our clients to use recognized symmetric encryption standards in conjunction with our asymmetric CLAE. This does away with digital certificates and greatly simplifies key management, is simpler to set up and maintain, and is computationally more efficient. CLAE is an asymmetric encryption algorithm which provides a level of security and simplicity beyond what any other encryption schema can offer.
At Connect In Private Corp. we are excited to be engaged with many large companies and even countries, working together to explore how our technology can help them with some of the challenges I listed above. If you are struggling to secure large systems and you want to explore how CLAE can enhance and simplify your project, contact or connect with me on LinkedIn.
This article was originally posted on LinkedIn.