From mismanaged encryption keys and system errors to the eventual cracking of its cryptography, Public Key Infrastructure (PKI) encryption has become increasingly difficult to maintain as demand for these encryption services grows exponentially.
Security adviser Roger A. Grimes has been installing PKIs for private and public companies for more than two decades. In a 2015 CSO article, "4 Fatal Problems with PKI," he argued that PKI has too many moving parts, that even when it works perfectly it doesn't solve the biggest security problems, and that eventually it will stop working for good.
These systems require the deployment and management of certificates, registration authorities, directories, digital signatures, key protocols and key validation. They are so complex that they are seldom installed properly, and they generate so many errors that system operators often ignore them.
In addition, Internet of Things (IoT) security providers are finding that PKI may work in Web applications but was clearly not designed for IoT devices. IoT processors are often so small that they cannot update key certificates or embed any type of encryption at all. With the size of encryption files constantly increasing and the number of IoT connections reaching the billions, PKI encryption is effectively dead for IoT.
With recent advances in quantum computing, the focus needs to be on developing encryption whose algorithms will not be cracked, since such a break would open a Pandora's box of hacking.
The National Institute of Standards and Technology (NIST) has been studying this problem and is evaluating post-quantum encryption proposals, which remain open in its Post-Quantum Cryptography project. Although it is great to see NIST recognize the urgency of this potential crypto-cracking dilemma, there are industry experts who disagree with its approach.
Recently there was an interesting debate among security industry professionals on the respected blog Schneier on Security, in response to a post about a research paper on RSA cryptography after quantum computing.
The researchers' answer: just make the encryption key algorithms bigger, more complex and more costly. How big? By the readers' calculations, a one-terabyte public key. Since IoT devices hardly have space for kilobytes, this is just not the direction to go. Not only would these resource-hogging crypto-algorithms take up valuable processing space, they would also consume network resources and take longer.
Over the years I have reviewed hundreds of cybersecurity companies. The people who normally have the best solutions are the ones who already know the problems coming from current technologies. Sadly, they often need to wait until the problems arrive before they can get people's attention and offer different solutions.
The real problem in current cryptography is the very thing that makes the technology work. A hacker can identify and exploit the repeating processes of the encryption to crack the system and take control. Today's encryption algorithms are static in nature, repeating the same processes over and over. Their behaviors are expected; their patterns are anticipated. In fact, hackers today are using artificial intelligence to quickly identify these patterns. This is why quantum and super-computing can hack current cryptology.
There is a solution to this problem. Successfully developed, patented and deployed by a company called MerlinCryption, Anti-Statistical Block Encryption (ASBE) leverages dynamic algorithmic complexity and employs stochastic randomization in many aspects of its encryption process. Because all output is variable, there is no static behavior to monitor.
The key word is variable. Even a quantum computer cannot crack this encryption that protects data as it is created, viewed, edited, shared, stored and moved across any communications channel or in the cloud. The key then vanishes after use, leaving no trace of the encryption process.
Authentication is also an important part of security. Most authentication factors are based on something you know, something you have or something you are. Attackers can imitate the authentication rights of employees or systems to gain access and control. MerlinCryption has introduced a fourth category of authentication factors using information that is temporary and always unique. These factors are not deterministic but stochastic in nature.
Finally, MerlinCryption offers true end-to-end, person-to-processor and processor-to-processor encryption and authentication. Its smallest key is more than 10^522 times stronger than AES's 256-bit key. There's good news for IoT providers too: it offers a 58 KB Low Overhead Platform and a 284 KB Embedded Encryption Platform that can fit in the smallest microprocessors. Oh, it's cheaper too. Not bad.
I seldom focus on encryption solutions because, as we are aware in the cybersecurity business, it addresses only a part of the problem. The potential of breaking all authentication and encryption is serious though. Allowing cyberattackers a wide-open cyberdefense without minimally hardening our systems would be catastrophic. It would allow cyberattackers to strike at will.
It's nice to end an article that discusses all the problems in a specific area of cybersecurity by detailing the immediate solutions available. The warnings we are getting from both the private and public sector on IoT security issues are chilling. I will be speaking at a major IoT convention about this very issue. The question is: Are we going to talk about it, or do it?
Larry Karisny is the director of ProjectSafety.org, an adviser, consultant, speaker and writer supporting advanced cybersecurity technologies in both the public and private sectors. He will be speaking at the IoT Evolution Expo in Orlando, Fla. on Thursday, Jan. 25, 2018 from 10-10:55 a.m. discussing IoT security strategies.