Trust within the single point of failure
Recently, it has been rewarding to see that more and more people are following our lead on the issue of trust management in the interconnected world. The idea is simple – distribute your trust. You really can’t trust a single point of potential failure. There is always safety in numbers.
As a species, we are in general, quite trusting. For most of us, our default reaction is to trust complete strangers. Of course, very occasionally that trust is betrayed, but we learn from our mistakes and get to recognise untrustworthy types.
Enabling trust to bad actors
But the internet provides a swamp-like, nearly ideal environment within which such untrustworthy types can practice their craft without being so easily identifiable. They don’t have to meet their victims face to face, and if found out, they can simply adopt a whole new persona. Millions of potential victims can be conned simultaneously.
And even well-meaning entities can let us down if they themselves have been compromised by their own flawed trust policy.
It helps to see things from the bad actors’ point of view. For them, the big prize is not a successful attack on a single individual, but an attack on a whole community. So most won’t go after your individual password; they will go after that server-side database that contains everyone’s password. More bang for the buck. Crack a significant single point of failure and reap the rewards. And the typical bad actor is willing to spend a lot of unpaid time and effort if the reward is big enough.
So how are the good guys to survive? Who and what can you trust?
A new solution for data trust
The solution is already out there, although in “real life” we rarely need to deploy it. The trick is to never ever place your trust in a single point of potential failure that, if compromised, could reap irreparable damage. Always have a “back-up” plan in case plan A fails. If you keep all your valuables in a safe, use a safe which requires two keys to open it, and keep those two keys in separate places. If writing a controversial last will and testament, copy it to multiple friends.
With the Internet, ideas like these come into their own. We all know that two-factor authentication is a good idea. It’s a good idea because if one factor is lost to a crook, they still can’t get at your stuff. It is not fully understood how frustrating it is for that crook to have gone to all that effort to solve one challenging problem, only to be faced with the prospect of having to do it all again to solve a second, completely different, problem.
Unlike legacy authentication architectures, our authentication solution at MIRACL has no single point of failure. A client secret is issued in pieces by multiple independent trusted authorities all of which would need to prove untrustworthy for the system to fail. The client adds the pieces together to get the full secret – and then instantly tears it apart into two pieces; one a PIN number, another a large blob of data. If the authentication server is compromised and its secrets revealed, the system still does not fail, as the attacker would also need that blob of client data.
Getting this to work wasn’t easy. Existing methods of cryptography do not lend themselves to such distributed architectures, and must be coerced into functioning in this way, using complex methods of multi-party computation. Instead, we use a technology that natively lends itself to the distribution of trust.
Now you might say that a system based on an important single point of failure may, in practise, be trustworthy if that single point is protected and managed by a large corporation, like say Microsoft. Think again!
Consider this story - Hackers somehow got their rootkit a Microsoft-issued digital signature | ZDNet
Trust is often delegated. I trust you, and you trust Fred. Therefore I am willing to trust Fred. This is how the PKI (Public Key Infrastructure) works. A big trusted organisation like Microsoft endows third parties with its approval by issuing them digitally signed certificates, which they can use to digitally sign their software products. Anywhere that software product goes the consumer will check the signature and conclude that “this stuff is OK – Microsoft says so”.
The big single point of failure here is Microsoft’s Certificate Authority – the entity which issues digitally signed certificates on its behalf. And this is what got hacked. Microsoft unwittingly approved a malevolent rootkit. So this rootkit can insinuate itself into everyone’s systems, and there is not a whole lot that can be done about it. According to the story, Microsoft “revoked the signature”. So that’s OK then. Well no, it’s not. PKI’s dirty little secret is that no-one actually checks certificates for revocation, so potentially this problem could linger for years to come.
So distribute trust. Identify your own single points of failure and eliminate them.