February 25, 2013 - by This is a guest post by Mike Gault, CEO of GuardTime.
Recent events have shown again and again the challenge of using cryptographic keys to authenticate electronic data, Whether it is McAfee revoking keys for signing apps on the Apple store, stolen keys from Bit9 being used to sign malware or RSA/EMC losing its master private key leading to numerous attacks on US Government networks, key compromise is a headache every CSO wakes up to on a daily basis. But what if you could authenticate the entire planet’s dataset without relying on cryptographic keys at all?
Building a web-scale keyless digital signature system (i.e. using only hash functions) is the challenge that Estonian scientists took up in 2007. A quick history refresher: Estonian modern history began with independence from the Soviet Union in 1991. Free from any legacy IT systems and taking advantage of a recent invention called the Internet, Estonian government administrators and technologists were free to innovate without restriction. And innovate they did. Today, Estonia is a global leader in eGovernment that constantly ranks at the top of Internet Freedom rankings. It is the most wired country on Earth with 99.6% of banking transactions conducted online. The P2P technology that led to Skype was invented and built by Estonian engineers. The symbol on the right represents the Estonian Cyber Defense League, a type of Cyber National Guard that ensures individuals in the private sector are up to date on, and have experience using, the latest cybersecurity technologies. Indeed senior officials within the US Department of Defense were so impressed with the Estonian cybersecurity that NATO established a Cyber Security research center there in 2008. DARPA continues to fund fundamental cryptographic research by Estonian scientists.
Back to the challenge. In 2007 a team of Estonian Scientists led by Professor Ahto Buldas, Guardtime Chief Scientist and Chair of Information Security at Tallinn Technical University, posed the question: How can you rely on electronic data if you assume that your entire network has been compromised and nobody – not even the system administrators within your own organization -- can be trusted?
Although they didn’t realize it at the time, it turns out this question is exactly equivalent to “how do you use cloud computing if you cannot trust the people operating the cloud?” And the answer? An invention called Keyless Signature Infrastructure (KSI) – a technology that generates digital signatures for electronic data on a massive scale but uses only cryptographic hash functions, meaning there are no keys to be compromised or trusted humans in sight. The technology has since been commercialized and is currently used by governments around the world from Estonia to the Thailand, authenticating electronic data generated from the Smart Grid, the Connected Car, Networked Routers and Machines (either virtual or physical), basically any type of electronic data you can think of. Within the Estonian banking system today, every payment, whether Internet, ATM or Mobile, comes with a keyless signature ensuring that insiders cannot modify transactions intent on fraud. Indeed work is underway such that by integrating KSI technology into the rsyslog utility, every single system event across all Government networks can authenticated across the dimensions of time, data integrity and server identity.
As I write this blog post, a team of Guardtime developers are based in Joyent’s San Francisco office integrating this Estonian technology deep into Joyent’s public cloud allowing every virtual machine image, stored object and system event to be independently authenticated, limiting liability of the service provider and allowing consumers of cloud services a level of data security, auditability and provenance that could not be achieved even within their own networks.
Joyent customers can count on not just great performance, but a failproof degree of protection that has eluded even some of biggest companies in the security industry.