“All things of value are helpless” is a famous line from a poem by the multitalented Dutch artist Lucebert. It is even more true if you know where to look. Back in the old days, you just picked a suitable bank if you wanted to rob money. Nowadays, you would hack IDs instead: passwords, credit card numbers and so on, conveniently harvested via email providers. To do this on a large scale, you would for instance attack a CA, a Certificate Authority.
Security Collapse in the HTTPS Market
In 2011, Comodo was hacked and so was DigiNotar, a Dutch commercial CA. This heist led to massive email hacks and other security violations. Trustwave was targeted in 2012. These are just a few examples of a widespread practice in many guises that keeps stirring up emotion and analysis. The whole system of Trusted Third Parties, CAs, Public Key Infrastructures and protocols like HTTPS seems compromised, and this is no news, as there has been ample evidence since 2000 and before.
In October 2014, Communications of the ACM featured the article ‘Security Collapse in the HTTPS Market’ by experts from the Dutch University TU Delft that concluded: “Widely reported security incidents — such as DigiNotar’s breach, Apple’s #gotofail, and OpenSSL’s Heartbleed — have exposed systemic security vulnerabilities of HTTPS to a global audience. Then came Edward Snowden. HTTPS is both a major target of government hacking and eavesdropping, as well as an effective measure against dragnet content surveillance when Internet traffic traverses global networks. HTTPS, in short, is an absolutely critical but fundamentally flawed cybersecurity technology.”
The rigorous answer to this ‘System Error’ is a mix of append-only decentralization and replication. Luckily, we have a new kid on the block that goes by the name ‘Blockchain.’ This basic mechanism can provide a solid chain, so to speak, without an obvious weak link that begs to be broken. Just visit the website blockchain.info to see the system in its full glory, displaying the mining of the so-called ‘Bitcoins’ and the public transaction database they are recorded in. Everything open, honest and traceable.
Now, let us for a moment forget about the money, since the Bitcoin application is only a simple proof of concept demonstrating that the Blockchain mechanism is very much able to do its trick. It is then quite conceivable for the Blockchain to be the foundation of economic transactions in general, based on well secured identity management. This is how Fromknecht, Velicanu, and Yakoubov, all from the Massachusetts Institute of Technology, described the potential in November 2014, related to the dire state of the TTP/CA/PKI/HTTPS system:
“Public Key Infrastructures (PKIs) enable users to look up and verify one another’s public keys based on identities. Current approaches to PKIs are vulnerable because they do not offer sufficiently strong guarantees of identity retention; that is, they do not effectively prevent one user from registering a public key under another’s already-registered identity. In this paper, we leverage the consistency guarantees provided by cryptocurrencies such as Bitcoin and Namecoin to build a PKI that ensures identity retention. Our system, called Certcoin, has no central authority and thus requires the use of secure distributed dictionary data structures to provide efficient support for key lookup.”
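To make the identity-retention property concrete, here is an added example (not code from the Certcoin paper or from this post) of a hash-chained, append-only identity register: a second registration under an already-registered identity is refused, and any replica can recompute the chain to detect rewritten history. It assumes an in-memory list as a stand-in for a replicated ledger, constructed identities and key strings, and no real signatures or consensus.

```python
import hashlib
import json

# Constructed, in-memory stand-in for a replicated append-only ledger.
# Each entry commits to the hash of the previous entry, so altering any
# earlier registration changes every later hash and fails verification.

class IdentityLedger:
    def __init__(self):
        self.entries = []   # append-only list of registration records
        self.index = {}     # identity -> currently bound public key

    def _hash(self, entry):
        payload = json.dumps(entry, sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()

    def head(self):
        return self.entries[-1]["hash"] if self.entries else "0" * 64

    def register(self, identity, pubkey):
        """Bind identity to pubkey. Identity retention: the first
        registration wins and a later claim on the same identity is refused."""
        if identity in self.index:
            return False
        entry = {"op": "register", "id": identity, "key": pubkey, "prev": self.head()}
        entry["hash"] = self._hash(entry)
        self.entries.append(entry)
        self.index[identity] = pubkey
        return True

    def lookup(self, identity):
        return self.index.get(identity)

    def verify(self):
        """Recompute the hash chain; True only if no entry was altered."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or self._hash(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def demo():
    ledger = IdentityLedger()
    first = ledger.register("alice@example.com", "pk_alice_1")   # constructed values
    squat = ledger.register("alice@example.com", "pk_attacker")  # refused: identity taken
    intact = ledger.verify()
    ledger.entries[0]["key"] = "pk_attacker"   # rewrite history on one replica
    return first, squat, ledger.lookup("alice@example.com"), intact, ledger.verify()
```

The final `verify()` fails after the in-place edit, which is the signal a replica would use to reject that copy of the ledger.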
The Internet of Things
We keep connecting so many different digital devices — from toothbrushes to turbines, smart homes, production plants, phones and connected cars (aka “smartphones on wheels”) — that there are terms for it: the Internet of Things (IoT) and the Industrial IoT (IIoT or Industrial Internet). In response, IBM and Samsung created their new Adept platform, which for example allows a machine or system to detect a failing part and order a replacement. Adept is built on the distributed blockchain database as a fast and (more) secure way to connect physical objects. So apart from making things of value less helpless and overcoming the fundamental flaws of TTP/CA/PKI/HTTPS based systems, blockchain may well also be the missing link to billions of (more) secure IoT/IIoT connections.
- PKI Considered Harmful (2000-2008)
- Security Collapse in the HTTPS Market (Communications of the ACM, October 2014)
- A Decentralized Public Key Infrastructure with Identity Retention (MIT, November 2014)
- The Cloud is Dead, Long Live the Cloud (Fortune, May 2015)
- Blockchain Scalability (O’Reilly Radar, January 2015)
This article was previously published in the SogetiLabs Blog
Jaap Bloem has been in IT since the PC era and is now a Principal Analyst at VINT, the Sogeti trend lab, delivering Vision, Inspiration, Navigation and Trends.