listen to this article:
We’ve taken the past couple of weeks to reflect on RSA and consider the many things we learned.
In addition to receiving socks, t-shirts, pens and iPads, attendees were genuinely interested to learn about the many new products and technologies exhibiting at the show. For all show hours, we answered questions and discussed our solution with the many passerby’s.
The highlight of RSA was the sessions by experts, where attendees hear industry leaders discussing the highest level of technological advancement, insight and scholarship in the industry.
We were proud that Prof. Nigel Smart, co-founder at Unbound presented on behalf of KU Leuven in Belgium and demonstrated once again the high-level mathematics on which Unbound’s technology is based.
Prof Smart’s presentation:
Key Management and Protection: Evaluation of Hardware, Tokens, TEEs and MPC
Prof. Smart began his presentation discussing the necessity of securing the keys that protect applications. If you don’t protect the key your application is no longer secure, and so mechanisms are created to try and protect the key. But we end up with a cat and mouse game where we jump through hoops trying to protect the thing which protects the thing which protects the key. And that still isn’t enough.
#1: Securing Cryptographic Keys in Dedicated Hardware
Traditionally, keys were secured with dedicated hardware such as HSMs, smart cards, key fobs—all which offer strong physical protection for this specific purpose. There are various ways to certify that this hardware is good: FIPS levels 1, 2, 3; Common Criteria, etc.
Hardware, says Prof. Smart, comes with significant challenges:
- They are subject to side channel attacks
- Hardware lacks agility. There are things we can’t anticipate, for example in post-quantum computing
- Different HSMs support different modes, so sometimes security protocols have to go to the lower common denominator, minimizing their effectiveness.
Key control also means that there can be incorrect uses of the key. There are a number of high-value applications where a single use of the key incorrectly can destroy a company.
Case 1: In a cryptocurrency exchange someone makes an unwise transaction and spends all the Bitcoin in the hot wallet. Game over.
Case 2: A software company is code signing and accidentally releases a patch on something that was the demo system not the production system with bugs in it. Game Over.
A mistake or fraudulent key use can be the end of a company.
#2: “Secure” Hardware
SGX, whose origins are from 1978, is a secure enclave within the computer. However, as recent events show there is a significant threat of side channels, especially cache attacks, speculative execution attacks and other side channels.
#3 Software has advantages, but it’s not foolproof
Prof Smart discusses the advantages to software, which are the ease to update and fix bugs and provide more agility. But, as he goes on to discuss the challenges with software, Prof. Smart goes into the impossibility of black box obfuscation and the lesser known white box crypto.
#4 New software approach: Multiparty computation (MPC)
With multiparty computation keys split into random shares which are put in segregated places. In most models, secure data in transport and data at rest is protected. MPC is the next frontier in which data is secured during computation.
MPC offers a mathematically proven guarantee of security. Strong separation achieves a high level of security. Different administrators can be assigned, shares can be placed on different cloud servers, and even on different continents. MPC supports authorization structures and can also protect client certificates.
MPC is changing the game of security with its many applications such as voting, GDPR, genomics, public policy, citizen privacy. MPC’s ease of use is that it offers all the benefits of software: Crypto and vulnerability agility, ease of management and relevance for endpoint and server.
The second part of Professor Smart’s presentation is a comparison of technologies: Software, TEE, Dedicated Hardware, and MPC. For a complete report on this comparison, check out this eBook.
Final RSA Impressions
MPC was a popular subject at RSA. We had strong engagement with attendees throughout the event and Prof. Smart’s session was well attended despite being held on Friday morning at the tail end of the event. Attendees were engaged and knowledgeable about MPC and as a world expert in the area, Prof. Smart’s session did not disappoint.
As far as pushing boundaries of the highest levels of security, Unbound is proud to be among the top with a solution powered by MPC.
Enjoyed Prof. Smart? Check out his vlog on our resources page
See Prof. Smart’s full presentation from RSA here: