PETITION (3 of 7) - Worldwide Secret Key Meta-Infrastructure - Supplemental FAQs

PETITION (3 of 7) - Worldwide Secret Key Meta-Infrastructure - Supplemental FAQs

Maria Gallant-Daigle, MEng Maria Gallant-Daigle, MEng

Maria Gallant-Daigle, MEng

Cybersecurity/software/electrical engineer ?? Security specialist with a hand of steel, in a velvet glove

发布日期: 2019年3月5日
+ 关注
At first glance, the Worldwide Secret Key Meta-Infrastructure recommended by this petition probably seems complex, but it is quite the opposite. Compared to the security tools on which we are currently pinning our hope, the underlying concept of this infrastructure will be easy to understand, even for great aunt Gertrude.

This article is the third in a series of 7 documents:

Note 1: The main document of this petition refers to a Universal Device Authentication Infrastructure (UDAI), which is a subset of the Worldwide Secret Key Meta-Infrastructure (WWSKMI) discussed in later documents. The UDAI is recommended in the phase I, and its goal is to bind tamper-resistant unique identities to connected devices, to allow universal zero-trust security.

Note 2: To facilitate the reader's experience, the term "secret key" will be used to refer to "high-entropy, tamper-resistant symmetric cryptographic key", throughout this document. Furthermore, for the sake of conciseness, the word integrity will be used to represent authenticity (proves that a device is who it claims to be) as well as integrity (proves that a received message is the same as the message that was sent).

Note 3: By default, this document refers to the WWSKMI provided by device manufacturers (MFGSec). The reader should keep in mind that secret keys from other independent organizations (e.g.: OSSec provided by commercial operating systems) could be concatenated, to increase the trustworthiness of the overall services (see FAQ #11, #12).


FAQ #A - What is the problem to be solved?

Recently, I realized that my teenage son had found a way to bypass our home Wi-Fi parental controls. In order to gain Internet access on a 24/7 basis, he used a well known attack called "MAC spoofing". I am a parent, as well as a cybersecurity professional, and I have mixed feelings. Should I be proud, or distressed? 

Various spoofing attacks exist. These are widely used by professional fraudsters, as well as by inexperienced hacking enthusiasts (such as my son, and maybe yours too). The concept behind them is simple. Because the identity of the sending device is not "protected", it can be tampered with. My son's MAC spoofing attack is illustrated below. Despite the fact that the manufacturer has tagged the device's hardware with a unique MAC address, nothing prevents applications from lying, and using a false identity in order to gain access to something that should normally be out of their reach.

No alt text provided for this image

Spoofing vulnerabilities (IP, DNS, ARP, MAC, ...) are ubiquitous, because the identity of the majority of our network-connected devices is not protected with secret keys. This is true for all device types, including computer assets (servers, desktops, laptops, thin clients, tablets, smartphones, ...), networking devices (routers, switches, ...) as well as the myriad of existing network-connected IoT devices.

Protecting only high-end computer assets from spoofing attacks is not sufficient to solve our cybersecurity problems. Our network-connected systems are only as safe as the weakest link in the chain. Basic security services need to be provided, without any extra charge, for all network-connected devices, worldwide.


FAQ #B - Which technology do we have at our disposition, to prevent spoofing attack?

Various approaches can be used to thwart the spoofing attack described previously.

Anomaly detection approach

With this strategy, a security tool tries to distinguish a normal behavior (e.g.: after 10pm, nobody in the house surfs the Internet, because everybody is sleeping) from unusual behavior (e.g.: all of a sudden, unusual IP addresses are used to surf the Internet until 2am).

Remember the tiny needles in the huge haystack metaphor? When using data analysis approaches, malicious hackers are successful if they manage to find a single needle (vulnerability) in the haystack, while we, on the defense side, have to find all of them (attacks) on a real-time basis, to keep our systems safe. In other words, intuitively speaking, it is not feasible to protect the security of our cyber-assets with an approach based on anomaly detection.

Approaches that use secret keys

We know that using secret keys is the most efficient (to use the least resources) and effective (to reach the goal) way to secure network communications. To get an intuitive feeling of how secret keys can be used to protect the integrity of those communications, please refer to FAQ #H.

Meanwhile, if we decide to use secret keys to prevent our teenagers' spoofing attacks, we have two options: solo-mode vs collaboration-mode.

Solo-mode (custom local solution, based on secret keys): Option 1, which is illustrated below, would be the fastest way to prevent my son's spoofing attack. No need to spend countless hours trying to convince others. This is basically what our organizations are currently doing, and it has a major flaw. The majority of devices connected to our worldwide networks can lie about their identity (spoofing attacks). They can hijack others' communications (MITM attacks). They can lure unsuspecting legitimate devices to support their malicious schemes (DDoS attacks). Communication integrity is not enforced by secret keys, and the result is like a box of chocolates. You never know what you are going to get.

No alt text provided for this image

Collaboration-mode (universal approach based on secret keys and inter-organization collaboration): This is illustrated in option 2 below, and it is what this petition is recommending. Rather than using a custom and local solution to ensure network communication integrity, device manufacturers become security brokers. The integrity verification uses an alternate route which involves the help of manufacturers. When this scheme is used, only a sample of the packets sent between two communicating devices have to be verified. The sampling rate depends on the required statistical confidence, and this ensures that the overall communication has not been tampered with.

No alt text provided for this image
A Worldwide Secret Key Meta-Infrastructure is a feasible solution that will prevent our corporations from losing millions of dollars annually, because of security breaches.


FAQ #C – From a management point of view, which improvements would the Worldwide Secret Key Meta-Infrastructure provide?

This petition is asking corporate executives to provide us with a Worldwide Secret Key Meta-Infrastructure. Here is a list of what they will get in return, if they decide to go along with this venture:

  • Chief Financial Officer (CFO): Unless we rethink our approach, cybersecurity spendings are going to continue rising, indefinitely. Reaching the goal is not feasible with our current approach, because malicious hackers have access to the same technology as we do. With a Worldwide Secret Key Meta-Infrastructure, cybersecurity costs would be more easily predictable, just like when we need to build a school, or design the prototype of a new product that will eventually be released on the market.
  • Chief Human Resource Officer (CHRO): When security breaches occur, that is usually when the finger pointing process starts. Using a non-feasible approach to reach a goal is bad for employee morale, especially for those who do their work with integrity, and are truly committed to helping our organizations strive for excellence (this is the majority of employees, agree?).
  • Chief Technical Officer (CTO): These are the techie members of executive teams. They are constantly on the lookout for new technologies that will allow their organizations to be more profitable. Once the Worldwide Secret Key Meta-Infrastructure reaches its maturity stage, choosing the right technology to ensure cybersecurity will be much easier, for most organizations. The secret keys will already be embedded in devices at the time of purchase, and the local/remote commodity services will be used by commercial software to provide a turn-key solution, which will seamlessly protect the basic security of all cyber-assets.
  • Chief Operations Officer (COO): Operational teams, who are the bread and butter of our businesses, are under constant pressure to reduce costs, while spendings related to cybersecurity keep rising. This is somewhat unfair, to say the least. Once corporations regain control of cybersecurity, it will be easier for management teams to honor and reward good work, in a more fair and equitable manner.
  • Chief Executive Officer (CEO): Every ship needs a captain. This role is glamorous in fine weather, but becomes challenging when a storm strikes. Hopefully, this petition will help them guide their crew, towards the SAFEST harbor.


FAQ #D - This petition refers to "loosely-coupled layers of security". What does this mean?

The concept of loose-coupling is widely used by information technology professionals. It allows them to break down large projects into smaller pieces, and deliver quality work that is easier to maintain afterwards.

Loose-coupling used to help manage the Software Development Life Cycle (SDLC)

Software developers considerably benefit from using this approach, especially when working on larger projects. In their jargon, the opposite is referred to as "spaghetti code". An image is worth a thousand words.

As mentioned previously, layer C of the MFGSec model is meant to be the playground of software developers. In the illustration below, this layer has been split into other loosely-coupled layers.

No alt text provided for this image

The software developers who work at the upper C-5 layer would not have to do anything to benefit from the WWSKMI. This is because their applications use the services from lower layers (C-1, C-2, C-3, C-4), to take care of network communications.

For example, web applications (in layer C-5) use the services of web servers and web browsers (in layer C-4), which in turn use the services from layer C-3 (e.g.: Microsoft Windows network drivers, Linux network stack, ...). In other words, only middleware and lower-layer networking software would need to be updated to use the MFGSec Commodity Services.

This petition recommends an infrastructure that is feasible. Once device manufacturers establish the WWSKMI, software developers involved with middleware and networking drivers will be able to start using it, to add an extra layer of security and protect our worldwide cyber-assets.


Loose-coupling used by network professionals

Professionals specialized in computer networks also use loose-coupling to help them work more efficiently and effectively. In particular, they use the TCP/IP model. This model helps us visualize how packets are wrapped, before being sent from one device to another, using a network. Our corporations currently use highly specialized technology, to secure each layer of the model, within their organization (intra-organization).

A Worldwide Secret Key Meta-Infrastructure would allow security enforcement that would span beyond the boundaries of our corporations (inter-organization), as illustrated below.

note: Depending on their specialization, IT professionals use different terminology and models to refer to the same thing. In the TCP/IP model displayed below, the "application layer" would be associated to the C-4 and C-5 layers shown in the previous illustration. The OSI model has more layers, and its session/presentation layers could be associated to the C-4 layer above.

No alt text provided for this image


FAQ #E - This petition refers to "high-entropy" crypto keys. What does this mean?

Entropy is a technical term used in a variety of fields such as physics, biology as well as information theory. In the case of the latter, it has a mathematical definition which allows us to measure how unpredictable a system is. When dealing with crypto keys, unpredictability is very useful.

A high-entropy crypto key can also be called a hard-to-guess secret key.

Once we have a Worldwide Secret Key Meta-Infrastructure at our disposition, even if malicious hackers have access to cutting-edge technology such as machine learning and artificial intelligence, our cyber-assets will be out of their reach, because they will be protected by our hard-to-guess secret keys.


FAQ #F - Would a WWSKMI help reduce the costs related to IT controls and compliance management?

Probably not.

But it will significantly reduce the risk of security breaches, and is sure to have a positive impact on employee morale.

No alt text provided for this image
No alt text provided for this image


FAQ #G - Why don't we already use more symmetric cryptography (two identical keys) to secure our cyber-assets?

This is because asymmetric cryptography (one private key and one public key) provides a turn-key solution, with much less effort, compared to its symmetric counterpart (two identical keys). In the case of asymmetric crypto, the owner of the private key has power and control, because the public key can be broadcasted to all, without restriction. No need to spend countless hours explaining and trying to convince decision-makers. On the other hand, symmetric cryptography requires greater care, because both keys need to be kept secret.

With time, our community of cybersecurity specialists seems to have developed the belief that technology alone will solve our cybersecurity problems. If we break free from this paradigm, and decide to establish a Worldwide Secret Key Meta-Infrastructure, we could use snail mail to transfer MFG-to-MFG secret keys between manufacturers. Some corporate executives might even be happy to hand-carry a few of them, if this is the price to pay to avoid being in the news because of a security breach.

Extra details:

Techies will state the fact that symmetric cryptography (two identical keys) is widely used to protect our cyber-assets. They are referring to popular protocols such as SSL, PGP and SSH, who use symmetric session keys to secure the major part of transactions. However, we must not forget that the initial handshake of those protocols is secured with a private and public key, and therefore asymmetric crypto is at the foundation of their security.

No alt text provided for this image


FAQ #H – Secret keys can be used to ensure the integrity of network communications. Can you explain how this works and give an example to illustrate the idea?

Using a signedMAC to ensure the integrity of a transmitted message:

When two network-connected devices have the same secret key in their possession, they can use it to detect if a message has been tampered with, during the transmission process. Here are 3 steps that describe this process:

Step 1 - The sender uses the message and the shared secret key to generate a new signedMAC. Both the message and the signedMAC are sent to the other device, using an untrusted network such as the Internet.

Step 2 - The receiver uses the message and the shared secret key to generate a new SignedMAC.

Step 3 - If the two versions of the signedMAC are identical, this is the proof that the original message has not been tampered with.

Using a metaphor to visualize how cryptography is used to ensure integrity:

Let's say Alice wants to send a message to Bob. The message contains the day and time of their next date. Alice doesn't expect the message to be kept private, but she wants to make sure that the content is not tampered with, before reaching its destination. She knows that their friend Rufus (which rhymes with jealous) has recently been trying to interfere with their relationship.

Trying to understand cryptographic algorithms can be mind-boggling. Let's use a fictitious 3D maze to illustrate the underlying concept that would allow us to ensure the integrity of a transmitted message, using secret keys. The prototype is illustrated below.

No alt text provided for this image

Here is how it works:

  • Aliens have built the huge 3D maze, which is equipped with billions of input/output doors, each assigned with a unique number. Everybody can use the maze, but nobody has access to the blue-print (the aliens destroyed it).
  • When we enter the maze through an input door (identified with a unique number), and we follow a predetermined maze path, we will exit the maze through a specific output door (identified with another unique number).

This 3D maze, as well as the shared secret maze path, will allow Alice and Bob to communicate messages between each other, with the assurance that any tampering will be easily detected:

  • Alice and Bob both agree on a "secret maze path" to be used. This is their shared secret key.
  • The message to be sent contains a number (the day and time for their next date), and can be associated to a unique input door of the maze.
  • Before sending the message to Bob, Alice uses the 3D maze to identify which output door is reached, when following their shared secret maze path (secret key).
  • Alice sends the two numbers to Bob (input and output door numbers), confident that any tampering will be detected by Bob.

Rufus (which rhymes with jealous) will not be able to tamper with the message, without being detected:

  • If he modifies the day and/or time of the message (input door number), Bob will immediately realize that the output door number is not the correct one.
  • He cannot identify the correct output door number associated with the new day/time, because he doesn't know the secret maze path (only Alice and Bob know the secret key).

Using a giant 3D maze, such as the one described above, is obviously not feasible. Luckily for Alice and Bob, cryptographic algorithms that use secret keys to ensure integrity do exist. We should use them more often, to protect the integrity of communications sent over untrusted networks, such as the Internet.


FAQ #Y - What is the most important thing to remember from this petition?

Secret keys provide a lot of power, and a lot of control. Let's use more of them to pave the road towards the SAFEST world, for generations to come.


FAQ #Z - Why was this petition written?

Some think that cybersecurity is like Russian roulette. Chess is a better comparison. When things go wrong, you can always learn from your mistakes, and start a new game.

If you want to go fast, go solo. If you want to go far, go together - African proverb

Please sign this petition: 

#LetsTalkAboutThis
No alt text provided for this image
If you made it to the end of this article, please consider leaving a trace of your visit.
That would be great.
Thank you.
No alt text provided for this image

This article is the third in a series of 7 documents:

要查看或添加评论,请登录

更多精彩文章

社区洞察

其他会员也浏览了