Would you hire a locksmith you don’t trust?
Picture this. Your home has been broken into repeatedly. Things have been stolen and damage has been done, leaving you and your loved ones feeling very vulnerable and terrified by the prospect of future, perhaps even more dangerous, violations of your personal space. You know for a fact that entry to your castle hasn’t been achieved through sophisticated “Mission: Impossible” schemes that have thieves dropping from skylights or tunnelling into your home from nearby locations. You’ve got it all on security camera footage, and it’s shocking. The bad guys are entering your home the same way that you and your family do: using a key to unlock your front door.
The police are called and the solution seems clear. Change your door locks. You do your homework, ask around, and read consumer reports in search of the best locksmith that money can buy. You find him, and guess what? The best locksmith on the planet carries the most secure locks in the world...but here’s the kicker.
The most secure locks in the world are the very ones that are currently protecting your home!
The locksmith tells you that the 2015 version of these locks is new and improved, and that he is confident that they will properly protect your home and family. You do some more homework, and learn that the 2015 version of the lock, being recommended by the world’s best locksmith, is improved. It now comes in several new colors. As for the rest of the lock, it’s identical, utilizing the same chunky pin-and-tumbler design popularized early last century.
Still, you are dealing with an expert in locks so he must know what he’s doing. Just as you are about to call the locksmith and arrange for the shinier ‘new locks’, your 7-year-old daughter asks, “Daddy, do you trust the locksmith?”
You reply, “Yes, he’s a very good man...”
“But do you trust what he’s telling you?”
Out of the mouths of babes...
You don’t, of course. You can’t possibly. How could you based on what you’ve learned? Yet, in today’s badly-broken connected world that is a virtual open door for cybercriminals, that’s exactly what we do every day. We trust what the world’s electronic locksmiths are telling us, and despite so much evidence that states that we shouldn’t, we blindly hire them to protect our interests. The party line from the massive e-security industry, including giants like Apple and Google, is that they use ironclad crypto. I can almost hear the collective refrain. “Trust us...all is well.”
All is not well. Not even close. It’s closer to tragic. Closer still to very dangerous. And if you’re not convinced that things are completely out of hand, read this compelling 2014 article, “The strange connection between the NSA and an Ontario tech firm,” in which Certicom (acquired by Blackberry in 2009) was called out by The Globe & Mail, Canada's national newspaper, for reportedly intentionally building vulnerabilities into its cryptography in 2005.
Security researcher Bruce Schneier concludes the article by stating, “…researchers are now questioning what other backdoors have yet to be discovered, and whether the NSA made similar payments to other companies to keep flawed algorithms in use. This is the poison of NSA action, they taint everything.”
A Reuters report in December 2013 revealed that the NSA had paid RSA Security $10-million to make a now-discredited cryptography system the default in software used by a wide range of Internet and computer security programs. The system, called Dual Elliptic Curve, was a random number generator, but it had a deliberate flaw - or "back door" - that allowed the NSA to crack the encryption.
Certicom and RSA aren’t the only companies identified. Companies such as Cisco, Samsung and Symantec all reportedly implemented vulnerable algorithms in their products.
These mind-boggling articles raise the questions:
“If backdoors were intentionally built into earlier crypto schemas, do you think that this is still happening today?”
“Are the electronic locksmiths of the world saying ‘trust me’ on the one hand, and handing the keys to their technology to national security agencies on the other?”
I can’t answer these questions, but I have an opinion based on what I’ve read and discussed with others. It starts with my view that when it comes to cryptography, nothing has changed...
The Internet of Things
And now, here comes the next massive technology wave – one that will dwarf the Internet as we now know it, in terms of the number of connections, market size and lifestyle impact – the Internet of Things (IoT).
How will the electronic locksmiths of the world protect us from the dark side of IoT? So far, it appears that they won’t. In many cases, they haven’t incorporated any security, and when they have, they are relying on the very same broken technologies that have already been proven to be highly vulnerable to cyber criminals.
What’s their plan?
Polish it up. Embed it in a shiny new IoT “platform,” and say, “Trust me...”
Some ITsec companies are using Elliptic Curve Cryptography (ECC) for IoT, like TrustPoint (co-founded by a former Certicom co-founder and executives...hmm). TrustPoint has been selected as the security provider for the US Vehicle-to-Vehicle (V2V) communication crash avoidance system called Secure Credentials Management System (SCMS). A key component in SCMS is its PKI-based security schema, which uses Elliptic Curve Points (ECPs). Elliptic curves are certainly an improvement on SSL/TLS (unless they have a “back door” built in…) but they introduce a whole new problem. SCMS will become the largest ever Public Key Infrastructure (PKI) deployment: 45,000 times larger than the largest current PKI implementation (that should be easy to manage).
So, if SSL/TLS-based security should be avoided at all cost, and other PKI-based solutions like ECC, while more secure, introduce unmanageable solutions, what’s the answer? Identity-Based Encryption (IBE), something that I believe HP realizes, based on its recent acquisition of Voltage, which first commercialized IBE in the early 2000s.
IBE doesn’t have the flaws inherent in other crypto-based solutions, and it’s perfect for securing enterprise applications like email (which I understand HP/Voltage uses to render JPMorgan Chase’s email service secure). What the HP version of IBE doesn’t do on its own, however, is deliver the features and capability to scale to the levels required for massive IoT deployment. Fortunately, the recently-released IBE 3.0 added the critical components that IoT requires, such as authentication, and it’s now secure end-to-end, making it the ideal security schema for this emerging market. Further, IBE eliminates the need to manage keys because it generates new keys for each session, thereby bringing simplicity to what is today a looming massive IoT problem (imagine the cost and complexity of managing tens of billions of certificates and keys…). Complexity is the mortal enemy of IT security. This is a case where less is more secure.
The Elephant in the Room
There’s another major issue when it comes to trusting the major IoT vendors. I know this from engaging with leaders and major IoT developers worldwide. Trust issues don’t only apply to trusting the technology; they also apply to trusting the people who provide it. Like it or not, since the Snowden revelations, entire nations do not trust each other, certainly not when it comes to importing crypto-based security technologies.
How does one address this situation? First, we can’t be naive about this. Some countries will mandate that a back door be integrated into crypto implementations that originate in country. But – remember the elephant in the room – these crypto providers (in my opinion) are going to face significant challenges and limitations when it comes to exporting their crypto schemas to other nations.
If you’re like me, you want to trust your locksmith - not only what he says, but also the technology that he is endorsing.
I changed my digital locks to IBE 3.0. Maybe you should, too.
IBE 3.0 is patented. The patents were acquired by VIBEcyber.com and the technology was re-branded as Verifiable Identity Based Encryption (VIBE). While positioned as ideal for IoT, VIBE is a security ingredient that can be baked into any existing connected solution, replacing dated, broken key exchange and authentication technology. For more information on VIBE, please connect with me on LinkedIn.
Founding Partner and CEO of Realising-Potential |Leadership & Management | Business Systems | Governance | Alignment | Data Insights | Cybernetics
8 years ago: An interesting question for enterprise and solutions architects, isn't it?
Healthcare, Telco, Security & Human Capital.
9 years ago: The situation is similar to the TSA certified suitcase locks. Today every motivated person can 3D-print the (backdoor) keys from files from the internet. If there is a backdoor, ill-meaning miscreants can get access to it as well (see the Juniper case just recently).
A maybe stupid remark from a non-tech expert: Is it because the NSA is itself keeping backdoors open that the US government is so anxious about Chinese products' backdoor security?
Analytic--Investor--Student
9 years ago: Keep your eye on 'em while he/she performs the task... And, let 'em go. No?
Happy Retiree
9 years ago: Definitely not! Very good article, indeed.