Gideon Samid • Gideon@AGSgo.com
Cryptographers often make this boast about the cipher they have installed for you: “It’s nearly impossible to crack the secret key, and it’ll take thousands of years to break a single key.” While this mathematical resistance to hackers is very impressive to academic cryptographers, it’s almost irrelevant for security officials on the front line.
The reality on the street is that keys are stolen, not broken. And this has been true in recent years more so than ever before. Human-resources officials, for example, find it increasingly difficult to keep tabs on the honesty of people who have access to confidential material. The result is an increased level of insiders’ breach of trust.
Cryptography per se is quite powerless against this risk because cryptography in its very essence distinguishes between a key holder and a non-key holder. It cannot distinguish between the rightful holder and a thief. And yet, a solution was found. And it works beautifully and conclusively.
The underlying premise is simple: You cannot steal what does not exist. Consider Alice and Bob, two top corporate executives. Normally, Alice and Bob would exchange a bilateral secret key and use it for their top-secret communication. That bilateral key is kept by Alice and Bob (each keeping a backup copy, just in case), as well as by the chief security officer and his staff, and it’s accessible by anyone who can hack into any of the computers holding the key.
Now that stealable key is of no use until the very moment Alice and Bob decide to have a confidential conversation. So, why not come up with a cryptographic solution where the secret key is generated just in time, only when it is needed? If we do that, then insiders and hackers of all sorts will be left empty-handed. Again, you cannot steal what does not exist. And if the key is erased right after the exchange, there is also no key to steal afterwards.
But how do we accomplish that? As it happens, there are new procedures coming down the pike that allow any two people who just met to establish a robust secret communication channel over a public data highway. Their shared secret is not vulnerable to the mathematical shortcuts that threaten one-way functions, which are so common today.
But even today, one could use a one-way function crypto-solution to engineer a cryptographic exchange where the keys are generated just before they are used. When a customer executes a transaction with an online store, her security is often assured by a procedure known as Diffie-Hellman (DH). DH works by letting Alice and Bob exchange some information in the open, pre-key. Based on this pre-key, both Alice and Bob make a random choice, and use this choice to establish a shared secret key.
Let’s recall that, in essence, a random choice is an unpredictable choice—a piece of data that is not copied from anywhere, not pre-stored on any media, and not susceptible to theft before the randomization act gives birth to it. Hence, the cryptographic key that is generated in this procedure resists theft. It is immunized against prowling hackers.
So here is the solution: Alice and Bob agree not on a secret cryptographic key, but rather on a secret pre-key, and then use this pre-key, combined with instantly generated random data, to create the communication key just for that conversation.
So good-bye hackers, right? Not exactly. It’s true that hackers will not be able to steal the key used by Alice and Bob for their confidential exchange. However, hackers could potentially steal the pre-key and use it to pretend to Bob that they are Alice, and vice versa.
There are ways to counter this risk, but I am running out of space. So let’s just summarize: Instead of safe-keeping the actual communication key that would give its thief total visibility into confidential content, communicating parties should secretly share a pre-key that is used to generate just-in-time, theft-resistant session keys. This is not only more secure, it’s also more convenient. A group of executives could all share the same pre-key, yet achieve bilateral confidentiality because the actual crypto key they use is unique to their particular conversation.
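One way to build the pre-key scheme summarized above, as an added example that is not code from the article or its author: each side makes a fresh Diffie-Hellman random choice, proves knowledge of the pre-key with an HMAC tag, derives the session key, and drops its random secret. The names `Party` and `converse`, the HMAC-SHA256 construction and the toy-sized group are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Toy group so the example runs on the standard library alone (assumption):
# 2**255 - 19 is prime, but a real deployment would use a vetted group
# such as X25519 or an RFC 3526 MODP group.
P = 2**255 - 19
G = 2


class Party:
    """One side of a conversation; the only long-lived secret is the pre-key."""

    def __init__(self, name: str, pre_key: bytes):
        self.name, self.pre_key = name, pre_key
        self._x = None  # ephemeral secret, exists only during a handshake

    def hello(self):
        """Make the random choice; return (public value, tag under pre-key)."""
        self._x = secrets.randbelow(P - 3) + 2
        pub = pow(G, self._x, P)
        return pub, self._tag(self.name, pub)

    def _tag(self, sender: str, pub: int) -> bytes:
        msg = sender.encode() + b"|" + pub.to_bytes(32, "big")
        return hmac.new(self.pre_key, msg, hashlib.sha256).digest()

    def finish(self, peer: str, peer_pub: int, peer_tag: bytes) -> bytes:
        """Check the peer holds the pre-key, derive the session key, drop x."""
        if not hmac.compare_digest(peer_tag, self._tag(peer, peer_pub)):
            self._x = None
            raise ValueError("peer did not prove knowledge of the pre-key")
        if not 1 < peer_pub < P - 1:
            self._x = None
            raise ValueError("degenerate public value")
        shared = pow(peer_pub, self._x, P).to_bytes(32, "big")
        self._x = None  # the random choice is discarded after one use
        return hmac.new(self.pre_key, b"session|" + shared, hashlib.sha256).digest()


def converse(pre_a: bytes, pre_b: bytes):
    """Run one handshake between Alice and Bob; return both session keys."""
    alice, bob = Party("alice", pre_a), Party("bob", pre_b)
    a_pub, a_tag = alice.hello()
    b_pub, b_tag = bob.hello()
    return alice.finish("bob", b_pub, b_tag), bob.finish("alice", a_pub, a_tag)
```

Someone who later copies the pre-key and a recorded handshake still lacks the discarded random choices needed to rebuild that session key, though, as the article notes, the stolen pre-key would let them pass the tag check in a new conversation.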
A field note: the hardest part in getting companies to adopt this solution is the sense of overconfidence that our keys are so secure, no hacker will ever come close. What can I say? Human nature rarely changes with life experience.