What is wrong with legacy encryption tools?
Technology and communication industry leaders globally are trying to solve the security challenges stemming from the new and multi-connected world of 5G and IoT. The currently used tools – including PKI and IPSec amongst the most prominent examples - are designed to provide protection in an environment where secure communication is principally a matter between two parties. The new world, however, requires “many-to-many authentication” with real time connectivity and fully secured identification between numerous entities This requirement needs to be met by a scalable solution in the dynamic 5G and IoT environment. All of this must be executed under economically and environmentally compelling terms following the strictest rulebook of the sustainable world.
Security and privacy are widely recognized as the crucial points in the advancement of IoT networks. As technical matter it is important to keep in mind that authentication process, which ascertains that an entity really is who it claims to be, is in the front end of the access control chain. All other security and data transmission operations follow the authentication process. The very same security requirement is applicable for every node which is connected to the network – be it any network elements, sensors, routers, data storages, cloud services, personal devices and any other end terminals in the system concerned. All of these must be linked with multi-party authenticated and encrypted connectivity.
The above discussed challenges have gained increasing attention in academic industry research, recent regulatory and strategy statements, and recent publications by the leading global telecommunication equipment vendors.
"The traditional methods of adding encryption and authentication to secure traffic in an IP/MPLS network typically include techniques associated with the IP security (IPsec) suite of protocols and related technologies. IPsec was originally designed to secure point-to-point Layer 3 traffic (IPsec tunnels) over an insecure medium, and did not initially target any-to-any communication for virtual private routed network (VPRN) services.
To adapt IPsec for any-to-any communication, an operator must establish a mesh of point-to-point tunnels between participating nodes. Scaling issues and the operational complexity of this solution are well known and have inhibited this approach from being adopted at a large scale to solve any-to-any communication using a point-to-point encryption approach." (Nokia White Paper)
Providing multi-party authentication for modern IP traffic is well articulated by the US DoD.
"Initial priorities included retirement of 20-30+ years old technologies, transition from point-to-point to network-centric cryptographic systems, and countermeasure actions in response to continued advances in computer processing power which enhanced adversary capabilities against DoD systems."
"The main purpose of identity management is to manage the life cycle of identities and provide identification, authentication and access control services for identities. There are various identities that serve different purposes in the IoT approach, but the main ones are for device and user identification. The others are used for management of devices, functions and services. Identifiers and keys are also used to sign data, including software and firmware. These different device identities are needed to identify the devices for connectivity within the access and network domains, and to identify device applications in the IoT platform and cloud domain." (DOD)
Rethinking Trust – Moving to “Zero Trust” Strategy
Trust, as cornerstone for security, is challenged at fundamental level in the present world. Governments and enterprises are adopting a “Zero Trust” operating strategy, whereby vendors and technologies are only trusted if they come with credible validation and/or audit - covering all hardware and software components. Recently emerged geopolitical tensions have reinforced the focus and requirement for this new trust model.
It is clear that trust must be redefined. Zero Trust is a the new requirement for the future - trust nothing and verify and authenticate everything. Uncompromised security is a key “license to operate” requirement and it is a cornerstone for technology design – it is not an optional extra. This message has reached government level actors and top enterprises on global scale.
US DOD strategy paper articulates this very clearly:
"Zero trust is a cybersecurity strategy that embeds security throughout the architecture for the purpose of stopping data breaches. This data-centric security model eliminates the idea of trusted or untrusted networks, devices, personas, or processes and shifts to multi-attribute based confidence levels that enable authentication and authorization policies under the concept of least privileged access. Implementing zero trust requires rethinking how we utilize existing infrastructure to implement security by design in a simpler and more efficient way while enabling unimpeded operations." (US DOD strategy Paper)
The question is how to do this. How can we implement a solution which resolves this problem. This means that current legacy internet security technologies like IPsec, SSL, PKI, ECDH, VPN, etc. are not the answer. New technologies are needed. Solving multi-party authentication and encrypted IP traffic is also the vision of US DoD.
"Initial priorities included retirement of 20-30+ years old technologies, transition from point-to-point to network-centric cryptographic systems, and countermeasure actions in response to continued advances in computer processing power which enhanced adversary capabilities against DoD systems." (US DOD strategy Paper)
Multiparty Computation (MPC) based Multi-Party Protocol (MPP) to replace legacy technologies
The technology requirements of the new 5G and IoT world, and the adoption of Zero Trust strategy, have prompted a significant R&D investment globally to find a solution. Multiple efforts and “innovations” have failed the test.
MPP multi-party security protocol developed by Privecomms Oy has attracted the global interest of industry participants as it provides secure authentication for multi-party environments. MPP delivers shared secrets and security between numerous nodes in a defined group. MPP is capable - with one user-controlled trust anchor - to provide authentication and e2e encryption for all the nodes in an IoT or other IT system with compelling economics and significantly enhanced security.
As DoD sees, all the elements in the data transmission chain should be validated and authenticated. IoT systems, where critical data is handled, have the same requirements:
"The main purpose of identity management is to manage the life cycle of identities and provide identification, authentication and access control services for identities. There are various identities that serve different purposes in the IoT approach, but the main ones are for device and user identification. The others are used for management of devices, functions and services. Identifiers and keys are also used to sign data, including software and firmware. These different device identities are needed to identify the devices for connectivity within the access and network domains, and to identify device applications in the IoT platform and cloud domain." (US DOD strategy Paper)
Currently available authentication and security protocols provide only a “piece meal” solution – adding another isolated defense tool to the security box. MPP protocol, however, is a proactive solution delivering security in an integrated fashion.
Large scale IoT systems and 5G connectivity
5G networks are particularly well suited to serve connected low latency high data speed systems, like vehicles, critical medical systems, cloud and drone swarms, which are often automated or driven by artificial intelligence. Network slicing and multicast capabilities are recognized as important 5G features in critical communication environments.
The question is how to do authentication and encryption when the number of sensors can be millions and millions, and they need to have same shared information available with sub1ms requirement. There is simply no time to do the session key exchange millions of times between multiple sensors and authentication protocols – PKI and IPSec based solutions are not designed for this context.
Zero Trust requires authenticating all elements which have access to the underlying data – and secure connections have to be formed between multiple parties in real time. Same real time IoT systems require also multicast capable traffic. One node in the system will send information and multiple parties will receive it. Real time encrypted connections between multiple authenticated parties are vital – these can be effectively delivered by the MPC driven MPP protocol.
Legacy technology stack can not solve the current and future problems in security. MPC has extremely potential role solving these big challenges and objectives in cyber security.
Author: Privecomms Oy
Privecomms is a Nordic MPC technology company from Finland. Privecomms’ technology platform relies on open source and highly transparent software components and tool stack enabling security by design solutions with new encryption tool stack. https://xxlsec.com/mpp-protocol/
Industry references
- Nokia:
- Ericsson:
Regulatory references
- US Department of Defence
https://media.defense.gov/2019/Jul/12/2002156622/-1/-1/1/DOD-DIGITAL-MODERNIZATION-STRATEGY-2019.PDF
- NIST: Zero Trust Architecture