Cryptography is Trust as Code

Jarred McGinnis
June 15, 2021

Trust the math and nothing else, even then double-check your proofs.

It’s incredible that in this world there is any trust at all. You need only watch a nature documentary or CNBC to know deceit, treachery and malfeasance are rife. Yet, here we are. The vast majority of our transactions are secure and successful. Our passwords remain confidential, usually. Our data's integrity is preserved, more often than not. 

How? By assuming the worst. SecOps sees a world where bears naked short-sell and dodgy investment firms tear into salmon with their teeth and claws. Strike that, reverse it. 

Cryptography creates trust by assuming its absence, that no one is trustworthy. It’s interesting that TLS uses the term ‘handshake’ for establishing a connection between two computers. A handshake is an ancient tradition, possibly Roman, whose purpose was to demonstrate that your sword hand was empty. Some historians have argued that the up and down of the clasped hands was intended to show there were no hidden weapons up the sleeves of the hand-shakers. In a TLS handshake, the interlocutors establish the grounds on which the exchange can be trusted: they verify each other’s identities and agree on the encryption algorithms and the session keys.

Instead of the impossible task of determining whether the other person is trustworthy, cryptography defines scenarios and circumstances in which an instance of communication can be trusted. That’s it. No one is worthy of trust. The claim to trust is actually even more tenuous than that. Trust is limited to the guarantee that the communication preserves the confidentiality of the data exchanged, establishes the authenticity of the participants’ identities, verifies that the message has retained its integrity (i.e. has not been modified between sender and receiver) and ensures that the sender cannot repudiate having sent the message. The other party might still have malicious intent, but they won’t be able to manipulate the communication to exercise it.

Cryptography aims to define protocols of communication that remove the possibility, or the value, of malicious activity, and to do so in such a way that the claims made are provable and demonstrable. Cryptography is about mitigating risk while acknowledging its inevitability. A ‘trusted key’ is shorthand for a cryptographic key that can be used because it hasn’t yet been proven to be compromised: the mathematics that proves a protocol secure is usually built on assumptions such as ‘a malicious actor does not have access to the private key’, an assumption that quietly fails the moment a developer hardcodes that key as an expediency.

Kerckhoffs’s Principle is another example of how trusting less makes things more trustworthy. By making cryptographic algorithms public rather than trusting one third party’s proprietary solution, the algorithm’s faults are found and fixed, and people can see for themselves whether it can be trusted. The alternative is to trust that a third party will never become untrustworthy or compromised. History repeatedly teaches us how that goes.

The best SecOps teams thrive on their suspicion, ensuring that digital signatures are checked regularly, MACs verified and identities confirmed by certificate authorities. They define strategies and use tools to deal with the moment when the trusted becomes untrustworthy. Tools like <analyzer> are used to continuously review the multiplicity of cryptographic objects to ensure that algorithms, keys, certificates and protocols are secure and up to date. They’ll have seen once-trusted algorithms such as DES and RSA become compromised. So it will go for the algorithms they are currently using, especially in light of advances in quantum computing.

Why All The Fuss About Trust?

I’ve been told by the editor I’m allowed one metaphor per article. So here it goes. Trust is the oxygen of commerce. Only when it is removed does its importance become understood. Like oxygen, it’s there all the time. It has to be. Over the centuries since the Code of Hammurabi, a framework for trust has been built, including the consequences for breaking it. In our hyper-connected world, cryptography continues to keep the lungs of business full. Okay, I’ll stop now. It’s easy to take trust for granted, but how quickly a company squanders a hard-earned reputation, built by decades of trusted interactions, with the simplest of lapses. For example, certificates, which we talked about at length in a previous post, are just simple files. They’re easy to forget about or ignore. Yet a certificate is so much more than that. It borders on eloquence how such a simple file provides that tentative and fleeting trust for communication in a world of eavesdropping, spoofing and bears. It is why they have become so ubiquitous. And yet, time and time again, companies learn the hard way how a single certificate outage can destroy not just trust in that one instance of communication, but the reputation of the entire organization and, at the very least, cost millions of dollars in lost revenue, wasted time and potential subsequent compliance penalties.

Cryptosense gives SecOps teams the tools they need to simplify the management of their organization’s cryptographic objects, at the scale required for the business to preserve its reputation, and to identify when trust has lapsed and address it before it becomes a problem rather than after.