This process won't be perfectly secure for many reasons, but it's more secure than using the less guarded public key repositories, and it may be more secure than trusting a random Web page to deliver the correct public key. The last time I checked, there were some keys affiliated with my name on public PGP servers that had nothing to do with me. Facebook is definitely a step up from the volunteer services running on random servers.
We will still need to worry about fake accounts and the security of the link between Facebook and us. However, there's no doubt that a steady stream of status updates from a person you know makes it easier to trust the key.
Will other services start distributing public keys? Will they start building a web of trust? Banks and credit unions would be good starts. The tellers and the branches already know their regulars, and they could add trust to the public key repositories. Schools and universities that know their students for some time might be another option. Anything that can move us closer to the web of trust that PGP creator Phil Zimmermann imagined so long ago would be good for everyone.
Build better random number generators
All of the encryption in the world can't help you if the attackers are able to guess your keys. One of the traditional ways to prevent this is to use random keys chosen by a random number generator. But can this random number generator be trusted?
This isn't merely a theoretical attack. After two Microsoft researchers discovered a potential backdoor in Dual_EC_DRBG (Dual Elliptic Curve Deterministic Random Bit Generator) in 2007, the industry stopped using it as frequently. Finally, after years of questioning, the National Institute of Standards and Technology stopped supporting the algorithm in 2014.
Still, it can be difficult to find backdoors and dangerous to assume that good researchers will take up the task. How can we be sure our random number generators are safe? One approach is to increase the complexity, for example by using a cryptographically secure hash function to further scramble the random values produced by the generator.
Any scrambling could also add extra data that would be hard for an attacker to control -- for example, the exact time or some global value downloaded from the Web, such as the current hash at the top of the bitcoin block chain. This would prevent an attacker from controlling the inputs to the random number generator.
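The mixing described in the two paragraphs above, as an added example that is not part of the original article: generator output, the exact time and an externally obtained value are length-framed and run through HMAC-SHA256 in an extract-then-expand (HKDF-style) construction. The function names, the context label and the external value are assumptions made for illustration, and the choice of HMAC-SHA256 is this example's, not the article's.

```python
import hashlib
import hmac
import os
import struct
import time


def _frame(sources):
    """Length-prefix each input so (b"ab", b"c") and (b"a", b"bc") hash differently."""
    return b"".join(struct.pack(">I", len(s)) + s for s in sources)


def mix_sources(sources, context=b"example-key-derivation", length=32):
    """Scramble several inputs into `length` bytes (hypothetical helper)."""
    if not sources or any(len(s) == 0 for s in sources):
        raise ValueError("every source must contribute at least one byte")
    if not 1 <= length <= 255 * 32:
        raise ValueError("length out of range for HMAC-SHA256 expansion")
    # Extract: condense all inputs into one pseudorandom key.
    prk = hmac.new(b"\x00" * 32, _frame(sources), hashlib.sha256).digest()
    # Expand: chain HMAC blocks until enough output has been produced.
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + context + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def generate_key(external_value, length=32):
    """Derive a key from the OS generator plus inputs it does not control."""
    sources = [
        os.urandom(32),                     # output of the system generator
        struct.pack(">Q", time.time_ns()),  # the exact time
        external_value,                     # e.g. a value fetched by the caller
    ]
    return mix_sources(sources, length=length)


if __name__ == "__main__":
    # Constructed placeholder standing in for a downloaded global value.
    print(generate_key(b"constructed-placeholder-value").hex())
```

The time and a public value are not secret, so they add nothing against someone who can already predict the generator's output; the result is only as hard to guess as the least guessable input that goes in. What the hash does provide is that raw generator output is never exposed directly and no single source determines the key on its own.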
As more and more algorithms use encryption, we need more random keys than ever. Assuring a stable, non-guessable mechanism for generating random keys will go a long way to creating a strong foundation.