Advanced Threats are deeply impacting the way we develop secure products by fundamentally changing our working assumptions. We used to design and develop products to be attack resistant assuming that the environment where they will be deployed may be compromised. We now have to develop and design products assuming that every system in the customer environment, in the development environment and in the supply chain may be compromised.
I have written about this fundamental shift in a recent issue of IEEE Security and Privacy Magazine. It impacts:
- How products are designed to better resist Advanced Threats
- How technology providers secure their development environment to ensure the integrity and authenticity of the software they develop
- How technology providers manage their own supply chain to avoid counterfeited or tainted components.
RSA’s newly announced Distributed Credential Protection (DCP) is a perfect illustration of the innovative design that helps build software that better resists Advanced Threats.
For almost 40 years, multiple generations of security architecture for distributed systems have been built around the concept of a Trusted Third Party, a server trusted by all parties involved in the secure communication exchange. Examples include the key server in the Needham–Schroeder Symmetric Key Protocol or in Kerberos as well as the Certification Authority in Public Key Cryptosystems.
With Advanced Threats, trusted third parties have become a “single point of security failure.” If attackers control the trusted system, the game is over.
We need new security designs for this new world. Split-value cryptographic authentication, as implemented in RSA Distributed Credential Protection exemplifies an Advanced Threat-resistant security design. It was invented by RSA Labs several years ago as a way to store and verify authentication secrets in a way that cannot be compromised even if any one of the systems involved in the authentication process is compromised. The principle is pretty straightforward and involves the use of random numbers and XOR transformations:
- Before it is stored, the password is transformed with a random number. The random number is stored in one server (“red” server) and the transformed password in a different server (“blue” server). Compromising one server is not sufficient to compromise the password.
- At regular time intervals, a new random number is generated and both servers are updated with the new random number value, adding a time-based layer of protection: Both servers must be compromised at the same time for the password to be compromised.
- When an application needs to verify a password, the claimed password transformed with a new random number is sent to the “blue” server while the random number is sent to the “red” server. Each server can execute a new transformation involving the stored data and validate whether the claimed password matches the stored password without exposing the legitimate password
Split-value cryptographic authentication opens new opportunities to software developers worldwide to start developing Advanced Threat-resistant software.
This is just a start. Advanced Threats are changing our trust assumptions and have technical and operational impact on how we approach security. In the area of secure application design, we should expect more innovations like split-value cryptographic authentication to emerge to help build Advanced Threat-resistant software.