Cointime

Cointime

Download App
iOS & Android

Cybersecurity: Medieval Witchcraft, Chimeras and the Hound of Hades

Validated Individual Expert

Let’s see if we can talk about medieval witchraft, chimeras, and the hound of hades, in a single article, and for you to have a better understanding of how digital trust can be properly integrated into our modern world. So, let’s start off with some chimeras and move on to the Hound of Hades.

Chimeras

Sometimes you hear the same old talk at cybersecurity events, and it’s the same old industry quotes from generic slides that have been created by the corporate PR team. So, I always love to hear people shooting from the hip. And, there’s no one better than Dr Ian Levy (ex-GCHQ). One of my favouriates of his is …

…world-plus-dog were trying to flog security defenses to tackle “advanced persistent threats,” usually you see photos of hoodie-cloaked blokes poised over a keyboard with Matrix -style green lettering in the background. But such figures — seen as untouchable, unbeatable, and untraceable — are chimeras, and it’s just “ adequate pernicious toe-rags” who are doing the hacking

And aimed his aim at those who sell snake-oil in the cybersecurity industry:

“We are allowing massively incentivised companies to define the public perception of the problem”

And one of my favouriate quotes is …

“If you call it an advanced persistent threat, you end up with a narrative that basically says ‘ you lot are too stupid to understand this and only I can possibly help you — buy my magic amulet and you’ll be fine.’

Superb … it takes a bit of gut to say something like that. And after we have spent so long in trying to articulate the problems in cyber security, and inform the general public about what cyber security is.

It’s medieval witchcraft, it’s genuinely medieval witchcraft.”

And, when it comes to advanced persistent threats:

He pointed out that a UK telco had recently been taken offline using a SQL injection flaw that was older than the hacker alleged to have used it. That’s not advanced by any stretch of the imagination,

And for companies he wants “active security”:

… active as in “getting off your arse and doing something.”

Cerberus

So let’s move from chimeras to Cerberus.

One of the greatest challenges we face in cybersecurity is how we can properly integrate digital trust. Bruce Schneier defines the problem with:

Trust and cooperation are the first problems we had to solve before we could become a social species. In the 21st century, they have become the most important problems we need to solve — again. Our global society has become so large and complex that our traditional trust mechanisms no longer work.

And so, we have Bob and Alice, and Trent: the players in the basic cybersecurity model. Bob and Alice need mutual authentication of each other, and so need Trent to bind them together with a trusted connection:

So let’s look at how Cerberus can help them build trust.

Kerberos (or Cerberus) was defined in Greek and Roman mythology as, typically, a three-headed dog. It is often known as the hellhound that guards the gates of the Underworld, in order to stop those who have crossed the river Styx from escaping. As we’ll find both the description of the three-headed beast fits the three-way communication, and also that the protocol is a bit of a beast.

One of the best protocols for implementing this trust infrastructure is Kerberos. It is fairly complex in its implementation, but it supports both the security of the transmitted data between Bob and Alice, and also proves the identity of both Bob and Alice. So with the Kerberos protocol, Alice and Bob first deposit their secret keys and will define their unique identities (such as their email addresses). Trent will then be trusted to store these keys. What we need now is to generate a session key between Bob and Alice that they can use, and also to be able for Trent to prove Alice’s identity to Bob, and also Bob’s identity to Alice. An example is here:

https://asecuritysite.com/digitalcert/ker

The steps are:

Step 1: First Alice and Bob send their identity to Trent, who will then find the keys that relate to them.

Step 2: Next Trent creates a random key to be used for the session key, and creates a Timestamp (T), a Lifetime (L), which define the starting time for the trust relationship, and how long it will be valid for. He will then create two parts to send back to Alice:

EA(T,L,K,B) and EB(T,L,K,A)

where is the first part is encrypted with Alice’s secret key, and the other part is encrypted with Bob’s secret key.

Step 3: Next Alice will decrypt the first part, and can thus determine T (the timestamp), L (the lifetime), K (the session key) and B (Bob’s Identity). Alice now knows the session key (K), and now uses it to encrypt the Timestamp (T) and Alice’s Identity (A) to Bob, along with the second part of the message from Trent [EB(T,L,K,A)]:

EK(T,A) and EB(T,L,K,A)

Step 4: Bob will then decrypt the second part, and determines the session key (K), which can be used to decrypt the first part. He will then check Alice’s identity is the same as the one that Trent sent.

Step 5: Bob takes the time stamp and add one onto it, and sends back to Alice:

EK(T+1)

Step 6: Alice then decrypts with the session key, and checks the timestamp. If it checks with the expected value, then Bob has proven his identity. Bob and Alice and now communicate using the session key, and be secure, as only Trent will know the session key.

Here is the basic flow for Kerebos [here]:

So Bob and Alice trust Trent! The key fundamental element of this, is that Bob never has to communicate with Trent, as he knows that the only person who has his key is Trent, so he is the only one able to encrypt the information contained within the information sent by Alice. Alice then cannot change her identity, as Bob will be able to determine this by checking what Trent has said Alice’s identity is, with the identity that Alice produces, using the session key.

Conclusions

Okay. I started with snake oil and chimeras and ended with Kerberos. Underneath this, is the need to build trusted infrastructure for our devices and data, as our existing methods are not fit for a massive scale-up.

And, so, basically, the core of security on the Internet — PKI — is flawed. We need new ways to define trust. Kerberos can be rather difficult to set up on a system, but it provides a more scaleable way to implement trust. Having your own trust architecture is much better than relying on someone else’s, as it is one of the most fundamental parts of our data infrastructure.

Cybersecurity
Comments

All Comments

Recommended for you

  • South Korea’s Monetary Authority: Confirmed to include token delisting standards in the Virtual Asset User Protection Act

    The Financial Supervisory Service (FSS) of South Korea has confirmed that token delisting standards will be included in the "Best Practice for Compliance with the Virtual Asset User Protection Act" released in early June. An official from the Financial Supervisory Service stated in a conversation with Bloomberg on Tuesday that the upcoming "Best Practices for Compliance with the Virtual Asset User Protection Act" will not only include listing standards for virtual assets, but also provide guidance on whether to maintain trading of listed virtual assets. The guidance will provide a basis for cryptocurrency issuers to delist in the event of problems. The guidance will be released from the end of May to early June. Currently, the Financial Supervisory Service is developing guidelines to support self-regulation by cryptocurrency exchanges under the Virtual Asset User Protection Act before it is implemented in July. The plan proposes standards for virtual asset issuance, circulation, and trading support, prohibits the listing of virtual assets with a history of hacking attacks, and requires the release of Korean white papers and technical manuals when listing overseas virtual assets.

  • HKEX CEO: Virtual asset exchanges have become HKEX’s competitors

    On May 10th, Hong Kong Exchanges and Clearing Limited's new CEO, Nicolas Aguzin, stated in an interview with the Shanghai Securities News that HKEX faces competition not only from other securities exchanges, but also from external competitors such as virtual asset exchanges. In order to meet the rapidly evolving demands of customers and technology, HKEX must balance innovation and stable business operations, continuously expand its resources for listed companies, and improve its market services.

  • WOOFi attacker address has transferred 100 ETH to Tornado cash

    PeckShield monitoring shows that the address marked by the WOOFi attacker has transferred 100 ETH to Tornado cash. The WOOFi attacker has already transferred 2200 ETH (worth about $6.5 million) to Tornado cash.

  • Trump will hold a private dinner on the day of the court recess, inviting NFT trading card buyers to attend

    On May 10th, according to sources, former US President Donald Trump will host a dinner at his Mar-a-Lago estate on a day off, inviting NFT trading card buyers to attend. This event is part of Trump's series of non-campaign activities, aimed at balancing his White House campaign and legal disputes. After Stormy Daniels testified in Trump's trial on Tuesday, Trump expressed his desire for campaigning rather than being tied up in court. Despite no public campaign activities on Wednesday, Trump's schedule includes private political meetings.

  • Tether: Deutsche Bank’s analysis lacks clarity and substantive evidence

    According to a report on stablecoins released on May 7, Deutsche Bank analyzed 334 currencies linked to stablecoins and found that 49% of stablecoins had failed during their median lifespan of about eight to ten years. The analysts concluded that most anchored assets in the cryptocurrency field will experience significant "turbulence" caused by speculative sentiment and ultimately suffer some form of decoupling event. Deutsche Bank analysts also pointed out that Tether's reserve transparency was lacking and described the company's solvency as "doubtful".

  • Yesterday, Solana’s on-chain DEX transaction volume surpassed Ethereum, reaching $1.314 billion

    On May 10th, according to DeFiLlama data, the trading volume of Solana's DEX reached 1.314 billion US dollars yesterday, surpassing the trading volume of 1.297 billion US dollars on Ethereum's DEX.

  • US court orders seizure of 279 virtual currency accounts containing criminal proceeds from North Korean hacking

    A US court has ordered the confiscation of 279 virtual currency accounts containing proceeds from North Korean hacker crimes. US District Court Judge Timothy Kelly in Washington, DC approved the federal prosecutor's request for a summary judgment on these accounts and ordered their confiscation on May 8. This ruling means that these accounts are now under the control of the US Department of Treasury.

  • South Korea’s National Tax Service announced that it would collect 40 billion won in taxes from Bithumb users

    Bithumb has issued a preliminary notice of comprehensive income tax to some users who participated in activities held between 2018 and 2021, and announced full support for the related tax amount. The position of the National Tax Service is that rewards paid to users through various activities (including virtual assets) constitute taxable income. Bithumb does not agree with the National Tax Service's opinion, but explains that taxation is mandatory.

  • Cointime精选 ·

    Blockchain Life 2024 thunderstruck in Dubai

    Dubai, April 17, 2024 - The 12th edition of the Blockchain Life Forum, known as the leading gathering for global cryptocurrency leaders, concluded with an impressive turnout of 10,162 attendees despite the unprecedented storm that happened in Dubai.

    Blockchain Life 2024 thunderstruck in Dubai
  • Cointime精选 ·

    UNVEILING THE CELESTIAL MASTERY: TREVOR JONES’ CRYPTOANGELS PROJECT

    Renowned digital artist Trevor Jones, a visionary in the fusion of traditional art with blockchain technology, is set to transcend boundaries with his latest project, CryptoAngels. This ambitious initiative is not merely an art drop; it’s a comprehensive ecosystem encompassing physical and digital realms, games, and a vibrant community engagement, promising to be a cornerstone event in the NFT landscape of 2024.

    UNVEILING THE CELESTIAL MASTERY: TREVOR JONES’ CRYPTOANGELS PROJECT

Daily Must-Read

Popular Activities

Delysium $AGI & AI Private Yacht Party

Delysium $AGI & AI Private Yacht Party

March 27 - March 27
Seoul

Popular Tags

Cointime
News
Contents
RSS
Company