Cointime

Download App
iOS & Android

Cybersecurity: Medieval Witchcraft, Chimeras and the Hound of Hades

Validated Individual Expert

Let’s see if we can talk about medieval witchraft, chimeras, and the hound of hades, in a single article, and for you to have a better understanding of how digital trust can be properly integrated into our modern world. So, let’s start off with some chimeras and move on to the Hound of Hades.

Chimeras

Sometimes you hear the same old talk at cybersecurity events, and it’s the same old industry quotes from generic slides that have been created by the corporate PR team. So, I always love to hear people shooting from the hip. And, there’s no one better than Dr Ian Levy (ex-GCHQ). One of my favouriates of his is …

…world-plus-dog were trying to flog security defenses to tackle “advanced persistent threats,” usually you see photos of hoodie-cloaked blokes poised over a keyboard with Matrix -style green lettering in the background. But such figures — seen as untouchable, unbeatable, and untraceable — are chimeras, and it’s just “ adequate pernicious toe-rags” who are doing the hacking

And aimed his aim at those who sell snake-oil in the cybersecurity industry:

“We are allowing massively incentivised companies to define the public perception of the problem”

And one of my favouriate quotes is …

“If you call it an advanced persistent threat, you end up with a narrative that basically says ‘ you lot are too stupid to understand this and only I can possibly help you — buy my magic amulet and you’ll be fine.’

Superb … it takes a bit of gut to say something like that. And after we have spent so long in trying to articulate the problems in cyber security, and inform the general public about what cyber security is.

It’s medieval witchcraft, it’s genuinely medieval witchcraft.”

And, when it comes to advanced persistent threats:

He pointed out that a UK telco had recently been taken offline using a SQL injection flaw that was older than the hacker alleged to have used it. That’s not advanced by any stretch of the imagination,

And for companies he wants “active security”:

… active as in “getting off your arse and doing something.”

Cerberus

So let’s move from chimeras to Cerberus.

One of the greatest challenges we face in cybersecurity is how we can properly integrate digital trust. Bruce Schneier defines the problem with:

Trust and cooperation are the first problems we had to solve before we could become a social species. In the 21st century, they have become the most important problems we need to solve — again. Our global society has become so large and complex that our traditional trust mechanisms no longer work.

And so, we have Bob and Alice, and Trent: the players in the basic cybersecurity model. Bob and Alice need mutual authentication of each other, and so need Trent to bind them together with a trusted connection:

So let’s look at how Cerberus can help them build trust.

Kerberos (or Cerberus) was defined in Greek and Roman mythology as, typically, a three-headed dog. It is often known as the hellhound that guards the gates of the Underworld, in order to stop those who have crossed the river Styx from escaping. As we’ll find both the description of the three-headed beast fits the three-way communication, and also that the protocol is a bit of a beast.

One of the best protocols for implementing this trust infrastructure is Kerberos. It is fairly complex in its implementation, but it supports both the security of the transmitted data between Bob and Alice, and also proves the identity of both Bob and Alice. So with the Kerberos protocol, Alice and Bob first deposit their secret keys and will define their unique identities (such as their email addresses). Trent will then be trusted to store these keys. What we need now is to generate a session key between Bob and Alice that they can use, and also to be able for Trent to prove Alice’s identity to Bob, and also Bob’s identity to Alice. An example is here:

https://asecuritysite.com/digitalcert/ker

The steps are:

Step 1: First Alice and Bob send their identity to Trent, who will then find the keys that relate to them.

Step 2: Next Trent creates a random key to be used for the session key, and creates a Timestamp (T), a Lifetime (L), which define the starting time for the trust relationship, and how long it will be valid for. He will then create two parts to send back to Alice:

EA(T,L,K,B) and EB(T,L,K,A)

where is the first part is encrypted with Alice’s secret key, and the other part is encrypted with Bob’s secret key.

Step 3: Next Alice will decrypt the first part, and can thus determine T (the timestamp), L (the lifetime), K (the session key) and B (Bob’s Identity). Alice now knows the session key (K), and now uses it to encrypt the Timestamp (T) and Alice’s Identity (A) to Bob, along with the second part of the message from Trent [EB(T,L,K,A)]:

EK(T,A) and EB(T,L,K,A)

Step 4: Bob will then decrypt the second part, and determines the session key (K), which can be used to decrypt the first part. He will then check Alice’s identity is the same as the one that Trent sent.

Step 5: Bob takes the time stamp and add one onto it, and sends back to Alice:

EK(T+1)

Step 6: Alice then decrypts with the session key, and checks the timestamp. If it checks with the expected value, then Bob has proven his identity. Bob and Alice and now communicate using the session key, and be secure, as only Trent will know the session key.

Here is the basic flow for Kerebos [here]:

So Bob and Alice trust Trent! The key fundamental element of this, is that Bob never has to communicate with Trent, as he knows that the only person who has his key is Trent, so he is the only one able to encrypt the information contained within the information sent by Alice. Alice then cannot change her identity, as Bob will be able to determine this by checking what Trent has said Alice’s identity is, with the identity that Alice produces, using the session key.

Conclusions

Okay. I started with snake oil and chimeras and ended with Kerberos. Underneath this, is the need to build trusted infrastructure for our devices and data, as our existing methods are not fit for a massive scale-up.

And, so, basically, the core of security on the Internet — PKI — is flawed. We need new ways to define trust. Kerberos can be rather difficult to set up on a system, but it provides a more scaleable way to implement trust. Having your own trust architecture is much better than relying on someone else’s, as it is one of the most fundamental parts of our data infrastructure.

Comments

All Comments

Recommended for you

  • Hong Kong Financial Secretary: The Hong Kong government is promoting the development of virtual assets and is working with the Hong Kong Stock Exchange to strengthen its ties with the mainland through

    Hong Kong Financial Secretary's Deputy Secretary Huang Weilun stated that in recent years, the Hong Kong government has focused on promoting innovation in the financial industry, including promoting the development of virtual assets and financial technology. Therefore, they are cooperating with the Hong Kong Stock Exchange to enhance their connection with the mainland through the mutual market access scheme, achieving a win-win cooperation relationship in investment product scope and opportunities.

  • Nomura Securities Subsidiary Laser Digital Plans to Issue Japanese Stablecoin

    Nomura Securities announced its cooperation with its digital asset subsidiary, Laser Digital, and the parent company of stablecoin issuer GMO-Z, GMO Internet. The two parties plan to jointly explore the issuance of US dollar and Japanese yen stablecoins in Japan, and provide stablecoin-as-a-service solutions in the Japanese market. It is reported that GMO-Z has a New York State (NYDFS) trust license, and its stablecoins GYEN and ZUSD can be used on Ethereum, Solana, and Stellar blockchains.

  • South Korean media: The Ministry of Justice will crack down on market manipulation and fraud in the virtual asset market

    According to Korean media Digital Asset, the Korean Ministry of Justice stated that "the virtual asset crime joint investigation team of the Seoul Southern District Prosecutor's Office is working hard to crack down on market manipulation of virtual assets, unreported virtual asset exchanges, and virtual asset deposit fraud." The Ministry of Justice selected the PICA fraud case of 90 billion Korean won, illegal exchange business of 5800 Korean won, and the Haru Invest deposit fraud case of 1.4 trillion Korean won as representative examples of the three crimes.

  • Argentina Securities Commission in Talks with Salvadoran Authorities on Bitcoin Adoption

    According to reports, a high-ranking official from the Argentine National Securities Commission (CNV) met with the head of the Salvadoran National Digital Asset Commission (CNAD) last week to discuss the issue of adopting Bitcoin.

  • Argentine Regulators in Talks with El Salvador Authorities on Bitcoin Adoption

    The regulatory authorities of Argentina and Salvador held talks on the issue of adopting Bitcoin. A senior official from the Argentine National Securities Commission (CNV) met with the head of the Salvadoran National Digital Asset Commission (CNAD) last week. The two sides discussed cooperation agreements related to digital assets, and Argentine officials hope to learn from Salvador's experience in making Bitcoin a legal currency and plan to sign a cooperation agreement.It is reported that the purpose of this dialogue is to strengthen cooperation between the two countries in the regulation of Bitcoin and encrypted assets, and to promote the development of Argentina in this field.

  • Ethereum L2 TVL jumps to $46.5 billion, a new all-time high

    According to L2BEAT data, the current Ethereum Layer2 TVL has reached a historical high of 46.533 billion US dollars, with a 7-day increase of 17.16%. The top five TVLs are:Arbitrum One TVL is 19.25 billion US dollars, with a 7-day increase of 18.55%;

  • Elon Musk's AI company xAI completes $6 billion Series B financing, with participation from a16z and others

    Elon Musk's AI company xAI has announced the completion of a $6 billion B-round financing, with participation from Valor Equity Partners, Vy Capital, Andreessen Horowitz (a16z), Sequoia Capital, Fidelity Management & Research Company, Prince Alwaleed Bin Talal, Kingdom Holding, and others. This round of financing will be used to bring xAI's first batch of products to market, build advanced infrastructure, and accelerate future technology research and development.

  • Brazil CBDC pilot delayed to 2025 due to inefficient privacy solutions

    The Brazilian central bank recently stated that due to the inefficiency of the privacy solution provided by drex for the CBDC project, its pilot has been postponed until 2025. The new pilot phase will begin in July and end in 2025, allowing third parties to implement new features including smart contracts.

  • Crystal Clear Lattice

    Inside the mind of a $100 million fund manager.

  • Genesis Global secures court approval for $3B payout

    According to Judge Lane, any available funds for distribution by Genesis are being exhausted by creditor claims, which take priority over DCG’s equity stake.