Thursday, May 23, 2013

Key Management Is the Problem...

In any system for transmitting messages using encryption, the security of the system boils down to the security of the encryption key. This key security often isn't electronic at all – you need a secure way to distribute keys to authorized message senders and receivers. If that key is stolen or misplaced, your key distribution process must ensure that no real messages are sent with that key – as the bad guys might have it. This process is called “key management”, and it's hard. Almost always there's a flaw in key management – anything from a minor and unlikely vulnerability to a gaping security hole you could drive an aircraft carrier through. All of this is well understood by anyone designing a secure messaging system.

So...how do you make a secure key management system?

Well, Roarke Horstmeyer at the California Institute of Technology and some others think they have an answer. For their “key” they use a slab of special glass whose microscopic structure is random, unpredictable, and readable. To set up a secure system, they make two slabs of glass – one for each side of the messaging system. They then read the random data in each key and combine them to make a public key. This public key can be safely published to the world, as its contents can't be used for anything by themselves – you have to possess one of the two glass slabs to make it useful.

Let's say we have two parties: the traditional Alice and Bob, each of whom has one of these special glass slabs. The combination has been published. Now Alice wants to send Bob an encrypted message. She figures out how long her message is (“n” bits) and then takes the next “n” bits of her key (read from her glass slab) and uses them to encrypt her message. She sends the message to Bob. Bob takes the next “n” bits of his key (read from his glass slab) and subtracts them from the published combined key, yielding Alice's key – which he then uses to decrypt her message. Straightforward and as secure as a one-time pad.
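The exchange above as a short Python sketch. This is an added example, not code from the original post or from the researchers: it assumes "combine" and "subtract" are both bitwise XOR, models each glass slab as an in-memory random pad, and works in bytes rather than bits; the `Slab` class and all function names are hypothetical.

```python
import secrets

class Slab:
    """Stand-in for one glass slab: a fixed random pad read strictly in order."""
    def __init__(self, pad: bytes):
        self._pad = pad
        self.offset = 0  # position of the next unused pad byte

    def next_bytes(self, n: int) -> bytes:
        # Refuse to wrap around: reusing pad material breaks one-time-pad security.
        if self.offset + n > len(self._pad):
            raise ValueError("pad exhausted: key material must never be reused")
        chunk = self._pad[self.offset:self.offset + n]
        self.offset += n
        return chunk

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def publish_combination(pad_a: bytes, pad_b: bytes) -> bytes:
    """The public value: Alice's pad combined with Bob's (XOR is an assumption)."""
    return xor(pad_a, pad_b)

def alice_encrypt(alice: Slab, message: bytes) -> bytes:
    # Alice uses the next n bytes of her own slab as the one-time pad.
    return xor(message, alice.next_bytes(len(message)))

def bob_decrypt(bob: Slab, combined: bytes, ciphertext: bytes) -> bytes:
    # Bob removes his own pad from the matching slice of the public value,
    # which leaves Alice's pad, then uses that to decrypt.
    start, n = bob.offset, len(ciphertext)
    alice_key = xor(combined[start:start + n], bob.next_bytes(n))
    return xor(ciphertext, alice_key)

if __name__ == "__main__":
    # Constructed sample pads; a real slab would be read optically.
    pad_a, pad_b = secrets.token_bytes(64), secrets.token_bytes(64)
    alice, bob = Slab(pad_a), Slab(pad_b)
    combined = publish_combination(pad_a, pad_b)
    for msg in (b"meet at noon", b"bring the documents"):
        ct = alice_encrypt(alice, msg)
        print(ct.hex(), "->", bob_decrypt(bob, combined, ct))
```

Both sides must consume pad bytes in lockstep, so a lost or replayed message desynchronises the offsets and every later decryption yields garbage.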

Really the glass slabs are just a memory – a very reliable, physical and tangible memory that (today at least) could not easily be copied. Even just reading it would take a considerable amount of time, which means that security protocols (processes) could detect the fact that someone was reading it. There's nothing special about the glass per se; it's this combination of characteristics that makes it attractive. A thumb drive could store data for a key, and be used the same way as the glass – but copying the thumb drive takes only a few seconds, and it's easy. A thumb drive (or any other electronic store) would be vulnerable to any such attack.

The trouble with the glass, though, is that almost certainly there's a technical attack – some way that a bad guy could quickly read it.  Any conceivable storage mechanism for a key has this problem...
