We use Internet-connected devices to access our bank accounts, move our transportation systems, communicate with our co-workers, listen to music, perform commercially sensitive tasks, and order pizza.
Digital security is an integral part of everyday life. And as our IT systems become more complex, the potential for vulnerabilities increases. More and more companies are being violated, which can lead to financial loss, disruption to supply chains and identity fraud.
The current best practice in building secure technology used by major businesses and organizations is the “Zero Trust” approach.
In other words, no individual or system is trusted and every interaction is verified by a central agency.
Unfortunately, absolute reliance is placed on the authentication system used. So violating this system gives the attacker the keys to the kingdom. To solve this problem, “decentralization” is a new example of removing any vulnerability.
Our work explores and develops the algorithms needed to set up an effective decentralized authentication system.
We hope that our efforts will help protect digital identities and enhance the security of the authentication processes on which many of us depend.
Never trust, always verify Zero trust system implements verification at every possible step.
Each user is verified and every action they take before execution is also verified.
Moving towards this approach is considered very important, as US President Joe Biden last year executive ordered all US federal government agencies to adopt Zero Trust architecture.
Many commercial companies follow this.
However, absolute trust (counter-intuitively) in the Zero Trust environment is placed in the certification and certification system, which in most cases is the Identity and Access Management (IAM) system.
This creates a trusted entity that, if violated, gives unlimited access to the entire organization’s systems.
The attacker can use a user’s stolen credentials (such as username and password) to pretend to be that user and do anything they can to authorize – such as opening doors, authorizing specific payments, or copying sensitive data.
However, if the attacker gains access to the entire IAM system, they will be able to do as much as the system can. For example, they may authorize themselves on the entire payroll.
In January, identity management company Acta was hacked. Okta is a single-sign-on service that allows company employees to have the same password for all company systems (large companies often use multiple systems, each requiring different login credentials).
Following Okta’s hack, large companies using its services have compromised their accounts – giving hackers control over their systems. As long as IAM systems are the focal point of power over organizations, they continue to be an attractive target for attackers.
Decentralization of trust In our latest work, we have improved and validated the algorithms we use to create a decentralized authentication system, which makes hacking even more difficult.
Our industry partner, TIDE, developed a prototype system using certified algorithms.
Currently, when a user sets up an account on the IAM system, they encrypt the system and select the password to be stored for later use. But even in encrypted form, stored passwords are attractive targets.
And while multi-factor authentication is useful for verifying user identity, it can be avoided.
If passwords can be verified without being stored like this, the attacker will no longer have a clear target. This is where decentralization comes in. Instead of relying on a single central agency, decentralization relies on the entire network and this network exists outside the IAM system using it.
The mathematical structure of decentralized power-based algorithms ensures that no single node works alone.
In addition, each node in the network can be managed by an independent entity such as a bank, telecommunications company or government department.
So it is necessary to hack several independent nodes to steal the same secret. Even when the IAM system is compromised, the attacker gains access only to certain user data – not to the entire system.
And in order to give them authority over the whole organization, they have to violate the combination of 14 independently functioning nodes. It’s not impossible, but it’s very difficult.
But beautiful mathematics and validated algorithms are still not enough to create a usable system.
From a concept, we still have a lot of work to do before we can take decentralized authority to a functioning network that keeps our accounts secure.