A firm phoneshake
Developing a new IT security architecture for the exchange of sensitive digital data is a complex undertaking. At the Centre for Cyber Trust of ETH Zurich and the University of Bonn, IT professors believe the physical world offers the safest path—because when communicating face to face, identities can be guaranteed. In future, online communication should also be this secure.
Why are cybercriminals so successful these days?
Peter Müller: Scammers often go to great lengths to ensure that the average internet user can’t detect their schemes.
David Basin: When hackers fake a certificate, they can control the server and cause internet browsers to identify a fake website as authentic. Even experts can’t detect such attacks.
Peter Müller: If just one single certificate authority is compromised and wilfully or negligently issues a false certificate, then the whole security system collapses.
How do you want to stop such attacks?
David Basin: We want to develop new methods for the authentication process. Our aim is to use attributes from the physical world to guarantee the authenticity of objects in the digital realm.
Peter Müller: We want to use physical attributes that can’t be easily manipulated, such as the location of a bank branch. This will help to put trust in digital data on a more solid footing.
What will this trust be based on?
Peter Müller: When clients visit a bank branch to deposit money, they don’t ask to see the employment contract or ID card of the clerk behind the counter—the building and behaviour of other people are reason enough for them to trust the employee. It’s precisely these relationships of trust from the physical world that we want to transfer to the digital world. But relationships of trust can also be revoked, which is another complex problem that we’re aiming to find a secure digital solution for.
In what ways can relationships of trust be transferred to the digital world?
Peter Müller: One way is to use attributes such as geographic proximity. For instance, we envision that two people who want to start exchanging important digital data meet not to shake hands, but to “shake phones”. The synchronised movement of the two mobile phones would allow a common digital key to be exchanged between the two parties. Here, trust has been established by the fact that the two individuals are at the same location and know for sure with whom they “shook phones”.
David Basin: This kind of key would suffice to establish secure communication. After shaking phones with someone, I still know in future—even when the other person isn’t present—with whom I’m communicating. But we could apply the same principle to authenticate objects in the physical world, too. For instance, a bank could sign letters to clients by affixing a code, similar to a seal. The recipient can then use an app to decrypt the code and verify the identity of the sender.
Wouldn’t this key be digitally stored and still at risk of theft?
Peter Müller: When, for instance, the IT system of a bank is hacked, information such as keys can be stolen, but the obstacles to hacking are much higher than forging a letter. It would also be possible to store the key offline—for instance on a smart card—which would make it very difficult to hack.
Why is such a large project necessary for these new security measures?
David Basin: Our task is nothing less than redesigning today’s public key infrastructure—because the entire system for issuing, distributing and verifying digital certificates is vulnerable to attack. A great deal needs to be done if internet-based communication is to be made truly secure.
Peter Müller: First of all, we want to technically implement our principles of trust in a newly developed infrastructure. We need solutions for administering keys—and for revoking them when necessary. Then we need to develop actual applications for secure email correspondence with banks, the distribution of voting documents and other transactions. But it’s only after achieving these two major steps that things will really get going. In practice, technical systems don’t always work, usually due to technical or human failure, and we want to exclude both types of error. Technical errors can be prevented to a great extent using mathematical methods that can help to guarantee that technologies and their applications in software really do have the desired attributes.
And how do you plan to exclude human error?
Peter Müller: That’s what Matthew Smith, our partner at the University of Bonn, is working on. He’s researching the security of the human interface using methods from behavioural science and by conducting experiments. In one experiment he gave programmers a task and observed their approach to solving it—and thus identified potential gateways for hackers. But it isn’t just software developers who can inadvertently or deliberately compromise a system: system administrators and end users are also susceptible to error. When designing security architecture, every form of human error needs to be minimised by taking into account the behaviour of programmers, administrators and users right from the outset.
Are you aiming to replace today’s entire system of certificate and authentication authorities?
David Basin: We want to offer better alternatives and develop prototypes for commercial applications in technology firms. Whether the world wants to use these to replace the current infrastructure remains to be seen. First we want to develop advanced prototypes that prove it’s possible to make the digital world more secure. But in principle, the old and new systems should be able to coexist.
These cybersecurity problems have existed for a long time. Why are the solutions only coming now?
Peter Müller: There are five central IT topics in this project that have been developing since the 1970s and that have just now advanced far enough—thanks in part to our own research—that authentication issues can be solved. Five years ago, that would have been impossible.
Text: Sabine Witt
Photos: Frank Brüderli