The word “Trust” carries many implications in our day-to-day lives, and its meaning depends on the context. In cryptography, the Root of Trust (RoT) is a source that can always be trusted within a cryptographic system. For encrypting and decrypting data, and for generating and verifying digital signatures, RoT schemes include a hardened hardware component. A principal example is the hardware security module (HSM), which generates and protects keys and performs cryptographic functions within its secure environment. To begin, let’s delve into the Cryptographic Root of Trust for securing information and communication, which involves the use of Secret Key Encryption.
Recurring Cases of Data Breaches
In the digital era, along with ensuring trustworthy relationships in an organization, there is a strong need for a cryptographic layer of trust to combat the data breaches we have witnessed lately. With most Indians moving to the digital bubble, data is a valuable asset of the knowledge age. In 2020, data breaches in India witnessed an increase of 37% in comparison to the first quarter of 2019. A study from IBM reported that the cost of the leaks in India reached Rs. 14 crores in 2020, a statistic that puts India as one of the top countries in cybercrime. According to a digital information firm, 15 billion credentials are up for sale with the close of the pandemic-spawned lockdown.
The e-grocery BigBasket data leak is regarded as the biggest haul in Indian cyberspace. Another six major breaches that bewildered users include Haldiram Snacks Pvt Ltd, PM Modi’s personal website (narendramodi.in), Bharat Matrimony and the Indian Railways online ticketing portal, IRCTC. Dr. Reddy’s Laboratories and Paytm Mall also encountered cyber-attacks later in the year 2020. Air India, Domino’s, Facebook, Mobikwik, and Upstox faced major data breaches in India in 2021. A recent data breach in April 2022 was discovered by Safety Detectives and affected the users of CashMama, a money lending app. For any platform or product, the entities that store data need to be well protected with the right cryptographic building blocks to establish a cryptographic trust layer. This layer of trust reassures customers when they submit data on that platform.
Cryptographic Authentication Process
Cryptographic authentication mechanisms are more reliable than people in a cryptographic context. Trust is derived from the authentication process, which validates that the entity or person is who they claim to be. Take a look at some of the properties cryptography allows us to achieve and how they are linked to the concept of trust.
Confidentiality is one of the core components of cyber security. Simply put, the Confidentiality or Secrecy of information ensures that the data cannot be accessed by an unauthorized entity.
In this context, when Alice communicates with Bob, she is trusting that the channel or platform she uses is ethical and free of intruders. Such a channel can be a messaging app, for example, and confidentiality is typically established by means of end-to-end encryption.
Authentication, as the name implies, establishes the authenticity of the entities involved. For example, an entity James claims to be an investment banker. The process that validates James’s claim and establishes trust that he is an investment banker is called authentication. In cryptographic terminology, such authentication typically occurs by means of an authentication protocol.
Integrity, as the term implies, means that an entity has not been tampered with. A message, for instance, is described as having integrity when it is delivered to the recipient unaltered and can be trusted to remain that way. Integrity can usually be established by means of authentication codes attached to the entity in question.
Non-repudiation provides us with assurances of a message’s authenticity, ensuring that the entity cannot retract or deny a message’s contents. In the cryptographic sense, this is typically achieved through the use of signatures.
It goes without saying that these properties are crucial in any cryptographic layer of trust.
Key Protection is the Basic Root of Trust
When it comes to security, a ‘Root of Trust’ can be entrusted to ensure that the entire system is secure. In cryptography, the building block of ‘Root of Trust’ is that cryptographic keys remain secure and are safeguarded from theft.
Encryption, signing, authentication, and authenticated key exchange are all cryptographic operations that rely on secret keys. If the secret key is disclosed to an attacker, the attacker can do everything the legitimate parties can do. If the key is a signing key, the attacker can sign any message, transaction, or document as the legitimate signer; if the key is a decryption key, the attacker can decrypt everything secured by the key; and if the key authenticates a person or a device, the attacker can impersonate that person or device at will. Moreover, the attacker uses these secrets in much the same way as the legitimate user, so identifying the attacker is challenging.
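The integrity, non-repudiation, and key-disclosure points above, shown as an added example that is not part of the original article. It assumes HMAC-SHA256 as the authentication code; the key, messages, and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def tag(key: bytes, message: bytes) -> bytes:
    """Authentication code (HMAC-SHA256) attached to a message for integrity."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, mac: bytes) -> bool:
    """Constant-time check that the message is unmodified and tagged with `key`."""
    return hmac.compare_digest(tag(key, message), mac)


def demo() -> dict:
    # Constructed sample data: a random 256-bit key shared by sender and receiver.
    shared_key = secrets.token_bytes(32)
    original = b"pay 100 INR to account 1111"
    original_tag = tag(shared_key, original)

    # Integrity: a message altered in transit no longer matches its tag.
    tampered = b"pay 900 INR to account 1111"
    tamper_detected = not verify(shared_key, tampered, original_tag)

    # Without the key, a tag computed under any other key is rejected.
    other_key_tag = tag(secrets.token_bytes(32), tampered)
    outsider_rejected = not verify(shared_key, tampered, other_key_tag)

    # Key disclosed: a copy of the key produces tags the verifier cannot tell
    # apart from the legitimate sender's, so any message passes the check.
    disclosed_copy = bytes(shared_key)
    forged = b"pay 900 INR to account 9999"
    forged_accepted = verify(shared_key, forged, tag(disclosed_copy, forged))

    # No non-repudiation with a shared key: the receiver computes the same tag
    # as the sender, so the tag cannot prove to a third party who wrote it.
    receiver_makes_same_tag = tag(shared_key, original) == original_tag

    return {
        "tamper_detected": tamper_detected,
        "outsider_rejected": outsider_rejected,
        "forged_accepted_after_key_disclosure": forged_accepted,
        "receiver_makes_same_tag": receiver_makes_same_tag,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The verification code is identical in the honest and the disclosed-key cases; only the secrecy of the key separates them, which is why key protection sits at the root.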
As a result, correctly implemented cryptography can provide high levels of security and assurance. On the other hand, if the secret keys are stolen, the entire system collapses and the defense goes down the drain. The secret keys must be stored and protected carefully in any cryptographic deployment. The ability to protect them effectively is the root of trust for the entire system and is therefore indispensable.
Rising To The Challenge
The question of how to build strong roots of trust in an organization’s cryptographic infrastructure cannot be answered easily. In some cases, a combination of solutions is even needed. Although this is true, it is imperative that organizations rise to the challenge and build a cryptographic skyscraper that is firmly rooted in solid foundations. Given the complexity of building a strong Root of Trust, choosing a solution is crucial to building a clear threat model. Let’s decode Hardware Security Modules, Software Root of Trust, and third-party key management as Root of Trust solutions in the upcoming chapter of Cryptographic Trust.