Mr. J. Tate, Chief Intelligence Officer at bits&digits, on Peerlyst.com, published April 2016.
You may have been drawn to this article simply by its alluring title. Or perhaps the initial paper, There Are No Secrets WHD 2015 Snowden Cross Examination, brought you here. Personal preference aside, you will digest this best if it was the latter. This series sheds a dim, yet distinct, light on technologies and solutions that most people treat as an illusionist's secret.
With news outlets, social media walls, and business digests perpetuating the “Fear of the Day,” I thought it prudent to expand on one topic that comes packaged with an implied solution. I assume you’ve seen evidence of these dialogs, whether it be the latest “Breach” or “Hack of the Week” followed by Revelations.
By revelations, I mean the attractive headlines that typically follow the same recipe. There’s a dose of conspiracy (Government Mass Surveillance) and light hints of corporate scandal (Service Provider insider Breach), baked to order. Tones of your personal involvement (Facebook, Twitter, cell phone, and email users) are served ice cold with the illusion that it is impossible for you to avoid being affected.
All of this is made possible by the “Hero,” a traitor, whistleblower, or do-gooder who has come to light bearing Secrets. In the case of this article, said Secret is “Zero Knowledge.” By the end of this article, you will understand how Zero Knowledge works and, more importantly, what it really is. I digress. Riding the back of every Mass Surveillance, Big Brother campaign reminiscent of George Orwell’s “1984,” a massive trend of the “Informed” has spawned. Eager to counter and outflank these campaigns, most blindly go wherever the Hero has directed them.
In this case, the trend has been the search for the ever-so-elusive unicorn that protects your data from becoming a statistic. That unicorn, more commonly named Zero Knowledge, is currently branded in your latest tech magazine as the “latest way to keep prying eyes from your data.” Zero Knowledge, as with most trends, remains a highly misunderstood concept and an even more poorly implemented solution.
Let’s now develop a scenario which best suits you. Whether you’re a journalist with the latest and greatest story, or just a person who handles “data” in day-to-day business operations, data security is a concern to you. Data security, at the end of the day, should be a concern to us all. But if we lend an ear to the ____Leaks and the latest revelations of hacks and breaches, a solution immune to Big Brother or some anonymous group of hacktivists seems an unlikely goal.
There always seems to be someone or something with the technical capability to tear down the safeguards (a house of cards) put in place, and to reach the news headlines almost as soon as those safeguards are built. So IS there a solution? Is there a way to ensure that our data is not compromised when we put it up in the magical cloud?
Short Answer: Yes, there is, and bits&digits will show you how.
Eagerly seeking a fix-all solution within a service provider’s branding campaign, steered by the brainchild of MBA and marketing gurus, will land you in the same place you started: uninformed, and a “follower led by the following.”
First, Zero Knowledge in the context of data security should be defined appropriately and clearly separated from its cryptographic origins. In its original sense, a Zero Knowledge proof is, “In cryptography, a method by which one party (the prover) can prove to another party (the verifier) that a given statement is true, without conveying any information apart from the fact that the statement is indeed true.”
This is NOT what we are talking about here.
Zero Knowledge, in the data security sense, is the “inability of a service provider to read/access, or to offer others (Government, rogue employee, or the latest hack group) the ability to read/access, the data that you entrust to them.” So for the sake of simplicity take Flopbox (Flopbox is an example used for the sake of this article – I don’t believe it’s a real service) for instance. You snap a selfie and want to store it in the “Flopbox Cloud.” Typically, you would sign into your FlopBox app, upload said photo into “FlopBox,” and now your photo is stored out of sight, out of mind.
Master Key Usage
Conventional thinking would lead you to believe that because you have a user name and password for your FlopBox account, those same credentials would be needed for, say, the owner of FlopBox to access your recently uploaded selfie. It’s a perfectly normal assumption. You needed to log in to get your information, so everyone else would need to do the same, with the same credentials, to access it.
Unfortunately, this is just not true. When you uploaded that photo, it went to a “computer” owned by Flopbox. That computer is not YOUR computer; it belongs to Flopbox. Flopbox just allowed you to use a small portion of their HUGE computer for free. So it’s quite logical at this point to conclude that the owner or administrator of the huge computer has a set of master keys.
Now, let’s take a more realistic approach to drawing this picture. Take the above scenario and replace FlopBox with a hotel. When you stay at a hotel, you are renting the use of the hotel’s room and services for a predetermined amount of time. Upon paying the clerk for the room, they in turn give you a set of keys to that room. When you are finished with your stay, you return the keys and go on your way. However, do you think those keys are the only keys in the world that can open your room?
No, they aren’t. The hotel managers, and most likely all of the service staff, have a master key that can open ALL of the rooms in that hotel. And unlike your key, those master keys do not have a programmed expiration date. Meaning that when you check out and your key stops working, their key will still open the door to your room. In an emergency, or when law enforcement asks, the staff can open your door whenever the situation presents itself.
Unfortunately, the same is true of most of the service providers hosting your email, websites, and data storage. Master keys are kept handy at all times, for obvious and not-so-obvious reasons: to perform maintenance (in the hotel’s case, room service), or when the government requests access to investigate a crime. Master keys are present because, at the end of the day, and simply put, it’s not your computer.
Logically, it is important for said master keys to be stored in a safe and access-controlled manner, to ensure that a rogue employee doesn’t run wild invading your privacy and peering into the “rooms” you’re renting. Poor governance of these master keys results in your selfie being exposed to, or reviewed by, unauthorized individuals. Poor governance is also the reason for the majority of the breaches you hear about, but it’s not the point of discussion here.
Beyond the assurances offered by the privacy statements and certification badges on these service providers’ websites, assuring that they “maintain a level of integrity” in accordance with “XYZ law,” and promising (fingers crossed) that they won’t toy around with your data AND will only access it for “routine maintenance” in accordance with standard operating procedures, what assurance do you REALLY have that your data, or more importantly your identity + your data, is confidential?
You don’t. Simple and plain, you have no measurable assurance that some employee, data broker, or subcontractor won’t gain access to your data and use it for whatever reason they deem necessary.
UNLESS, of course, your data is encrypted.
This simple, yet often avoided, measure is the “Secret Solution” many companies simply don’t offer their customers, for reasons I will not elaborate on in this article. Applying an encryption layer to your data is the ONLY way to ensure prying eyes don’t read your sensitive data. But simply applying encryption doesn’t safeguard your data completely. Which encryption standard you use, where you apply it, and who holds the keys are what make for a sound assurance that your data is “pry proof.” The US government has a name for this multi-layered approach: defense in depth.
Funnily enough, there are standards and regulations (NIST guidance, PCI DSS, HIPAA) that clearly expect service providers to apply encryption to what is called “Data at Rest.” These standards describe three states in which data should be protected: Data at Rest, Data in Use, and Data in Transit.
All should be fairly easy to identify. “Data at Rest” is data stored and “resting” somewhere: on disk, in a database, in a backup. “Data in Use” is data being actively processed in memory by whatever program handles it; it is the hardest state to protect, because the program must see the plaintext to work on it. “Data in Transit” is data moving across a network, protected by a secure tunnel such as TLS (formerly SSL) or a VPN; the data is only as secure as the integrity of the tunnel it rides. One caveat to keep in mind: “encrypted at rest” says nothing about who holds the key. If the provider encrypts your data on its own servers with its own key, the master key problem above is unchanged.
Layers of encryption applied at all stages of a data stream/segment lifecycle, end to end, using a vetted algorithm such as AES (FIPS 197), ideally in an implementation validated under FIPS 140-2 (Google it; no time here to go into crypto standard validation), is the Zero Knowledge “Pièce de Résistance.”
How many Service Providers actually deploy an End-to-End, Layered, and Certifiable Encryption Scheme for their clients at ALL phases of the data lifecycle? The only ones I’ve seen are the ones I can’t speak of in US government systems, and of course the ones Bits & Digits has designed for its customers requesting it.
bits&digits Zero Knowledge “Casino Concept”
So, by now you may have arrived at the realization that a Zero Knowledge claim is not a simple tagline you should run toward when some company, in its rush to align itself with popular tech culture, decides to use it.
Furthermore, do NOT lean toward a company’s claim of Zero Knowledge when you go to “Create Account” and its first questions are personal information fields followed by a recovery questions page. Rule of thumb, through the “Eyes of Exploitation”: if your identity is given or requested to establish the account, and your payment method really identifies you (credit card, PayPal, etc.), then REST assured there are ways your identity can be traced to the account.
A true Zero Knowledge implementation would look something like a casino. You enter the casino without revealing your identity, exchanging your hard cash for the currency used in the casino. You play at the tables (the service) without revealing your identity, using only the casino chips to play and bet. When you leave the casino (the service provider), you exchange the chips for cold hard cash and depart. Your identity, your activity, and your privacy are all intact. If at any point in the above process you identify, associate, or marry your identity with the service, you have blown the entire operation.
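The two models described above, the hotel master key (the provider encrypts your selfie at rest with its own key, so anyone holding that key can open it) and the casino chip (an opaque account handle plus a data key derived on your own device, so the provider stores only bytes it cannot open), are shown side by side below as an added example. This is not bits&digits’ code and not the design of any real service; Flopbox, the passphrase, the salt, the 10000-iteration count and the selfie bytes are constructed for the illustration. It uses AES-256-GCM and a written-out PBKDF2-HMAC-SHA256, both from the Go standard library only, and covers the at-rest leg; the transit leg (TLS) is out of scope here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

func hm(key []byte, parts ...[]byte) []byte { // HMAC-SHA256 over the concatenation of parts
	m := hmac.New(sha256.New, key)
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018), written out so the example
// needs nothing outside the Go standard library.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		u := hm(password, salt, []byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			u = hm(password, u)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// aead returns AES-256-GCM for a 32-byte key; seal/open prepend a fresh 12-byte nonce to the blob.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

func seal(key, pt []byte) []byte {
	nonce := make([]byte, 12)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return aead(key).Seal(nonce, nonce, pt, nil)
}
func open(key, blob []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, fmt.Errorf("blob too short")
	}
	return aead(key).Open(nil, blob[:12], blob[12:], nil)
}

// Provider models "Flopbox": blobs indexed by account handle plus the hotel-style master key.
// Peek is what an administrator, a rogue employee or a served warrant gets with that key.
type Provider struct {
	MasterKey []byte
	Store     map[string][]byte
}
func (p *Provider) Peek(handle string) (data []byte, ok bool) {
	data, err := open(p.MasterKey, p.Store[handle])
	return data, err == nil
}

// Client holds the only secret, a passphrase. A slow KDF turns it into a root secret; HMAC
// with distinct labels splits that into an opaque account handle (the casino chip the
// provider sees) and a data key that never leaves the device. The salt is not secret. Caveat:
// the handle is password-hash-like, so the provider can test passphrase guesses offline.
type Client struct{ root []byte }
func NewClient(passphrase, salt []byte) Client {
	return Client{root: pbkdf2SHA256(passphrase, salt, 10000, 32)} // iteration count is illustrative
}
func (c Client) Handle() string                      { return hex.EncodeToString(hm(c.root, []byte("account-handle"))[:16]) }
func (c Client) Encrypt(pt []byte) []byte            { return seal(hm(c.root, []byte("data-key")), pt) }
func (c Client) Decrypt(blob []byte) ([]byte, error) { return open(hm(c.root, []byte("data-key")), blob) }

func main() {
	selfie := []byte("constructed sample: bytes of selfie.jpg") // constructed input
	p := &Provider{MasterKey: make([]byte, 32), Store: map[string][]byte{}}
	rand.Read(p.MasterKey)
	alice := NewClient([]byte("correct horse battery staple"), []byte("public-per-user-salt"))
	p.Store[alice.Handle()] = seal(p.MasterKey, selfie) // conventional: the provider encrypts at rest
	_, providerReadsConventional := p.Peek(alice.Handle())
	p.Store[alice.Handle()] = alice.Encrypt(selfie) // zero knowledge: sealed on the device first
	_, providerReadsClientSide := p.Peek(alice.Handle())
	_, err := alice.Decrypt(p.Store[alice.Handle()])
	fmt.Println(providerReadsConventional, providerReadsClientSide, err == nil) // true false true
}
```

Run it with `go run`. The thing to notice is that Peek succeeds on the conventional upload and fails on the client-side one, even though both blobs are “encrypted at rest” with the same algorithm; the only difference is who holds the key. Also note what the casino design gives up: with no identity and no recovery questions, a forgotten passphrase is a lost selfie, and because the handle is derived from the passphrase the provider can brute-force a weak one offline, which is why the KDF cost matters.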
How cost prohibitive is it to deploy a Zero Knowledge environment effective enough to assure that integrity is maintained and the data is accessible only by its creator?
Marginal! Simply put, if designed correctly, with the Zero Knowledge concept applied during development of the solution, there would be little deviation from the initial development budget to institute a proper solution.
bits&digits dude, if it’s so simple to institute and not cost prohibitive to deploy, then why haven’t all the Big Guys done it?
Loaded as the question may be, there are many reasons. Depending on your appetite for conspiracy or technical justification, the answer in its simplest form remains:
The security of your data in most legacy systems just wasn’t on the drawing board.
The balance between ease of use and functionality probably pushed security out of the box way back in the day. Six or so years ago :). A solution as sound as we would all like it to be must be designed in at the conception phase of the project. Facebook, Google, Dropbox, etc., etc., wanted to serve you a product that appealed to your appetite at the time. Back in the “concept phases” of these giants, security breaches and privacy just weren’t on the design deck. Ahem… This is of course my most diplomatic assumption.