In today’s interconnected world, we can rely on all kinds of connections – from typical use at home, where we have computers, smartphones, and household appliances, to enterprises, where there are servers containing sensitive customer data or a multitude of controllers that are mission critical for manufacturing or provide revenue-generating services.
For all these examples, we rely on our devices to know whom we are communicating with and that we have the assurance of data integrity and confidentiality – again, be it the schedule of turning on our smart home devices or instruction to the factory floor machine what it should do, and everything imaginable in between. Our modern life depends on how much we can trust the systems and devices we rely on to make our lives more comfortable, perform specific tasks, and make our society work more efficiently in many ways.
As usual, I reflect on the core of all this stuff: mathematics and applied cryptography. For some folks, it is scary stuff. But for others like me, it is a passion I like to spend my time on, 30+ years and counting. Nevertheless, the important thing for all of us to remember is that many talented people have developed the concept of digital trust over the past four decades. These folks, the cryptographers, have developed algorithms and protocols that create the fabrics of trust and several security mechanisms that most of us use every single day, sometimes knowingly/intentionally, while many times it is all done for us automatically and “it just works.” Funny, math sometimes allows us to imagine things that are yet impossible to implement – back in the day, computers were computationally too weak, and we did not have developed infrastructure that would allow us to connect to just about anyone, anywhere.
The emergence of trust from browsers to identity cards
We who were born before the emergence of smartphones, before Google or Facebook even existed, remember the last decade of the 20th century when it all started to be put into practice.
It all started with browsers. As people started to use browsers to consume information available on the internet, it became imperative to ensure that we could trust what we saw in the browser and that others could not easily know what we were looking at. The browser that changed the world was Netscape, where a team led by brilliant cryptographer Tahel El Gamal gave us the capability to provide security in internet communication. It was called SSL protocol, and the modern-day iteration is called TLS. The SSL protocol is based on the use of so-called digital certificates and public key cryptography. This invention gave users on the internet the capability to connect securely to websites, thus providing trust in the internet, and it is safe to say it was one hugely important contributing factor towards the digital transformation of our societies. For instance, e-commerce was practically non-existent before this innovation.
The first implementations of “public trust” and services associated with trusted systems were awkward, were not user-friendly at all, and often failed to achieve the intended ambitions. Simply, the products were still immature, and like most all good intentions from the public procurements, most all resulted only in taxpayers’ money wasted.
Slowly but surely, some successes and valuable lessons emerged. The B2C services were introduced by some banks, given that the banks, by the very nature of their business, knew the importance of confidentiality. While good for the time, these systems did not scale well. The users would need to have a special device connected to a computer (smart card reader). It was nothing short of a nightmare to (re)install the driver software every time your Windows was upgraded.
Some governments had bold ambitions to provide G2C services. In addition to the technical difficulties, we also got country-specific “standards” and regulations that at best protected national or preferred suppliers and at worst were insufficiently secure. However, we learned a lot – while the initial government-issued ID cards with “smart chips” were failures 20+ years ago, today we have wonderful examples where the majority of the population is using electronic ID cards to access both government and business services.
Living in Sweden, it is almost impossible to imagine how the world was working before BankID – we access all kinds of services on a daily basis using this service. Another example is the digital identity cards in Estonia, which are widely considered a model of success. Both examples have more than a decade of wide-range use, work for most of the population, and provide society with services that save tons of money for taxpayers.
The challenges of digital trust as technology scales
Yet as the technologies improved, so have misuse and “attacks” followed along. The problem of scaling to a large number of users is multifaceted, and I will just mention a few examples here.
To validate that a single certificate is valid is simple, but having millions of issued certificates means that each party needs an efficient way to ensure that it communicates with the intended and approved counterpart. Even for the simplest system, with only one trust hierarchy, this means large data transfers only to equip everyone with current validation information.
Furthermore, our browsers have built-in 100+ trust hierarchies, and a common user has no chance of validating themselves on all of them since it would be an enormous task. Incidentally, some of these trust anchors, so-called public certificate authorities, were targets of malicious attacks and subsequent abuse. If such a system is compromised and it has millions of users, then the task of re-instating the trust may be virtually impossible.
Improvements were made, and today, we have technologies that allow for on-demand validation of certificates, and rules and inter-industry regulations have evolved that control how the public trust certificates are issued. Is it perfect? No. Does it work? Yes. The debate is never-ending – new methods of attacks need to be addressed constantly.
Here in Europe, we have mostly abandoned country-specific standards and gone towards at least Europe-wide. This opened much important competition between the vendors but also the possibility that a citizen of country X can use services in country Y. But the world does not end up in Svalbard nor in Malta – we need to communicate with “everybody.”
For the good of mankind (mostly), the big tech companies played a significant role in pushing for technologies that are working everywhere (where it is not prohibited or controlled by specific governments). Yes, it was in their self-interest, but so what – it works (mostly)!
One example that has been fairly successful is the 3GPP consortium, which brought a bunch of standards within mobile telecommunications. The trust model (related to the digital trust and use of PKI) from the 3GPP standards is arguably one of the best developed and has been used for almost 20 years now worldwide.
There are so many details that I omit here, but it would be unfair to forget the contributions of companies and individuals towards the creation of the open standards that allow us to enjoy the benefits of the fabric of trust. When the cryptographers come up with some brilliant new discovery, then the engineers make it work in a consistent, interoperable manner. That is so much easier to say than do. The engineers who work on standards must look both back to allow the new systems to work with the old and ahead to allow for future improvements in a field that is rapidly evolving. The unsung heroes of the last 25+ years are the engineers who contributed towards interoperable standards. If I was to pick one organization, then it would be the IETF, where contributors from many companies delivered hundreds of de-facto standards without which the digital age we enjoy would be digital “wild west.”
Check back next week for a look at three trends impacting the evolution of digital trust. In the meantime, explore our white paper.
Subscribe to The Source, Keyfactor’s identity-first security newsletter, to get helpful resources and insightful perspectives from cybersecurity leaders delivered to your inbox every month.