Blog   |   February 11, 2020

Security Isn't Only Encryption. There's More to It.

by Axel Kloth

Encryption and decryption allow secure communication between two people. The problem is if you are the recipient of information, you don't really know who the sender is. As long as this person cannot authenticate himself or herself, then you may talk to somebody who is an adversary. Therefore, you have perceived security through your encryption, but have no actual security because you don't know who it is that you're talking to.

That’s called authentication and it is the most misunderstood part of security, even by experts. Authentication for a long time was facilitated by using a media access control (MAC) address, the hardware address of a network interface card. Because servers don't usually have a unique ID, most software companies relied on the MAC address and its uniqueness to issue licenses. That was the beginning of authentication and it delivered the promise of authenticating both sides of a transmission.

Then the network interface companies made the MAC address programmable because network devices occasionally failed and had to be replaced. You couldn't always change the MAC address in the network management centers, so you had to clone a MAC address to replace a server with another identical one because the administration of the change took time and money. That made the MAC address completely useless as a means of authentication. The more people tried to think about what they could use as a unique identifier, the more it became obvious that we need to return to a one-time-only, never changeable, immutable address that acts as an authenticatable ID for a device, be it a server, be it anything on the internet.

It doesn't matter what device it is, but the address and the unique ID cannot be and must never be changed. Now that alone isn't good enough because ultimately if you have an ID that is unique, it still doesn't tell you who it is. Ideally, this would be combined with the hashed unique ID being present in a database that says one hashed ID corresponds to “Person A” and the other hashed ID corresponds to “Person B.” When that is stored in your database you can make an association between the hashed ID and the person or the device you're talking to. That is a basic type of authentication available on some systems.

There are many companies trying to solve the problem of authentication in this manner, both in hardware and software, including Intrinsic ID, Okta, Akamai and Microsoft. The problem with using a database is that it can be attacked, and if it’s attacked, then of course you don’t have genuine authentication from an ID that has been hashed to a person or a device. There are more advanced schemes of this, but in general, the idea is you have a unique ID on the device. Its hash is going to be available in a database for mutual lookup, so any user who wants to know if a hash of a certain device or a person is in say an Akamai database, then this lookup would return that information.

That’s all easily securable if there’s one authority capable, and legally allowed to do that. Remember in the old days when you had a phone and your entry in the phone book was only facilitated by the phone company after they authenticated who you were? They verified who you were and what your address was and that was used to authenticate the entry in the Yellow Pages. But that doesn’t work if there are multiple authenticators providing different versions of the Yellow Pages.

Who authenticates the authenticators? That’s not just a problem with authentication, but with certificates as well. There are root certificate authorities, but they now issue a license to a secondary certificate authority. If those secondary authorities are not audited and certified themselves, you cannot really bank on the fact that whatever comes from a secondary certificate authority has been vetted properly.

There have been many examples of where certificates that were issued were in fact invalid. They were obtained through fraudulent use. They were obtained through breaches. They were obtained through nefarious activities at either the certificate authority or the issuing certificate authority. It’s a huge problem.