You may have been drawn to this article simply because of its alluring title, or perhaps it was the initial paper There Are No Secrets WHD 2015 Snowden Cross Examination that brought you here. Personal preference aside, it would serve your digestion best if the latter brought you here. This series intends to shed a dim yet distinct light on technologies and solutions alike that perhaps most people thought of as an Illusionist's Secret.
With news outlets, social media walls and business digests perpetuating the “Fear of the Day”, I thought it prudent to expand upon one topic that bears a solutionistic inference. I will assume the reader has seen evidence of these dialogs, whether it be the latest “Breach” or “Hack of the Week” that is followed by Revelations. By revelations I mean the attractive headlines that typically follow the same recipe: a dose of conspiracy (Government Mass Surveillance), light hints of Corporate Scandal (Service Provider Insider Breach), baked to order with tones of your personal involvement (Facebook, Twitter, Cell Phone and Email Users), and served ice cold with the illusion that it is impossible for you to avoid being affected by it.
All of this is made possible by the “Hero”: a traitor, whistleblower or Do-Gooder who has come to light bearing Secrets. In the case of this article, said Secret is “Zero Knowledge”. By the end of this article the reader will understand how Zero Knowledge works and, more importantly, what it really is. I digress.
Riding the backs of every Mass Surveillance, Big Brother campaign, similar to something from George Orwell's “1984”, a massive trend of the “Informed” has spawned. Eager to counter and outflank these massive campaigns, most blindly go wherever the Hero has directed them. In this case the trend has been finding the ever-so-elusive Unicorn that protects your data from becoming a statistic, more commonly named Zero Knowledge. Currently branded in your latest tech magazine as the “latest way to keep prying eyes from your data”, Zero Knowledge, as with most trends, is a highly misunderstood concept and an even more poorly adopted solution.
Let's now develop a scenario which best suits you, the reader. Whether you're a journalist with the latest and greatest story, or just a person who handles “data” in their day-to-day business operations, data security is a concern to you. Data security, at the end of the day, should be a concern to us all. But if we lend an ear to the ____Leaks and the latest revelations of technological hacks and breaches, the ability to reach a solution that is immune to Big Brother, or some anonymous group of hacktivists, seems like an unlikely goal. There always seems to be someone or something that has the technical capability to tear down the safeguards (house of cards) that are put in place, and reach the latest news headlines almost as soon as they are developed. So IS there a solution? Is there a way to ensure that our data is not compromised when we put it up in the magical cloud?
Short Answer: Yes, there is and bits&digits will show you how.
Eagerly seeking a Fix-All solution within a service provider whose branding campaign is steered by a brainchild of MBA and Marketing Gurus will land you in the same place you started: uninformed and a “follower led by the following”.
First, Zero Knowledge in the context of Data Security should be defined appropriately and clearly segregated from its cryptological origins. By true definition, Zero Knowledge is “In cryptography, a method by which one party (the prover) can prove to another party (the verifier) that a given statement is true, without conveying any information apart from the fact that the statement is indeed true.” This is NOT what we are talking about here.
Zero Knowledge in the Data Security sense is the “inability of a Service Provider to read/access, or to offer others (Government, Rogue Employee, or the latest hack group) the ability to read/access, the data that you entrust to them.” So for the sake of simplicity take Flopbox (Flopbox is an example used for the sake of this article; I don't believe it's a real service) for instance. You snap a selfie and want to store it in the “Flopbox Cloud”. Typically you would sign into your Flopbox app, upload said photo into “Flopbox”, and now your photo is stored out of sight, out of mind.
Conventional thinking would lead you to believe that because you have a User Name and Password for your Flopbox account, those same credentials would be needed for, say, the Owner of Flopbox to access your recently uploaded selfie. It's perfectly normal to assume that. You needed to log in to get your information, so everyone else would need to do the same, with the same credentials, to access it. Unfortunately this is just not true. When you uploaded that photo, it went to a “computer” that is owned by Flopbox. That computer is not YOUR computer; it belongs to Flopbox. Flopbox just allowed you to use a small portion of their HUGE computer for free. So it's quite logical at this point for you to come to the conclusion that the Owner or Administrator of the Huge Computer has a set of Master Keys.
Now let's take a more realistic approach to drawing this picture. Take the above scenario and replace Flopbox with a Hotel. When you stay at a hotel, you are renting the use of the hotel's room and services for a predetermined amount of time. Upon paying the clerk for the room, they in turn give you a set of keys to use that room. When you are finished with your stay, you return the keys and go on your way. However, do you think those keys are the only keys in the world that can access your room? No, they aren't. The hotel managers and most likely all of the service staff have a Master Key that can access ALL of the rooms in that hotel. And unlike your key, those Master Keys do not have a programmed expiration date in them. Meaning when you check out and your key doesn't work, their key will still be able to open the door to your hotel room. Or, in an emergency, Law Enforcement can have the staff open your door whenever such a situation presents itself.
Unfortunately this is the same with most of the Service Providers that host your Email, Websites and Data Storage solutions. Master Keys are handy at all times, for obvious and not-so-obvious reasons. Whether it be to perform maintenance (in the case of Hotels, to conduct Room Service), or if the government requests access to investigate a crime, Master Keys are present because, at the end of the day and simply put, it's not Your computer. Logically it would be important for said Master Keys to be stored in a safe and access-controlled manner to ensure that a rogue employee doesn't run wild invading your privacy and peering into the “rooms” that you're renting. Poor governance of these master keys results in your selfie being exposed or reviewed by unauthorized individuals. Poor governance is also the reason for a majority of the breaches you hear about, but it's not the point of discussion here.
If you understand the above principle of Cloud Storage you might be wondering how it is possible to maintain a level of privacy when Master Keys are floating around. Besides the assurances offered by the Privacy Statements and Certification symbols at the bottom of these Service Providers' websites, assuring they “Maintain a level of integrity” that is in accordance with “XYZ law”, and promising with Fingers Crossed that they won't toy around with your data AND will only access your data for “Routine Maintenance” in accordance with Standard Operating Procedures, what assurance do you REALLY have that your data, or more importantly your Identity + Your Data, is confidential? You Don't. Simple and plain, you just don't have a measurable assurance that some employee, or data broker, or subcontractor won't gain access to your data and use it for whatever reason they deem necessary.
That is of course the reality in most cases for your Email, Cloud Storage, Hospital Records, Cellular Phone records and just about any other service you trust to host your data.
UNLESS of course your data is Encrypted. This simple, yet often avoided, application is the “Secret Solution” that many companies simply don't offer their customers, for reasons I will not elaborate on in this article. Applying an encryption layer to your data is the ONLY way to ensure prying eyes don't read your sensitive data. But still, simply applying encryption doesn't safeguard your data completely. Which encryption standard you use, and where you apply encryption, is key to a sound assurance that your data is “pry proof”. The US Government has a name for this multi-layered approach: it's called Defense In Depth.
Funny enough, there are international standards and recommendations that clearly suggest that service providers apply encryption layers to what is called “Data At Rest”. There are three categories in which these standards (NIST, PCI, HIPAA) suggest implementing encryption: Data At Rest, Data In Use, and Data In Transit. All should be fairly easy to identify. “Data At Rest” is data that is stored and “resting” somewhere. Data In Use means the data is encrypted while being used by whatever program processes it. Data In Transit means the data is encrypted via a secure tunnel; an example of Data In Transit is SSL or VPN secure tunnels. The data would be secured by the integrity of the tunnel it leverages.
Layers of encryption, applied at all stages of a data stream/segment lifecycle, end to end, with a valid and mathematically certifiable encryption standard such as AES (FIPS 140-2; google it, no time here to go into Crypto Standard Validation), is the Zero Knowledge “Pièce De Résistance”.
How many Service Providers actually deploy an End-to-End, Layered and Certifiable Encryption Scheme for their clients at ALL phases of the data lifecycle? The only ones I've seen are the ones I can't speak of in US Government systems, and of course the ones bits&digits has designed for its customers requesting it.
bits&digits Zero Knowledge “Casino Concept”
So, by now you may have arrived at the fact that a Zero Knowledge application is not a simple Tag Line that you should run toward when some company, in its rush to align itself with Popular Tech Culture, decides to use it. Furthermore, lean NOT towards a company's claim of Zero Knowledge when you go to the “Create Account” page and its first questions are Personal Information elements followed by a Recovery Questions page. Rule of thumb, through the “Eyes of Exploitation”: if your identity is given/requested to establish the account, and your payment method is something that really identifies you (Credit Card, PayPal, etc.), then rest assured there are ways your identity can be traced to the account. A true Zero Knowledge implementation would reflect something similar to a Casino. You enter a casino without revealing your identity, you exchange your hard cash for a currency used in the casino, you play at the tables (service) without revealing your identity, only leveraging the casino coins to play and bet. When you leave the casino (service provider) you exchange the casino money for cold hard cash and depart. Your identity, your activity and your privacy all intact. If at any point in the above process you identify yourself, associating and marrying your identity with the service, you have blown the entire operation.
How cost prohibitive is it to deploy or institute a Zero Knowledge environment that is effective enough to assure that integrity is maintained and the data is only accessible by its creator?
Marginal! Simply put, if designed correctly and with the Zero Knowledge concept applied in the development of the solution, there would be little deviation from the initial development budget to institute a proper solution.
bits&digits dude, if it's so simple to institute and not cost prohibitive to deploy, then why haven't all the Big Guys done it?
Loaded as the question may be, there are many reasons. Depending on your appetite for conspiracy or technical justification, the answer in the simplest of forms is: the security of your data in most legacy systems just wasn't on the drawing board. The balance between Ease of Use and Functionality probably pushed security out of the box way back in the day (6 or so years ago 🙂). Implementing a solution as sound as we would all like it to be would need to be designed in the conception phase of the project. Facebook, Google, DropBox, etc., etc.: they wanted to serve you a product that appealed to your appetite at the time. Back in the “concept phases” of these giants, Security Breaches and Privacy just weren't on the design deck. Ahem... This is of course my most diplomatic assumption.