In August 1977 popular mathematician Martin Gardner introduced the concept of RSA cryptography in the pages of Scientific American. Developed by three researchers at Massachusetts Institute of Technology, the new algorithm would go on to dominate the securing of transactions over the Internet. Nearly four decades later, with cryptocurrencies and smart-device communications adding to a growing list of online transactions, the search is well underway for an even more secure and scalable replacements for RSA.
Conceived by Ron Rivest, Adi Shamir and Leonard Adleman, RSA cryptography enables Web users to conduct their business in relative privacy rather than having to send their sensitive information openly over the Internet. Enter your credit card into a Web site’s order form, for example, and that information is turned into a code that’s unreadable to anyone except for the vendor who processes your order.
A weakness with RSA, though, is that it was not designed to verify the identity of the person initiating the transaction. If someone were to intercept your online order and, say, change the information to have it shipped to a new address, it would be difficult for the vendor, or anyone, to know that the transaction had been tampered with until well after the fact. There is no way to authenticate you as the person who initiated the order, as opposed to the person who changed the shipping address. As Chris Christensen, an analyst at research firm IDC, put it in a 2006 paper (pdf) on the subject, “How does the receiver know that a message really came from the person who ‘signed’ it?”
When looking at information stored in the cloud, transferred between smart devices—the basis for the “Internet of Things”—and managed by businesses, there is no way to know that data has not been changed, says Mike Gault, CEO of Guardtime. His Estonia–based cybersecurity firm aims to replace RSA’s signature algorithm with one that uses a different type of encryption as well as a public ledger—a so-called blockchain—that records all transactions.
Blockchains have gained notice of late for their role in securing transactions involving cryptocurrencies such as bitcoin. These digital public ledger systems record information—including time stamps and other data tags—for all transactions that have been deciphered and validated. Once a transaction is entered into the blockchain ledger, it cannot be deleted or changed. Blockchains would enable a vendor to verify that you were the person who sent an order or that a second alteration of an original communication was made, raising suspicion. They are also appealing from a security and privacy standpoint because they rely on information stored across a decentralized network of computers. There is no central repository for cyber attackers to target.
Guardtime’s authentication and signature protocol is called BLT, after the company cryptographers—Ahto Buldas, Risto Laanoja and Ahto Truu—who invented it. The company claims that, unlike RSA, its cryptographic scheme “cannot be efficiently broken” even if an attacker uses quantum-computing algorithms.
Replacing a venerable technology such as RSA is no easy task, so Guardtime has partnered with Swedish wireless-network equipment maker Ericsson, whose new cybersecurity offerings are based on BLT. Estonia has served as a test bed for Guardtime’s technology over the past few years. The Baltic nation relies heavily on the Internet for banking and other crucial day-to-day functions and is loath to see a repeat of the crippling cyber attack that paralyzed the country in 2007.