British Root of Trust

I know this will sound so childish and boorishly American, but I always chuckle when a Brit rhymes the word privacy with give (as they might while sipping tea in Coventry) versus with jive (as I do while eating my pizza in Brooklyn). This goes deeper: It’s been my observation for many years that UK cyber security experts treat technical disciplines such as cryptography with grave intensity, and tend to demonstrate exquisite taste in design.

This lies in stark contrast to many in the cyber security community who blindly toss cyber blame at stupid users, or who ignorantly layer application-level protections on weak underlying foundational designs. Show me a learned Brit, in contrast, and I’ll show you someone who understands the security stack – and who will properly rhyme the word technology with aw (which sounds so nice) rather than ah (OK – I’m guilty).

I was thinking these across-the-pond thoughts while chatting last week with Dr. Shahram Mossayebi, CEO of Crypto Quantique, a unique cyber security start-up located in Suite 601 at 164-180 Union Street in London (sounds nice, doesn’t it). Mossayebi took me through the company’s concept of quantum-driven, end-to-end, root-of-trust-based security, and I did my best to try to keep up. Here’s what I learned:

“We’ve applied quantum physics to design chips that support advanced cryptographic key management,” explained Mossayebi. “We implement secure key generation and retrieval rather than storage, and this results in devices that cannot be cloned. The resulting quantum-driven secure chip (QDSC) is especially well-suited for application such as IoT where the underlying hardware can take advantage of our protection scheme.”

The Q part of the QDSC apparently enables secure generation and retrieval of cryptographic keys, which results in an underlying hardware-based root of trust that does not require storage of keys. While I must admit to not fully understanding the physics (and I have a degree in that topic – go figure), this property seems quite useful – perhaps even profound, especially for devices in highly sensitive or critical environments.

Embedding a secure root of trust into endpoints, mobiles, and IoT devices is recognized as a desirable goal in our industry – and the QDSC goes far beyond anything that one might expect with a trusted platform module (TPM) or subscriber identity module (SIM) card. Again, the Q part of the QDSC ensures that the chip cannot possibly be cloned (every QDSC is unique) and that it provides a tamper-resistant root in the end-to-end security chain.

I asked Mossayebi how applications can take advantage of the underlying secure base, and he pointed to their application programming interface (API). “Our chip allows devices to link back to their owner using our API,” he explained. “The API also enables management and administration, as well as export of cryptographically-secured information such as user credentials to software applications to ensure full end-to-end protection.”

One of the key underlying concepts addressed by the QDSC involves attestation of devices, especially ones deployed in the field with need to communicate back to a trusted owner. “Our technology supports installation of secrets onto the chip using random variations in the fabrication process,” Mossayebi said. “The installed secret then enables a cryptographic handshake to strongly establish identity with an application.”

As you would expect, our discussion went to IoT security, because hardware security solutions such as the QDSC are most easily integrated into the manufacture of new devices with intense security requirements. IoT thus seems the most likely business opportunity for this start-up company. But Mossayebi was quick to point out how the Crypto Quantique technology applied to any device in any environment – and this seemed reasonable.

But the business challenge for any hardware-based solution is that normal enterprise security teams have no possible means for directly taking advantage of the benefits. CISOs have neither budget nor means to upgrade the chips on their devices, so they must rely on their technology vendors to make this decision. I suggested that Mossayebi develop language that practitioners could use to request devices that are QDSC-enabled.

The bottom line here is that Crypto Quantique is miles ahead in this advanced notion of demanding a root-of-trust in the end-to-end security chain. That is, where most organizations would be delighted to see cryptographic credentials exported from their TPM, the QDSC uses quantum physics to ensure no weaknesses in this process. I would only expect such attention to cryptographic details from the Brits. (OK, the Canadians are pretty good too.)

If you are a device manufacturer with aspirations to improve your security – perhaps in some critical IoT environment, or if you provide services that rely on advanced protection of the underlying hardware base, then I highly recommend that you be in touch with Shahram Mossayebi and his team. Crypto Quantique looks to be the real deal in terms of elegant handling of keys, and I suspect they will impress you with their technology.

As always, please share what you have learned.