How two “holy grails” of cryptography can make the cloud safe everywhere

This is not what SSL keys look like, but you get the idea.
Image: Reuters/Akhtar Soomro

The cloud can be a scary place, whether you’re a celebrity with risqué photos or a bank with $10 billion in assets.

But it’s also the most efficient place for businesses to do their work online, thanks to lower costs and more adaptability. Take the wave of cyber attacks on US banks in 2012, supposedly launched by Iran. They were “denial of service” attacks, which use repeated requests to overload a website, blocking others from using it, and effectively taking it down.

After the attacks, some of those financial institutions came to Cloudflare, a network optimization and security company, looking for assistance. But, Cloudflare CEO Matthew Prince says, they found themselves between a rock and a hard place. Websites whose data is distributed on servers around the world—in the cloud—can handle these attacks more easily, since there’s no single server to overload. But that also means sensitive data is dispersed around the world—most importantly, the company’s private SSL key, the critical information needed to access encrypted data. (“Secure sockets layer” is the primary web encryption protocol, the one that makes the little lock symbol appear in the URL bar of your browser when you log into a secure site.)

For a major bank, controlling access to that information is vital—and failure to do so wouldn’t just be a security breach but a regulatory disaster. Consider, for example, the Heartbleed exploit found last April, which allowed hackers a peek into a public server’s most recently-accessed memory, potentially allowing them to scoop up a private key. Fears of attacks like that have banks and other security-focused enterprises keeping their data on more secure servers, which are both more expensive and more vulnerable to denial of service attacks.

Until now, Prince says. His company, he says, has cracked “the holy grail of cloud computing” by developing procedures that allow a company to distribute its encrypted data across the cloud, while keeping its private key on a single secure server. When users want to access the website, Cloudflare issues them a temporary “session key” that is unique to their machine, keeping the private key away from public eyes. While this might sound simple, Prince says the technicalities—and the need to execute these exchanges safely 10 million times each second—make this a major innovation. One of the first customers is Goldman Sachs.
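The split described above can be sketched in a few lines of Go. This is an added illustration, not Cloudflare's code: the names `KeyServer`, `NewKeyServer`, `Handshake` and `sessionKey` are hypothetical, RSA-OAEP and HMAC-SHA256 stand in for the real TLS key exchange and key derivation, and a direct function call stands in for the authenticated channel between the cloud server and the key server.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// KeyServer models the single secure server: only it holds the private key,
// and Decrypt is the one private-key operation it performs for edge servers.
type KeyServer struct{ priv *rsa.PrivateKey }
func NewKeyServer() (*KeyServer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // throwaway demo key
	return &KeyServer{priv: priv}, err
}
func (k *KeyServer) Decrypt(ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, k.priv, ct, nil)
}

// sessionKey derives a per-connection key from the secret and fresh nonces.
func sessionKey(secret, nonces []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(nonces)
	return m.Sum(nil)
}

// Handshake runs one constructed connection through an edge (cloud) server that
// holds only pub and a link to ks; it returns the client's and the edge's keys.
func Handshake(pub *rsa.PublicKey, ks *KeyServer) (client, edge []byte, err error) {
	buf := make([]byte, 112) // 64 bytes of nonces, then a 48-byte secret
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, buf[64:], nil) // client
	if err != nil {
		return nil, nil, err
	}
	secret, err := ks.Decrypt(ct) // edge forwards the ciphertext to the key server
	if err != nil {
		return nil, nil, err
	}
	return sessionKey(buf[64:], buf[:64]), sessionKey(secret, buf[:64]), nil
}

func main() {
	ks, _ := NewKeyServer()
	c, e, err := Handshake(&ks.priv.PublicKey, ks)
	fmt.Println("session keys match:", hmac.Equal(c, e), "err:", err)
}
```

The edge ends each connection holding a session key that is useless for any other connection, so a memory leak on the edge exposes sessions rather than the long-lived private key.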

Security experts who reviewed the software ahead of its launch, including Jon Callas and Phil Zimmermann, compare it to PGP, the gold standard of personal encryption, which also relies on users maintaining a private key. They know what they are talking about—Zimmermann invented PGP.

And this “keyless SSL” isn’t just good for security firms who want their cloud and security, too; it’s also good for internet expansion in places such as Africa and China, where so-called “tier 4” data centers for critical operations, with redundant climate control systems and retinal scanners, are few and far between. Now, companies can distribute their data to less-secure centers in developing countries without worrying about their global security.

But it turns out there’s a next holy grail. I asked Prince about Craig Gentry, a cryptological researcher at IBM who was awarded a MacArthur “genius” fellowship earlier this week. “Keyless SSL is like the baby holy grail of cryptography,” Prince says. “What he’s working on is the real holy grail of cryptography—can you put data up in a cloud-like environment, encrypt it in a way that the cloud provider doesn’t know what’s in it, and still be able to run things like searches against it?” That is, the data remains encrypted, even to the host, but still can be accessed by a user with the right credentials.

Gentry’s work is still largely theoretical, but Prince says progress is on the march. “The challenge is that it’s still 1,000 times too slow—but in computer science, anything that’s 1,000 times too slow, that’s five years.”