Silk Fibers Used to Generate “Unbreachable” Secure Keys

A group of researchers at South Korea’s Gwangju Institute of Science and Technology (GIST) have used natural silk fibers from domesticated silkworms to build an environmentally friendly digital security system that they say is “practically unbreachable.” The Korean researchers take advantage of the diffraction of light through the natural microholes in silk to create a secure and unique digital key for security solutions needing a unique identifier.

Physical Unclonable Functions (PUFs)

Physical Unclonable Functions or PUFs are needed when a security device is creating a unique security key or identity marker. PUFs must be unpredictable or random in order to serve their purpose. Researchers discovered that these silk microholes contain microscopic differences easily recorded and identified by electronic equipment making them well suited for the creation of unique identifiers (cryptographic keys).

In other words, PUFs are non-algorithmic one-way functions derived from uncopiable elements to create unbreakable identifiers for strong authentication. Over the years, PUFs have been widely used in smartcards to provide “silicon fingerprints” as a way of uniquely identifying cardholders based on a challenge-response authentication scheme. To understand how this new technology works, GIST researchers put the diagram below together to explain.

Should such a system be deployed for user authentication using a smart card, the researchers said that faking an authentication key generated from the module through a brute-force attack would take as long as 5 x 1041 years to crack it open, making it cryptographically unbreakable even with the specter of quantum computing threatening current best practices in cryptography. Put simply, silk PUFs may provide relief from theoretical attacks by quantum computers on current cryptographic hashes.

What Does This Mean For Your MSP or SMB?

Proving identities is a critical function in any business. Understanding identity and access management in your SMB is important. How you accomplish that won’t be with PUFs but is done with existing technologies such as single-sign-on, federated identities, and tools like Azure AD and Okta. These are all readily attainable by an MSP or SMB.

Encryption and cryptography are important to SMBs or MSPs in order to protect the confidentiality and integrity of critical and sensitive information. SMBs or MSPs may fall under legislative controls such as HIPAA or PCI which require specific forms of data (Health Records, Credit Card PAN information) to be protected from disclosure (confidentiality) or manipulation (integrity).

One strategy for SMB’s to deal with industry compliance requirements is NOT to have such data in their possession to begin with. For example, PCI compliance obligations can often be avoided by partnering with online Web Services that perform the Credit Authorization outside of your Website or store and simply provide the SMB or MSP an authorization code back. However, in cases where an SMB/MSP must collect and store critical and sensitive data, then they must protect it with encryption. Today, that means using the Advanced Encryption Standard (AES) encryption, currently the most powerful algorithmic way to produce one-way functions to protect your data from compromise and exposure.

SMBs/MSPs should encrypt laptops and tablets with Microsoft’s BitLocker or Apple’s FileVault to protect the critical and sensitive data they contain from compromise. This limits a stolen or lost device to a financial loss or cost instead of larger financial fines from a breach of regulated critical or sensitive data (HIPAA records, PCI, or NPPI).

As with physical keys, logical key management is important. Be certain you store decryption keys in a secure place, not on the device for which the key decrypts the data itself. That’s like hiding the key under the mat.

Additional Cybersecurity Recommendations

Additionally, these recommendations below will help you and your business stay secure with the various threats you may face on a day-to-day basis. All of the suggestions listed below can be gained by hiring CyberHoot’s vCISO services.

  1. Govern employees with policies and procedures. You need a password policy, an acceptable use policy, an information handling policy, and a written information security program (WISP) at a minimum.
  2. Train employees on how to spot and avoid phishing attacks. Adopt a Learning Management system like CyberHoot to teach employees the skills they need to be more confident, productive, and secure.
  3. Test employees with Phishing attacks to practice. CyberHoot’s Phish testing allows businesses to test employees with believable phishing attacks and put those that fail into remedial phish training.
  4. Deploy critical cybersecurity technology including two-factor authentication on all critical accounts. Enable email SPAM filtering, validate backups, deploy DNS protection, antivirus, and anti-malware on all your endpoints.
  5. In the modern Work-from-Home era, make sure you’re managing personal devices connecting to your network by validating their security (patching, antivirus, DNS protections, etc) or prohibiting their use entirely.
  6. If you haven’t had a risk assessment by a 3rd party in the last 2 years, you should have one now. Establishing a risk management framework in your organization is critical to addressing your most egregious risks with your finite time and money.
  7. Buy Cyber-Insurance to protect you in a catastrophic failure situation. Cyber-Insurance is no different than Car, Fire, Flood, or Life insurance. It’s there when you need it most.

All of these recommendations are built into CyberHoot the product or CyberHoot’s vCISO Services. With CyberHoot you can govern, train, assess, and test your employees. Visit CyberHoot.com and sign up for our services today. At the very least continue to learn by enrolling in our monthly Cybersecurity newsletters to stay on top of current cybersecurity updates.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store