IBE Retrospective

IBE Retrospective

The initial research that led to the 2001 invention of Identity Based Encryption technology was funded by the US Department of Defense (DoD). Created by Stanford University professors, Dr. Dan Boneh and Dr. Matt Franklin, IBE was a breakthrough in cryptography that enabled users to use an identity, such as an email address, to secure business communication. IBE allowed for elimination of the digital certificates that a traditional X.509 based public key infrastructure (PKI) relied upon, and afforded its practitioners numerous operational and financial benefits.

Following this successful project, an additional DoD contract was awarded to Voltage Security to and develop and deploy the technology required to implement and support the Boneh-Franklin IBE cryptosystem. The DoD-funded initiatives proved highly successful, enabling the Boneh-Franklin IBE invention, and facilitating Voltage Security’s 2004 commercialization of the technology, and eventually finding a niche market for its IBE cryptosystem in securing both email communication and selected financial transactions.

Since then, however, network communication has exploded, presenting new security challenges that existing public key cryptosystems like IBE (and the more popular and pervasive PKI) cannot address. Once again, there is a need for a “next-generation” secure system – one that can accommodate a networked world that is today largely mobile, can protect created data that has grown from .01 zettabytes in 2005 to a projected 163 ZB in 2025, and can stand up to the daily threats that stem from cybercrime.

Additionally, the next-generation cryptosystem has to easily scale to any level, and economically secure an unlimited number of connected things.

Verifiable Identity-Based Encryption (VIBE) vs Identity-Based Encryption (IBE)

Offered by VIBE Cybersecurity International (VCI), VIBE is a next-generation cryptosystem that greatly improves upon the Boneh-Franklin IBE invention that was commercialized by Voltage. Designed to address the myriad challenges our connected world faces today, VIBE has developed numerous, unique, features that render it ideally suited to economically and easily protect nations and the citizens they serve. Specifically, relative to IBE circa 2005, VIBE addresses the following challenges:

The Challenge

The VIBE Solution

Why It’s Important

IBE cannot viably validate the sender of a message.

VIBE Authenticates/Validates the sender of a message.

Without validation, the sender cannot be trusted, and the entire system is rendered vulnerable to 3rd party attacks.

IBE is susceptible to Man-in-the-Middle attacks on the Public Parameters.

VIBE eliminates the need to protect the public parameters, thereby making Man-in-the-Middle attacks impossible.

When the public parameters are changed, a common occurrence in a dynamic IBE environment, there is no way of verifying that they haven’t been altered, placing the entire IBE system at risk.

IBE systems require re-issuance of all keys in a group should a Private Key (PK) be lost or compromised, which is a practical limitation (and operational nightmare).

VIBE enables dynamic re-issuance of a user/device Private Key without the need to change the user’s/device’s basic identity or the group’s master key, and by doing so, avoids the need to re-issue all the private keys of a group.

Dynamic Private Key re-issuance becomes an easy, economical task, and ensures superior security system wide.

In an IBE system, an assumed-trustworthy, third-party Key Generation Centre (KGC) is responsible for generating Master Keys for the user. A KGC misusing its power can be disastrous, however, and this known vulnerability point in (IBE) is commonly referred to as the Key Escrow problem.

VIBE solves the Key Escrow challenge by generation and distribution of the Private Keys to two (2) Trusted Centers, which are operationally separated from each other (split ownership). The PK generation is initiated under the control of the requesting user and delivers two masked partial keys, which are transformed to a working Private Key at the user’s node/device. 

Breaches from “inside jobs” or hackers become virtually impossible with VIBE, as there is no single point of attack.

IBE requires a 1:1 Signing Requirement

VIBE enables Digital Signing (DS) resolving the existing IBE 1:1 signing requirement, thus enabling the technology to displace various PKI usage scenarios, such as Key Distribution, X.509 certificate replacement (TLS) and VPN’s.

VIBE is able to address a much larger market, and can eliminate the security threats inherent in PKI-enabled protocols like TLS.

With IBE, key reissuance and key revocation are possible, but the associated processes are highly impractical. In IBE a System Administrator would have to re-key the entire group by changing the master key, or the key requiring re-issuance has to change its identity (i.e. change its unique characteristic, such as a device serial number which is not possible).

VIBE’s key management technology provides “secure on-the-fly dynamic key re-issuance”. 

Key reissuance and key revocation processes are simple to use, do not require re-keying or re-issuance of all keys within a given group (e.g. IoT devices associated with a particular application), and can accommodate time or session-based key revocation (e.g. keys revoked immediately after communication transaction is completed).  

In today’s world, the ability to rapidly revoke and/or re-issue keys significantly reduces vulnerability.

IBE is incapable of effectively securing inter-group communication, given its inability to authenticate the sender of a given message.

VIBE is designed such that users/devices registered in the same Trusted Center (or circle of trust) can be authenticated and allowed to securely communicate with registered/devices in other Trusted Centers, subject to rules-based approvals.   Envision and organization’s departments, agencies, contractors and other partners each having their own secure network, with a master encryption key known only to them, and their respective users having the ability to securely communicate, peer-to-peer, with other VIBE-secured entities based on the organization’s defined rules.

Secure, authenticated communication between and among Trust Centers eliminates known vulnerabilities (e.g. breaches which originate with supply chain systems).

IBE cannot authenticate.

VIBE allows for authentication and encryption at the application layer.

Application layer authentication and encryption reduces the surface attack area,  meaning, if one application is compromised, the entire system does not become at risk.