This one may be familiar: Wide receiver and cryptographer walk into a bar and … set the data security landscape on its ear. No? Haven’t heard that one, hmm?
Since sports analogies abound in all corners of writing, try this one on for size: blocking and tackling, the digital kind. The kind that defends sensitive data against bad actors and leaves their best efforts crumpled on the field. Who knows blocking and tackling better than Lewis Neal, defensive end of the Dallas Cowboys? Turns out he has some insight into stopping the opposing team in its tracks in a whole different arena: that of data and its protection.
The interest is not merely academic. Neal himself had been hacked while in college and became interested in data security and technology. His further pursuits led to him being the first-ever NFL rookie with a patent pending for his own innovations related to 3D image capture.
Networking is a fortuitous thing. When pursuing his patent application, Neal encountered Dane Butzer, founder of HyperSpace Security, a company that leverages a game-changing and now-patented concept that took Butzer decades to develop. Neal saw the potential of the idea and joined the company as a member of the Board of Advisors and as an equity member.
The HyperSpace team is now coming to market with that game-changing idea, rendered across APIs and hardware. To hear them tell it, tokenization — the way it’s being done right now — is no winning play in that eternal scrimmage against cyber hackers. Butzer and Neal point to a hole in the defensive line, tied to master keys, which are created whenever encryption is used to mask data or documents. The keys are used both to encrypt and decrypt the sensitive payload.
But what if the bad guys get hold of those keys? All sorts of havoc is in the offing across companies, payment systems, even blockchain. Keep the key untouchable, and the end result is enhanced security across any number of avenues.
HyperSpace is well-keyed to the concept of key management — but with a twist: call it key shadowing. Neal and Butzer told PYMNTS’ Karen Webster that key shadowing can also be a boon against the looming threat of quantum computing, where common crypto efforts are cracked like eggs with lightning speed. The overarching theme is one where keys are created … and destroyed.
Amid The Shadows: Keys Created, Destroyed, Reborn
Between the alpha and omega, along the way, a number of steps come into play. As Butzer explained to Webster, the key that is created serves to protect data or give the go-ahead to a transaction. Then a shadow — or shadows of the key (stretching across 10 or 1,000 or any number of shadows) — is created across coordinates and the hyperdimensional space. Of that potentially massive pool of shadow keys, several shadows — as many as four — are required from authorized parties to regenerate the key after its destruction. The regeneration takes place only when an event or resource needs to be occasioned or accessed. After regeneration and use, the key is destroyed again.
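The article does not describe HyperSpace's patented construction, so the sketch below substitutes Shamir's secret sharing, a well-known public k-of-n threshold scheme, to illustrate the create, shadow, destroy and regenerate lifecycle with 10 shadows and a threshold of four. It is an added example, not HyperSpace code; the function names, the prime modulus and the sample values are assumptions.

```python
import secrets

# Assumption: Shamir's scheme over a prime field stands in for the
# proprietary "key shadowing" method, which the article does not specify.
PRIME = 2**521 - 1  # Mersenne prime, comfortably larger than a 256-bit key


def make_shadows(key, threshold, count):
    """Split `key` into `count` shadows; any `threshold` of them rebuild it."""
    if not 0 <= key < PRIME:
        raise ValueError("key out of range for the field")
    if not 1 <= threshold <= count:
        raise ValueError("need 1 <= threshold <= count")
    # Random polynomial of degree threshold-1 whose constant term is the key.
    coeffs = [key] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    shadows = []
    for x in range(1, count + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        shadows.append((x, y))
    return shadows


def regenerate(shadows, threshold):
    """Rebuild the key by Lagrange interpolation at x = 0."""
    points = list(dict(shadows).items())  # drop duplicate shadows
    if len(points) < threshold:
        raise ValueError("not enough distinct shadows to regenerate the key")
    points = points[:threshold]
    key = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * -xj % PRIME
                den = den * (xi - xj) % PRIME
        key = (key + yi * num * pow(den, -1, PRIME)) % PRIME
    return key


if __name__ == "__main__":
    key = secrets.randbits(256)            # create the key
    shadows = make_shadows(key, 4, 10)     # shadow it: 10 shadows, 4 required
    fingerprint = key % 2**32              # constructed check value for the demo
    del key                                # destroy (Python cannot zeroize memory)
    quorum = [shadows[i] for i in (0, 3, 6, 9)]
    rebuilt = regenerate(quorum, 4)        # regenerate only when needed
    print("regenerated:", rebuilt % 2**32 == fingerprint)
    del rebuilt                            # destroy again after use
```

In Shamir's scheme, any set of fewer than four shadows leaves every candidate key equally likely, so the protection then rests on how each party stores and releases its own shadow.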
Beyond the rough mechanics of the process, Butzer said key shadowing has its roots in a simple caution — one he learned after being hacked 20 years ago, falling victim to a scheme that bilked small dollar amounts from his and others’ bank accounts. The hacker who gets into a computer, network or payments ecosystem owns all the data harbored and spirited across devices and rails, including, of course, sensitive financial information.
Now, the mantra, where the key is key to the data: “You create the key, you use the key, you shadow the key and then you destroy the key,” said Butzer. “The keyword here,” he said, with a nod toward the intended pun, “is that the key is never persistently stored” as the shadows are dispersed.
The data? Well, that can be anything, represented as data so often is via computer — that is, numerically — up to 1 million bits, spanning information across personal identifiers and credit card activity.
When asked where the shadow keys can reside, Butzer stated they can be harbored on computers or devices and accessed through familiar means, such as user passwords and other protections, as various stakeholders come together to authorize an event or transaction.
Want a real-world application?
Butzer posited a scenario where, in setting up a bank account, the shadow keys could be dispersed to not only the account holder, but the bank, and even a CPA — and enough parties must work in conjunction to validate a transaction coming into or out of an account, across a range of devices, from mobile to laptop to desktop.
“The process takes milliseconds, and does not impact the user experience,” said Butzer, “and there is no way to go from a shadow to a key by itself … as the key is never persistently stored.”
This last point is especially important. Under the extant model of data encrypted with public and private keys, a user who loses a private key cannot authorize new transactions (thus the stories of people who have lost access to millions of dollars stored in bitcoins, likely rendered forever inaccessible).
Also, noted Butzer, it is possible for a bad actor to derive a private key from a public key.
Sacking Quantum Computing Threats
That’s a real danger, noted Neal, as quantum computing seeks to crack codes in seconds or hours. Blockchain, thought by many to be bulletproof, is surprisingly vulnerable to such attacks.
“That is one reason the government is interested, as well,” said Neal, who pointed toward recent meetings with the Federal Reserve and the Department of Homeland Security. “We are quantum-resistant.”
Butzer and Neal said the meetings are part of the roadmap toward certification (a several-month process) that will, in turn, allow HyperSpace’s RESTful API and appliances to find entrée at the government level, and eye eventual presence in consumer-facing applications. As would be germane to payments, said Butzer, in the payments ecosystem “you can take all your payments processing people, all your POS people, they get a shadow, and there is a shadow that goes to a customer. There’s a shadow that goes to the bank or the credit card processors … they come together and give authorization.”
An old radio serial once asked decades ago: “Who knows what evil lurks within? The shadow knows.”
The question/answer seems apropos for the 21st century, but we will amend the quote, a bit: “Who knows what evil lurks within an enterprise, computer or payments system? The key shadowing knows … and is a new way to protect your data.”
The threats are real, growing and faster than ever, and Butzer stated that education (even of CISOs and CIOs) remains key when it comes to key management. Research company Gartner has consistently noted the threat of insider attacks — and whoever holds the key to the keys, seals the fate of the firm.
“We do not claim to solve every security problem,” Butzer said of key shadowing as a practice, “but we solve a whole heck of a lot of them.”