The Moving Target Defense @ Storage Level

John M Potter
The Journal of Quantum Resistance
5 min read · Apr 3, 2022

As quantum computing advances, cryptographers will respond with new algorithms and longer keys. In turn, quantum computers will become faster and more capable, and the cycle repeats.

Obviously, this tug-of-war offers no long-term solution, and it places today's data at risk as well. More precisely, attackers are already harvesting encrypted data in the expectation that future machines will be able to turn it into cleartext ("harvest now, decrypt later").

That danger is compounded when the data sits as a centralized, stationary target. Safeguarding stored (static) data will therefore require making it a moving target, which is exactly how a startup named CryptoMove frames its mission.

Mike Burshteyn, the startup's CEO, founded CryptoMove on two premises: 1) all current encryption will eventually fail, and 2) all data will eventually be distributed.

With that in mind, the startup built a software-defined storage system that shards user data, encrypts the shards with any chosen algorithm, and then continuously moves them among distributed nodes.

As Mike Burshteyn puts it, "entropy is derived as a function of time. As time goes by one piece moves from place to place, it gets re-encrypted, and it can mutate and change properties. So regardless of how fast your computer is or how powerful it is, you have to get the ciphertext."

Thus, by continually shifting the attack surface, CryptoMove aims to take back the asymmetric advantage that time gives an attacker.

Of course, selling a post-quantum storage system requires that buyers fully understand the risk quantum computing presents. A product whose pitch is that it will help once your encryption fails hardly generates excitement, and in the face of technological uncertainty companies tend to stick to shorter-term priorities.

For Burshteyn, it was a tough sell:

Every question we got in the first year or so was 'well, why aren't the current encryption methods we use good enough?' and you know it's actually pretty hard to overcome that question. When you're competing with thousands and thousands of security startups and funded by millions of dollars in venture capital funding…

In the end, companies must weigh the cost of deploying such a system against the anticipated risk of a quantum-enabled intrusion.

While businesses will pay those costs when the risk is high, less immediate, medium-sized risks are a harder sell. According to Burshteyn, it is not even possible to calculate the cost of implementing a post-quantum data protection system for a Fortune 500 company:

I can tell you right now that just from my personal experience in this industry, just the transition from on-premises data centers to the cloud and to things like microservices and Kubernetes is extremely costly and difficult and slow in many situations. And so that's where we need some kind of a bridge.

Ultimately, Burshteyn came to believe that a more immediate, easily implemented solution was needed.

To survive, CryptoMove had to find a more immediate and practical use case; quantum computers simply do not yet pose a near-term threat to encryption.

So Burshteyn searched for a current use case that could serve as a bridge to a post-quantum future, one that went beyond existing data security solutions.

He reviewed recent security breaches and noted that developers were inadvertently responsible for many of them. In brief, because they found it hard to use their API keys and authentication tokens at scale across multiple environments, they simply handed their HSM private key to each other over email or Slack.

CryptoMove moved to remedy this security issue with its CryptoMove Key Vault. As Burshteyn puts it, “we hid our post-quantum technology underneath this use case that is very pressing today.”

We have essentially a secrets vault where people can put API keys and tokens into CryptoMove… We split them up and encrypt them continuously, move them around across nodes, and that's what we do. And it turns out that if they're using Kubernetes, which they are today (rapidly), they really need a solution to this problem.

Thus, by reinventing itself as a secrets management tool, CryptoMove was able to address a very real security issue today while preparing for a future one.

Unlike other post-quantum solutions, CryptoMove does not rely on any new algorithm. Instead, the software has been developed as “a prototype of a file system integration”, one that could “potentially replace your BitLocker in the future.”

From the user's side, the data gradually disappears from a folder. Behind the scenes, it is being split up and encrypted before being moved continuously among nodes. When the user opens the folder again, the data "recombines so the person that's using this doesn't know anything about a quantum threat to encryption or quantum computers".

CryptoMove's software also pays heed to transparency, a critically important feature in the data security market. For instance, the software's debug log shows how a piece of data moves through the system: it is split a hundred ways, two copies are kept for redundancy, and the pieces hop from node to node roughly twenty-eight thousand times a day, or about once every three seconds.

On the client side, CryptoMove encrypts the data with AES-256, splits it up, and encrypts the log before distributing the pieces to various TCP/IP servers. The fragments are constantly re-encrypted and renamed with cryptographically derived names, so, the argument goes, a quantum computer would not have time to collect and decrypt them.

Even if an attacker managed to freeze this movement, the data would already be distributed elsewhere (and moving as well), and CryptoMove could bring it back together with its distributed tracking system.
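To make the mechanism described above concrete, here is an added illustration in Go. It is not CryptoMove's code and makes no claim about how their product is implemented; it models the steps the article names using only the standard library: the client splits a secret into shards, seals each shard with AES-256-GCM under its own fresh key, names the resulting blob by hashing the key and nonce, and scatters the blobs across nodes; a Tick re-keys, renames and relocates every shard and deletes its old blob; Get recombines the shards so the caller never sees any of this. Its simplifications are assumptions of this example: the nodes are in-memory maps standing in for TCP/IP servers, one Store holds one secret, each shard has a single copy (the article describes two for redundancy), moves are triggered by calling Tick rather than by a timer, and the API token is a constructed sample.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// locator: where one shard is (node), what it is called there, and its key.
type locator struct {
	node int
	name string
	key  []byte
}

// Store keeps one secret. Nodes are bare name -> ciphertext maps that never see
// a key, a plaintext shard, or which blobs belong together; only locs links them.
type Store struct {
	Nodes []map[string][]byte
	locs  []locator // the client-side tracker: shards in order
}

// must panics: the failures below cannot happen with valid inputs or must not be survived.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// seal: AES-256-GCM under a fresh key; blob name = H(key || nonce), new on every move.
func seal(shard []byte) (locator, []byte) {
	buf := make([]byte, 32+12) // key || nonce
	must(rand.Read(buf))
	key, nonce := buf[:32], buf[32:]
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	name := sha256.Sum256(buf)
	blob := append(append([]byte{}, nonce...), gcm.Seal(nil, nonce, shard, nil)...)
	return locator{name: fmt.Sprintf("%x", name[:]), key: key}, blob
}

// open reverses seal; a wrong key or a tampered, truncated or missing blob fails.
func open(key, blob []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob missing or truncated")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Put splits data into shardCount pieces, seals each under its own key, spreads blobs round-robin.
func (s *Store) Put(data []byte, shardCount int) error {
	if shardCount < 1 || shardCount > len(data) || len(s.Nodes) == 0 {
		return errors.New("need 1 <= shardCount <= len(data) and at least one node")
	}
	s.locs = make([]locator, shardCount)
	for i := range s.locs {
		loc, blob := seal(data[i*len(data)/shardCount : (i+1)*len(data)/shardCount])
		loc.node = i % len(s.Nodes)
		s.Nodes[loc.node][loc.name] = blob
		s.locs[i] = loc
	}
	return nil
}

// Tick is one round of the moving-target defence: each shard is re-encrypted
// under a new key, renamed, moved to the next node and its old blob deleted, so
// a name or key captured before the tick now refers to nothing. A shard the
// tracker cannot open means tracker and nodes are out of sync, hence the panic.
func (s *Store) Tick() {
	for i, old := range s.locs {
		fresh, blob := seal(must(open(old.key, s.Nodes[old.node][old.name])))
		fresh.node = (old.node + 1) % len(s.Nodes)
		delete(s.Nodes[old.node], old.name)
		s.Nodes[fresh.node][fresh.name] = blob
		s.locs[i] = fresh
	}
}

// Get recombines the shards; the caller never sees keys, names or movement.
func (s *Store) Get() ([]byte, error) {
	var out []byte
	for _, loc := range s.locs {
		plain, err := open(loc.key, s.Nodes[loc.node][loc.name])
		if err != nil {
			return nil, err
		}
		out = append(out, plain...)
	}
	return out, nil
}

func main() {
	s := &Store{Nodes: []map[string][]byte{{}, {}, {}}}        // three storage nodes
	must(0, s.Put([]byte("api-token-EXAMPLE-0123456789"), 5)) // constructed sample secret
	s.Tick()                                                   // a deployment would run this on a timer
	fmt.Printf("%s\n", must(s.Get()))
}
```

Two things the code makes visible that the prose does not. First, everything that ties a blob to its key, and the blobs to each other, lives in the tracker (`locs`); the nodes hold only unlinkable ciphertext, so the tracker is the asset to protect, and an attacker who takes it takes everything. Second, a blob captured before a Tick remains a ciphertext forever: after the move the captured name no longer exists and the captured key opens nothing, so the moving target narrows the window in which an attacker can assemble a complete and consistent set of shards and keys, while the confidentiality of any single captured blob still rests on AES-256.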

CryptoMove continues to receive considerable attention from the United States government (particularly DHS and US Customs) and the military. It is also finding use in drones, live streaming video, sensors, and Kubernetes; the company website has a page showcasing how organizations use CryptoMove.

The company also recently announced a Chrome browser extension to protect passwords, and the software has been featured in Fortune, Business Insider, and TechCrunch.


Content Writer on Blockchain Technology and Quantum Computing. Open to freelance, reach me at johnpotterGR @gmail.com. Check out my crypto magazines