New protocol from Guardtime hopes to unseat RSA for authentication, digital signatures

Data integrity vendor Guardtime hopes its newly announced protocol will replace RSA for the purposes of authentication and digital signatures, touting it as easier to manage and less vulnerable to hacking.

Called BLT, the protocol name comes from the last initials of its inventors, Ahto Buldas, Risto Laanoja and Ahto Truu, just as RSA comes from the last initials of its inventors, Ron Rivest, Adi Shamir and Leonard Adleman.

Rather than relying on public and private keys (PKI) as RSA does, BLT is based on hash-function cryptography, which requires no keys and so requires no issuing, updating or revoking of keys. As a result, it can scale to cover exabytes (10^18 bytes) with little overhead, says the company's CEO Mike Gault. And there are no cryptographic secrets to be compromised.

In addition, the protocol, which is built on Guardtime's Keyless Signature Infrastructure (KSI) technology, invokes one-way hashes that cannot be broken, even under attack from the theoretical capabilities of quantum computers. The company points to its recently published mathematical proof of BLT's effectiveness to back up its claim with further proof here and here.

KSI is the technology on which the company bases its Black Lantern system for ensuring the integrity of digital assets. It can be used to create a hashed signature of a digital asset when it is in a known good state. Based on constant monitoring of these time-stamped hashes, the system can verify that data, operating systems, applications and configurations have not been altered.

The hash signatures are reviewed every second, so any changes are caught almost immediately. The changes mean something about the asset itself has changed, and that might represent an attack that can then be checked out by third-party security platforms or security staff.

"That's the true value of it," says Phil Hochmuth, an analyst with Strategy Analytics. "It's a way to get rapid alert to a breach. It could be applied to the Internet of Things or any vastly distributed network."

Gartner analyst Mary Ruddy says the distributed, scalable and lightweight nature of the system makes it seem feasible for deploying on digital assets that it might otherwise not be economically viable to cover.

Like Bitcoin, Black Lantern uses an open-ledger system in which derived hash-value trees are maintained by Guardtime in order to monitor for changes. In the case of Bitcoin the values represent transactions; in the case of Guardtime, it's the hashed signatures of the assets being tracked.
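The known-good hashing and hash-value trees described above can be illustrated with a generic Merkle tree. This is an added example, not Guardtime's KSI or BLT code: SHA-256, the function names and the sample assets are assumptions, and time-stamping is left out.

```python
import hashlib

def leaf_hash(data: bytes) -> bytes:
    # 0x00 / 0x01 prefixes keep leaf and interior hashes in separate domains
    return hashlib.sha256(b"\x00" + data).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_levels(leaves):
    """All tree levels, leaves first and root last; an unpaired node is promoted unchanged."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([node_hash(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels

def hash_chain(levels, index):
    """Sibling path from leaf `index` up to the root: (sibling_hash, sibling_is_left)."""
    chain = []
    for level in levels[:-1]:
        sib = index ^ 1
        if sib < len(level):          # a promoted node has no sibling at this level
            chain.append((level[sib], sib < index))
        index //= 2
    return chain

def verify(data: bytes, chain, root: bytes) -> bool:
    """Recompute the root from the asset's current bytes and its stored hash chain."""
    node = leaf_hash(data)
    for sibling, sibling_is_left in chain:
        node = node_hash(sibling, node) if sibling_is_left else node_hash(node, sibling)
    return node == root

def baseline(assets):
    """Hash every asset in its known-good state; return (root, per-asset hash chains)."""
    names = sorted(assets)
    levels = build_levels([leaf_hash(assets[n]) for n in names])
    return levels[-1][0], {n: hash_chain(levels, i) for i, n in enumerate(names)}

def changed_assets(assets, proofs, root):
    """Names of assets whose current content no longer verifies against the root."""
    return sorted(n for n, data in assets.items() if not verify(data, proofs[n], root))

ASSETS = {  # constructed sample data standing in for monitored assets
    "sensor-fw.bin": b"firmware v1.0", "sshd_config": b"PermitRootLogin no\n",
    "app.jar": b"application build 42", "kernel.img": b"kernel image",
    "reading.csv": b"t=0,temp=21.5\n",
}
```

Only the root has to be kept somewhere an attacker cannot rewrite; each asset is then checked with its own short hash chain, without needing the other assets' contents.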

Guardtime's technology also underpins a service being sold commercially by Ericsson that determines whether systems customers purchase have been altered after delivery, as well as to verify the integrity of operating systems, applications and configurations, says Jason Hoffman, head of technology and cloud systems for Ericsson.

He says it can be used not only to verify the integrity of, say, a sensor in a network, but also the data gathered by the sensor. That makes it possible to verify that the data collected matches the data delivered from the sensor.

Ericsson's service is being offered only to limited customers right now but will be rolled out generally to customers in North America and Europe next year, Hoffman says.

BLT will be available on Black Lantern gear this fall.

Based in Estonia, Guardtime was founded in 2006 and backed privately by Gault initially, but by other private investors since then. Gault, a former derivatives trader, met the Estonian researchers while he was a graduate student in Japan, heard about their scheme and relocated to Estonia to help with the company.

Guardtime says its annual revenue has grown from $100,000 in 2012 to $10 million last year. Revenues for the first quarter of this year were $20 million, it says.
