Apache incubating project promises new Internet security framework

The newly announced Apache Milagro (incubating) project seeks to end centralized certificates and passwords in a world that has shifted from client-server to cloud, IoT and containerized applications.

VANCOUVER, BC -- A new incubating project at the Apache Software Foundation (ASF) promises a more secure Internet that doesn't require monolithic trust hierarchies and centralized certificate authorities. And it could eliminate the need for complex passwords, too.

At ApacheCon North America in Vancouver yesterday, telecommunications juggernaut NTT Group, along with its Silicon Valley-based innovation center NTT i3 and cryptography and cybersecurity specialist MIRACL, joined forces to contribute their security and authentication code to a new open source project: Apache Milagro (incubating).

By eliminating the need for a central trust authority and the public key infrastructure (PKI) model built 40 years ago for a client-server world, the new incubating project aims to provide a better framework for blockchain applications, cloud computing services, mobile and containerized developer applications.

Dividing keys in threes

Milagro seeks to establish a new Internet security framework made up of cryptographic service providers called Distributed Trust Authorities (DTAs), which independently issue key shares to application endpoints that embed the Milagro cryptographic libraries and applications. In a DTA framework, the function of a pairing-based key generation server is split into three services, each of which issues one third of a private key to a distinct entity.

The three key shares, generated respectively by cloud computing providers, their customers and dedicated trust providers, are received by Crypto App clients, which thus become the only party possessing knowledge of the whole key. Brian Spector, CEO of MIRACL, says that because the key generation services are under separate organizational controls, root key compromise and key escrow threats become an order of magnitude more difficult: an attacker would need to subvert all three (or more) independent parties.
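The share-combination step described above, as an added illustration that is not Milagro's own code: each DTA holds its own master secret and issues its third of the client key, and the client simply adds the thirds. The model below uses scalar arithmetic modulo a 256-bit prime rather than a pairing-friendly curve, so it shows only the linear algebra of the scheme, not the pairing or its hardness assumptions; the identity, the DTA names and the fixed master secrets are constructed sample values.

```python
"""Toy model of split key issuance by three Distributed Trust Authorities (DTAs).

Constructed example, not Apache Milagro code. Each DTA holds a master share s_i
and issues s_i * H(ID). The client adds the shares, so its secret equals
(s_1 + s_2 + s_3) * H(ID) even though the combined master secret never exists
anywhere. Arithmetic is in Z_q with q = the secp256k1 group order.
"""
import hashlib
import secrets
from typing import List, Optional

Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def hash_to_scalar(identity: str) -> int:
    """H(ID): map a client identity to a nonzero element of Z_q."""
    digest = hashlib.sha256(identity.encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1


class DistributedTrustAuthority:
    """One independent issuer (e.g. cloud provider, customer, or trust provider)."""

    def __init__(self, name: str, master_secret: Optional[int] = None) -> None:
        self.name = name
        # Each DTA generates its own master share; no other party ever sees it.
        self._s = master_secret if master_secret is not None else secrets.randbelow(Q - 1) + 1

    def issue_share(self, identity: str) -> int:
        """Issue this DTA's third of the private key for the given identity."""
        return (self._s * hash_to_scalar(identity)) % Q


def combine_shares(shares: List[int]) -> int:
    """Client side: add the key shares received from every DTA."""
    return sum(shares) % Q


def key_under_single_master(master_secrets: List[int], identity: str) -> int:
    """Reference value a monolithic key generation server would issue.

    Used here only to check the algebra; in a DTA deployment no single party
    holds all master shares, so nobody can evaluate this function.
    """
    return ((sum(master_secrets) % Q) * hash_to_scalar(identity)) % Q


if __name__ == "__main__":
    dtas = [DistributedTrustAuthority(n) for n in ("cloud", "customer", "trust")]
    shares = [d.issue_share("alice@example.com") for d in dtas]
    print("client key:", hex(combine_shares(shares)))
    print("two shares alone differ:", combine_shares(shares[:2]) != combine_shares(shares))
```

Because the combination is linear, any strict subset of the shares is just a different random-looking scalar; the full key appears only on the client that holds all three.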

No longer living in a client-server world

"What we basically came to over the last couple of years is that the current crypto systems in place today were really intended for a client-server world," Spector says. "As we move to a distributed cloud-based world, then you've got a fundamental problem you need to solve which the current class of crypto systems just can't do."

The DTA framework and crypto libraries are intended to make it easy to secure Internet platforms as well as Internet of Things (IoT) devices and the mobile application ecosystems they connect to, by providing an alternative to the single-authority certificate model used today, Spector says.

Milagro includes code for building blockchain security applications, multifactor authentication and secure communications, all with data governance and compliance that meets the requirements for financial services, government and healthcare.

"This implementation is just the beginning of this," says cryptography expert Go Yamamoto, associate director at NTT i3. "The Milagro project has the scope to expand for everyone. Here's a world without certificates, without passwords, without single points of compromise. The reason why it's open source is so everyone can kick the tires, look under the hood and evaluate it for themselves."

Current contributions to the incubating project include the following:

  • The baseline Milagro Crypto Library (MCL), which enables developers to build distributed trust systems and select from a choice of pairing-based protocols that enable certificate-less key encapsulation, zero-knowledge proof authentication, authenticated key agreement and digital signing
  • Milagro TLS, a pairing-based TLS library that enables encrypted connections with perfect forward secrecy between mobile applications or IoT devices and backend infrastructures, without the need for certificates or PKI
  • Milagro MFA, a multifactor authentication platform that uses zero-knowledge proof protocols to eliminate the password, and thus the threat of a password database breach; Milagro MFA includes client SDKs for JavaScript, C, iOS, Android and Windows Phone, as well as the Authentication Server for Linux

Kenji Takahashi, vice president of Product Management, Security, at NTT i3, notes that the contributions all integrate easily with the Apache Web Server, allowing developers and security engineers to integrate with or build multifactor authentication solutions for their Web properties and Web applications.

"You can implement multifactor authentication within minutes," he says. "There are no hardware tokens required. It runs in a browser or an app."

While the technology is already robust — NTT is in the process of implementing a version of the Milagro MFA server and client that it will roll out later this year — Takahashi and Spector both say that building a community around the project is necessary to take it to the next level.

"From our viewpoint, we are trying to renew trust of the Internet," Takahashi says. "I call it 'IoT' — Internet of Trust. We cannot do it alone. We have to do it as a community. Trust, by nature, should be based on communities, people."

"Nowadays, if you're trying to fundamentally change the technology industry in a way that benefits all the participants, the way to do it is either the Linux Foundation or the Apache Foundation," Spector adds.

In the next few weeks, Spector says Milagro will issue its proposal for establishing the distributed trust ecosystem. Going forward, Takahashi says he would like to see the project address issues in IoT, connected cars, smart factories and smart grids.

Stories by Thor Olavsrud