Security in the digital world is nowhere near as tight as we tend to think, which is why ETH researchers are looking to develop a fundamentally new security architecture for data exchange that people can trust. A donation from the Werner Siemens Foundation is helping to finance the project.
In our society, trust is paramount. The decisions we make, for example, to buy something from someone or share our personal data, depend in no small degree on whether we trust the other party. Now that we do increasingly many activities online, it is becoming more important for us to be able to navigate the digital world safely and securely. Did this confidential e-mail actually come from our boss’ Is the website we are making our online payments on really from our bank? Can we be sure that the card machine in the supermarket charges us only for what we have purchased?
Banks, authorities and online traders are now going the extra mile to win their customers’ trust. Encrypted websites, certificates of authenticity and two-way authentication are just some examples of instruments designed to ensure secure data transfer. However, on closer inspection, the digital world is nowhere near as secure as we think.
Getting to the root of the problem
ETH professors David Basin, Peter Müller and Adrian Perrig are working with Matthew Smith, a professor at the University of Bonn, to close security gaps in the transmission of sensitive data. In a large-scale project initially scheduled to run for eight years, they plan to lay the technical groundwork for creating a secure and consequently trusted environment in which to carry out digital transactions in the future.
The Werner Siemens Foundation has donated 9.83 million Swiss francs to finance the Center for Digital Trust research project. "ETH Zurich has a wealth of expertise in the field of cybersecurity," ETH President Joël Mesot explains, continuing: "This generous donation from the Werner Siemens Foundation means we can apply our research to help make the digital world more secure in a fundamental way." Hubert Keiber, Chairman of the Board of Trustees at the Werner Siemens Foundation, adds: "Information security is one of the major challenges of our time. The pioneering nature of this project fits in perfectly with the ethos of our foundation."
Fragile security system
Information security professor David Basin firmly believes that the internet needs a fundamentally new security architecture, stating: "The certificates used to sign digital data today are issued by over 1,400 authorities all over the world. Whether this system is really reliable is in serious doubt." And it is no wonder given that certificates are repeatedly manipulated to attack internet company’s and users.
Some approaches to mastering the problem are already being explored, such as Google’s Certificate Transparency project or authentication using geographical information. But in the opinion of the ETH researchers, these do not go far enough. Peter Müller, Professor of Programming Methodology, believes that the answer lies in taking a "completely new direction." As he explains, "The system we currently use was developed back when the internet was in its infancy and so no longer meets today’s needs."
A model based on the real world
In their project, the researchers are aiming to transfer the same properties that instil trust in the real world to the digital world. "If we are in the service area inside a bank or meet someone face to face, it helps establish a sense of trust," explains Müller. One way to transfer these elements to the virtual world could be to use "mobile handshakes" to supplement the conventional handshake when greeting someone. The idea would be for two people who meet in real life to exchange electronic keys via an app, which are then used to encrypt and authenticate data. "This way, both parties know that the messages they exchange are genuine," explains Adrian Perrig, Professor of Network Security.
Accounting for the human factor
The new project has two key elements. First, the new systems will be designed in such a way that their security can be demonstrated mathematically. And secondly, the researchers will account for the fact that humans are not infallible in how they operate. "We have to adapt the technology to people and not the other way around," Basin maintains, "and that is exactly why we brought Matthew Smith’s group on board." Smith, Professor of Usable Security and Privacy, will use case studies to examine whether the technologies developed are actually used as intended or whether security problems arise from the behaviour of those involved.
But is implementing a fundamentally new security architecture of this nature actually feasible? "Our technologies don’t require any global changes to the internet and can be used alongside today’s infrastructure," explains Müller, adding: "Scince our goal is to make the internet fundamentally more secure, we are naturally looking for the outcome of our project to find widespread use."
A long-term partnership
The Werner Siemens Foundation’s contribution to funding the "Center for Digital Trust" marks its fifth donation to the ETH Foundation. Back in 2004, it supported construction of the flexible auditorium (the Werner Siemens Auditorium) in the HIT building on ETH’s Hönggerberg campus. In 2013, it provided kick-start funding for a new professorship in the field of geothermal energy, to which Martin O. Saar was appointed in 2015. A 2017 donation financed the establishment of the Center for Single Atom Electronics and Photonics, which is directed by Jürg Leuthold. And in 2018, major funding from the Werner Siemens Foundation helped build the Bedretto underground laboratory for studying the physics of earthquakes. The lab is headed by Domenico Giardini.