Apache incubating project promises new Internet security framework

The newly announced Apache Milagro (incubating) project seeks to put an end to centralized certificates and passwords in a world that has shifted from client-server to cloud, IoT and containerized applications.

VANCOUVER, BC -- A new incubating project at the Apache Software Foundation (ASF) promises a more secure Internet that doesn't require monolithic trust hierarchies and centralized certificate authorities. And it could eliminate the need for complex passwords, too.

At ApacheCon North America in Vancouver yesterday, telecommunications juggernaut NTT Group, along with its Silicon Valley-based innovation center NTT i3 and cryptography and cybersecurity specialist MIRACL, joined forces to contribute their security and authentication code to a new open source project: Apache Milagro (incubating).

By eliminating the need for a central trust authority and the public key infrastructure (PKI) model built 40 years ago for a client-server world, the new incubating project aims to provide a better framework for blockchain applications, cloud computing services, mobile and containerized developer applications.

Dividing keys in threes

Milagro seeks to establish a new Internet security framework made of cryptographic service providers called Distributed Trust Authorities (DTAs) that independently issue shares of keys to application endpoints that have embedded Milagro cryptographic libraries and applications. In a DTA framework, the function of a pairing-based key generation server is split into three services, each of which issues one third of a private key to a distinct entity.

The three shares of a private key, generated respectively by a cloud computing provider, its customer and a dedicated trust provider, are received by Crypto App clients, which thus become the only party that possesses knowledge of the whole key. Brian Spector, CEO of MIRACL, says that because the key generation services are under separate organizational control, the root key compromises and key escrow threats seen today become an order of magnitude more difficult, since an attacker would need to subvert all three (or more) independent parties.
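The split-issuance idea described above, as an added illustration that is not Milagro's own code: three independent issuers each hold one additive share of a master secret and each issue H(ID) raised to their share, and only the client that multiplies all three results holds the whole key. The group, the hash-to-group mapping and the class names are constructed for this example; a pairing-based system such as the one the article describes works on elliptic-curve groups, but the share-combining principle is the same.

```python
import hashlib
import secrets
from typing import Optional

# Constructed toy group for this illustration only: the multiplicative group
# Z_P^* with a Mersenne prime modulus. Exponents are reduced modulo Q = P - 1.
P = 2**127 - 1        # prime modulus
Q = P - 1             # group order
BASE = 3              # fixed base used to map identities into the group


def hash_to_group(identity: str) -> int:
    """Map a client identity to a group element (stand-in for hash-to-curve)."""
    h = int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % Q
    return pow(BASE, h + 1, P)   # +1 keeps the exponent non-zero


class DistributedTrustAuthority:
    """One of three independent issuers (hypothetical name). It holds only its
    own share s_i of the master secret s = s_1 + s_2 + s_3 (mod Q) and never
    learns s or the other shares."""

    def __init__(self, share: Optional[int] = None):
        self.share = share if share is not None else secrets.randbelow(Q - 1) + 1

    def issue_key_share(self, identity: str) -> int:
        # Issues H(ID)^s_i: this authority's third of the client's private key.
        return pow(hash_to_group(identity), self.share, P)


def combine_shares(shares: list) -> int:
    """Client side: multiply the shares to get H(ID)^(s_1+s_2+s_3) = H(ID)^s."""
    key = 1
    for s in shares:
        key = key * s % P
    return key


def client_private_key(identity: str, dtas: list) -> int:
    """Collect one share from every DTA; only the client ever holds the whole key.
    Any subset of DTAs yields a value that is useless as the full key."""
    return combine_shares([d.issue_key_share(identity) for d in dtas])


def key_from_master_secret(identity: str, s: int) -> int:
    """Reference value for checking only: what a single key generation server
    holding s would issue. In the distributed design no party has s."""
    return pow(hash_to_group(identity), s % Q, P)
```

A compromised single authority therefore reveals one share and nothing about the client's key, which is the property the article's "all three (or more) independent parties" claim rests on.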

No longer living in a client-server world

"What we basically came to over the last couple of years is that the current crypto systems in place today were really intended for a client-server world," Spector says. "As we move to a distributed cloud-based world, then you've got a fundamental problem you need to solve which the current class of crypto systems just can't do."

The DTA framework and crypto libraries are intended to make it easy to secure Internet platforms as well as Internet of Things (IoT) devices and the mobile application ecosystems they connect to, by providing an alternative to the single certificate authority model used today, Spector says.

Milagro includes code for building blockchain security applications, multifactor authentication and secure communications, all with data governance and compliance that meets the requirements for financial services, government and healthcare.

"This implementation is just the beginning of this," says cryptography expert Go Yamamoto, associate director at NTT i3. "The Milagro project has the scope to expand for everyone. Here's a world without certificates, without passwords, without single points of compromise. The reason why it's open source is so everyone can kick the tires, look under the hood and evaluate it for themselves."

Current contributions to the incubating project include the following:

  • The baseline Milagro Crypto Library (MCL), which enables developers to build distributed trust systems and select from a choice of pairing-based protocols that enable certificate-less key encapsulation, zero knowledge proof authentication, authenticated key agreement and digital signing
  • Milagro TLS, a pairing-based TLS library that enables encrypted connections with perfect forward secrecy between mobile applications or IoT devices and backend infrastructures without the need for certificates or PKI
  • Milagro MFA, a multifactor authentication platform that uses zero knowledge proof protocols to eliminate the password and thus the threat of a password database breach; Milagro MFA includes client SDKs in JavaScript, C, iOS, Android and Windows Phone, as well as the Authentication Server for Linux

Kenji Takahashi, vice president, Product Management, Security, at NTT i3, notes that the contributions all integrate easily with the Apache Web Server, allowing developers and security engineers to integrate with or build multifactor authentication solutions for their Web properties and Web applications.

"You can implement multifactor authentication within minutes," he says. "There are no hardware tokens required. It runs in a browser or an app."

While the technology is already robust — NTT is in the process of implementing a version of the Milagro MFA server and client that it will roll out later this year — Takahashi and Spector both say that building a community around the project is necessary to take it to the next level.

"From our viewpoint, we are trying to renew trust of the Internet," Takahashi says. "I call it 'IoT' — Internet of Trust. We cannot do it alone. We have to do it as a community. Trust, by nature, should be based on communities, people."

"Nowadays, if you're trying to fundamentally change the technology industry in a way that benefits all the participants, the way to do it is either the Linux Foundation or the Apache Foundation," Spector adds.

In the next few weeks, Spector says Milagro will issue its proposal for establishing the distributed trust ecosystem. Going forward, Takahashi says he would like to see the project address issues in IoT, connected cars, smart factories and smart grids.