What if you could replace the asymmetric authentication phase with a much simpler solution that embeds the security credentials containing the Bulk Encryption Keys, seeds, and related secrets, within the endpoints?
What if each set of security credentials were unique, with no association, either directly or indirectly, with any other set of security credentials, and could be defined to represent a cryptographic security relationship between two or more nodes, thus enabling true, end-to-end, multipoint-to-multipoint encryption?
Authenticate the sender and the frame on every single frame, without sharing any secrets, creating a Zero Knowledge Authentication (ZKA) solution (but do so without the need for a third-party observer, as is required in classic ZKA solutions).
Reduce to zero any latency incurred during security session establishment.
Refresh security credentials every single session, and with Perfect Forward Secrecy.
Automate the security credential refresh process while still maintaining uniqueness between sets of security credentials (hacking one set of security credentials, should not provide any information or insight that could lead to a breach of another set of security credentials).
Eliminate Man-in-the-Middle (MITM) Attacks
Eliminate Replay Attacks
Allow session establishment to be event driven, time driven, or both.
Use existing standard, NIST approved cryptographic functions. Do not use proprietary, non-standard, cryptographic functions.
Refresh security credentials with an entropy level exceeding the age of the universe as measured in seconds (must exceed 10**17).
A Secure Communication Enclave is defined as a network of device endpoints securely communicating with each other, where the device endpoints have all been organized in accordance with some aspect of commonality, a shared purpose, and a common set of security credentials.
Enable contextually defined relationships of trust between devices, VMs, Pods, or other logical entities, while allowing each device, VM, Pod, or other logical entity to have as many contextually defined trust relationships as desired. In other words, trust relationships may be defined among different endpoints (physical or virtual) that allow for and support delineation of communication based on the contextual attributes of the trust relationship (e.g., endpoints sharing a "secret" attribute).
Code Footprint of Endpoints can be implemented under 10Kbytes.
Require nothing beyond linear complexity for its cryptographic functions, meaning no asymmetric encryption and thus no need for special cryptographic offload engines. All cryptographic functionality is capable of running in software within even small microcontrollers.
Trust relationships need only be configured once. The Endpoint Nodes within a Trust Relationship will run autonomously in perpetuity, refreshing security credentials every session without operator intervention for the life of the device. Hence, AKM can claim that close to zero maintenance is required.
Because nothing is ever shared of a specific Trust Relationship after it has been configured into a device endpoint, there is never another opportunity for a bad actor to breach the system, as all endpoints refresh their security credentials internally and remain synchronized for the life of the AKM Trust Relationship.
Trust Relationships operate autonomously, and can automatically recover from a potential breach or problem, without operator intervention.
Collect analytics from all the nodes within an AKM deployed network, so that a network management device could collect and process those analytics to implement machine learning
Drastically reduce the need for expensive cybersecurity personnel, as a consequence of the autonomous methodology of AKM operation, including autonomously recovering from a breach or potential breach.
Associate specific devices with specific copies of firmware to protect against misconfiguration and spoofing and, in the process, authenticate the device and its associated firmware.
AKM is created so that it can sit directly on top of the transport layer (either TCP or UDP), in lieu of PKI+TLS.
This set of requirements is what was used to define Autonomous Key Management.
Copyright © 2024 AKM Cyber Corp, INC - All Rights Reserved.