21 June, 2017 - 12:15 By Kate Sweeney

Cambridge startup Enigma Bridge and UCL team up to present an implementation of their practical security system at two major IT security events in Las Vegas in July.

They showcase their technology at the BlackHat computer security conference in Mandalay Bay from July 22-17 and DEFCON, the largest hacker convention, at Caesars Palace from July 27-30.

Founded in 2015, Enigma Bridge’s core technology includes a cloud encryption platform providing what it calls “unparalleled security against hacking or snooping.”

The platform has a simple web-service API for quick and secure integration into on-premise and cloud applications with powerful control capabilities.

The UCL Information Security Research Group, formally set up in 2006, is a constituent part of the University College London Department of Computer Science (UCL-CS).

Its research addresses key technical aspects of information security and privacy, such as cryptography and system security. It also works with colleagues in software systems engineering and systems and networks to deliver end-to-end security solutions and address broader human, economic and societal aspects of security, privacy and trust.

Enigma Bridge CEO Dan Cvrcek told Business Weekly: “We have developed our own hardware platform for maximum control over processors with high physical security. The importance of digital signing is constantly increasing, as it becomes one of the main mechanisms protecting us against viruses, malware, or ransomware attacks.

“Digitally signed documents and applications show their origin and whether we can trust them for use on our computers and smart phones. While there are academic discussions about the security of particular types of signatures, practical aspects of the use of encryption and signing are much more critical.

“Who controls the keys to sign documents and new versions of smart phone apps? How many times have these keys been used? Can we remove access to a particular key from someone leaving our company? These are all very practical questions with hard solutions.

“We also argue that our protocols protect users against backdoors and malware (trojans) whether they are inside your operating system, or inside your laptop processor – whether through malice or mistake – as was the case of a recent remote access vulnerability in a range of Intel processors.

“Multi-party signing and decryption provides a very strong basis for implementing proper governance and audit procedures to ensure that hackers can't attack our computers through trusted software or service companies.

“Multi-party encryption protocols require a number of parties to co-operate to produce a valid digital signature, or to retrieve encrypted data. Our implementation allows customers to mitigate threats of bugs on the processor level (the most recent incident affected a whole range of Intel processors).

“While our encryption and signing protocols have unique security properties, they are also practical and can be used in a number of use-cases. Just digital signing is used in a number of applications – from code-signing to validating legal documents (especially in the EU), or distributed ledger and blockchain updates (each blockchain update is technically a digital signature).

“In the blockchain use case, the technology allows the distributed ledger updates to be shifted to the moment of signing. It means that all ledgers will show new transactions at the same time.

“Also, our new signing algorithm has constant time, regardless of the number of parties, and it is suitable for blockchain schemes with a large number of distributed ledgers.

“We are really excited about the potential for code-signing too. Code-signing is mandatory for all mobile phone apps, but it is also important for secure distribution of packages for servers and desktop computers.

“The simplest implementation would involve just two parties – the computer of the developer (responsible for signing new app versions); and a cloud-based (on-premise or in public cloud) service.

“The developer initiates the signing process and requests the cloud service to contribute its part of the computation. The cloud service logs all signatures (as requests to its secure processors), and provides these logs to (project or risk) managers responsible for correct use of code-signing keys.

“The cloud service can also be used to introduce ‘release time-windows’, i.e., developers can only sign and publish new software versions on certain release days. The ability to control when new signatures can be created further reduces the impact of developers’ and users’ computers and mobile devices being stolen, taken over by malware or similar situations.”

• PHOTOGRAPH SHOWS: Enigma Bridge CEO Dan Cvrcek