Disappearing Keys Can't Be Stolen: the Case for Ephemeral Credentials


One of the reasons we have so many identity-related data breaches is that today's security infrastructures rely on static credentials that can be exploited. Certificates and keys must be stored and managed, which is why certificate-based environments continue to suck up more and more of the security team's resources. Many digital transformation initiatives that could be future-focused end up patching old tech.

There are many moving parts that make up an effective secure machine identity authentication process. When setting out to solve this problem, we focused on ephemeral credentials. It was clear that working harder to build higher fences around static credentials wasn't going to be the solution. Instead, why not use "disposable credentials" that do their job and then disappear? There would be nothing left behind to steal!

QWERX Uses Ephemeral Credentials for Secure Network Authorization

In a QWERX-protected enterprise, ephemeral credentials are generated according to a pre-set automated rhythm, multiple times per minute. Our console enforces continuous authentication of every device on the network, every single time. The credential exists only for the moment in time when it is authenticating the device. It is never used twice and is never exchanged or stored anywhere to be found, stolen, and exploited by an attacker. Contrast this approach with the established PKI protocol where a static credential is used and stored locally until it expires.

Security Built on Chaos

Not only are QWERX credentials ephemeral, but the means of assembling them is ephemeral. Our patented technology is a security architecture that controls almost any underlying cryptosystem. It constructs single-use cryptographic keys built on random, chaotic data from nature. Neither the keys nor the key material comprising random information can ever be guessed, even by a quantum computer. Our operating assumption is that an attacker has perfect knowledge of our system, and we operate in such a way that even though the attacker has perfect knowledge, it does them no good!

We are frequently asked, “What if an attacker has obtained a copy of your entropy matrix, which functions as a database of random information from which keys are constructed? Can’t they use that to break your system?” That would be analogous to an attacker having a dictionary and being able to produce the works of Shakespeare on their first try because the dictionary contains all of the words.

Every component in the QWERX system is variable, and the combined variability is roughly on the order of magnitude of the number of atomic particles in the known universe. We also change the sequencing of the information in the system multiple times a second. Our real advantage is that time is always on our side. For the first time, defense is faster than offense, and it is the attacker who is playing catch-up in a game in which the cards and the rules are heavily stacked against them.
