SECURITY
Facebook Inc., Cloudflare Inc. and the Mozilla Foundation today detailed their work on Delegated Credentials, a new security protocol that they hope will make the web safer from hackers.
Delegated Credentials complements TLS, the ubiquitous encryption technology that sites use to establish a secure connection with browsers. TLS relies on asymmetric (public-key) cryptography to work. It’s a tried-and-tested method of protecting data from prying eyes, but when it comes to delivering web content, the approach has certain shortcomings that Delegated Credentials aims to address.
TLS’s asymmetric scheme allows a browser to verify that a site is legitimate by requesting a digital certificate. That certificate is bound to a unique private key that only the real site operator is supposed to hold. But if hackers somehow steal the private key, they can exploit it to impersonate the service and intercept user traffic.
That scenario is an especially big concern for large site operators such as Facebook. The social network is visited by billions of users every month and processes traffic with thousands of web servers, every single one of which has a copy of its private key. An attacker would theoretically need to compromise just one server to gain the ability to impersonate Facebook.
Enter Delegated Credentials. Rather than putting the private key on a company’s servers, the technology uses it to generate a set of new keys that are distributed to the servers instead. The private key is thus kept outside the reach of any attackers who might breach the network.
The keys distributed by Delegated Credentials can theoretically be abused too, but they have one big advantage: a shorter expiration date. Whereas sites today can change their private key only every few months or annually due to technical constraints, Delegated Credentials makes it possible to do so every few hours. That significantly shrinks the window hackers have to cause damage.
“Certificates are valid only for a certain amount of time, after which they expire and browsers will reject them,” Facebook engineers Subodh Iyengar, Kyle Nekritz and Alex Guzman explained. “This way, we’ve limited how long a potential attacker could have access to a certificate before browsers reject it.”
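The issue-and-verify cycle described above, as an added example that is not code from the article or from Facebook, Cloudflare or Mozilla. It models the mechanism in Go with the standard library: the long-term certificate key signs a short-lived key together with its expiry, the edge server holds only the short-lived key, and the browser rejects the credential once that expiry has passed. The `DelegatedCredential` struct and `credentialMessage` layout are a simplified stand-in for the real wire format (the 7-day ceiling and the context string come from the standard, the rest is an assumption of this example), and the transcript is constructed sample input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// MaxDelegatedLifetime is the ceiling the standard puts on a delegated credential;
// the few-hour lifetimes the article mentions sit well inside it.
const MaxDelegatedLifetime = 7 * 24 * time.Hour

// DelegatedCredential is a simplified model (an assumption of this example, not the
// real wire format): a short-lived public key, its expiry, and a signature over both
// made with the long-term certificate key.
type DelegatedCredential struct {
	NotAfter  time.Time
	PublicKey []byte // DER SubjectPublicKeyInfo of the short-lived key
	Signature []byte // ASN.1 ECDSA signature by the certificate's private key
}

// NewKey mints a P-256 key pair; used for both the long-term and short-lived keys here.
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// credentialMessage binds expiry and delegated key under a context string so the
// certificate key's signature cannot be replayed for any other purpose.
func credentialMessage(notAfter time.Time, spki []byte) []byte {
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(notAfter.Unix()))
	msg := []byte("TLS, server delegated credentials\x00")
	msg = append(msg, ts[:]...)
	return append(msg, spki...)
}

// Issue runs only where the long-term certificate key lives. It mints a fresh
// short-lived key pair, signs its public half with the certificate key, and returns
// the credential plus the short-lived private key that the edge servers receive.
func Issue(certKey *ecdsa.PrivateKey, lifetime time.Duration, now time.Time) (DelegatedCredential, *ecdsa.PrivateKey, error) {
	if lifetime <= 0 || lifetime > MaxDelegatedLifetime {
		return DelegatedCredential{}, nil, errors.New("lifetime out of range")
	}
	dcKey, err := NewKey()
	if err != nil {
		return DelegatedCredential{}, nil, err
	}
	spki, err := x509.MarshalPKIXPublicKey(&dcKey.PublicKey)
	if err != nil {
		return DelegatedCredential{}, nil, err
	}
	notAfter := now.Add(lifetime)
	digest := sha256.Sum256(credentialMessage(notAfter, spki))
	sig, err := ecdsa.SignASN1(rand.Reader, certKey, digest[:])
	if err != nil {
		return DelegatedCredential{}, nil, err
	}
	return DelegatedCredential{NotAfter: notAfter, PublicKey: spki, Signature: sig}, dcKey, nil
}

// Verify is the browser's check: the credential must be unexpired and carry a valid
// signature from the certificate's public key. It returns the short-lived public key
// the server is allowed to use in this handshake.
func Verify(certPub *ecdsa.PublicKey, dc DelegatedCredential, now time.Time) (*ecdsa.PublicKey, error) {
	if !now.Before(dc.NotAfter) {
		return nil, errors.New("delegated credential expired")
	}
	digest := sha256.Sum256(credentialMessage(dc.NotAfter, dc.PublicKey))
	if !ecdsa.VerifyASN1(certPub, digest[:], dc.Signature) {
		return nil, errors.New("credential not signed by the certificate key")
	}
	pub, err := x509.ParsePKIXPublicKey(dc.PublicKey)
	if err != nil {
		return nil, err
	}
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("unexpected delegated key type")
	}
	return ecPub, nil
}

// HandshakeSign is all an edge server can do with the only key it holds: sign the
// handshake transcript with the short-lived key, never with the certificate key.
func HandshakeSign(dcKey *ecdsa.PrivateKey, transcript []byte) ([]byte, error) {
	digest := sha256.Sum256(transcript)
	return ecdsa.SignASN1(rand.Reader, dcKey, digest[:])
}

// HandshakeVerify is the browser checking that signature against the delegated key.
func HandshakeVerify(dcPub *ecdsa.PublicKey, transcript, sig []byte) bool {
	digest := sha256.Sum256(transcript)
	return ecdsa.VerifyASN1(dcPub, digest[:], sig)
}

func main() {
	certKey, _ := NewKey() // long-term key: stays with the issuer, never on the edge
	now := time.Now()
	dc, dcKey, _ := Issue(certKey, 2*time.Hour, now)
	transcript := []byte("constructed handshake transcript") // constructed sample input
	sig, _ := HandshakeSign(dcKey, transcript)
	dcPub, err := Verify(&certKey.PublicKey, dc, now.Add(time.Hour))
	fmt.Println("within lifetime:", err == nil && HandshakeVerify(dcPub, transcript, sig))
	_, err = Verify(&certKey.PublicKey, dc, now.Add(3*time.Hour))
	fmt.Println("after expiry:", err)
}
```

The point of the split is visible in the function signatures: only `Issue` takes the certificate's private key, so a compromised edge server yields nothing but a key that `Verify` stops accepting at `NotAfter`; rotating that key every few hours is just calling `Issue` again.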
Delegated Credentials has another, more strategic benefit: It might make it easier for companies to protect themselves against quantum computers that can crack today’s encryption.
It’s believed that quantum computers will one day become powerful enough to overcome the cryptographic algorithms that current technologies like TLS rely on. In response, researchers have started working on a new, more resistant generation of encryption algorithms. Delegated Credentials enables site operators to roll out new algorithms on their servers with less effort than the task requires today, which could ease the internet’s transition to the quantum era.
Facebook, Cloudflare and Mozilla have contributed the protocol to the Internet Engineering Task Force to turn it into an industry standard.