Computable Encryption is one of the holy grails of cryptographic research—many things that we wish to do to data in databases or documents don't work well when you first encrypt that data. Given the less than trustworthy nature of many systems (such as the Cloud) when it comes to data storage, many people WANT to be able to perform these actions on large amounts of data, without having to store them insecurely.
The difficulty increases depending on how MUCH processing you want to perform. If you are storing a number, you may wish to simply find if that number is present (basic search) or, if there is more than one number per record, you may wish to know which records have all of a set of numbers (a composite search). Further, you may wish to compare numbers (is the number in this record larger than the one in that one, or than this number I have as a threshold?) or even calculate (for example, if the numbers in the record represent a count of elements plus a value per element, calculate an encrypted total by multiplying the two encrypted numbers).
So, there is a great deal of interest in the invitation-only presentation announced by StrongSalt, a company founded and run by Ed Yu, one of the original founders of the FireEye security company. StrongSalt claim to have a blockchain-based fully managed encryption solution with a RESTful API, able to encrypt a wide range of document types, and perform composite text searches across the encrypted documents. They do this by providing an API, which means the encryption solution can be used "as a service" by other programs, rather than being a program in itself, a rather useful property. (See a previous Venafi blog on why APIs should be protected in the same way as other machine identities.)
We don't have access to the content of the new product yet (and the website doesn't give much on it) but it turns out that StrongSalt actually have a reasonably long history, so we can perhaps see where they have come from, and so gain clues as to where they are heading.
GitZero—the encrypted storage repo
A little way back in 2016, a "stealth mode" startup called Overnest came out of hiding and presented their new product at TechCrunch Disrupt Startup Battlefield. This Ed Yu-led company had secured $1M in seed funding over the prior year, and now had something to show. GitZero was a GitHub-like web service with the wrinkle that not only was the repo fully encrypted, but it would automatically build an encrypted index of keywords from the uploaded files. Now, over the previous years, Microsoft Research had published heavily in this field—and one key document was the 2011 Structured Encryption and Controlled Disclosure. This math-heavy paper proposed the idea of an encrypted index, where each entry was encrypted with a different key, and a composite key was supplied to the searcher. The full composite key could be used to query all entries in the database (and decrypt all documents), but by removing parts of the key, you could prefilter which index entries (and which documents) a given key holder could access.
Here was a real-world, patent-pending, practical implementation of the MSR paper(s). For a modest fee ($35/month for 10 developers and 10 repos, and of course scaling up from there) and a certain amount of trust in Overnest themselves, you could have access to multiple repos with fine-grained permissions, compatibility with the standard git utilities, and... well, that's about it really. According to the Wayback Machine, GitZero was still around as of May of this year, but the Wayback Machine doesn't have any record of it after that date (nor can I find it anywhere else).
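The per-entry-key index idea described above can be sketched in a few lines. This is an added, simplified illustration, not code from the paper, GitZero or StrongSalt; the function names, the HMAC-based key derivation and the XOR "cipher" are assumptions made to keep it standard-library only.

```python
import hashlib
import hmac

def prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def keyword_key(master: bytes, word: str) -> bytes:
    # One independent key per index entry, derived from the owner's master key.
    return prf(master, b"kw|" + word.lower().encode())

def mask(key: bytes, data: bytes) -> bytes:
    # Toy cipher (assumption): XOR with an HMAC keystream; use an AEAD in practice.
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(prf(key, i.to_bytes(4, "big")) for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

def build_index(master: bytes, docs: dict) -> dict:
    postings = {}
    for doc_id, text in docs.items():
        for word in set(text.lower().split()):
            postings.setdefault(word, []).append(doc_id)
    index = {}
    for word, ids in postings.items():
        k = keyword_key(master, word)
        # The server stores only an opaque label and a masked posting list.
        index[prf(k, b"label").hex()] = mask(prf(k, b"enc"), ",".join(sorted(ids)).encode())
    return index

def delegate(master: bytes, allowed: list) -> dict:
    # The composite key with parts removed: keys for the allowed keywords only.
    return {w.lower(): keyword_key(master, w) for w in allowed}

def search(index: dict, key_parts: dict, words: list) -> set:
    # Composite search: ids of documents that contain ALL of the words.
    result = None
    for w in words:
        k = key_parts.get(w.lower())
        if k is None:
            raise PermissionError(f"no key part for {w!r}")
        blob = index.get(prf(k, b"label").hex())
        ids = set(mask(prf(k, b"enc"), blob).decode().split(",")) if blob else set()
        result = ids if result is None else result & ids
    return result or set()

# Constructed sample data, not from the original page.
MASTER = bytes(range(32))
DOCS = {"d1": "rotate tls certificate", "d2": "tls key rotation policy",
        "d3": "certificate pinning notes"}
INDEX = build_index(MASTER, DOCS)
```

Because the labels are deterministic, whoever hosts this index can still see when the same keyword is queried twice and how long each posting list is; the sketch shows key-scoped access, not protection against that leakage.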
Enter StrongSalt
In 2018, a "parked" domain suddenly came to life, entitled "StrongSalt by Overnest." By 2019, they were ready for a product launch—StrongVault. Interviewed at Re:Inforce in June, Ed Yu was promoting his new product, blockchain-based (but blockchain-agnostic) searchable storage in the cloud... but available only via a mobile phone app for Android or iOS. The whitepaper that is present on the site around this time is quite interesting; the blockchain stores (amongst other things) an immutable transaction log of searches performed against the indexes, and in a modular fashion, storage providers and apps can "plug into" the StrongSalt platform, along with various types of distributed messaging and "mining" nodes. All of this is fueled by a "gas" utility token called Strong, which is also the proof-of-stake buy-in needed by modules to take part in the ecosystem.
StrongVault is an "app" member of this ecosystem; there is also a RESTful API available that gives much of the same limited feature set as the StrongVault app. As an administrator, you can add or remove users, see, search, or remove all documents, share any document with specific users, and promote/demote users to/from admin status. As a user, you can see your documents (and documents that have been shared with you), remove or share your own documents, and both encrypt new documents and decrypt existing documents (with the odd wrinkle that the API version of encrypt returns the encrypted document to you to store yourself, and the decrypt requires you to supply it, as it offers only indexing and encrypt/decrypt, not storage).
So I don't believe this is the same as the API recently revealed at the presentation; I would suggest the new API will access the ecosystem directly, meant for full member modules, rather than the more limited Vault feature set. The website (but not the white papers) mentions "pro edition" features such as cloud storage, self-management of keys and permissions, and so forth, things clearly not offered by the API documented on their site.
But whatever it is, they need to get it to market fast; there are a number of competing offerings just coming to market. For instance, pixek.io, by some of the Microsoft Research engineers whose papers StrongVault borrows from, uses machine vision to generate "tags" and stores those tags as the encrypted, searchable index for those images. Invite-only "soft" launches might build a certain amount of hype, but only if you aren't pipped at the post by someone who buys ads on Facebook.
Further reading
If you are interested in the subject and would like to explore it further, then I suggest you start with these three research papers [1 [eprint.iacr.org]][2 [eprint.iacr.org]][3 [cs.brown.edu]] (fair warning - NOT light reading), the StrongSalt White Papers [1 [strongsalt.com]][2 [strongsalt.org]] and API reference [api.strongsalt.com], and if that isn't enough, there are also the three now-issued patents you can read via Google - [1 [patents.google.com]][2 [patents.google.com]][3 [patents.google.com]].