In 2016, Intel introduced a new instruction set called the Intel SGX. The main engine of this new product was cloud computing, and the architecture developed by Intel allows users to run any program in a protected way, called an enclave. When this feature is enabled, the running program is protected by hardware from a number of attacks, including attacks from the operating system or other applications running on the same station. ARM has developed a similar technology called the ARM Trust Zone, and the solution proposed by AMD is called the AMD Platform Security Processor.
Starting from these methods of creating a secure environment for the execution of applications, we started the implementation of the SABOTORE project, a project through which we aimed to protect data at the time of execution. Specifically, when the user operates on an infected computer, any keystrokes can be observed by the attacker before reaching protected mode. Similarly, data stored on dedicated devices or data from the network will first go through the compromised operating system and then be processed in protected mode. Because of this problem, there is no guarantee that the data is correct and that it has not been altered by an attacker.
In the SABOTORE project we built a dedicated hardware device that would provide a secure communication channel between a USB device and the TEE protected environment.
The MASSA (Advanced Security Mechanisms for Autonomous Systems) project aims to develop new security systems that will enable smart autonomous devices to communicate in a secure manner while maintaining the authenticity, integrity and confidentiality of the information exchanged.
The project objectives consist in developing a PKI system for intelligent transport systems (C-ITS) to authorize the access of vehicles to various infrastructure services and communication security, creating technical components for the extension of the proposed PKI system to be compatible with other categories of autonomous systems and using data science for transport planning and traffic optimization.
Another domain addressed by this project is that of autonomous drones. Although today we are no longer surprised to hear a hum at a height, each of us having the opportunity to use a drone, very few have the problem of securing these devices and especially the communication between them and other devices. With the MASSA research project, we set out to address this issue as well, drawing a parallel between intelligent transportation systems and these IoT devices.
The Advanced techniques for epidemic management in the community (TAMEC) project, carried out by the Central Military Emergency University Hospital ”Dr. Carol Davila” in partnership with certSIGN, aims to develop the ”Coronavirus COVID-19 Romania” application, which will create a map of the spatial distribution of all SARS-CoV-2 confirmed cases, a statistic showing the evolution by days, information on hospital infrastructure, population density, but also relevant details of each case.
The solution that certSIGN has patented and which will be implemented in this project is the homomorphic encryption, a method that allows a third party to process and handle data in an encrypted format without having access to the data in clear. In other words, this method allows a server to perform calculations directly on encrypted data without the possibility of decrypting the result and without being able to decrypt the initial data.
ECHO (the European network of Cybersecurity centers and competence Hub for innovation and Operations) is a European research project whose objectives are the development of innovative solutions for the safety of the European Digital Single Market, training of cyber security professionals, development of a new certification scheme and a governance model. The joint venture works on developing the ECHO Multi-Sector Assessment Framework, the ECHO Early Warning System, the ECHO Federation of Cyber Ranges, the ECHO Inter-Sector Technology Roadmaps, ECHO Cyber Skills Framework, ECHO Cybersecurity Certification Scheme. Our company is actively involved in the development of the Early Warning System (EWS), a software system designed for the coordination and synchronization of relevant cyber information in near real time, which could potentially serve all the network competence centers in Europe.
As the cloud era is growing, identity shifts from the physical ID card (which Romania still uses) to digital identity. Digital identity is not just a change of the physical card, so that it contains an electronic chip that allows interaction with governmental services for the purpose of authentication and digital signature. Digital identity should be considered as the sum of user attributes that uniquely identify the user and could include user’s identity in social media/networking. In addition, online identity also involves the user’s ability to securely authenticate to various online services, including government, banking, but also the ability to securely demonstrate to any party that the person behind the transaction is the same with the one who has the electronic identity.
Furthermore, a bold direction is identity decentralization, so that the owner has full control. It also means that the end user will not be able to pretend to be someone else and at the same time is better protected against identity theft. certME is a project that came to live in the certSIGN research incubator and has further evolved into a product that implements decentralization of user identity using a distributed application that runs the Ethereum public blockchain.
A constant concern of ours, since the beginning of our business, was to involve talented students, thus supporting the research, through various programs, right from college years. INCOGNITO is a project addressed directly to young graduates of technical universities through which during a year of work, with the support of the European Commission, they become acquainted with an international work environment and are supported to deepen technical fields from the perspective of industrial research. According to the requirements of the Marie Skłodowska Curie European Research Program, the main goal of this project is the exchange of experience between private companies and European universities by supporting young researchers in learning new technologies and in implementing them in new or ongoing innovative projects.
With INCOGNITO, we have chosen to continue the ReCRED project, with the aim of combining state-of-the-art technologies in a platform that allows users to easily understand what is needed to access online services in terms of their privacy and to be able to prove certain attributes of their identity or their full identity. INCOGNITO starts from the structure developed within ReCRED, where we use advanced mobile software to convert online and physical proof of identity into validated and cryptographically strong proofs of identity, which can be used to access online services.
In the early days of the World Wide Web, data accessibility was so limited that encrypting it was not a priority. As the Internet evolved mainly towards cloud computing, with the online storage of information, the need for data encryption became a mandatory requirement. The issue was partially solved through secure communication protocols (e.g. SSL, TLS) and by securing data stored online through encrypted hardware of software containers, yet the data used was still prone to problems. The early stages of Homomorphic Encryption revealed a theoretical possibility to safely store information in the cloud, in an encrypted form and still being able to transform it, without disclosing the secret encryption key, by applying a special set of transformations right on the encrypted data. With certFHE we started researching innovative encryption algorithms.
The first goal of the ReCRED research project was to simplify the process of authenticating users to the online world, to the point of removing passwords from the life of the end user. The project did not innovate or discover new technologies, but used existing ones: delegated authentication, asymmetric key authentication, biometric authentication of end-user, machine-to-machine authentication, attribute-based access control and integrated them into a new and innovative platform. The second goal of the project was to bring together industry and academia from the same project, in a partnership governed by European rules, with the shared goal of improving the experience and security of the end user in online.
Throughout the course of the project, the goal was to preserve users’ privacy in the authentication process, so there is no need for them to disclose their identity more than necessary, by implementing two concepts that were often overlooked by service providers namely “unlinkability” and “untraceability”, which in fact mean that a user cannot be tracked online, not even when service providers share information with each other. For example, if a user has an account on a social network and another account on a messaging network, the two services belonging to the same company that chooses to share information from the two services, this company will never be able to associate the two accounts as belonging to the same user and will not be able to track his online activity, in the two services.