As soon as Niraj Butala opened his credit card history and saw a $600 Foot Locker purchase he never made, he knew something was wrong.
Butala, a fourth-year psychobiology student, said he realized instantly that his credit card number had been stolen, one of many cases of campus identity theft. These kinds of theft may soon become history because of a new data protection method recently devised by a UCLA professor.
Amit Sahai, an associate professor of computer science, along with Brent Waters, a UCLA computer science alumnus, have developed a new technology based on decades-old math problems that could significantly decrease hackers’ ability to access data.
Butala said when he found out an individual on the East Coast stole his identity, he resigned himself to the fact quickly.
“I wasn’t mad or anything,” he said. “I guess it happens to everyone.”
Sahai said he hopes to change this line of thinking with his new technology, which he said is useful now but is probably five to 10 years away from commercial production.
“There’s a battle between people protecting data and attacking data,” Sahai said. “Right now there isn’t a level playing field. Hackers have it much easier.”
His new method is based on a problem involving elliptic curves that has been worked on by mathematicians, but not cracked, for more than two decades.
Sahai compared the way networks currently manage access to their stockpiles of information ““ which can include things such as corporate employees’ mailing addresses and university applicants’ social security numbers ““ to a lock and key system.
Each piece of data has its own lock that may be opened by however many people are admitted to it; this sometimes leads an overabundance of keys.
“It’s a very complicated key management problem,” Sahai said.
His new approach allows each individual system user to have his or her own key that can open the locks to all data they are authorized to, and not more.
Sahai said these customized keys could stick into computers almost like USB drives and, in his vision, would be acquired from a physical office building. He compared this process to that of obtaining a BruinCard on campus.
The new method has received support from the computer science community and beyond.
“Previously, we either needed to rely on more trust or expensive interaction,” said Yuval Ishai, a visiting professor of computer science from the Technion in Haifa, Israel. “This new technology is the best of both worlds. You minimize the amount of trust and maximize efficiency.”
He compared the newly developed technology with the public key cryptography used for electronic commerce.
Though it was invented in the 1970s and took nearly 20 years to be put to use, it is now employed widely, Ishai said, adding that he could see Sahai and Waters’ method following a similar trajectory.
Sahai said his technology fixes flaws within the most-used data protection system, known as the trusted-servers model.
In this model, one or more servers are relied on to hold their entire network’s data and dole out access to this data to those with the appropriate authorization. He added that often, these keys are figuratively left right alongside the locks they open, letting intruders easily access data they desire.
“How (has this) improved security? Not a lot, fundamentally,” Sahai said. “It’s a dumb thing to do.”
But those behind the breakthrough noted that current technology that encrypts data, or turns it into code unintelligible to hackers, is powerful enough to protect data in today’s world.
“At its very core, we’re redefining what encryption is,” Waters said.
Experts say users are often too trusting of these outdated servers to protect their data.
“People are assuming that bad things that could happen won’t happen,” Ishai said.
But this view is not a correct one.
“In practice, this doesn’t work out (because) once the server is infiltrated, this info is in the clear,” said Waters, who now works as a computer scientist for SRI International.
Butala said he would like to see this technology utilized soon.
“I hope companies start using this,” Butala said. “(Dealing with identity theft) is a hassle. As students, we have other things to do.”
In the end, the mitigation of something as complex as identity theft could come from a couple of mathematical equations that continue to stump the highest experts.
“All the protection is coming from the math,” Sahai said.