The concept of shared secrets and the concomitant trust have been the core of the security paradigm since before the fall of Troy. Historically, the shared secret was a password that two parties could use to identify each other as a measure of trust. While these shared secrets might change from time to time, they were durable enough to last from the time they were shared until they were used. The passwords only functioned as long as they were kept secret. The parties that shared the secrets were typically known to each other in some way or otherwise vouched for. The use of the challenge and response password enabled trusted parties to be identified in the dark or through the use of a trusted, shared secret. Trust could be conferred to another person by the authorized sharing of the secret.
More recently, the development of a digital environment has enabled a vast expansion in rapid communication and information transactions, among other things. The old paradigm of the shared secret has been incorporated into the digital environment in numerous ways, from usernames and passwords to secure communications between users and systems. For example, this concept is foundational to the Secure Sockets Layer and Certificate Authority information security infrastructure.
However, the digital environment is one in which secrets are difficult to keep beyond a short period of time, and once secrecy is lost the formerly secret information may be proliferated rapidly and with complete fidelity. The digital environment is also one in which shared secrets have become a target of “hacking” that has transformed many “secrets” (e.g., passwords, digital certificates, private information and other types of authentication data) into a commodity freely traded on the gray and black markets, destroying the benefit of such secrets for securing digital exchanges. Yet the underlying security mechanism of the digital environment depends upon the operational, but now often false, assumption that the secret is still secret. The new dynamic of the failure of the shared secret paradigm and the trust dependent upon it requires a radical change in operating assumptions.