Apple’s Use of Tokenization for Encryption
One small step for Apple…
There are moments when technologies break into popular discussion. Often it takes a big company incorporating something new into a product launch. Using their brand and their voice, they introduce the world to a concept that technologists have known about for years.
Apple did that last week. They may, in fact, have done it a few times last week. But they definitely did it for the concept of “tokenization.” In outlining the security and privacy features of Apple Pay, Apple SVP Eddy Cue introduced the average consumer to the idea that our personal information, including our payment information, can be handled in a new and different way. Namely, our information can be altered and adapted so as to be dynamic and situation-specific, instead of saved in static form on servers far and wide. Tokenization achieves this by substituting situation-specific information for static personal data. Your credit card number, for example, is stored not in its raw form but in a modified form that makes it relevant only in a very limited way.
To the Bitcoin community, concepts like this will feel commonplace. Tokenization is one of a series of tools in the family of cryptographic processes that are gaining popularity. Public key encryption, for example, is also a member of that family and is so fundamental to how Bitcoin works that the word ‘tokenization’ popping up in the media’s coverage of Apple Pay will not seem particularly noteworthy. But for cryptography generally, this was a watershed moment. More people are aware of a cryptographic process now than probably ever before. And that awareness will only grow from here, and that’s a good thing.
The math behind tokenization and other cryptographic processes is incredible and worth thinking through. Imagine you have a secret number, a number that you can use to identify yourself and even authorize the payment of money from your bank account. You want to keep that number somewhere, and you want it to be safe. You almost wish you could change the number in a way that obscures it from anyone who happens upon it. Turns out mathematics has made that (and many complicated variations of that) possible.
Just to give you an example of what this looks like, imagine you have a secret number that you use to identify yourself – almost like a password. Let’s say that number is “123456.” A math system that has become more popular of late called “hashing” could take that number and spit out this:
Amazingly enough (and you’ll have to understand more math than I do to understand why), if instead of “123456” your secret number had been every number in the phonebook strung together, you would still get a unique 32-digit string. And here’s the catch: it is mathematically impossible to reverse the 32-digit string created by this process. So if you store it somewhere, no one could ever find it and figure out what your secret number is. They would have to ask you to re-enter your secret number and run it back through the same process to establish a match. This is not the exact process that Apple is using, but it is an important foundational example of how mathematics is allowing us to alter and adapt information, the impact of which is an overall decline in the transmission and storage of information in its raw form.
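The process described above, as an added example that is not part of the original post and is not Apple's scheme: a fixed-length digest, verification by re-entering the secret, the caveat that a short secret can be found by that same matching step, and a random token bound to one situation for contrast. MD5 is assumed only because it produces the 32 digits mentioned; `TokenVault`, the function names and the merchant labels are hypothetical.

```python
import hashlib
import secrets

def digest(secret: str) -> str:
    # MD5 is an assumption: it yields the 32 hex digits the post mentions.
    # SHA-256 (64 hex digits) is the modern choice for new designs.
    return hashlib.md5(secret.encode()).hexdigest()

def matches(reentered: str, stored: str) -> bool:
    # Verification: run the re-entered secret through the same process.
    return secrets.compare_digest(digest(reentered), stored)

def search_six_digits(stored: str):
    # Caveat: the digest cannot be inverted, but a 6-digit secret has only
    # 1,000,000 candidates, so the matching step alone identifies it.
    for n in range(1_000_000):
        candidate = f"{n:06d}"
        if matches(candidate, stored):
            return candidate
    return None

class TokenVault:
    """Hypothetical vault: a token is random and situation-specific."""
    def __init__(self):
        self._entries = {}

    def tokenize(self, secret: str, context: str) -> str:
        token = secrets.token_hex(16)  # no mathematical link to the secret
        self._entries[token] = (secret, context)
        return token

    def detokenize(self, token: str, context: str) -> str:
        secret, bound_context = self._entries[token]
        if bound_context != context:
            raise PermissionError("token is not valid in this context")
        return secret

if __name__ == "__main__":
    stored = digest("123456")  # constructed sample secret from the post
    print(len(stored), len(digest("5551234" * 100000)))  # same length
    print(matches("123456", stored), matches("123457", stored))
    print(search_six_digits(stored))
    vault = TokenVault()
    a = vault.tokenize("123456", "merchant-A")  # constructed context names
    b = vault.tokenize("123456", "merchant-B")
    print(a != b, vault.detokenize(a, "merchant-A"))
```

Short, guessable values such as card numbers or PINs are therefore better protected by a random token, or by a salted and deliberately slow password hash, than by a bare digest.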
Geeking out over the amazing math behind this aside, the implications are clear:
- This is not complicated technology at this point, and it does a lot to keep your information safe. We should all demand that businesses that save our information save it in a more modernized way. Apple understands this and has taken a big first step in getting cryptography into the vernacular. There is no reason, at this point, that our passwords, credit cards, social security numbers or any other piece of personal information should be stored in a way that is not (i) encrypted generally and, moreover, (ii) encrypted in a situation-specific way. If you see any service ever send you or display to you your raw information, your antennae should stand at attention. If your browser bar doesn’t have a green “https” in it when you’re entering important information, you should be asking questions. Increasingly, if you’re not being asked to type in a verification code, scan a fingerprint, or do something else beyond typing in a password, you should be thinking twice.
- This is really good news for everyone. The more comfortable we all are with these concepts and the more they are introduced into new products and services the more confidence we can have. And confidence is key. Confidence will allow us all to interact more freely with new products and services. It will allow developers to invest less time in creating trust on a one-by-one basis and more time developing new and innovative products. Continued acceptance and incorporation of cryptographic processes will massively drive down the costs of establishing trust. The result will be an Internet and a world where we spend less time worrying about protecting ourselves and more time taking advantage of all the great things that can happen when information can flow efficiently (and securely).
The impact of Apple helping shine more light on the tokenization conversation should not be understated in this regard. The average consumer does not need to understand the inner workings of how Apple is tokenizing their credit card information. But they do need sufficient knowledge of what’s going on and of the advances in this field to truly believe that these improvements are worth trusting.