November 16, 2009 • 12:49 am 0
An “Authentication Gap” was discovered in the latest version of SSL/TLS protocol.This could potentially be a huge problem. The gap is not due to some erroneous implementation, it is a property of the protocol.
Here is a list of links to websites where the issue is being followed:
Filed under: Authentication, Encryption, Hacking, InSecurity, SSL, Security, Technology, e-commerce, networks , Authentication, e-commerce, Encryption, Hacking, InSecurity, networks, Security, SSL
October 22, 2009 • 8:53 pm 0
Two underused resources, “Dark Fiber” and “White Space” are to be taken advantage of to increase the power of the network.
One application seeks to use optic fiber that has being laid but not being used to enable the establishment of secure keys using quantum technology http://www.technologyreview.com/computing/23317/page1/
The other is a wireless network in which the information is carried in the unused interstices of the TV spectrum. http://www.technologyreview.com/communications/23781/
Filed under: Key Generation, Quantum Cryptography, Technology, in the News, networks, wi-fi , communications, Information Theory, networks, Quantum Cryptography, Technology, wi-fi, wireless
August 18, 2009 • 9:06 pm 0
It looks like Canadian laws are finally forcing Facebook to play nice with their users’ personal information.
read the whole article http://www.financialpost.com/news-sectors/technology/story.html?id=1902992
Filed under: InSecurity, Technology, in the News
August 7, 2009 • 3:36 am 1
Having all your personal information in one ID is not a very good idea, even if protected by a good encryption scheme. Having all your information in a card protected with a bad encryption scheme is definitely a bad idea.
That seems to be the case with the ID cards issued by the Home Office to foreign nationals working in the UK. As described in a news article, it looks that a cell phone fitted with an RFID scanner and a laptop is all the hardware you need to clone one of these cards and even change the information on it.
Embedded inside the card for foreigners is a microchip with the details of its bearer held in electronic form: name, date of birth, physical characteristics, fingerprints and so on, together with other information such as immigration status and whether the holder is entitled to State benefits.
This chip is the vital security measure that, so the Government believes, will make identity cards ‘unforgeable’.
But as I watch, Laurie picks up a mobile phone and, using just the handset and a laptop computer, electronically copies the ID card microchip and all its information in a matter of minutes.
He then creates a cloned card, and with a little help from another technology expert, he changes all the information the card contains – the physical details of the bearer, name, fingerprints and so on. And he doesn’t stop there.
These cards use the same technology as the ID card for British citizens unveiled last week by Alan Johnson, the Home Secretary. ID thieves must be anxiously waiting for the introduction of government ID cards, which will facilitate their daily jobs.
Filed under: Hacking, ID Theft, InSecurity, RFID, biometrics, in the News , ID Theft, in the News, InSecurity, RFID, Technology
June 1, 2009 • 2:22 am 0
Many years ago I was involved in a research project looking to use tiny differences in processing time inside a computer as a way to fingerprint the device. The idea was not unique, I guess that at the same time many were busy looking for similar things.
The reason was that in the framework of Internet security protocols such as SSL, if each party can fingerprint the other party’s computer, that will add another dimension to the development of a strong authentication scheme. Eventually the company supporting the research run out of interest and money and I forgot all about the idea until I recently read the news.
Enter the Fingerprint Extraction and Random Numers in SRAM (FERNS) method developed by Holcomb, Burleson and Fu of the University of California Berkeley. They analyzed the initial state of the cells of a 512 kb Static Random Access Memory (SRAM) after power up and discovered that the stable states of some cells representing the bits were random, that is they have equal probability to be 1 or 0, while others cells were skewed to start as a 1 or as a 0. This property of the cells is due to imperfections of the fabrication process and are impossible to control.
A paper describing Burleson’s group work is going to appears in the IEEE Transactions on Computers.
From the Abstract
….. We use experimental data from high performance SRAM, and the WISP UHF RFID tag to validate the principles behind FERNS. We demonstrate that 8 byte fingerprints from an SRAM chip are sufficient for uniquely identifying circuits among a population of 5,120 and extrapolate that 16 to 24 bytes of SRAM would be sufficient for uniquely identifying every instance of the SRAM ever produced. Using a smaller population, we demonstrate similar identifying ability from the embedded SRAM microcontroller memory of the WISP. In addition to identification, we show that SRAM fingerprints capture noise, enabling true random number generation. We demonstrate that the initial states of a 256 byte SRAM can produce 128 bit true random numbers capable of passing the NIST approximate entropy test.
The possibilities for the application of this technology to authentication and key generation schemes are enormous, specially in the field of portable devices. To have an entropy generator “in a chip” is great, if you get that together with a fingerprint of the chip is wonderful news. Certainly we’ll hear more about it.
Related reading: Quirks of RFID Memory Make for Cheap Security Scheme
Filed under: Authentication, Entropy, Fingerprint, RAM, RFID, Random Numbers, SRAM, Security, Technology , Authentication, Technology, Entropy, SRAM, Random Numbers, Fingerprint
April 18, 2009 • 5:49 am 0
Continuing with the main theme my last two posts, hacking, I am going to wrap up with this post about Secure Processors.
A secure processor is meant to protect the information and the communications, validate the communications channel and be tamper-resistant, should it falls into the adversary’s hands.
Successful hacking of secrets has the duality of being a happy/sad event, depending on which team are you playing for. The design of secure processors makes this duality patent as, in practice, the most important evaluation criterion is that the resulting product should resist the designer’s best attempts at hacking it.
The current research and development efforts are guided by U.S. DoD Anti-Tamper specifications. To prevent reverse engineering, architectures of secure processors are based on a combination of hardware and encrypted software in such a way that if the hardware is captured, its exact functions cannot be guessed without knowing the encryption keys. During WWII, the capture of an ENIGMA machine paved the way for the breaking of the enciphering by the allied forces. These historical lessons are incorporated into today’s design criteria. Some design even incorporate sensors that will detect attempts at using physical means to force the hardware and destroy the critical information upon detection (often called zeroization).
A new dimension to the problem is added by procurement system. Electronic chips are nowadays a commodity and absolute control over the manufacturing of chips is not possible. Therefore it is essential to ensure that the critical parts, that is the processors, are designed and made in controlled facilities.
The lessons learned in military applications are now being applied to commercial system. This is where the lines blurred because in the interconnected world the enemy can wreak havoc on the infrastructure without firing a shot. Communication and control networks associated with utilities will become more resistant to attacks by using computers fitted with secure processors.
Related:
Filed under: Anti-tamper, Cryptography, Encryption, Hacking, Security, Software, Technology , Anti-tamper, secure processors, Security, Technology
January 3, 2009 • 6:08 pm 0
The USB ports can become a way into your computer for some hackers eager to steal your ID.
h/t Paul.
more about "The attack of the peripherals", posted with vodpod
Filed under: ID Theft, InSecurity, Technology, in the News , ID Theft, in the News, InSecurity
November 14, 2008 • 5:52 pm 0
For the longest time I have the suspicion that quantum cryptography, although a neat idea, is overrated. I was keeping an eye into developments (see previous posts) just in case. currently my impression is that, with the current, technology, QC is an expensive proposition for the added value it provides. It looks like I am in good company on this. In the October issue of Wired, Bruce Schneier writes a commentary piece where he asserts:
While I like the science of quantum cryptography — my undergraduate degree was in physics — I don’t see any commercial value in it. I don’t believe it solves any security problem that needs solving. I don’t believe that it’s worth paying for, and I can’t imagine anyone but a few technophiles buying and deploying it. Systems that use it don’t magically become unbreakable, because the quantum part doesn’t address the weak points of the system.
Security is a chain; it’s as strong as the weakest link. Mathematical cryptography, as bad as it sometimes is, is the strongest link in most security chains. Our symmetric and public-key algorithms are pretty good, even though they’re not based on much rigorous mathematical theory. The real problems are elsewhere: computer security, network security, user interface and so on.
Moreover I have a nagging question about the fundamental tenet of quantum cryptography. The principle is that Alice and Bob will know for sure that Eve is eavesdropping in their channel because their bits will be changing as required by the uncertainty principle. Eve may be out of luck in getting the secrets as Bob and Alice will certainly decide not to exchange them in her presence. However, the mischievous Eve may decide that she is quite happy with only preventing the exchange. I will call this a denial of channel attack by which Eve can prevent Alice and Bob to exchange any secret until the police figures out where she is tapping the quantum line and force her to stop. Eve-hacker can now start a cat and mouse chase, that judging from the record on netting hackers by the internet police, is lopsided on Eve’s favor.
A mathematical note aside, Schneier mentions in his article the Bennet-Brassard and key reconciliation algorithms used by quantum cryptography. In a paper written with A. Bruen and D. Wehlau we gave rigurous proof of convergence for the Bennet-Bessete-Brassard-Salvail and Smolin (BBBSS92)method. These results and more about quantum cryptography also appear on the our book.
Filed under: Encryption, Infomation Theory, Quantum Cryptography, Security, Technology, in the News , Encryption, Information Theory, Quantum Cryptography, Security
November 11, 2008 • 6:23 am 3
Body odor may become the next frontier among the biometric factors useful for authentication, says a recent press release by the Monell Chemical Senses Center
“The findings using this animal model support the proposition that body odors provide a consistent ‘odorprint’ analogous to a fingerprint or DNA sample,” said Gary Beauchamp, PhD, a behavioral biologist at Monell and one of the paper’s senior authors. “This distinctive odor can be detected using either an animal’s nose or chemical instruments.”
………
“These findings indicate that biologically-based odorprints, like fingerprints, could be a reliable way to identify individuals. If this can be shown to be the case for humans, it opens the possibility that devices can be developed to detect individual odorprints in humans,” said lead author Jae Kwak, PhD, a Monell chemist.
Electronic smell sensors have been available for some time now.
Filed under: Authentication, Technology, in the News , Authentication, biometrics, Security, Technology
September 26, 2008 • 6:12 am 0
The ominous promise of a quantum computer able to factor large primes is often cited as the end of the road for cryptographic systems based in number theory, that is all forms of public key cryptography. To gain some perspective on the probabilities that a practical quantum computer with such capacity be around the corner, I have compiled a list of links related to the most promising technologies being developed in labs around the world.
A very nice graphical representation of the concepts of qubit and entanglement can be found here.
Detailed description of the trap technique (also here).
Developments on Quantum dots at Delft.
A recent survey of quantum algorithms.
IBM’s famous Quantum Information Group.
A quantum communication bus.
News from Nature blog.
Filed under: Quantum Cryptography, Technology , Quantum Cryptography, Technology
Data Security and Information Theory are essential to modern life. Far from being the exclusive domain of academics and geeks, the fundamentals and its application are easy to understand for most people. Here, my modest attempt to bring some of the issues to the public discourse and spread the knowledge to make the internet a safer place for your virtual self.
Click below to find out more
ScienceDaily: Computer Security News Wired: Commentary
