Archive for the ‘pki’ Category
A company was having intermittent trouble with their new authenticated SSL, it wasn’t that they experienced trouble with the certificates, which came from a large international CA, or the authentication. There was a bug which caused the OCSP check on some certificates to fail. And after it had failed the first time for a certificate it would continue to fail for that certificate until the application server had been restarted. As this was a mission critical application for their customers between 8am-6pm they had taken to restarting the servers at 7am to ensure that there would be less issues during the day. This was obviously not a permanent solution so the vendor was called to fix the issue.
Recently on NANOG I saw the item below, I was thinking about what this actually means. A computer would – similar to DynDNS – register itself and it’s hostname to a DNS server using some kind of authentication. Naturally I immediately thought this was a brilliant plan, and didn’t understand why nobody, with the exception of DynDNS, had thought of this before. The immediate afterthought was that this would be easy to implement with a soft-token, which is the software equivalent of a physical token like RSA’s SecureID, or complicated to implement with PKI infrastructure.
From: Mark Andrews <email@example.com>
Re: mailing list bounces
It will be much better when the OS’s just register themselves in
the DNS. Humans shouldn’t have to do this when a machine renumbers.
Named can already authenticate PTR updates based on using TCP and
the source address of the update. For A/AAAA records you setup a
cryptographically strong authentication first.
DynDNS uses username password, which is less secure than the cryptographically strong solution that Mark Andrews mentions below.
Image source: Bill McCurdy
No, it’s not just another p2p/file sharing program. Forban is a local network p2p program, it’s meant for replicating ANY file to computers in the immediate proximity without requiring the Internet. As it is has a narrow focus on the local network it can also be used for Personal Area Networks consisting of laptop’s and mobile devices. I have yet to be able to install python on my digital camera, but I’m sure that this will be possible in the future.
It can be run in two modes, gossip and epidemic. Gossip mode, uses the gossip protocol to spread the files by disseminating the data the peer has to a random peer. Epidemic mode is similar to a real virus epidemic, spreading the files rapidly from one Forban server to another. Like any p2p network it requires that there are others running for it to communicate with, these can be intermittently connected to the network, whether it be a mobile device which comes into proximity of the LAN/PAN or a laptop.
It uses HTTP, and I doubt that adding authenticated HTTPS would be much of an issue once the PKI infrastructure is in place. This would make it ideal for rapidly sharing or backing up data without user interaction when you get to the office. And as it requires little user interaction, and with authenticated HTTPS this service can be left running in the background with minimal risk of the wrong people getting their hands on the data.
Forban is an old French word for pirate.
Since I started working for my company I’ve been exposed to PCI DSS (Payment Card Industry Data Security Standard), “It was developed by the major credit card companies as a guideline to help organizations that process card payments prevent credit card fraud, hacking and various other security issues.“1 There are only a small amount of requirements that need to be implemented, although these can be pretty substantial for some customers. I can also be difficult to understand the details of these 12 requirements for compliance.2
Being a programmer by nature I’ve often been told that the nuts and bolts of what I do, the part I enjoy, are a little complex. PCI is something different, everybody can understand that credit card data needs to be protected from unauthorized access. Not just credit card data, but all data that could potentially be used in identity theft. Which means that a policy or control needs to be implemented to control this, and note any non-compliance.
PCI is just about protecting your “Cardholder Data“:
I know first hand that most of the banks in the Netherlands, and in most of the world, are quick to discover credit card fraud. They are also quick to payout and correct the issue for the customer, because the chance that customers will loose faith in the bank is high if they don’t. Yet ultimately these customers are still paying for all the fraud committed with all the credit cards. Banks, payment service providers or retail merchants, who have your Cardholder Data, have all the data needed for this kind of financial identity theft and fraud, and more…
It may seem obvious that this data is stored securely, credit card use is ubiquitous. Yet the large banks have had the same problems with data leakage as small retailers, which means the data must be secured from the customer right to the bank who finally processes the payment to avoid this type of leakage. The problem is that payment service providers or merchants have traditionally not done this. They may handle the temporary authorization requests for the PAN or use the Bank Identification Number (BIN) from the card number for routing the payments to the specific issuer, so they may need the number. That’s fine, as long as they store the data securely and have a log of who accessed the data and why the data was accessed.
Now that’s out of the way I can tell you what I’m doing, I’m playing with RSA Database Security Manager [now EOL’d] and RSA Key Manager. Simply put DBSM is a framework which encrypts the data as in goes into the database and decrypts it as it comes out. It’s something that anybody who is paranoid like me had already been doing for a while, but the way I was doing it required me to write custom fragments of code for every application which needed to access the data. DBSM does it transparently, while at the same time checking the users who try to access it, so only the correct users gain access. RKM hooks into this by providing a framework for the policies or controls which grants the correct people/devices/programs a key to lock-up or unlock the data, different policies can be implemented for different types of data or device.
Now you know what I do.
Originally appeared here.
VeriSign – Personal Identity Portal is a OpenID provider with multiple factor identification: Password +
- Mobile Credential (phone or mail PIN)
- Account Information Card (can be used by applications such as Microsoft CardSpace)
- VeriSign browser certificate
- VeriSign Identity Protection (VIP) Credential (Physical Token)
As I have a browser certificate linked to my old browser and couldn’t login with my current browser I had to figure out a workaround when I don’t have the browser certificate: PIN Request. On the page that does the browser certificate request there is a hidden link to get a PIN send by mail or mobile, which you can find here.
Hope that helps you.
As an early Christmas gift my father gave me vouchers he didn’t want to get him and myself some books we would enjoy. I went out and bought Anathem – which I will discuss in a following blog – and Cryptonomicon. He was very happy with my choice, we had both enjoyed Snow Crash and The Diamond Age, and would be sure to enjoy these.
The book starts just before the age of modern cryptography, in a time when computers were people who performed computations, and weaves a story of the Waterhouse clan from grandfather’s fumbled first meetings with Alan Turing, through the cracking of the Enigma code, up to the modern age of fibre optics and Van Eck phreaking. It is ranges from witty to down-right hilarious, with lines like
“War is hell, but smoking cigarettes makes it all worthwhile.”
And it covers the art of cryptography in a way that I, a geek with some knowledge of cryptography, understand.
The story itself reads like a spy novel, with as much subterfuge in the WWII periode as in the modern age, where the discovery of information by lawyers and dentists can be as bad if not worse that the discovery by Nazis. In the end the WWII characters have died leaving legacies which ripple into the future, and those left alive are left fighting an enemy much worse than the Third Reich, corporations.
I really liked Cryptonomicon.