Archive for the ‘Cryptography’ Category

Updates to the Map of Crypto Law.

September 30, 2009
Google Map of International Crypto Law

There have been a few updates to the famous map of crypto laws lately. For those new to the map, or who have forgotten it, I’ve linked the picture above to it.

Feel free to mail me with corrections and additions.

Cold Boot Attacks Revisited (again).

September 16, 2009

Following my recent post on FireWire Attacks, I thought I’d follow up on that other classic Full Disk Encryption exploit, the “Cold Boot Attack”.

Back in February 2008 a group of clever Princeton students published their infamous paper “Lest We Remember: Cold Boot Attacks on Encryption Keys”. Though the retention of data in RAM chips has been known since their invention, and certainly since at least 1978, the “Princeton Paper” reminded us that turning a computer off does not mean all the data in memory is instantly gone; and of course, if something important remains, like an encryption key, then your computer’s security might be vulnerable. Read more…

Is Encryption enough? Why just encrypting data doesn’t solve today’s information security concerns.

September 3, 2009

“But if it’s encrypted, why do I need to login?” the customer across the desk asks me with incredulity.

I realise that I’m about to get into a discussion which borders on the theological and raises passion in security and business leaders alike. A discussion that I’ve had many times over the last two years, and will have many more times in the near future.

“Because, without authentication, there’s no point to encryption,” I reply, knowing full well that this isn’t an answer that’s wanted, or understood.

With a stifled sigh I start to explain… Read more…

iPhone 3GS and BlackBerry (In)securities..

July 27, 2009

This week’s (potential) major fail goes to Apple for the iPhone 3GS security. As reported by Wired and others, it seems the new 3GS encryption touted by Apple in their “iPhone Security Overview” isn’t so secure after all.

The official description of the new feature sounds pretty good:

iPhone 3GS offers hardware-based encryption. iPhone 3GS hardware encryption uses AES 256 bit encoding to protect all data on the device. Encryption is always enabled, and cannot be disabled by users.

But this excellent second video demonstration by Jonathan Zdziarski shows plainly that there could be something very flawed about it. Read more…

AES-256 and Reputational Risk

July 21, 2009

I came across this excellent article while looking for something different. Dr O’Connor succinctly sums up the idea of impossible, and more impossible when talking about the relative key lengths of encryption algorithms.

Reputational risk is something that everyone understands, particularly businesses who regard their brand as one of their most critical assets. There is considerable trust in the security of AES-256, both in the public and commercial sectors. Reputational risk to AES-256 has a very high impact, and we therefore hope, a very low likelihood of occurrence.

AES-256 and Reputational Risk

Changes to PII and PCI regulations in Nevada

This week Linda McGlasson talked on BankInfoSecurity about some changes to Nevada’s data protection stance. Nevada’s laws are no less complex than other states’, but interestingly they have a few which, when combined, give a tighter than usual position.

The interesting bill is CHAPTER 603A – SECURITY OF PERSONAL INFORMATION, which deals with the regulation of business practices. This law puts the state’s teeth behind the PCI regulations, enforcing things which the payment card industry requires as part of PCI compliance with state-driven criminal and financial penalties. Read more…

Hard Disk Encryption needs management…

March 10, 2009

This week CNET News contributor Jon Oltsik blogged about how he believes that now there’s a unified standard for hardware disk encryption, governments should lead the transition to self-encrypting hard disks. Jon makes the point that hardware encryption is simple, fast, and generally more secure than software encryption.

While it would be admirable to see any government protect their data, Jon in my opinion missed the big point: the benefit of the standard is really common key management between all the different vendors. No one really gets any benefit from the drives doing the encryption the same way – as long as it’s a “good” way, who cares? But, if all the drives have a common key management architecture, it makes the provisioning and, more importantly, the recovery of data much simpler. Read more…

Quantum Cryptography a reality?

October 17, 2008

BBC News recently reported that the world’s first robust network based on Quantum cryptography has gone live in Vienna. Comprising 7 locations and 200km of optical fibre, and hosted by Siemens, the network has the capability to re-route connections in the event of link failure, and to handle eavesdropping attacks.

Though it sounds a little Star Trek, Quantum Crypto has been around for over 20 years already – IBM patented the classic Quantum key exchange algorithm in 1984. It’s a novel concept because the key exchange algorithm (BB84) is provably secure – i.e., there’s no hack or attack for it unless our understanding of the nature of the Universe is fundamentally wrong. Read more…

Bitmap Discovery Exploits

October 8, 2008

It was announced back in October 2008 that Bernd Roellgen of PMC Ciphers had “discovered” a possible exploit which can be used to reveal details of the encryption key used to protect hard disk image backups. PMC used this information to promote the release of a new version of their software which is immune.

Some customers have asked me what I think about this, as it relates to McAfee products, so I thought a blog post would be a good place to start. Read more…