The UK’s GCHQ delivers a brutally blunt assessment of quantum key distribution:
QKD protocols address only the problem of agreeing keys for encrypting data. Ubiquitous on-demand modern services (such as verifying identities and data integrity, establishing network sessions, providing access control, and automatic software updates) rely more on authentication and integrity mechanisms — such as digital signatures — than on encryption.
QKD technology cannot replace the flexible authentication mechanisms provided by contemporary public key signatures. QKD also seems unsuitable for some of the grand future challenges such as securing the Internet of Things (IoT), big data, social media, or cloud applications.
I agree with them. It’s a clever idea, but basically useless in practice. I don’t even think it’s anything more than a niche solution in a world where quantum computers have broken our traditional public-key algorithms.
Read the whole thing. It’s short.
Powered by WPeMatico
infossl
August 1, 2018
authentication, cryptography, economicsofsecurity, encryption, gchq, keys, quantumcomputing, quantumcryptography, Security technology
Read more >
Krebs on Security is reporting that all 85,000 Google employees use two-factor authentication with a physical token.
A Google spokesperson said Security Keys now form the basis of all account access at Google.
“We have had no reported or confirmed account takeovers since implementing security keys at Google,” the spokesperson said. “Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time.”
Now Google is selling that security to its users:
On Wednesday, the company announced its new Titan security key, a device that protects your accounts by restricting two-factor authentication to the physical world. It’s available as a USB stick and in a Bluetooth variation, and like similar products by Yubico and Feitian, it utilizes the protocol approved by the FIDO alliance. That means it’ll be compatible with pretty much any service that enables users to turn on Universal 2nd Factor Authentication (U2F).
Powered by WPeMatico
infossl
July 26, 2018
google, keys, phishing, Security technology, twofactorauthentication
Read more >
Bluetooth has a serious security vulnerability:
In some implementations, the elliptic curve parameters are not all validated by the cryptographic algorithm implementation, which may allow a remote attacker within wireless range to inject an invalid public key to determine the session key with high probability. Such an attacker can then passively intercept and decrypt all device messages, and/or forge and inject malicious messages.
Paper. Website. Three news articles.
This is serious. Update your software now, and try not to think about all of the Bluetooth applications that can’t be updated.
Powered by WPeMatico
infossl
July 25, 2018
academicpapers, bluetooth, cryptography, encryption, keys, Security technology, vulnerabilities, wifi, wireless
Read more >
I don’t know what to make of this story:
The email was sent on Tuesday by the CEO of Trustico, a UK-based reseller of TLS certificates issued by the browser-trusted certificate authorities Comodo and, until recently, Symantec. It was sent to Jeremy Rowley, an executive vice president at DigiCert, a certificate authority that acquired Symantec’s certificate issuance business after Symantec was caught flouting binding industry rules, prompting Google to distrust Symantec certificates in its Chrome browser. In communications earlier this month, Trustico notified DigiCert that 50,000 Symantec-issued certificates Trustico had resold should be mass revoked because of security concerns.
When Rowley asked for proof the certificates were compromised, the Trustico CEO emailed the private keys of 23,000 certificates, according to an account posted to a Mozilla security policy forum. The report produced a collective gasp among many security practitioners who said it demonstrated a shockingly cavalier treatment of the digital certificates that form one of the most basic foundations of website security.
Generally speaking, private keys for TLS certificates should never be archived by resellers, and, even in the rare cases where such storage is permissible, they should be tightly safeguarded. A CEO being able to attach the keys for 23,000 certificates to an email raises troubling concerns that those types of best practices weren’t followed.
I am croggled by the multiple layers of insecurity here.
BoingBoing post.
Powered by WPeMatico
infossl
March 13, 2018
certificates, email, https, keys, Security technology, securitypolicies, tls
Read more >
No More Ransom is a central repository of keys and applications for ransomware, so people can recover their data without paying. It’s not complete, of course, but is pretty good against older strains of ransomware. The site is a joint effort by Europol, the Dutch police, Kaspersky, and McAfee.
Powered by WPeMatico
infossl
January 15, 2018
encryption, keys, ransomware, Security technology
Read more >
Interesting essay about Amazon’s smart lock:
When you add Amazon Key to your door, something more sneaky also happens: Amazon takes over.
You can leave your keys at home and unlock your door with the Amazon Key app — but it’s really built for Amazon deliveries. To share online access with family and friends, I had to give them a special code to SMS (yes, text) to unlock the door. (Amazon offers other smartlocks that have physical keypads).
The Key-compatible locks are made by Yale and Kwikset, yet don’t work with those brands’ own apps. They also can’t connect with a home-security system or smart-home gadgets that work with Apple and Google software.
And, of course, the lock can’t be accessed by businesses other than Amazon. No Walmart, no UPS, no local dog-walking company.
Keeping tight control over Key might help Amazon guarantee security or a better experience. “Our focus with smart home is on making things simpler for customers – things like providing easy control of connected devices with your voice using Alexa, simplifying tasks like reordering household goods and receiving packages,” the Amazon spokeswoman said.
But Amazon is barely hiding its goal: It wants to be the operating system for your home. Amazon says Key will eventually work with dog walkers, maids and other service workers who bill through its marketplace. An Amazon home security service and grocery delivery from Whole Foods can’t be far off.
This is happening all over. Everyone wants to control your life: Google, Apple, Amazon…everyone. It’s what I’ve been calling the feudal Internet. I fear it’s going to get a lot worse.
Powered by WPeMatico
infossl
December 22, 2017
amazon, feudalsecurity, internetandsociety, internetofthings, keys, Security technology
Read more >
This is an interesting tactic, and there’s a video of it being used:
The theft took just one minute and the Mercedes car, stolen from the Elmdon area of Solihull on 24 September, has not been recovered.
In the footage, one of the men can be seen waving a box in front of the victim’s house.
The device receives a signal from the key inside and transmits it to the second box next to the car.
The car’s systems are then tricked into thinking the key is present and it unlocks, before the ignition can be started.
Powered by WPeMatico
infossl
November 28, 2017
cars, keys, maninthemiddleattacks, Security technology, theft
Read more >
Amazon Key is an IoT door lock that can enable one-time access codes for delivery people. To further secure that system, Amazon sells Cloud Cam, a camera that watches the door to ensure that delivery people don’t abuse their one-time access privilege.
Cloud Cam has been hacked:
But now security researchers have demonstrated that with a simple program run from any computer in Wi-Fi range, that camera can be not only disabled but frozen. A viewer watching its live or recorded stream sees only a closed door, even as their actual door is opened and someone slips inside. That attack would potentially enable rogue delivery people to stealthily steal from Amazon customers, or otherwise invade their inner sanctum.
And while the threat of a camera-hacking courier seems an unlikely way for your house to be burgled, the researchers argue it potentially strips away a key safeguard in Amazon’s security system.
Amazon is patching the system.
Powered by WPeMatico
infossl
November 20, 2017
amazon, hacking, keys, locks, patching, Security technology, vulnerabilities
Read more >
The website key.me will make a duplicate key from a digital photo.
If a friend or coworker leaves their keys unattended for a few seconds, you know what to do.
Powered by WPeMatico
infossl
July 6, 2017
cameras, keys, Security technology, theft
Read more >
The Intercept published a story about a dedicated NSA brute-force keysearch machine being built with the help of New York University and IBM. It’s based on a document that was accidentally shared on the Internet by NYU.
The article is frustratingly short on details:
The WindsorGreen documents are mostly inscrutable to anyone without a Ph.D. in a related field, but they make clear that the computer is the successor to WindsorBlue, a next generation of specialized IBM hardware that would excel at cracking encryption, whose known customers are the U.S. government and its partners.
Experts who reviewed the IBM documents said WindsorGreen possesses substantially greater computing power than WindsorBlue, making it particularly adept at compromising encryption and passwords. In an overview of WindsorGreen, the computer is described as a “redesign” centered around an improved version of its processor, known as an “application specific integrated circuit,” or ASIC, a type of chip built to do one task, like mining bitcoin, extremely well, as opposed to being relatively good at accomplishing the wide range of tasks that, say, a typical MacBook would handle. One of the upgrades was to switch the processor to smaller transistors, allowing more circuitry to be crammed into the same area, a change quantified by measuring the reduction in nanometers (nm) between certain chip features.
Unfortunately, the Intercept decided not to publish most of the document, so all of those people with “a Ph.D. in a related field” can’t read and understand WindsorGreen’s capabilities. What sorts of key lengths can the machine brute force? Is it optimized for symmetric or asymmetric cryptanalysis? Random brute force or dictionary attacks? We have no idea.
Whatever the details, this is exactly the sort of thing the NSA should be spending their money. Breaking the cryptography used by other nations is squarely in the NSA’s mission.
Powered by WPeMatico
infossl
May 16, 2017
cryptanalysis, cryptography, encryption, ibm, keys, nsa, Security technology
Read more >
