Tuesday 7 June 2011

RSA mocking hype

And so finally RSA acknowledged that the March hack can in fact result in risks. It took some while, and perhaps because of this the tweetosphere exploded with all the experts mocking RSA: SecurID is unsafe now. And the fact that RSA said it would replace insecure SecurIDs for only a few 'high risk' customers made things even worse.

And alas, for RSA things will not get better soon. Being vague about the theft of whatever was stolen does not help in getting back the trust that was lost today.

But there is another problem. Media report that SecurID is corrupted, but as long as we don't know what the real problem is, I have not yet seen an objective problem analysis. What is the real risk for a regular RSA customer? Is everybody just repeating (RT'ing) others without thinking for themselves?

Fact: trust in RSA is low. No fact: SecurID is corrupted.

Let's just think of an attack scenario like this:
An attacker can calculate the security code, based on knowledge of the algorithm, using a seed from the stolen dataset. But which seed is the one that belongs to the token that is used for authentication? Which token is used? A web login form does not contain this information. Besides, one would need a valid user ID (for a Windows domain), a valid password and the PIN code of the device, which is needed to prove legitimate use of the token.

Unless an attacker has all this information, he cannot authenticate. An attacker might fool the RSA authentication server, but that is not enough to gain access. More is required. That makes me think that the documented attacks must be inside jobs, and that the insiders had to steal the RSA data as well to make further remote access possible.
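The scenario above, reduced to a runnable model, as an added example that is not part of the original post. The verifier checks four factors (user ID, password, PIN, tokencode), and the example shows that a party holding the complete seed dataset but none of the other factors gets nowhere, while reseeding (replacing) the token is the mitigation that makes a leaked seed worthless even to someone who does know the rest. The `tokencode` function is a generic HMAC-based time code standing in for RSA's proprietary algorithm, which is not reproduced here; the user names, serial numbers, seeds and timestamp are all constructed.

```python
"""Toy model of the layered login the post describes: userid + password +
PIN + tokencode. Added example; the tokencode function is a generic
HMAC-based time code standing in for RSA's proprietary algorithm, which is
NOT reproduced here. All users, serials, seeds and timestamps are constructed."""
import hashlib
import hmac
import secrets
import struct

STEP = 60          # seconds per tokencode window (constructed choice)
DIGITS = 6         # tokencode length (constructed choice)
KDF_ROUNDS = 50_000


def tokencode(seed: bytes, now: int) -> str:
    """Derive a DIGITS-long code from a token seed and the current time window."""
    window = struct.pack(">Q", now // STEP)
    mac = hmac.new(seed, window, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**DIGITS:0{DIGITS}d}"


def kdf(secret: str, salt: bytes) -> bytes:
    """Slow hash for password and PIN, so a stolen user database is not enough either."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, KDF_ROUNDS)


class AuthServer:
    """Holds the user -> token mapping, password/PIN hashes and the token seeds."""

    def __init__(self):
        self.users = {}  # username -> record
        self.seeds = {}  # token serial -> seed: the kind of data the post assumes was stolen

    def enroll(self, username, password, pin, serial, seed):
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "pw": kdf(password, salt),
                                "pin": kdf(pin, salt), "serial": serial}
        self.seeds[serial] = seed

    def reseed(self, serial, new_seed=None):
        """Mitigation: replacing or reseeding a token makes a leaked seed worthless."""
        self.seeds[serial] = new_seed or secrets.token_bytes(16)

    def authenticate(self, username, password, passcode, now):
        """passcode is the PIN followed by the tokencode. Every factor is checked."""
        rec = self.users.get(username)
        if rec is None:
            return False
        pin, code = passcode[:-DIGITS], passcode[-DIGITS:]
        ok_pw = hmac.compare_digest(kdf(password, rec["salt"]), rec["pw"])
        ok_pin = hmac.compare_digest(kdf(pin, rec["salt"]), rec["pin"])
        ok_code = hmac.compare_digest(code, tokencode(self.seeds[rec["serial"]], now))
        return ok_pw and ok_pin and ok_code


NOW = 1_307_400_000  # constructed timestamp (June 2011)
SEED = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed token seed


def build_server():
    srv = AuthServer()
    srv.enroll("alice", "correct horse", "4821", "TKN-000001", SEED)
    return srv


def legitimate_login():
    """The user supplies all four factors -> accepted."""
    srv = build_server()
    return srv.authenticate("alice", "correct horse", "4821" + tokencode(SEED, NOW), NOW)


def seed_only_attacker():
    """Holder of the whole seed dataset, but without password, PIN or the
    user -> serial mapping: the correct tokencode alone never logs in."""
    srv = build_server()
    stolen = dict(srv.seeds)
    return any(srv.authenticate("alice", "guess", tokencode(seed, NOW), NOW)
               for seed in stolen.values())


def leaked_seed_after_reseed():
    """After the token is replaced, the leaked seed no longer yields a valid code
    even with the right password and PIN; the new seed does. Returns (old, new)."""
    srv = build_server()
    new_seed = bytes.fromhex("ffeeddccbbaa99887766554433221100")  # constructed replacement
    srv.reseed("TKN-000001", new_seed)
    old = srv.authenticate("alice", "correct horse", "4821" + tokencode(SEED, NOW), NOW)
    new = srv.authenticate("alice", "correct horse", "4821" + tokencode(new_seed, NOW), NOW)
    return old, new


if __name__ == "__main__":
    print("legitimate login:", legitimate_login())
    print("seed-only attacker:", seed_only_attacker())
    print("leaked seed after reseed (old, new):", leaked_seed_after_reseed())
```

The point of the model is the independence of the factors: the seed database answers only "which code does token X show now", not "which token belongs to which user" or "what are the user's password and PIN", and a reseed severs even the first link. Monitoring failed tokencode attempts per user would be the natural detection complement.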

I may be wrong, it must be because of all the fuss by the security community, but I really don't see SecurID as compromised. I don't trust it now, because of the strange moves by RSA, but as far as I can see, SecurID can still be used as a means of strong authentication. But we need to know more about the data loss and we need to know more about the (obscure) security model.

And no, besides being a SecurID user I have no relationship whatsoever with RSA.

Saturday 4 June 2011

Personal digital lockers and standards

A new trend is born, the secure personal digital locker. It used to be called the Digital Vault, but locker feels a lot more personal.

What's the purpose of a locker? It's a storage area for your personal data. The principle behind the locker (as defined by Google's Schmidt) is that you are the owner of your data.

Interestingly, I now know of at least 4 dedicated cloud-based locker systems: Qiy, Digidentity, Singly, Azigo. And of course there are Google, iTunes and Amazon.
And it will not end here, many more will appear, multi platform tools and apps, and, of course, the inevitable patent wars will happen too. Nevertheless, it seems a nice concept.

But having a locker is only the start. You have to get your data in there. And using a web form to upload is not very practical. Automatic interfaces will have to appear that enable upload from service providers to the lockers of their customers, thereby transforming physical output on paper into digital output for delivery to and storage in digital lockers.
Interesting, especially for those service providers: it will save massive amounts of paper, quite a business case!

But how will this end? Will everyone have just one locker? Or do we split risks and have separate lockers for different aspects of our lives?
And how can service providers know which locker to use to send data to? And which digital identity is required to open a locker? What legislation is there, can governments open my locker? And what if I die?

Plenty of questions and hardly any answers yet. But I know for certain that we need open standards; at least locker providers should use open standards. Standards to be able to send data, to upload, standards for identity.

[rant mode]And puhlease, get rid of those patents in order to make this new ecosystem work. A long time ago I had a Compuserve account and I feel that all current patent discussion can be stopped by pointing at Compuserve as an example of prior art.[/rant] (sorry about this)