-
"First and foremost, there is no proper excuse for continued use of a broken cryptographic primitive (MD5) when sufficiently strong alternatives are readily available, for example SHA-2. Secondly, there is no substitute for security awareness." ... "Advice from experts should be taken seriously and early in the process. In this case, MD5 should have been phased out soon after 2004."Read more...
Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Wegerr, "MD5 considered harmful today - Creating a rogue CA certificate", December 2008 -
Read more...
"The future ability of quantum computers might be a decade or two away, their future ability to break public-key cryptography has important implications for the encryption of highly sensitive information today. For these applications, we must already design new public-key cryptosystems and one-way functions that are immune to quantum cryptanalysis."
ARDA, Report of the Quantum Information Science and Technology Experts Panel, 2004 -
Read more...
“It's not good enough to have a system where everyone (using the system) must be trusted, it must also be made robust against insiders!”
Robert Morris, former Chief Scientist of the US National Security Agency (NSA), National Computer Security Center, "Crypto '95 invited talks by R. Morris and A. Shamir", 1995
Resources Synaptic website articles Security: Information assurance article: Addressing single points of failure in security systems
| article: Addressing single points of failure in security systems |
| Synaptic website articles - Security: Information assurance |
|
Security has often been described as a chain of interconnected links working together. The well-known industry saying goes that the security of the system is only as strong as the weakest link. These weakest links are single points of potential failure that can result in the security of the entire system failing. Let us briefly look at one such example. The Kerberos authentication system is designed to allow a trusted third party to securely introduce a user to another user or service. The problem with this system is that the trusted third party is potentially aware of all secret material exchanged between the users. The Kerberos system works well in environments where the trusted third party is also the party providing services to users. But it is not particularly suited to use in other applications. It was exactly this type of problem that led Whitfield Diffe to co-invent public key cryptography:
Whitfield Diffie, co-inventor of public key cryptography, speaking at the 30th Anniversary of PKC, Oct 2006 While being aware that the system is as strong as the weakest link it has often been used to justify the use of less-than-ideal components and weak constructions on the pessimistic basis that the wider system in which it is implemented is inherently insecure. The limitation in this line of reasoning is that there is no longer any strong point on which we can manage the points that are at risk. If our goal is to strive for risk management and the design of high assurance systems than we must design and implement each part of the system in a robust manner. Having comprehensively built these strong foundations we can then appropriately shift our focus to addressing the complex dynamics of large electronic systems and human interaction. Synaptic is designing a unified ecosystem which addresses the long-term security risks and the point-based problem solving to create a strong foundation on which the perpetual wheels of the security process can stand on. Synaptic Labs' Group, Enterprise, and Universal key exchanges are exemplary protocols that manage the complex human trust relationships to mitigate against the risk of single point of trust failure. The Synaptic key exchange protocols also demonstrate the ability to layer two fundamentally different key exchange techniques in a manner that provides practical increase in security under some realistic attack scenarios. |
| Last Updated on Monday, 05 January 2009 15:22 |