Click here to close now.




















Welcome!

Java IoT Authors: Nicholas Lee, VictorOps Blog, Esmeralda Swartz, Liz McMillan, Pat Romanski

Related Topics: Cloud Security, Java IoT, Microservices Expo, Containers Expo Blog, Agile Computing, SDN Journal

Cloud Security: Article

Time to Ditch Cryptographic Keys?

Will keyless signatures overtake PKI as the wave of the future? Governments, flying drones, and big telecom all say so

What is the most secure way to authenticate electronic data? Until recently, many technical people would have answered ‘cryptographic keys' without blinking. But recent headline events - and a ‘biggie' last year - have raised serious doubts about the ability of cryptographic keys to protect vital government and corporate data.

Here are two examples from February that should make CIOs, CTOs and CSOs tremble in their boardrooms: McAfee revoking keys for signing apps on the Apple store; and stolen keys from Bit9 being used to sign malware.

In the McAfee case, a McAfee administrator revoked (by mistake) the digital key for certifying desktop apps that run on Apple's OS X, thereby creating serious problems for customers who wanted to install or upgrade Mac antivirus products.

The original Arstechnica article (McAfee revoking keys) noted that the administrator intended to revoke his individual user key, but "instead revoked the code-signing keys Apple uses to help keep the Mac ecosystem free of malware."

The bottom line: the mistake left customers with no safe options to install or upgrade their programs. The big takeaway: this episode paints a graphic picture of the challenges of administering the digital certificates at the heart of public key infrastructures (PKI) - certificates used to validate software and websites, and to encrypt email and other forms of Internet communication.

Also in February, a private key that security firm Bit9 uses to certify software was stolen by crooks and used to put a trusted seal of approval on malware that infected a few Bit9 customers.

However, those sorry episodes pale in comparison to a massive security breach last year when hackers used a stolen master private key from RSA to attack Lockheed Martin (RSA/EMC losing its master private key.) Lockheed, a major defense contractor to the U.S. government, makes the F-16, F-22 and F-35 fighter aircraft, the Aegis naval combat system, and the THAAD missile defense.

Sources close to Lockheed said compromised RSA SecurID tokens - USB keychain dongles that generate strings of numbers for cryptography purposes - played a pivotal role in the Lockheed Martin hack.

Hackers apparently entered Lockheed Martin's servers and accessed the company's virtual private network (VPN). The VPN allows employees to connect over virtually any public network to the company's primary servers, using information streams secured by cryptography.

With the RSA tokens hacked, those supposedly secure VPN connections were compromised.

Predictably, Lockheed said it detected the attack almost immediately, repulsed it quickly, and that the risk was minimal. The company also claimed that no customer, program or personal employee data was compromised.

All of the above examples not only undermine the security of using cryptographic keys but leave people wondering whether there is a better way to authenticate.

The better way - Keyless Signature Infrastructure (KSI) - has been around since 2007, when it was invented by scientists in Estonia. KSI generates digital signatures for electronic data on a massive scale but uses only cryptographic hash functions, meaning there are no keys to be compromised or trusted humans in sight.

Some six years ago, Estonian scientists at Tallinn Technical University posed the question: How can you rely on electronic data if you assume that your entire network has been compromised and nobody - not even the system administrators within your own organization - can be trusted?

KSI, the fruit of those scientists' work, is used by governments and companies around the world. It helps them to authenticate electronic data generated from the Smart Grid, the Connected Car, and networked routers and machines (either virtual or physical) - basically any type of electronic data. In November, China Telecom, the largest fixed line telecommunications service provider in China, became a keyless signature service provider via its Tianyi 3G platform. Most recently Japan Drones, a developer of custom software for miniature Unmanned Aerial Vehicles (UAVs) announced it was using keyless signatures for its drone security. The U.S. military could use the good PR, given publicity over a white hat hacking scheme done by University of Texas students as reported in June by The Huffington Post, which went as far as to say, "Turns out it's not too difficult to hack a drone."

Chaozong Chen, general manager of Ningbo CA, the Certificate Authority for the city of Ningbo in Zhejiang province in China, said, "KSI's unique features such as independency of verification, intrinsic time binding for data, universal accessibility cross platforms and lack of keys allow us to provide functions and values where traditional public key infrastructure (PKI) is limited. The future proof from quantum computing is of course a major benefit."

Here's another example of KSI in action: every payment within the Estonian banking system comes with a keyless signature, ensuring that insiders cannot modify transactions intent on fraud.

In addition, the Estonian government has embarked on a huge project to integrate KSI technology into the rsyslog utility - a project that will enable every system event across all government networks to be authenticated by time, data integrity and server identity. (Note: rsylog is an open source utility used on Unix and Unix-like computers for forwarding log messages in an IP network.)

Further demonstrating Estonia's confidence in KSI, the Estonian Government's Centre of Registers and Information Systems (RIK) recently embraced the technology.

RIK is using keyless signature technology for validating the authenticity of documents that it is digitizing from the archives of the Succession Register and Chamber of Notaries.

Using keyless signature infrastructure, the authenticity of all the records is periodically verified, the re-verification happens automatically, meaning that the information about the integrity of the stored records is always up to date and any breaches create an alert immediately.

As KSI has proven itself for years in various government and commercial entities, the time is ripe to consider it the logical successor to cryptographic keys, which are starting to look outdated and very vulnerable.

"While our PKI based solutions have been widely adopted, we see a growing need to prove data integrity and time on a massive scale, with cases where customer identification registration is unpractical and less important, such as electronic receipts for cash based transactions," said Chaozong Chen. "These are where KSI can help. It is strategically important for us to start integrating KSI with our successful PKI solutions and this will help us maintain our leadership in the field."

More Stories By Herman Mehling

Herman Mehling has been an IT writer and consultant for more than 25 years. He has written thousands of articles for leading trade magazines and websites. His work has appeared in such publications as Computer Reseller News, eWeek, Forbes, Network World and InformationWeek. In the ’80s and ’90s, he worked as a PR executive at many San Francisco Bay Area high-tech agencies, including Niehaus Ryan Haller, which helped to launch Yahoo! and to re-cast the image of Apple as an Internet player. He was a staff editor and reporter at Computer Reseller News for many years.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
With the proliferation of connected devices underpinning new Internet of Things systems, Brandon Schulz, Director of Luxoft IoT – Retail, will be looking at the transformation of the retail customer experience in brick and mortar stores in his session at @ThingsExpo. Questions he will address include: Will beacons drop to the wayside like QR codes, or be a proximity-based profit driver? How will the customer experience change in stores of all types when everything can be instrumented and analyzed? As an area of investment, how might a retail company move towards an innovation methodolo...
As more and more data is generated from a variety of connected devices, the need to get insights from this data and predict future behavior and trends is increasingly essential for businesses. Real-time stream processing is needed in a variety of different industries such as Manufacturing, Oil and Gas, Automobile, Finance, Online Retail, Smart Grids, and Healthcare. Azure Stream Analytics is a fully managed distributed stream computation service that provides low latency, scalable processing of streaming data in the cloud with an enterprise grade SLA. It features built-in integration with Azur...
WebRTC has had a real tough three or four years, and so have those working with it. Only a few short years ago, the development world were excited about WebRTC and proclaiming how awesome it was. You might have played with the technology a couple of years ago, only to find the extra infrastructure requirements were painful to implement and poorly documented. This probably left a bitter taste in your mouth, especially when things went wrong.
As more intelligent IoT applications shift into gear, they’re merging into the ever-increasing traffic flow of the Internet. It won’t be long before we experience bottlenecks, as IoT traffic peaks during rush hours. Organizations that are unprepared will find themselves by the side of the road unable to cross back into the fast lane. As billions of new devices begin to communicate and exchange data – will your infrastructure be scalable enough to handle this new interconnected world?
SYS-CON Events announced today that IceWarp will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. IceWarp, the leader of cloud and on-premise messaging, delivers secured email, chat, documents, conferencing and collaboration to today's mobile workforce, all in one unified interface
Too often with compelling new technologies market participants become overly enamored with that attractiveness of the technology and neglect underlying business drivers. This tendency, what some call the “newest shiny object syndrome,” is understandable given that virtually all of us are heavily engaged in technology. But it is also mistaken. Without concrete business cases driving its deployment, IoT, like many other technologies before it, will fade into obscurity.
Consumer IoT applications provide data about the user that just doesn’t exist in traditional PC or mobile web applications. This rich data, or “context,” enables the highly personalized consumer experiences that characterize many consumer IoT apps. This same data is also providing brands with unprecedented insight into how their connected products are being used, while, at the same time, powering highly targeted engagement and marketing opportunities. In his session at @ThingsExpo, Nathan Treloar, President and COO of Bebaio, will explore examples of brands transforming their businesses by t...
The Internet of Things (IoT) is about the digitization of physical assets including sensors, devices, machines, gateways, and the network. It creates possibilities for significant value creation and new revenue generating business models via data democratization and ubiquitous analytics across IoT networks. The explosion of data in all forms in IoT requires a more robust and broader lens in order to enable smarter timely actions and better outcomes. Business operations become the key driver of IoT applications and projects. Business operations, IT, and data scientists need advanced analytics t...
SYS-CON Events announced today that Micron Technology, Inc., a global leader in advanced semiconductor systems, will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Micron’s broad portfolio of high-performance memory technologies – including DRAM, NAND and NOR Flash – is the basis for solid state drives, modules, multichip packages and other system solutions. Backed by more than 35 years of technology leadership, Micron's memory solutions enable the world's most innovative computing, consumer,...
Through WebRTC, audio and video communications are being embedded more easily than ever into applications, helping carriers, enterprises and independent software vendors deliver greater functionality to their end users. With today’s business world increasingly focused on outcomes, users’ growing calls for ease of use, and businesses craving smarter, tighter integration, what’s the next step in delivering a richer, more immersive experience? That richer, more fully integrated experience comes about through a Communications Platform as a Service which allows for messaging, screen sharing, video...
SYS-CON Events announced today that Pythian, a global IT services company specializing in helping companies leverage disruptive technologies to optimize revenue-generating systems, has been named “Bronze Sponsor” of SYS-CON's 17th Cloud Expo, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Founded in 1997, Pythian is a global IT services company that helps companies compete by adopting disruptive technologies such as cloud, Big Data, advanced analytics, and DevOps to advance innovation and increase agility. Specializing in designing, imple...
Akana has announced the availability of the new Akana Healthcare Solution. The API-driven solution helps healthcare organizations accelerate their transition to being secure, digitally interoperable businesses. It leverages the Health Level Seven International Fast Healthcare Interoperability Resources (HL7 FHIR) standard to enable broader business use of medical data. Akana developed the Healthcare Solution in response to healthcare businesses that want to increase electronic, multi-device access to health records while reducing operating costs and complying with government regulations.
SYS-CON Events announced today that HPM Networks will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. For 20 years, HPM Networks has been integrating technology solutions that solve complex business challenges. HPM Networks has designed solutions for both SMB and enterprise customers throughout the San Francisco Bay Area.
For IoT to grow as quickly as analyst firms’ project, a lot is going to fall on developers to quickly bring applications to market. But the lack of a standard development platform threatens to slow growth and make application development more time consuming and costly, much like we’ve seen in the mobile space. In his session at @ThingsExpo, Mike Weiner, Product Manager of the Omega DevCloud with KORE Telematics Inc., discussed the evolving requirements for developers as IoT matures and conducted a live demonstration of how quickly application development can happen when the need to comply wit...
The Internet of Everything (IoE) brings together people, process, data and things to make networked connections more relevant and valuable than ever before – transforming information into knowledge and knowledge into wisdom. IoE creates new capabilities, richer experiences, and unprecedented opportunities to improve business and government operations, decision making and mission support capabilities.
Explosive growth in connected devices. Enormous amounts of data for collection and analysis. Critical use of data for split-second decision making and actionable information. All three are factors in making the Internet of Things a reality. Yet, any one factor would have an IT organization pondering its infrastructure strategy. How should your organization enhance its IT framework to enable an Internet of Things implementation? In his session at @ThingsExpo, James Kirkland, Red Hat's Chief Architect for the Internet of Things and Intelligent Systems, described how to revolutionize your archit...
MuleSoft has announced the findings of its 2015 Connectivity Benchmark Report on the adoption and business impact of APIs. The findings suggest traditional businesses are quickly evolving into "composable enterprises" built out of hundreds of connected software services, applications and devices. Most are embracing the Internet of Things (IoT) and microservices technologies like Docker. A majority are integrating wearables, like smart watches, and more than half plan to generate revenue with APIs within the next year.
Growth hacking is common for startups to make unheard-of progress in building their business. Career Hacks can help Geek Girls and those who support them (yes, that's you too, Dad!) to excel in this typically male-dominated world. Get ready to learn the facts: Is there a bias against women in the tech / developer communities? Why are women 50% of the workforce, but hold only 24% of the STEM or IT positions? Some beginnings of what to do about it! In her Opening Keynote at 16th Cloud Expo, Sandy Carter, IBM General Manager Cloud Ecosystem and Developers, and a Social Business Evangelist, d...
In his keynote at 16th Cloud Expo, Rodney Rogers, CEO of Virtustream, discussed the evolution of the company from inception to its recent acquisition by EMC – including personal insights, lessons learned (and some WTF moments) along the way. Learn how Virtustream’s unique approach of combining the economics and elasticity of the consumer cloud model with proper performance, application automation and security into a platform became a breakout success with enterprise customers and a natural fit for the EMC Federation.
The Internet of Things is not only adding billions of sensors and billions of terabytes to the Internet. It is also forcing a fundamental change in the way we envision Information Technology. For the first time, more data is being created by devices at the edge of the Internet rather than from centralized systems. What does this mean for today's IT professional? In this Power Panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists addressed this very serious issue of profound change in the industry.