Archive for February 2012

Identity Theft: The Number One Consumer Complaint in 2011

Identity theft was the number one consumer complaint from consumers to the Federal Trade Commission (FTC) for the 12th year in a row.

The FTC tracks and records complaints into Consumer Sentinel, an online database used to track targets and research cases. Of more than 1.8 million complaints filed with the FTC in 2011, nearly 15 percent were identity theft complaints.

Twenty-five percent of those were tax or wage related, according to data from the FTC’s annual Consumer Sentinel Network Data Book released on Tuesday. The Miami-Ft. Lauderdale metro area ranked number one for most identity theft crimes.

Thirty percent of identity theft victims never notified police, according to Consumer Sentinel data. Consumer Sentinel data is, however, accessible to law enforcement agencies for investigations, and about a dozen other agencies contribute data to Consumer Sentinel, including the U.S. Postal Service Inspection Service, the Department of Justice Internet Crime Complaint Center, and all U.S. and Canadian members of the Better Business Bureau.

Meanwhile, the Electronic Frontier Foundation released a new version of HTTPS Everywhere, a Web browsing tool for Firefox and Google Chrome browsers, that automatically encrypts communication with major Web sites to help protect user information from monitoring and hijacking of data that can lead to identity theft.

The new version, HTTPS Everywhere 2.0 for Firefox, has a feature that warns a user when they’re visiting a Web site that has security vulnerabilities, flagging sites that are vulnerable to eavesdropping or man in the middle attacks.

“In recent weeks, an unexpected weakness in the encryption used by many routers, firewalls and VPN devices made big news,” said EFF Technology Projects Director Peter Eckersley. “The new version of HTTPS Everywhere for Firefox will let users know when they connect to a website or device that has a security problem–including weak key problems like the ones that were disclosed two weeks ago–giving people the information they need to protect themselves.”

The browser extension has been downloaded in more than one million homes since its launch in 2010, according to an EFF press release distributed on Tuesday.



By Carlton Purvis 02/29/2012

E-passports spread to half the globe

By Ryan Clary, Contributing Editor, AVISIAN Publications

Re-Posted from SecureIDNews: http://www.secureidnews.com/2012/02/28/e-passports-spread-to-half-the-globe

Tuesday, February 28, 2012

Nearly half of all United Nations (U.N.) member states are now issuing biometric e-passports, according to the newest data from the International Civil Aviation Organization (ICAO), the U.N. agency that oversees international air travel.

ICAO, which held its 20th TAG/MRTD meeting in September, reports that 93 out of 193 U.N. member states now issue e-passports, with 21 additional countries ready to deploy the technology in the next 12 to 48 months.

ICAO estimates that as of July 2011, these 93 states have issued more than 345 million e-passports, of which almost 340 million are in circulation.

As per ICAO specifications, each of these documents contains a contactless integrated circuit chip that stores biometric data–i.e. facial, fingerprint or iris–of the passport holder as well as other encrypted identification data. Forty-five of the e-passport issuing states store both fingerprint and facial data on their documents, while 34 store only the facial data. The remaining 14 states currently use facial data, but will begin including fingerprints by the end of 2011.

According to ICAO’s findings, the U.S. remains the largest issuer with 72 million documents issued to date. The U.S. issued 13 million in the past year. The UK, which issued 5 million e-passports in 2011, ranks as the second largest issuer with 27 million in total.

By region, Europe leads the pack with multiple countries–notably France, Spain, Italy, the Netherlands and Germany–each issuing more than a million e-passports in the past year.

However, according to Acuity Market Intelligence, Europe will soon be challenged by the Asia Pacific region, which is projected to issue 55 million documents in 2014 alone, representing 42% of the global share. Altogether, Acuity projects that there will be 26 Asia Pacific nations issuing e-passports by 2014.

Japan and India are leading the Asia Pacific region each with 20 million e-passports issued to date. According to ICAO, India rolled out 12 million documents in the past year, compared to Japan’s 4 million. The two are followed by the Philippines with 12 million issued to date, followed by Australia with nearly 11 million.

Many states in Africa, Central America and South America have yet to commit to the new technology, although several major countries including Mexico and South Africa are among the 21 nations listed by ICAO as “pending” for e-passport deployments.

The other nations planning to issue e-passports in the near future include Armenia, Azerbaijan, Bahrain, Belarus, Cameroon, China, Colombia, Israel, Jamaica, Kenya, Kuwait, Lebanon, Oman, Panama, Saudi Arabia, Sri Lanka, Ukraine, Uzbekistan and Vietnam.

Issuance Strong but Usage Lags

Despite the growing numbers, ICAO reports that less than a third of e-passport issuing nations participate in the organization’s Public Key Directory (PKD)–a system ICAO says is “key” in maintaining global interoperability of e-passports.

The PKD system acts as a central broker to manage the exchange of Public Key Infrastructure certificates and PKI certificate revocation lists. ICAO says the PKD plays a critical role in minimizing the volume of certificate lists that must be exchanged and is essential to keeping the exchange of these crucial lists accurate and timely.

Even fewer states use Automated Border Crossing systems, which require the traveler to pass through e-gates that verify the biometric information stored on the passport. ICAO reports that 15 nations now use the systems–of which six employ facial scans, six check fingerprints and the remaining three use both facial and fingerprint scans.

According to ICAO, just eight states read e-passports at airports and borders. These include the U.S., the U.K., Singapore, Portugal, New Zealand, Japan, Indonesia and Germany.

Report: 90% of passports chip-enabled by 2016

IMS Research predicts that within five years 90% of passport holders will be using e-passports with integrated smart card IC chips.

Nearly half of all current passports issued today use smart chip technology, thanks to a rapid migration started in 2007. “This trend is set to continue,” states Alex Green, author of the IMS report “Electronic Government and Health Care ID Cards.”

“There are still a few countries around the world that are not yet issuing e-passports. However, most have started and with the typical five to ten year replacement rates for passports, it is only a matter of time before all passports in circulation are e-passports,” explains Green.

The report examines the use of biometrics in e-passports, which is still largely limited to a digital image of the holder’s face stored on the IC.

Green says this will change: “By 2014, the situation is forecast to have been reversed. By this time the majority of passports being issued will also include additional biometric data such as one or more fingerprints, iris scans, etc.”

A Comparison of PIV, PIV-­I, and CIV Credentials

Homeland Security Presidential Directive 12 (HSPD-12) mandates a standard for a secure and reliable form of identification to be used by all Federal employees and contractors. Signed by President George W. Bush in August 2004, HSPD-12 initiated the development of a set of technical standards and issuance policies (Federal Information Processing Standard 201 [FIPS 201]) that create the Federal infrastructure required to deploy and support an identity credential that can be used and trusted across all Federal agencies for physical and logical access.

The policy, processes and technology in FIPS 201 also reflect specifications defined in a number of other special publications (SPs) specifically written for FIPS 201 and build on other National Institute of Standards and Technology (NIST) standards and SPs that support best practices. Importantly, these standards also build on international and national standards from organizations such as the Internet Engineering Task Force (IETF), the International Telecommunications Union (ITU), the Institute of Electrical and Electronics Engineers (IEEE), the International Organization for Standardization (ISO), the Organization for the Advancement of Structured Information Standards (OASIS) and others.

Two additional credentials have been defined – the Personal Identity Verification-Interoperable (PIV-I) and Commercial Identity Verification (CIV) credentials – with the goal of taking advantage of the infrastructure created by the Federal government’s PIV program. The policy, process and technology applied to each of these credentials determine its level of assurance and interoperability, and ultimately the extent to which it can be used and trusted in its intended application. As shown in the table below, the policy and process around PIV and PIV-I are what enable the interoperability and trust of the credential. The CIV credential was defined as a commercial credential that could take advantage of the PIV infrastructure. Adhering to and maintaining these policies and processes requires additional investment in identity and credential infrastructure; in return, users and organizations gain access to identity and credential services in the commercial arena with many of the advantages enabled by the creation of the PIV infrastructure.

Comparison of PIV, PIV-I and CIV credentials (one row per attribute; the three columns of the original table are given as PIV, PIV-I and CIV entries)

Policy

Breeder documents
  PIV: Follows FIPS 201
  PIV-I: Follows FIPS 201
  CIV: Follows the issuing organization’s policies

Background checks
  PIV: National Agency Check with Investigation
  PIV-I: None required; directly impacts level of suitability for access
  CIV: Follows the issuing organization’s policies

Process

Application, adjudication, enrollment, issuance, activation
  PIV: Follows FIPS 201, including separation of roles and strong biometric binding
  PIV-I: Follows Federal Bridge cross-certification certificate policies(1); follows SP 800-63-1 for Federal issuance; based on FIPS 201, including separation of roles and strong biometric binding
  CIV: Follows the issuing organization’s policies; for Federal relying parties, follows SP 800-63-1

Technology

Card data model
  PIV: Must follow SP 800-73
  PIV-I: Must follow SP 800-73
  CIV: “Follows” SP 800-73 (recommended)

Current primary credential number
  PIV: FASC-N(2) (requires Federal agency code)
  PIV-I: UUID (no Federal agency code required)
  CIV: UUID (recommended) (no Federal agency code required)

Object identifiers
  PIV: Federal Bridge
  PIV-I: Federal Bridge
  CIV: Organization Internet Assigned Number Authority (IANA) (if exists)

Types of Federation / Levels of Assurance Policy

Trustworthiness
  PIV: Trusted identity, credential and suitability
  PIV-I: Trusted basic identity and credential but not suitability
  CIV: Trusted credential only within the issuing organization

Trust among organizations
  PIV: Federal Bridge
  PIV-I: Clustered through Federal Bridge
  CIV: Clustered alone

Origin

Organization
  PIV: NIST
  PIV-I: Federal CIO Council
  CIV: Smart Card Alliance Access Control Council(3)

Defining documents
  PIV: FIPS 201, SP 800-73 and other related NIST publications
  PIV-I: Personal Identity Verification Interoperability for Non-Federal Issuers(4); FICAM PIV-I FAQ(5)
  CIV: The Commercial Identity Verification (CIV) Credential–Leveraging FIPS 201 and the PIV Specifications(6)

Motivation
  PIV: HSPD-12
  PIV-I: Interoperable credential for organizations doing business with the government and for first responders
  CIV: Commercial credential that could take advantage of the PIV infrastructure

Markets

Organization
  PIV: Federal agencies
  PIV-I: Federal agencies; Federal contractors; commercial organizations doing business with the Federal government; state and local governments; critical infrastructure providers; first responder organizations; commercial organizations who are part of an industry initiative and require an interoperable, trusted credential
  CIV: Commercial organizations seeking a credential for use for their employees, subcontractors, non-employee visitors and customers; Federal agencies who accept credentials with medium hardware assurance(7)

Resources that the credential may be used for (all three)
  Credential can be used in a wide range of both employment-related and consumer-based transactions. Examples include physical access, logical access(8), mass transit, and closed loop payments.

(1) http://www.idmanagement.gov/fpkipa/documents/FBCA_CP_RFC3647.pdf
(2) The FASC-N contains a federal agency code which is managed by NIST. PIV-I and CIV credential numbers
(UUIDs) are generated by the issuing organization. See NIST SP 800-87 for additional information.
(3) The Smart Card Alliance Access Control Council selected the name CIV and documented the specifications that
would define a credential that was technically compatible with the PIV specifications.
(4) http://www.idmanagement.gov/documents/PIV_IO_NonFed_Issuers.pdf
(5) http://www.idmanagement.gov/documents/PIV-I_FAQ.pdf
(6) http://www.smartcardalliance.org/resources/pdf/CIV_WP_101611.pdf
(7) Requires that the CIV credential have a medium hardware certificate.
(8) Logical access includes: computer logon, digital signatures, network access, application access, data/communication encryption.

About this Brief

This brief was developed by the Smart Card Alliance Access Control Council to provide an easy-to-use comparison of PIV, PIV-I and CIV credentials.

Access Control Council members involved in the development of this white paper included: AMAG Technology; Booz Allen Hamilton; Diebold Security; Marty Frary; HP Enterprise Services; Identification Technology Partners; Identive Group; IDmachines; Intellisoft, Inc.; NASA; NXP Semiconductors; Oberthur Technologies; Probaris; Software House/Tyco; U.S. Department of State; XTec, Inc..

Additional information on PIV-I and CIV credentials can be found in the following Smart Card Alliance white papers:

About the Access Control Council

The Smart Card Alliance Access Control Council is focused on accelerating the widespread acceptance, use, and application of smart card technology for physical and logical access control. The group brings together, in an open forum, leading users and technologists from both the public and private sectors and works on activities that are important to the access control community and that will help expand smart card technology adoption in this important market. Additional information can be found on the Smart Card Alliance Web site, http://www.smartcardalliance.org.

Re-Posted from Smart Card Alliance: http://www.smartcardalliance.org/pages/publications-a-comparison-of-piv-piv-i-and-civ-credentials

Using PKI for physical access control

Physical security professionals are hearing about public key infrastructure, or PKI, more frequently than ever before. This is because the federal government, through the National Institute of Standards and Technology (NIST) and the Interagency Advisory Board (IAB), is pushing for higher security in the physical access control world.

The federal government says physical access control systems (PACS) need to be upgraded to be FIPS 201 and SP 800-116 compliant. Depending on the level of assurance required for entering the space, each door or turnstile will be secured by an authentication system capable of verifying one or more authentication factors before granting access.

A traditional access control reader provides one authentication factor, which results in “some” assurance. A single factor is the minimum standard for controlled access defined by SP 800-116. Readers with PIN pads can be used to provide two factors, and readers with a fingerprint sensor or iris scanner can provide three.

A FIPS 201-compliant contactless card reader must also ensure that the credential being presented is the one that was originally enrolled in the PACS rather than a forgery or clone.

Access control systems can use PKI at the door to accomplish this and determine a card’s authenticity. The process uses private and public keys to sign and verify a random challenge sent to the smart card. Only an original, legitimate card can respond correctly to the challenge.

Where does PKI at the door live?

There are three basic configurations for PKI at the door:

1. The challenge is generated at the panel and sent to the reader where it is passed to the card. The reader is effectively a transparent smart card reader that passes smart card commands and responses between the card and the panel. Cryptographic processing of the response from the card is performed at the panel and certificates and certificate revocation status are cached at the panel.

The advantage of this approach is that it does not require extra boards or equipment, and it is highly resilient because the panel is designed to operate offline from the server for long periods of time. The downside is that the panel needs to be upgraded to perform PKI at the door.

2. The challenge is generated at the PACS server and sent to the reader, which passes it to the card. The reader passes the response back to the server, which then verifies the response and issues a message to the appropriate hardware to unlock the door.

This solution works with all panels in use today and can handle hundreds of doors concurrently. It has an early advantage because there is no need to update panel firmware. The disadvantage is that its reliability depends on server availability, although this can be mitigated with a backup server.

3. The challenge is generated by an additional board or controller and is sent to the reader, which passes it to the card. The reader passes the response back to the controller where it is verified. Depending on the verification results, the card identifier is sent to the access control panel.

There is no need to update the panel firmware with this approach. Because it operates closer to the door, it is designed to operate independently of a server for long periods of time – much like a panel. On the negative side, a separate controller adds cost in equipment and wiring.

With all three approaches, data is sent over multiple hops from the card edge to the PACS, and at each hop the data needs to be secured using encryption.

Is PKI at the door for everyone?

All of this data processing takes time. Factors, such as the type of card and type of connectivity between devices, cause card authentication times to range from one to several seconds.

The good news is that once a cardholder has authenticated with the requisite factors to enter a particular area there is no need to re-authenticate unless a security area requiring even higher assurance is nested within it. Even then only the additional assurance factors are required. Therefore, security managers should plan their SP 800-116 security zones with an eye on minimizing cost while maximizing throughput and security.

What does the future hold for PKI at the door?

While a physical card is the primary means for gaining access into a high-assurance area, near field communications (NFC) is quickly becoming standard in mobile phones. With NFC, the phone becomes both a credential and a reader. Combined with cloud services, NFC can dramatically lower the costs of PKI at the door by eliminating panels and reducing wiring to an NFC terminal connected to a door relay.

This type of solution won’t work in every environment, but it will provide organizations with additional options, especially in the commercial market. NIST and IAB are already looking into this technology and security companies are gearing up for it.

The trickle-down effect–where the mainstream market embraces technologies first implemented by the government–will play a large role in the adoption of PKI in the physical security market as a high assurance validation method.

By Bob Fontana, President and CTO, Codebench

Original Article from SecureIDNews: http://www.secureidnews.com/2012/02/27/using-pki-for-physical-access-control

Three reasons why ID theft increased in 2011 and how you can protect yourself.

ID theft increased by 13 percent in 2011 over the previous year, according to a new study from Javelin Strategy & Research. Find out why and how you can protect yourself better.

Last year saw an increase in identity theft incidents when compared to 2010. According to a fraud report from Javelin Strategy & Research, there has been an increase of 13 percent in ID Theft for 2011, and some of the blame can be pinned on the rise of social media and smartphone use.

In 2010, roughly ten million adults were victims of ID fraud; that number is now up to 11.6 million adults in 2011. Javelin Strategy & Research’s long-running study surveyed 5,022 US consumers in October 2011 in order to pinpoint the impact of fraud, as well as the prime areas of vulnerability. The fraud report found that, in 2011, the main catalysts for the rise in ID theft incidents were the rampant data breaches, negligent smartphone security and publicly displayed personal information on social media sites.

Interestingly, while fraud incidents were higher for 2011, the cost of identity fraud hasn’t increased. Compared to 2004, the consumer’s out-of-pocket costs have actually decreased by 44 percent. The report attributes this to a crack-down on authentication by institutions, as well as consumer awareness efforts by the government and institutions. Last spring, seeking to minimize identity theft, the Obama administration put forth a new plan known as the National Strategy for Trusted Identities in Cyberspace (NSTIC); the administration is currently trying to convince internet companies to comply with one standardized Internet login system.

“While identity fraud incidence increased last year, it is becoming less profitable for fraudsters. Consumers, the financial services industry, law enforcement and government agencies are stopping fraud earlier and making new account fraud more difficult to perpetrate,” said Javelin Strategy & Research president, James Van Dyke.

Three ID theft catalysts

Key to the large number of fraud incidents was the increase in data breaches seen in 2011; Sony had its infamous PSN data breach in which an estimated 100 million users’ data was compromised. Javelin reports a 67 percent increase in the number of Americans impacted by data breaches last year. The three items most commonly exposed in a breach are credit card numbers, debit card numbers and Social Security numbers. The research found that data breach victims are 9.5 times more likely to suffer an identity fraud incident.

Javelin also found that certain social behaviors put consumers more at risk. Despite warnings that fraudsters often use social media as a resource, the research found that users were sharing a large amount of personal information on their networks; the same type of information used to authenticate identity by institutions. The study found that, of those who had public profiles, 68 percent shared their birthday information, 63 percent shared their high school, 12 percent shared their pet’s name and 18 percent even shared their phone number.

Though Javelin said there is “no proof of direct causation,” Google+, Twitter, Facebook and LinkedIn had the highest incidence of fraud. LinkedIn users were twice as likely to have reported being an identity theft victim.

As far as smartphone users go, the survey found that seven percent of owners were victims of ID theft. Javelin believes these users could benefit from updating to the newest OS whenever possible, using a password on their home screen, and avoiding saving login information on their devices.

How to protect your ID

The research firm offers some tips for those of you worried about your data. On the prevention side, always keep your personal data private. That means keeping your data secure with passwords or in a locked storage device and never paying your bills on a public WiFi hotspot. Also, obviously, keep key personal information on social networking sites, like your cat’s name or your birthday, private. On the mobile front, be sure of the apps you download and the data you share on public WiFi, and of course watch where you leave your phone.

Prevention can only do so much, so create a system to detect fraud early. Monitor credit and debit accounts via your institution’s website and set up alerts to be sent to your mobile or email. Look into identity theft services that offer credit monitoring, fraud alerts, credit freezes, database scanning and so on; many are available for free.

Lastly, if a problem does arise, make sure you report it as quickly as possible. The sooner you act, the less you will lose and the more likely law enforcement can catch the fraudsters.

This article was originally posted on Digital Trends

By Jeff Hughes

http://www.digitaltrends.com/mobile/why-id-theft-increased-in-2011-and-how-you-can-protect-yourself/

Attention, parents: Your child’s college student ID might be doubling as a prepaid card.


The prepaid aspect is the latest twist on a long tradition of college campus ID cards serving a dual financial purpose.

In the late 1980s and early 1990s, many college student IDs worked as closed-loop cards, allowing students to pay for meals, laundry and other services on campus, as well as purchases at select merchants off campus. Through the mid-to-late 1990s, many banks linked PIN-based debit accounts to student ID cards, according to Lent.

And in the last three years, some universities started distributing financial aid refunds to students via prepaid student IDs.

Several companies have rolled out prepaid student ID cards in 2011. Here’s an outline of their features and fees.

New prepaid student ID cards

On April 27, SunTrust launched its SunTrust Campus Card, which is a MasterCard reloadable prepaid card that also serves as a college student ID. With the SunTrust Campus Card, students can make purchases anywhere MasterCard is accepted and withdraw cash fee-free at SunTrust ATMs.

Parents and students can add funds to the card online, and participating colleges and universities will be able to load financial aid disbursements directly onto the cards, if desired.

In November, American Express followed suit with the launch of its first prepaid campus ID card with the University of North Florida.

The Osprey 1Card prepaid campus ID card offered by American Express allows students to make purchases anywhere American Express is accepted, including online retailers. It has two magnetic stripes — one for campus use and one for American Express transactions.

Once students register their prepaid student ID with American Express, they can add money to the card from a bank account or through a Green Dot MoneyPak, a service that allows customers to add money to a prepaid card or PayPal account without using a bank account. Students using a MoneyPak to load cash onto their prepaid cards pay a purchase fee of up to $4.95.

American Express provides one free ATM withdrawal per calendar month with the card. After that, a $2 fee is assessed for each additional ATM withdrawal.

If a prepaid student ID card is lost or stolen, American Express will replace the card’s prepaid balance.

But be aware — a college or university may charge anywhere from $10 to $25 to replace a student ID, says Lent.

Another card — the Discover Campus Card — allows college students to load it with their financial aid balances, work-study funds, student payroll or other funds. Students can make purchases anywhere Discover is accepted, get cash from ATMs and add money to the card from a bank account.

With the Discover Campus Card, students can make free ATM withdrawals at participating on-campus ATMs and at Allpoint Network ATMs. If a student withdraws cash from the card with another network’s ATM, a $2.50 card fee applies.

If a Discover Campus card is inactive for nine consecutive months, a $3.50 monthly maintenance fee is applied.

Grading prepaid student IDs

The prepaid functionality adds purchasing power to a student’s trusty school ID, a card many college students always carry.

“It makes it that much easier for the student,” says Madeline K. Aufseeser, a senior analyst with Aite Group, a Boston-based research and advisory firm for the payments industry. “They only have to carry one card along with them.”

Students can use their prepaid campus ID cards to pay bills, shop online or withdraw cash at local ATMs. And because the cards are prepaid, students can only spend the amount loaded on the card.

“You can’t overdraft,” says Terry Maher, general counsel for the Network Branded Prepaid Card Association. “If there’s no money on the card, it declines the transaction.”

However, it’s smart to review any financial components to your college student’s ID card. Here are some details to research before signing up.

  • Can your student use the card to make purchases on and off campus?
  • Can the student ID card be linked to a checking account?
  • Can your child receive his or her financial aid refund on the card? How else can the card be funded?
  • Are there any fees associated with the card, including fees for loading money, monthly maintenance, inactivity, card replacement or ATM withdrawals?
  • Will the funds be replaced if the card gets lost or stolen?

“Take the time to read through the terms and conditions of prepaid cards,” Lent says. “Not all prepaid cards are created equal. Some have fees. Others don’t.”

Before signing up for a student ID that functions as a prepaid card, consider your student’s other financial options. Would your child be better off with a student checking account and debit card from a local bank or credit union?

“They don’t necessarily have to take the university card. Check and see if the product being offered by the university is competitive,” Maher says. “If a student already has a bank account, they might want to use a debit card.”

This post originally appeared at Bankrate.com

Crypto researcher Arjen Lenstra shares thoughts on paper blasting RSA cryptosystem

Lenstra: ‘If the environment cannot provide enough entropy during key set-up, then RSA becomes a tricky choice’

By Ellen Messmer, Network World
February 17, 2012 01:43 PM ET

What a week for the RSA cryptosystem! A group of prominent researchers published a paper blasting it as woefully insecure, RSA said there’s nothing wrong with the RSA algorithm, it’s an implementation issue mainly with random-number key generation, and now the cryptography researcher behind the paper, Arjen Lenstra, signs off the week with a few thoughts about it all.

BACKGROUND: RSA brushes off crypto research findings that RSA algorithm is flawed

“If properly implemented, RSA is fine,” said Lenstra, the well-known crypto researcher who worked with James Hughes, Maxime Augier, Joppe Bos, Thorsten Kleinjung and Christophe Wachter on the remarkable project that included examining millions of X.509 public-key certificates that are publicly available over the Web.

That study (explained in the “Ron is wrong, Whit is right” paper) had the researchers examining 6.4 million distinct X.509 certificates and PGP keys containing RSA moduli, and “we stumbled upon 12,720 different 1024-bit RSA moduli that offer no security.” They said that “their secret keys are accessible to anyone who takes the trouble to redo our work.”

The paper concluded: “Overall, over the data we collected, 1024-bit RSA provides 99.8% security at best.” It also compared RSA to “single secret” cryptosystems such as ElGamal and DSA, based on Diffie-Hellman (DH), saying these are “less risky” than cryptosystems based on RSA.

“The recommendation is to use a cryptosystem that is appropriate for the environment where it will be used,” said Lenstra in an email exchange with Network World. “If the environment cannot provide enough entropy during the key set-up, then RSA becomes a tricky choice. RSA itself is fine — it is the way it is used/implemented/whatever you want to call it, that is the problem. Other crypto (DSA and such) have that too, but in subtly different ways.”

The concept of “entropy” in the science of cryptography is roughly analogous to “uncertainty,” he says, based on mathematical outcomes. “Lots of tricks have been invented, but getting enough entropy on a device is still a very tricky problem,” he points out.

Lenstra said, “Apparently, the consideration that adequate entropy needs to be present when generating RSA keys has not consistently been taken into account (most commonly on embedded devices, but unfortunately not only in those environments). As far as I can tell, everyone is in full agreement on this issue.”

As far as there being a “clear distinction between RSA and Diffie-Hellman based methods such as ElGamal and (EC)DSA,” Lenstra points out, the research outlined in the paper underscores “that the effects of poor entropy are different for the two types of methods: for the latter, the parties using the same poor entropy can breach each other’s security (as it may result in identical keys), for the former anyone may be able to breach the security of any pair of parties that use poor entropy (namely, if it results in non-identical but intersecting keys — the latter does not occur for the DH-type methods). As far as I’m aware, this distinction has not been pointed out before.”
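The "non-identical but intersecting keys" case Lenstra describes is what a shared-factor audit looks for: if two RSA moduli were built from the same poor entropy and share one prime, gcd of the two public moduli reveals that prime and factors both. The following is an added illustration, not code from the paper or from Network World; the prime pool and the certificate names are constructed, tiny values so it runs instantly.

```python
"""Audit a set of RSA moduli for shared prime factors (constructed example).

Two keys generated from the same poor entropy can end up with a prime in
common; gcd(n1, n2) then exposes that prime, and hence both private keys,
to anyone holding the public moduli. Identical moduli, by contrast, only
compromise the two parties that share them: gcd returns the whole modulus
and a third party learns no factor. The moduli below are constructed from
tiny primes and are NOT keys from the paper.
"""
from itertools import combinations
from math import gcd

# Constructed "prime pool": a low-entropy device keeps choosing from the
# same few primes.
P1, P2, P3, P4, P5 = 1000003, 1000033, 1000037, 1000039, 1000081

# Constructed public moduli. cert_a and cert_b share P1; cert_c shares
# nothing; cert_d is identical to cert_a (the "identical key" case).
MODULI = {
    "cert_a": P1 * P2,
    "cert_b": P1 * P3,
    "cert_c": P4 * P5,
    "cert_d": P1 * P2,
}


def shared_factor_audit(moduli):
    """Return {name: (p, q)} for every modulus factored via a shared prime."""
    factored = {}
    for (name_a, n_a), (name_b, n_b) in combinations(moduli.items(), 2):
        if n_a == n_b:
            # Identical moduli: gcd gives back n itself, no factor leaks.
            continue
        g = gcd(n_a, n_b)
        if g > 1:
            factored[name_a] = (g, n_a // g)
            factored[name_b] = (g, n_b // g)
    return factored


def identical_moduli(moduli):
    """Return groups of certificate names that carry the very same modulus."""
    seen = {}
    for name, n in moduli.items():
        seen.setdefault(n, []).append(name)
    return [names for names in seen.values() if len(names) > 1]


if __name__ == "__main__":
    print("factored via shared prime:", shared_factor_audit(MODULI))
    print("identical moduli:", identical_moduli(MODULI))
```

On a real inventory one would run the same gcd pass (or a batch-gcd variant) over every modulus in the organisation's certificate store and replace any key that turns up factored.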

Lenstra added: “I do not know to what extent it has played a role in NSA’s Suite B cryptography,” and the National Security Agency’s decision to recommend ECDSA “may have been entirely based on issues related to key size and uncertainty of extrapolation thereof, which is a bit curious given how straightforward it is.”

The researcher continued: “It is not a failure of RSA — indeed, everyone knows that RSA key set-up should only be done when adequate entropy is present — but it is a consideration that one may want to take into account. This is in full agreement with RSA’s recommendation to ensure good implementation and to follow best practices.”

The research group is not planning any further activities specifically along the lines of what it has just done, and has moved all its data offline and “stored everything in a secure location,” Lenstra said. He said “it is not at all our main activity or interest but it was just a toy project based on our curiosity” and “our initial findings (which we cannot share) were such that we looked at it at a somewhat wider scale than we had originally intended.”

Some sources intimate that NSA may have conducted a similar research project to that described in the “Ron is wrong, Whit is right” paper, though this wasn’t for public consumption. Lenstra said he’s not surprised the NSA would have done a similar project on its own, but he doesn’t know anything about it.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.

Re-posted from Network World: http://www.networkworld.com/news/2012/021712-rsa-lenstra-256309.html?page=1

Canada introduces the Protecting Canada’s Immigration System Act

Legislation to protect the integrity of Canada’s immigration system was introduced today by Citizenship, Immigration and Multiculturalism Minister Jason Kenney.

The proposed measures include further reforms to the asylum system to make it faster and fairer, measures to address human smuggling, and the authority to make it mandatory to provide biometric data with a temporary resident visa application. “Canadians take great pride in the generosity and compassion of our immigration and refugee programs. But they have no tolerance for those who abuse our generosity and seek to take unfair advantage of our country,” said Minister Kenney.

The new bill, Protecting Canada’s Immigration System Act, proposes changes that build on reforms to the asylum system passed in June 2010 as part of the Balanced Refugee Reform Act.

The proposed measures would provide faster protection to those who genuinely need refuge, and faster removal for those who don’t.

In particular, refugee claimants from generally non-refugee-producing countries such as most of those in the European Union (EU) would be processed, on average, in 45 days compared to more than 1,000 days under the current system, or 171 days under the Balanced Refugee Reform Act.

“It has become clear that there are gaps in the Balanced Refugee Reform Act and we need stronger measures that are closer to the original refugee bill we tabled back in March 2010,” said Minister Kenney. “Canada receives more refugee claims from Europe than from Africa or Asia. Last year alone, 23% of all refugee claims made in Canada were made by nationals from the EU. That’s up from 14% the previous year. This growing trend threatens the integrity of our immigration system.”

In recent years over 95% of EU claims were withdrawn, abandoned or rejected. If that trend continues, that means that the unfounded claims from the 5,800 EU nationals who sought asylum last year will cost Canadian taxpayers nearly $170 million.

“Too many tax dollars are spent on bogus refugees. We need to send a message to those who would abuse Canada’s generous asylum system that if you are not in need of protection, you will be sent home quickly,” added Minister Kenney.

With the Balanced Refugee Reform Act and today’s legislation, the provinces and territories are expected to save in the range of $1.65 billion over five years in social assistance and education costs.

Most of the provisions in the former Preventing Human Smugglers from Abusing Canada’s Immigration System Act (Bill C-4) have also been included in this new bill, with one modification. Minors under the age of 16 would be exempt from the detention proposals designed to deal with all mass arrivals from human smuggling operations.

“Our Government is sending a clear message that our doors are open to those who play by the rules, including legitimate refugees. However, we will crack down on those who endanger human lives and threaten the integrity of our borders,” said Minister Kenney. “Human smuggling is a despicable crime and Canadians think it’s unacceptable for criminals to abuse Canada’s immigration system for financial gain.”

Mandatory detention remains for people who enter Canada as part of a designated smuggling event. But once the identity of a claimant has been established and a refugee claim is approved, individuals would be released from detention.

The final component of the new legislation would give the Minister the authority to make it mandatory for visa applicants to provide biometric data (i.e., fingerprints, photograph) to visit Canada. Documents can be forged or stolen, whereas biometric data provide greater certainty, confirming the identity of applicants when they apply.

“Biometrics will be an important new tool to help protect the safety and security of Canadians by reducing identity fraud and identity theft,” said Minister Kenney. “As fraudsters become more sophisticated, biometrics will improve our ability to keep violent criminals and those who pose a threat to Canada out. In short, biometrics will strengthen the integrity of Canada’s immigration system while helping facilitate legitimate travel.”

These measures would put us in line with international partners such as the United Kingdom, the European Union, Australia, and the United States. This would help prevent known criminals, failed refugee claimants and deportees from using a fake identity to obtain a visa. The use of biometrics would also bolster Canada’s existing measures to facilitate legitimate travel by providing a fast and reliable tool for confirming identity.

All these reforms are aimed at deterring abuse of Canada’s generous immigration and refugee system. With these proposed measures, the integrity of Canada’s immigration programs and the safety and security of Canadians will be protected.

“To maintain the support of Canadians for our generous immigration and refugee systems, we must demonstrate that Canada has a fair, well-managed system that does not tolerate queue jumping,” concluded Minister Kenney.

Article Shared from SecurityNews.tv: http://security-news-tv.com/2012/02/17/canada-introduces-the-protecting-canadas-immigration-system-act/
