Subscribe to the RSA blogs and podcasts for the latest posts and security updates!
Dr. Ari Juels is Chief Scientist and Director of RSA Laboratories, where he works to bring sparks of invention and insight from RSA's scientists and affiliates to the company as a whole. He joined RSA in 1996. Ari's dozens of research publications span a range of topics, including biometric security, RFID security and privacy, electronic voting, browser security, combinatorial optimization, and denial-of-service protection. Ari has served as the program chair or co-chair for a number of conferences and workshops, including Financial Cryptography in 2004, the DIMACS Workshop on Electronic Voting in 2004, the Industry Track of the ACM Conference on Computer and Communications Security in 2005, the ACM Workshop on Wireless Security (WiSe) in 2006, the IEEE International Workshop on Pervasive Computing Security (PerSec) in 2006, and the Security, Privacy, and Ethics track of WWW2006. He has been a frequent invited speaker at industry events, such as USENIX Security 2004 and CHES 2006. In 2004, MIT's Technology Review Magazine named Dr. Juels one of the world's top 100 technology innovators under the age of 35. Ari received his B.A. in Latin Literature and Mathematics from Amherst College in 1991 and his Ph.D. in Computer Science from U.C. Berkeley in 1996. Subscribe to Ari's RSS feed
Virtualization helps conceal hardware complexity, one of its many benefits for programmers and administrators. But it’s also a rug under which security and reliability concerns can be all too easily swept. Here’s a simple example. Suppose that a file system replicates data across two storage devices to prevent data loss in the advent of a [...]
Security experts have long speculated about whether virtualized environments, such as public clouds, exhibit dangerous side channels. A side channel is a form of information leakage that arises as a byproduct of resource exposure, such as the sharing of memory caches. A side-channel attack exploits such leakage to steal secrets, such as cryptographic keys. A [...]
Resources in public clouds are sold on the same premise of uniform quality as apples. A virtual machine (VM) of a given type, for instance, is a fixed-sized bundle of resources—CPU, local storage, and so forth—that is rented to a tenant at a set hourly rate. Yet VMs, like apples, vary in quality. A VM’s performance depends on the CPU model in the machine on which it sits, the workloads of its neighbors (the VMs of other tenants), and a variety of other characteristics.
RSA Distributed Credential Protection (DCP) offers the industry a transformative approach to one of its most pressing security problems: Massive breaches of sensitive information, such as password databases. DCP distributes secrets across two servers or even two organizations and periodically rotates them through re-randomization. An attacker that breaches one server, or even both of them at different times, learns nothing.
Last Thursday, a six-institution team of scientists (Kleinjung et al.) announced the successful factorization of RSA-768. RSA-768 is a 768-bit (232 decimal-digit) RSA public key created in 2001 by RSA Laboratories as a cryptanalytic challenge number. The fall of RSA-768 is a landmark result, but no surprise. It reflects a consistent pace of growth in computing power, and continuing scientific interest in the problem of factoring, not an algorithmic breakthrough.
My cryptographic thriller novel Tetraktys is slated for official release in July. My publisher is launching it this week, however, in a pre-release event at the RSA Conference.
Data-security vendors sometimes get tall orders from customers. Not unheard of are: "I’d like a good digital signature system… with 20-bit keys" and "I want to use one-time pads for encryption… and I need to compress them." But one of the most challenging I’ve heard was recently offered up by colleagues in the RFID (Radio-Frequency IDentification) industry.
We often swallow ideas that we needn’t or shouldn’t. Take the onetime urging of nutritionists to substitute margarine for butter in the cause of cardiovascular health. When this advice was first circulating, most margarines contained high quantities of trans fats, concoctions that have turned out to be so harmful – to the heart, among other things – that they are now banned in restaurants in NYC. Similar dogma applies to the advice to drink eight eight-ounce glasses of water a day for overall good health. Everyone knows the advice. But no one seems to know where the 8×8 rule comes from or if it is good or bad.
So what pieces of conventional wisdom in computer security are like margarine and the 8×8 water doctrine? I’d hold forth password expiration as a prime candidate.
The U.S. Passport card or PASS (People Access Security Service) card, a new travel document, is slated for issue by the federal government in the spring of this year. A poor cousin to the standard passport, it’s more compact and less expensive, but valid only at land and sea points of border entry into the United States, not for air travel. The PASS card emerged as part of the Western Hemisphere Travel Initiative (WHTI), which phases out drivers’ licenses as border-crossing documents for the U.S.
I’ve heard two starkly contrasting opinions on the security of the PASS card…
