Standards

PKCS #11: Alive and Well!

We had our first meeting of the OASIS PKCS 11 Technical Committee last week, a very interesting and exciting start to this new stage in the life of the PKCS #11 standard. It was a very impressive gathering of folks from many different companies and countries, a breadth of participation evident in the officers and [...]

The New OASIS PKCS 11 Technical Committee

As I mentioned in an earlier blog, RSA is transitioning the PKCS #11 standards effort into OASIS. The call for participation for the new OASIS PKCS 11 Technical Committee has now officially gone out from OASIS leadership, describing the process for joining the TC. The new public page for the PKCS 11 TC provides information [...]

Re-invigorating the PKCS #11 Standard

One of the most important and widely deployed cryptographic standards is PKCS #11, one of the family of PKCS standards that RSA initiated in the 1990s. The PKCS #11 standard specifies an API, called Cryptoki, for devices that hold cryptographic information and perform cryptographic functions. The API follows a simple object-based approach, addressing the goals of technology independence (any kind of device) and resource sharing (multiple applications accessing multiple devices), presenting to applications a common, logical view of the device, called a cryptographic token.
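As an added example (not code from the original post, from RSA or from the OASIS TC), here is the Cryptoki flow that paragraph describes, written against the C API through Python's ctypes: the application loads whichever vendor's module it is pointed at, asks it for its function list, calls C_Initialize, enumerates the slots that have a token present and reads each token's CK_TOKEN_INFO. The module path, the SoftHSM default, the "Constructed sample" token and a Unix LP64 ABI are assumptions; the structure layouts and constants are the specification's.

```python
"""Walk a PKCS #11 (Cryptoki) module as an application does: dlopen it, fetch
its function list, C_Initialize, list slots with a token present and read each
CK_TOKEN_INFO. Added example, not RSA's or OASIS's code. Assumes a module on
disk (the SoftHSM path in main is a hypothetical default) and a Unix LP64 ABI."""
import ctypes
import sys

CK_ULONG = CK_RV = CK_SLOT_ID = CK_FLAGS = ctypes.c_ulong
CKR_OK = 0
CK_RV_NAMES = {0x00: "CKR_OK", 0x03: "CKR_SLOT_ID_INVALID", 0x05: "CKR_GENERAL_ERROR",
               0x06: "CKR_FUNCTION_FAILED", 0x07: "CKR_ARGUMENTS_BAD", 0xA0: "CKR_PIN_INCORRECT",
               0xA4: "CKR_PIN_LOCKED", 0xE0: "CKR_TOKEN_NOT_PRESENT", 0x150: "CKR_BUFFER_TOO_SMALL",
               0x190: "CKR_CRYPTOKI_NOT_INITIALIZED"}  # CK_RV values from the specification
CKF_LOGIN_REQUIRED = 0x4
TOKEN_FLAG_NAMES = [(0x1, "CKF_RNG"), (0x2, "CKF_WRITE_PROTECTED"), (0x4, "CKF_LOGIN_REQUIRED"),
                    (0x8, "CKF_USER_PIN_INITIALIZED"), (0x100, "CKF_PROTECTED_AUTHENTICATION_PATH"),
                    (0x400, "CKF_TOKEN_INITIALIZED"), (0x40000, "CKF_USER_PIN_LOCKED")]

class CK_VERSION(ctypes.Structure):
    _fields_ = [("major", ctypes.c_ubyte), ("minor", ctypes.c_ubyte)]

class CK_TOKEN_INFO(ctypes.Structure):  # field order and widths as in pkcs11t.h
    _fields_ = ([("label", ctypes.c_ubyte * 32), ("manufacturerID", ctypes.c_ubyte * 32),
                 ("model", ctypes.c_ubyte * 16), ("serialNumber", ctypes.c_ubyte * 16),
                 ("flags", CK_FLAGS)]
                + [(n, CK_ULONG) for n in ("ulMaxSessionCount", "ulSessionCount",
                   "ulMaxRwSessionCount", "ulRwSessionCount", "ulMaxPinLen", "ulMinPinLen",
                   "ulTotalPublicMemory", "ulFreePublicMemory", "ulTotalPrivateMemory",
                   "ulFreePrivateMemory")]
                + [("hardwareVersion", CK_VERSION), ("firmwareVersion", CK_VERSION),
                   ("utcTime", ctypes.c_ubyte * 16)])

class CK_FUNCTION_LIST(ctypes.Structure):
    # Only the leading entries are declared, in specification order; the struct is
    # always reached through a pointer, so a prefix suffices to call C_GetTokenInfo.
    _fields_ = [
        ("version", CK_VERSION),
        ("C_Initialize", ctypes.CFUNCTYPE(CK_RV, ctypes.c_void_p)),
        ("C_Finalize", ctypes.CFUNCTYPE(CK_RV, ctypes.c_void_p)),
        ("C_GetInfo", ctypes.CFUNCTYPE(CK_RV, ctypes.c_void_p)),
        ("C_GetFunctionList", ctypes.CFUNCTYPE(CK_RV, ctypes.c_void_p)),
        ("C_GetSlotList", ctypes.CFUNCTYPE(CK_RV, ctypes.c_ubyte, ctypes.POINTER(CK_SLOT_ID),
                                           ctypes.POINTER(CK_ULONG))),
        ("C_GetSlotInfo", ctypes.CFUNCTYPE(CK_RV, CK_SLOT_ID, ctypes.c_void_p)),
        ("C_GetTokenInfo", ctypes.CFUNCTYPE(CK_RV, CK_SLOT_ID, ctypes.POINTER(CK_TOKEN_INFO))),
    ]

class Pkcs11Error(Exception):
    pass

def rv_name(rv):
    return CK_RV_NAMES.get(rv, f"0x{rv:08X}")

def check(rv, fn):
    """Every Cryptoki call returns a CK_RV; anything but CKR_OK aborts the flow."""
    if rv != CKR_OK:
        raise Pkcs11Error(f"{fn} failed: {rv_name(rv)}")

def token_flag_names(flags):
    return [name for bit, name in TOKEN_FLAG_NAMES if flags & bit]

def describe_token(slot, info):
    """Reduce a CK_TOKEN_INFO (blank-padded, fixed-width fields) to plain values."""
    text = lambda field: bytes(field).decode("utf-8", "replace").rstrip()
    return {"slot": int(slot), "label": text(info.label), "manufacturer": text(info.manufacturerID),
            "flags": token_flag_names(info.flags), "login_required": bool(info.flags & CKF_LOGIN_REQUIRED),
            "firmware": f"{info.firmwareVersion.major}.{info.firmwareVersion.minor}"}

def list_tokens(module_path):
    """The application never touches the device, only the token view the module presents."""
    lib = ctypes.CDLL(module_path)
    lib.C_GetFunctionList.restype = CK_RV
    lib.C_GetFunctionList.argtypes = [ctypes.POINTER(ctypes.POINTER(CK_FUNCTION_LIST))]
    fl = ctypes.POINTER(CK_FUNCTION_LIST)()
    check(lib.C_GetFunctionList(ctypes.byref(fl)), "C_GetFunctionList")
    f = fl.contents
    check(f.C_Initialize(None), "C_Initialize")
    try:
        count = CK_ULONG(0)
        check(f.C_GetSlotList(1, None, ctypes.byref(count)), "C_GetSlotList")  # size query
        slots = (CK_SLOT_ID * count.value)()
        check(f.C_GetSlotList(1, slots, ctypes.byref(count)), "C_GetSlotList")
        tokens = []
        for slot in slots[:count.value]:
            info = CK_TOKEN_INFO()
            check(f.C_GetTokenInfo(slot, ctypes.byref(info)), "C_GetTokenInfo")
            tokens.append(describe_token(slot, info))
        return tokens
    finally:
        f.C_Finalize(None)

def constructed_token_info(label, flags, manufacturer=b"Constructed sample"):
    """Constructed sample data (not read from a device) to exercise describe_token()."""
    info = CK_TOKEN_INFO()
    ctypes.memmove(info.label, label.ljust(32), 32)
    ctypes.memmove(info.manufacturerID, manufacturer.ljust(32), 32)
    info.flags = flags
    info.firmwareVersion.major, info.firmwareVersion.minor = 2, 40
    return info

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/usr/lib/softhsm/libsofthsm2.so"  # assumed
    for token in list_tokens(path):
        print(token)
```

Run it with the path of any Cryptoki module (`python3 tokens.py /path/to/module.so`); the point of the exercise is that nothing in the script depends on which vendor's device sits behind that module. The two-call C_GetSlotList pattern (size query with a NULL buffer, then the real call) and the blank-padded fixed-width strings in CK_TOKEN_INFO are conventions the specification uses throughout, and CKF_LOGIN_REQUIRED is the flag an application must check before it expects private objects to be visible.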

The KECCAK Effect – What SHA-3 Brings to the Table

The National Institute of Standards and Technology (NIST) announced on 2 October 2012 that the winner of the SHA-3 competition is KECCAK (pronounced ketchack). Interestingly, it was 12 years ago to the day that NIST announced the Advanced Encryption Standard (AES) algorithm. Also of note is that Joan Daemen is a member of both [...]

Understanding Indicators of Compromise (IOC) Part I

Introduction: Every day, security analysts are faced with piecing together disparate parts of complex events of interest related to emerging and sophisticated threats. These pieces can be simple metadata elements or much more complex malicious code and content samples that require advanced reverse engineering and analysis. When pulled together, the cumulative result equates to [...]

Wrapped up in Keys

I spent a week in the US recently working on key management in a single-minded way that I rarely have the opportunity for these days. First there was a two-day Key Management Workshop at NIST. Day one focused on review of the SP 800-130 Key Management Framework and the SP 800-152 Key Management Profile. Day [...]

Still Not Cracked: a further dive into the PKCS #1 v1.5 vulnerability

Contrary to some comments we have seen, RSA is not “walking around” the Project Team Prosecco research, as is asserted in a recent Root Labs blog; in fact we have repeatedly stated to bloggers and the press that we support this specific research (as I did here, yesterday) as well as other cryptanalysis. Our problem is with the reporting on the research and its relationship to RSA. Much of this reporting is misleading and inaccurate, leading to unwarranted fear among customers. Reports have been published that claim the cracking of RSA SecurID 800 devices, the stealing of private keys and the possible cloning of smart cards, none of which is true. In addition, other reports link this attack against smart cards to the RSA SecurID One-Time Passcode technology, which is strictly false.

The Threat of the Threat Itself

Some colleagues and I were discussing DDoS attacks earlier this week: who is waging DDoS attacks, what techniques they’re using and how to deal with attacks when they occur. While discussing the value of advance warning of such attacks, one person said offhandedly, “the problem with advance warning is that the threat may be just the threat of the attack, not the attack itself.” It was an interesting and valuable insight, one that deserves some exploration.

What Matters in A Standard: RSA DPM support for OASIS KMIP

This week’s announcement that the new release of RSA Data Protection Manager (DPM) supports the OASIS Key Management Interoperability Protocol (KMIP) standard was a particularly important one for me, personally. As co-chair of the KMIP Technical Committee since we convened it in 2009, implementation of KMIP in industry-leading key managers like RSA DPM matters a lot to me. And that got me thinking about what matters in a standard like KMIP.

Turning Your Organization Inside-Out: Security and the Open API Economy

At the European Identity and Cloud (EIC) Conference 2012 last week, I finally got what Craig Burton has been saying for some time now: “Baking your core competency into an open API is an economic imperative.” What brought it home for me was the presentation by 3Scale’s Steven Willmott, focusing on what he called “turning [...]