We had our first meeting of the OASIS PKCS 11 Technical Committee last week, a very interesting and exciting start to this new stage in the life of the PKCS #11 standard. It was a very impressive gathering of folks from many different companies and countries, a breadth of participation evident in the officers and [...]
In his introduction to the Innovation Sandbox at RSA Conference, Hugh Thompson remarked on the critical role that small companies have in driving innovation. That’s certainly true and it was great to see the innovations of the 10 finalists who presented on Monday. But Hugh’s remark got me thinking about other dimensions of innovation, particularly in the light of the phenomenal range of capabilities evident in the exhibition hall at the conference.
The Cloud Best Practices Network has just published the second installment of the e-magazine TRANSFORM. This issue, which focuses on various aspects of cloud security, includes my article on “Key Management Strategies for the Hybrid Cloud”, leveraging the use cases that we developed in OASIS KMIP for our work on the next version of KMIP. [...]
To understand the power of Jeremi’s cluster, we first need to understand how to guess passwords. If 348 billion guesses are made in one second, then trying all possible passwords will require (95^8 divided by 348 billion) seconds. This works out at approximately 19064 seconds, or nearly 5 hours and 18 minutes.
Far too often, we fail to see the obvious weaknesses in our defenses. Over 50 million consumer passwords have been reported stolen in 2012 alone in highly visible ‘smash and grab’ attacks. Yahoo, LinkedIn, Zappos, eHarmony… the list goes on. This is the equivalent of robbery in broad daylight. How did we as an industry let [...]
The National Institute of Standards and Technology (NIST) announced on the 2nd of October that the winner of the SHA-3 competition is KECCAK (pronounced ketchack). Interestingly, it was 12 years ago to the day that NIST announced the Advanced Encryption Standard (AES) algorithm. Also of note is that Joan Daemen is a member of both [...]
I spent a week in the US recently working on key management in a single-minded way that I rarely have the opportunity for these days. First there was a two-day Key Management Workshop at NIST. Day one focused on review of the SP 800-130 Key Management Framework and the SP 800-152 Key Management Profile. Day [...]
As I mentioned in my last blog, one of the sessions I gave recently at RSA Conference China was a discussion of “Keys and Clouds”, exploring various models for key management and encryption in the cloud. It’s a topic that comes up often in my meetings with customers about private, public and hybrid cloud strategy. [...]
So, here we are with my pet topic – the proposed EU Data Directive. Its ultimate goal is to protect the privacy of the EU citizen. One of the proposed changes is the ‘right to be forgotten’, so that an individual can request that their data be deleted. If this change goes through, it will present several challenges to all organizations that collect, process and keep citizen information, which is pretty much every single organization in the EU. A happy medium would be one where individuals can trust organizations to use their data only for the purposes they have consented to, and where organizations can provide proof that the data has been deleted when requested. Encryption may be the answer here.
This week’s announcement that the new release of RSA Data Protection Manager (DPM) supports the OASIS Key Management Interoperability Protocol (KMIP) standard was a particularly important one for me, personally. As co-chair of the KMIP Technical Committee since we convened it in 2009, implementation of KMIP in industry-leading key managers like RSA DPM matters a lot to me. And that got me thinking about what matters in a standard like KMIP.