April 11, 2008

NetID product clarification

To respond to Sonny Yu's questions, the timing data I provided below is for the JCOP 41 smart card. The JCOP 21 crypto processor is slower, and Windows logon performs 3 private RSA key operations on the card per session. Therefore the performance with JCOP 21 is slower.

The minidriver works with USB JCOP cards but has not been tested with contactless cards. 

March 03, 2008

NetIDSys releases new information security products based on smart cards

I am pleased to announce the release of the new NetID suite of products. It is a smart card-based information security solution for the new cryptographic architecture on Windows (CNG) and integrates with the Base CSP, Smart card KSP, and ILM 2007. Our product is designed specifically for this new architecture and capitalizes on the advantages it offers.  

What distinguishes our product suite from other competitive products is the world-leading speed of service. Our product outperforms the competition by a wide margin in all important end-user use-cases: Windows logon (approximately 1.5 seconds), remote login, e-mail signing, and many others.  Please visit the corporate site for more details about it.

September 11, 2007

Recent developments in cryptography and information security - an international symposium in Oryahovitza, Bulgaria

I am back from my visit to Bulgaria. As promised, I am attaching the keynote presentation I gave at the symposium.

This was a truly excellent meeting with several exceptional talks. I learned a great deal of information about elliptic curve cryptography and applications. I am pleased to say that my presentation was received well too.

A couple of interesting facts: the organizer is an NGO (the Minu Balkanski foundation and the National Institute for Education) that aims at promoting science and arts in post-communist Bulgaria: from helping gifted math and computer science high-school students find educational opportunities abroad, to helping improve the qualification of teachers, to helping gifted art students, and more. I was very impressed with the track record the foundation has established thus far, in some cases rivaling the performance of much more powerful government institutions.

The organizers are planning to turn this successful start into an annual event, so look for the call for papers for next year - I highly recommend it.

August 14, 2007

International symposium on recent developments in cryptography and information security

It has been long since my last post: busy working on the soon-to-be-released NetIDSys products, pursuing some new IP ideas, completing a paper for the September/October 2007 issue of IEEE Security and Privacy magazine. I don't want to sound lame but this is the reality. On the bright side, I accepted an invitation to give a talk at the upcoming symposium on "Recent Developments in Cryptography and Information Security", August 29-31, 2007, Oryahovitza, Bulgaria. It promises to be a very well-attended event with many interesting presentations. The title and abstract for my talk are shown below; the full presentation is coming after the event.

Smart cards and the Holy Grail of Internet security

Abstract. The rapidly growing need for secure and flexible Web services is creating a demand for a new generation of personal authentication solutions. Smart cards are secure, tamper-resistant, portable devices. Although smart cards are used by the billion in mobile communications, banking, and public transport systems, they have not achieved the same level of adoption in IT security applications. In this talk we examine the issues facing traditional smart cards and introduce an emerging technology with great potential for responding to the security needs of the Internet.

April 05, 2007

Security benefits of OS virtualizations: real or virtual?

Nowadays the way we communicate with other people is nothing like it used to be only a decade ago. A popular way to stay in touch is to use Skype. It is a great tool, in particular its voice conversation capabilities. Recently some research has emerged, alleging that Skype may be doing some not-so-transparent things while running on your machine. As a result, many corporate users have been banned from using Skype.

Being a security-conscious person, this prompted me to think what can be done as a precaution against potential breaches while still enjoying the service Skype provides.  I realized that I am using OS virtualization quite a lot in my professional activities. So, a natural thought is to run Skype in a sandboxed virtual OS image. Indeed, this is a useful approach that can be used to defend against some vulnerabilities. But what is the real security picture when OS virtualization is used? It is a good question with some surprising answers.

I summarized some of my findings in a paper. The abstract and introduction are provided below. The full paper is available here.

Abstract. Recently, people have begun to use OS virtualization as a tool for improving LAN security. While virtualization is very useful in optimizing hardware utilization, we show that its security benefits come at a price.


Operating system (OS) virtualization allows businesses and individuals alike to use their available computer hardware resources much more efficiently and flexibly. This technology has become indispensable for many professional software developers and testers, allowing quick configuration of reference OS images that can be used in different contexts, often executing on the same computer [1].

There are two main technological approaches to OS virtualization [2]: standard and lightweight; lightweight further splits into containers and paravirtualization. Each approach has different architectural and run-time characteristics, hence different robustness of the isolation from the host OS.

Recently, an important security trend has emerged in OS virtualization usage. Consumers have begun to use virtualization as a tool for isolating processes, e.g., Internet browsers, in order to prevent malicious software (malware) from invading their main computing environment [2]. Using any of the available OS virtualization technologies, one can configure an image of an operating system with a browser and execute it on a computer as an isolated process within the host OS. A user can then utilize the browser in the image to explore the Internet without a fear that the main system will be invaded by malware. But are users safe, really? 

In this paper we consider the problem of process/application isolation through OS virtualization and examine how it can be used in practice for securing users’ computing environments.

March 08, 2007

The futility of secrets

My viewpoint on this subject just appeared in the March 2007 issue of Information Security. For those of you that do not wish to subscribe to this excellent magazine, I provide it below.


I agree with Ranum that we must stop living in denial about the futility of using easy-to-compromise secrets to authenticate people and transactions. However, the fix he proposes is futile too: one-time passwords of this kind are susceptible to well-known attacks. There are much stronger available technologies for user and transaction authentication.



Yes, Schneier has it right in pointing out that the problem is mainly economic but he is wrong in saying we should give up on fixing the authentication of people.  The payment card industry has introduced smart cards in Europe where, for example, a person paying at a restaurant is presented with a portable wireless payment terminal and must insert the card and then enter a PIN before the transaction is approved. This eliminates the possibility for the waiter to go in the back room and record the card details so that he can place a fraudulent transaction later; something that still happens on this side of the Atlantic. There is no other way to explain the resistance of the payment card industry to introducing this technology here than to paraphrase Bill Clinton’s election slogan: “It is the economy, stupid.”



Just try to imagine what a horrible reality we could be living in if the auto industry in this country had the luxury of using the approaches of the payment card industry: the number of people in the United States involved in car accidents compared to the total number of people driving is small; it is also a fact that the society is not at risk as a whole, even if all traffic accidents were fatal; so, what if the auto industry skipped safety technologies such as seat belts, airbags, anti-lock brakes, traction control, etc?



Indeed, let’s work on fixing the economic problems first and then introduce comprehensive privacy laws.


March 01, 2007

ViewStateUserKey final verdict

I did some more investigation on this subject and found a proper way to use this mechanism and add layered security to your Web site. The solution is to use ViewStateUserKey only after the user identity is authenticated. I.e. the proper code segment looks like this:

   // Set during page initialization (Page_Init), and only once the user is authenticated
   if (User.Identity.IsAuthenticated)
      ViewStateUserKey = Session.SessionID;

This protects against the well-known one-click attack and can be used in combination with TLS/SSL for protecting the access to your site. It may seem like overkill when TLS/SSL is used, and if a performance improvement is badly needed, this added protection may be sacrificed. However, in general it is a good security measure.

The reason it does not work as I tried earlier is that the system uses a different key to decrypt the ViewStateUserKey for authenticated and unauthenticated identities. So setting the key for the unauthenticated identity on the account page before the redirect occurs and returning back to it when authenticated breaks the mechanism.
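A simplified model of the binding that ViewStateUserKey provides, added here as an example (it is not code from the original post and not ASP.NET's actual view-state format): the MAC over the form state also covers a per-user value, so state issued under one value does not validate under another. The class name, server key, session values and payload are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Simplified model of a MAC-protected view state (assumption: not ASP.NET's real format).
static class ViewStateModel
{
    // Constructed server-side secret standing in for the site's validation key.
    static readonly byte[] ServerKey = Encoding.UTF8.GetBytes("constructed-demo-server-key");

    // The MAC covers the payload and the per-user key (empty when none is set).
    static byte[] Mac(string payload, string userKey)
    {
        using (var hmac = new HMACSHA256(ServerKey))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes((userKey ?? "") + "\n" + payload));
    }

    // Token layout for this model: base64(payload) "." base64(mac).
    public static string Issue(string payload, string userKey) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(payload)) + "." +
        Convert.ToBase64String(Mac(payload, userKey));

    public static bool Validate(string token, string userKey)
    {
        string[] parts = token.Split('.');
        if (parts.Length != 2) return false;
        try
        {
            string payload = Encoding.UTF8.GetString(Convert.FromBase64String(parts[0]));
            byte[] sent = Convert.FromBase64String(parts[1]);
            // Constant-time comparison of the received and recomputed MAC.
            return CryptographicOperations.FixedTimeEquals(sent, Mac(payload, userKey));
        }
        catch (FormatException) { return false; }
    }

    static void Main()
    {
        const string sessionA = "constructed-session-A";   // session the state was issued in
        const string sessionB = "constructed-session-B";   // a different user's session
        const string form = "displayName=constructed-value";

        Console.WriteLine("no user key, posted from another session: " + Validate(Issue(form, null), null));
        Console.WriteLine("key = session ID, posted from another session: " + Validate(Issue(form, sessionA), sessionB));
        Console.WriteLine("key = session ID, posted from the same session: " + Validate(Issue(form, sessionB), sessionB));
        Console.WriteLine("issued before the key was set, posted after: " + Validate(Issue(form, null), sessionB));
    }
}
```

The last case corresponds to the failure described above: state rendered under one key value no longer validates once the key in effect at postback differs.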

OK, I felt it is important to set the record straight and that's all I wanted to say.