Encryption Blog
Showing posts tagged with Key Management Server (Key Management)
Doug McLean | 12 Aug 2008 | 0 comments

It's been an extraordinarily active week on the cybercrime front and it feels like a good time to initiate a new blog I've been thinking about for some time. For those of us that track cybercrime, identity theft and the other activities of Internet miscreants, it's clear that the nature of the game has changed in the last year. Cybercrime, historically an activity driven by testosterone impaired geeks, has become the latest growth industry for organized crime. I'll look at some of the facts and statistics that demonstrate this in the coming weeks, but for now I want to look at some of the more interesting evolving stories.

First, there was the arrest of eleven suspects in the TJX case. For those of you that don't follow internet crime closely, this was the data breach that caused the release of 41 million records (mostly credit card numbers) into the wild. Estimates of losses to date run in the hundreds of millions of dollars. The FBI has been working...

Doug McLean | 12 Aug 2008 | 0 comments

Decryption Without Key Present

The PGPsdk has a feature that allows the Encrypted Session Key (ESK) from a message to be extracted and decrypted separately. The decrypted ESK could then be used later to decrypt the original message. It works as follows:

1) Assume the client has a PGP-encrypted message. The PGPDecode() function can be called with an event handler that extracts the ESK(s), which are presented to the handler during a kPGPEvent_PassphraseEvent.

typedef struct
{
   PGPByte   *sessionKey;
   PGPSize   sessionKeySize;
} SessionKeyInfo;

 

static PGPError sExtractESKHandler( PGPContextRef context,
                                   ...
Doug McLean | 25 Jul 2008 | 0 comments

While products such as PGP Universal and PGP Desktop have done a successful job of protecting email and storage, securing the data presented in web applications has largely been unaddressed. Users of web mail (Gmail), forums, blogs and group calendaring (Google Calendar) currently have no reasonable way to ensure the privacy of their information, in that it often resides on the web server. This pair of blog posts discusses the various options for using PGP technology to extend the web client, with the goal of securing web data with and without the consent of the web site operator.

Securing Web Data...An Undiscovered Country

Web applications are especially popular among mobile computer users. This is partially due to the computing and power limitations of mobile devices, but also because of the complexity of security and synchronization issues. While MAPI/Notes and IMAP are often used for corporate mail, web mail has also become very popular....

Doug McLean | 03 Sep 2004 | 1 comment

Abstract

Access to computer services has conventionally been managed by means of secret passwords and centralized authentication databases. This method dates back to early timeshare systems. Now that applications have shifted to the Internet, it has become clear that the use of passwords is not scalable or secure enough for this medium. As an alternative, this paper discusses ways to implement federated identity management using strong cryptography and the same PGP® key infrastructure that is widely deployed on the Internet today.

Beyond Passwords

The inherent security weakness and management complexities of password-based authentication and centralized authorization databases make such systems inadequate for the real-world requirements of today's public networks. However, by applying the same proven cryptographic technology used today for securing email, we can construct a robust authentication system with the...