This might be how law enforcement agencies break into the iPhone – AppleInsider

A group of cryptography experts has proposed a theory about how law enforcement can still break into iPhones despite continuous iOS patches and layers of safeguards: Apple's strongest encryption protects less data than it used to.

Matthew Green, an associate professor at Johns Hopkins Information Security Institute, proposed the theory in a Twitter thread on Wednesday in response to news of the ACLU suing for information about iPhone unlocking methods. The theory is based on research from two of his students, Maximilian Zinkus and Tushar M. Jois.

Green contends that law enforcement agencies no longer need to break the strongest encryption on an iPhone because not all types of user data are protected by it.

The research was prompted by the fact that forensic companies reportedly no longer have the ability to break Apple's Secure Enclave Processor. That means it's very difficult to crack an iPhone's passcode. Given that law enforcement agencies continue to break into locked devices, Green and his students began researching how that could be possible.

They came up with a possible answer, which Green said would be fully detailed in a report after the holidays. Although it's conjecture, it could explain how government and police entities are still able to extract data from locked iPhones.

It boils down to the fact that an iPhone can be in one of two states: Before First Unlock (BFU) and After First Unlock (AFU). When you first power up your device and enter your passcode, it goes into the AFU state. When a user types in their code, the iPhone uses it to derive different sets of cryptographic keys that stay in memory and are used to encrypt files.

When a user locks their device again, it doesn't go into BFU, but remains in the AFU state. Green notes that only one set of cryptographic keys gets purged from memory. That set stays gone until a user unlocks their iPhone again.

The purged set of keys is the one used to decrypt a subset of an iPhone's files that fall under a specific protection class. The other key sets, which stay in memory, are used to decrypt all other files.

From here, all a law enforcement entity needs to do is use known software exploits to bypass the iOS lock screen and decrypt most of the files. Using code that runs with normal privileges, they could access data like a legitimate app. As Green points out, the important part appears to be which files are protected by the purged set of keys.
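To make the BFU/AFU distinction concrete, here is a toy model of the behaviour described above. It is an added example, not Apple's code or the researchers' tooling: the class names mirror Apple's documented protection classes, but the passcode-derived keys, the key purging on lock and the file "encryption" are a constructed simulation built on hashlib and hmac, not the real Secure Enclave key hierarchy. The point it shows is the one Green makes: after the first unlock, locking the phone discards only the key for one class, so files in the other class remain readable to any code running on the device.

```python
"""Toy model of iOS data protection classes (added example, not Apple's code).

Class names mirror Apple's documented protection classes; the derivation and
the file "encryption" are a constructed simulation, not the real AES key
hierarchy entangled with the Secure Enclave's hardware key.
"""
import hashlib
import hmac
import os

# Key purged from memory when the device locks.
COMPLETE = "NSFileProtectionComplete"
# Key stays in memory after the first unlock, even while the device is locked.
UNTIL_FIRST_AUTH = "NSFileProtectionCompleteUntilFirstUserAuthentication"
CLASSES = (COMPLETE, UNTIL_FIRST_AUTH)


def keystream(key: bytes, label: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter-mode keystream (constructed stand-in for a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Device:
    def __init__(self, passcode: str):
        self.salt = os.urandom(16)
        self.verifier = self._kdf(passcode, b"verifier")
        self.class_keys = {}   # protection class -> key currently held in memory
        self.files = {}        # file name -> (protection class, ciphertext)
        self.state = "BFU"     # Before First Unlock
        self.locked = True

    def _kdf(self, passcode: str, label: bytes) -> bytes:
        # Constructed derivation; real devices entangle the passcode with a per-device hardware key.
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self.salt + label, 10_000)

    def unlock(self, passcode: str) -> None:
        if not hmac.compare_digest(self._kdf(passcode, b"verifier"), self.verifier):
            raise ValueError("wrong passcode")
        self.class_keys = {cls: self._kdf(passcode, cls.encode()) for cls in CLASSES}
        self.state = "AFU"     # After First Unlock: every class key is now in memory
        self.locked = False

    def lock(self) -> None:
        # Locking does not return to BFU: only the Complete-class key is discarded.
        self.class_keys.pop(COMPLETE, None)
        self.locked = True

    def write(self, name: str, protection_class: str, data: bytes) -> None:
        key = self.class_keys.get(protection_class)
        if key is None:
            raise PermissionError(f"no key in memory for {protection_class}")
        self.files[name] = (protection_class, xor(data, keystream(key, name.encode(), len(data))))

    def read(self, name: str) -> bytes:
        protection_class, ciphertext = self.files[name]
        key = self.class_keys.get(protection_class)
        if key is None:
            raise PermissionError(f"key for {protection_class} is not in memory")
        return xor(ciphertext, keystream(key, name.encode(), len(ciphertext)))


def demo() -> dict:
    """Constructed scenario: which files stay readable once the phone is locked after first unlock."""
    dev = Device("123456")
    dev.unlock("123456")                                   # BFU -> AFU
    dev.write("mail.db", COMPLETE, b"inbox contents")
    dev.write("photo.jpg", UNTIL_FIRST_AUTH, b"jpeg bytes")
    dev.lock()                                             # still AFU, only the Complete key is gone
    result = {"state": dev.state}
    for name in ("mail.db", "photo.jpg"):
        try:
            dev.read(name)
            result[name] = "readable while locked"
        except PermissionError:
            result[name] = "needs passcode"
    return result
```

For an app developer the practical check is which protection class the app's own files end up in: only data written under the Complete class behaves like `mail.db` here, everything else is in the `photo.jpg` situation as soon as the phone has been unlocked once since boot.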

Based on Apple's documentation, it appears that the strongest protection class only applies to mail and app launch data.

Comparing that to the same text from 2012, it seems that the strongest encryption doesn't safeguard as many data types as it once did.

The data types that don't get the strong protection include Photos, Texts, Notes, and possibly certain types of location data. Those are all typically of particular interest to law enforcement agencies.

Third-party apps, however, are able to opt-in to protect user data with the strongest protection class.

As far as why Apple seems to have weakened the protections, Green theorizes that the company forfeited maximum security to enable specific app or system features like location-based reminders. Similarly, some apps wouldn't be able to function properly if the strongest encryption class was used for most data.

Green notes that the situation is "similar" on Android. But, for Apple, the cryptography professor says that "phone encryption is basically a no-op against motivated attackers."

The findings, as well as other details and possible solutions, are outlined in a research paper penned by Green, Zinkus, and Jois.


Researchers in Abu Dhabi build first national crypto library for the UAE – Gulf Business

The UAE has set up the first national crypto library to enable the country to safeguard vital and confidential sources of information.

The library is an initiative of the Advanced Technology Research Council (ATRC) through its Cryptography Research Centre.

Researchers at Cryptography Research Centre, one of ATRC's initial seven dedicated research centres, have already released multiple versions of the crypto library and are working on its integration into the UAE's critical digital infrastructure, according to a statement from the centre.

Cryptography Research Centre currently employs and collaborates with scientists in multiple fields of cryptography such as post-quantum cryptography (PQC), hardware-based cryptography, lightweight cryptography, cryptanalysis, cryptographic protocols, and cloud encryption schemes, amongst others.

"The ever-evolving sophistication of cyberattacks should not be taken for granted," Faisal Al Bannai, secretary-general of the Advanced Technology Research Council (ATRC), said.

"By developing a national crypto library in the UAE and integrating this within critical digital infrastructure, we can increase our security levels and build sovereign capability simultaneously."


The library encompasses a collection of algorithms that cryptographers use in a specific order to safeguard confidential and high-security information.

"The integration of the National Crypto Library with live systems will enable a more fluid security strategy across critical data-sensitive sectors such as finance, health-care, and telecommunications," said Dr. Najwa Aaraj, chief researcher at Cryptography Research Centre.


EU looks to enter broadband space race – ComputerWeekly.com

With Elon Musk's Skylink constellation set to take the lead in a market that UK government-backed OneWeb wants a slice of, the European Union (EU) has revealed itself as the next on the launch pad for satellite-based broadband services.

Details of the bid have been revealed by the European Commission (EC), which has selected a consortium of European satellite manufacturers, operators and service providers, telco operators and launch service providers to study the design, development and launch of a European-owned, space-based communication system.

The EC said the study would assess the feasibility of a new initiative aiming to strengthen European digital sovereignty and provide secure connectivity for citizens, commercial enterprises and public institutions, as well as providing global coverage for rural and not-spot areas.

Once it gets the green light, the new EU flagship programme would complement the existing Copernicus and Galileo craft and, said the EC, would fully exploit the synergies of the technological potential of the digital and space industries.

The European space-based connectivity system, advocated by internal market commissioner Thierry Breton, is intended to provide secure communication services to the EU and its member states as well as broadband connectivity for European citizens, companies and mobility sectors, strengthening EU digital sovereignty.

It will build on the EU's GOVSATCOM programme of pooling and sharing satellite services, and is claimed to ensure a high level of reliability, resilience and security not currently available in the market. It will also leverage the EuroQCI initiative, which promotes quantum cryptography technology.

More specifically, the study phase awarded by the EC will consolidate the user and mission requirements and provide a preliminary architectural design and service provision concept, as well as associated budgetary estimates. A public-private partnership scheme will be considered and assessed during this phase.

The study will look at how the space-based system could enhance and connect to current and future critical infrastructures, including terrestrial networks, strengthening EU capability to access the cloud and providing digital services in an independent and secure way, which is said to be essential for building confidence in the digital economy and ensuring European strategic autonomy and resilience.

The EC sees the project as being able to take advantage of, and even strengthen, the role of satellites in a 5G ecosystem, assessing interoperability while also taking into account the evolution towards upcoming 6G technologies. At the beginning of December 2020, Nokia was appointed project leader for Hexa-X, the EC's 6G flagship initiative for research into the next generation of wireless networks.

The EC believes a sovereign satellite infrastructure will benefit a wide range of sectors, including road and maritime transport, air traffic and control, autonomous vehicle development, and many internet of things applications. It is intended to offer enhanced security in the transmission and storage of information and data supporting the needs of various users such as governmental agencies, finance and banking companies, science networks, critical infrastructures and datacentres.

The contract value of the year-long feasibility study amounts to 7.1m and the selected participants are Airbus, Arianespace, Eutelsat, Hispasat, OHB, Orange, SES, Telespazio and Thales Alenia Space.


IBM Leverages Cloud To Push The Encryption Envelope – The Next Platform

Unfortunately, the powerful capabilities of quantum computers also introduce risks to our current security technology, namely public key cryptography. Symmetric key cryptography such as the Advanced Encryption Standard (AES) or Secure Hash Algorithm (SHA)-2 and -3 will not be completely compromised. The only known attack uses Grover's algorithm, which achieves fast unstructured search over the key space for symmetric ciphers or the output space for cryptographic hash algorithms. However, the speed-up Grover's algorithm provides has an upper limit. Furthermore, the attack requires a considerable amount of quantum resources. Therefore, these symmetric key algorithms can sustain their security by simply increasing the key sizes or output sizes to at most twice their current size.

The rapid adoption by enterprises of hybrid cloud and multicloud environments, along with the rise of the Internet of Things, a much more remote workforce and other trends that have contributed to the increasingly distributed nature of modern IT, has put the vast amounts of data being generated in a precarious position. No longer created, collected and stored in central datacenters sitting behind corporate firewalls, workloads and data are now bouncing between public clouds, between clouds and on-premises datacenters, from the edge through the cloud to the datacenter and back again.

Data is everywhere and in multiple environments, putting it at greater risk from cyberthreats from increasingly sophisticated criminal and nation-state operations that now have a much larger attack surface to work on. There's no way to put a firewall around such a decentralized situation, so other means of security, including encryption, are getting more work as organizations look to shield sensitive data from cyberattacks and stay in compliance with the growing number of government regulations and standards (think the European Union's General Data Protection Regulation (GDPR) or California's Consumer Privacy Act (CCPA)) designed to protect the privacy of business users and consumers.

However, even modern encryption has its shortcomings. Enterprises can now encrypt data when it's at rest and when it's in transit. However, when they have to start putting it to work to process and analyze it, it must be decrypted, exposing it to cyber-criminals who want to access or steal it, or to third parties that may be able to see it. In a hybrid cloud world, the risk is high.

Enter Fully Homomorphic Encryption (FHE). Initially discussed in the 1970s but not demonstrated until 2009, homomorphic encryption enables data to remain encrypted even as organizations process and analyze it in the cloud or in third-party environments, protecting it from bad actors and the eyes of others who are not supposed to see it. Once the calculations or other mathematical operations are run on the encrypted data, the results will be correct once they're decrypted.
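The property the paragraph describes, computing on ciphertexts and getting the right answer after decryption, can be shown in a few lines with the Paillier cryptosystem. This is an added example and not IBM's code: Paillier is only additively homomorphic (sums and multiplication by a known constant), not fully homomorphic like the lattice-based schemes IBM's service uses, and the primes below are constructed toy values far too small for real use. What it demonstrates is that the party holding the ciphertexts can produce a correct encrypted total without ever seeing a plaintext.

```python
"""Computing on encrypted data with Paillier (added example, not IBM's FHE code).

Paillier is additively homomorphic: E(a) * E(b) decrypts to a + b and E(a)^k
decrypts to k * a. The toy primes are constructed for illustration only.
"""
from math import gcd
import secrets

P = 1_000_000_007   # constructed toy prime
Q = 998_244_353     # constructed toy prime


def lcm(a: int, b: int) -> int:
    return a * b // gcd(a, b)


def keygen(p: int = P, q: int = Q):
    n = p * q
    lam = lcm(p - 1, q - 1)
    # With generator g = n + 1, L(g^lam mod n^2) = lam mod n, so mu = lam^-1 mod n.
    mu = pow(lam, -1, n)
    return (n,), (n, lam, mu)          # public key, private key


def encrypt(pub, m: int) -> int:
    (n,) = pub
    n2 = n * n
    while True:                         # random blinding factor coprime to n
        r = secrets.randbelow(n - 1) + 1
        if gcd(r, n) == 1:
            break
    # g^m * r^n mod n^2 with g = n + 1 simplifies to (1 + m*n) * r^n mod n^2
    return (1 + m * n) * pow(r, n, n2) % n2


def decrypt(priv, c: int) -> int:
    n, lam, mu = priv
    n2 = n * n
    L = (pow(c, lam, n2) - 1) // n      # the L function: (x - 1) / n
    return L * mu % n


def add_encrypted(pub, c1: int, c2: int) -> int:
    """Homomorphic addition done by a party that cannot decrypt anything."""
    (n,) = pub
    return c1 * c2 % (n * n)


def scale_encrypted(pub, c: int, k: int) -> int:
    """Homomorphic multiplication by a plaintext constant k."""
    (n,) = pub
    return pow(c, k, n * n)


def encrypted_sum(values):
    """Owner encrypts, an untrusted aggregator sums ciphertexts, owner decrypts the total."""
    pub, priv = keygen()
    ciphertexts = [encrypt(pub, v) for v in values]
    total = ciphertexts[0]
    for c in ciphertexts[1:]:
        total = add_encrypted(pub, total, c)
    return decrypt(priv, total)


if __name__ == "__main__":
    print(encrypted_sum([10, 20, 30]))
```

Encryption is randomized, so two encryptions of the same value are different ciphertexts; the aggregator therefore cannot even tell which inputs were equal, only produce the correct encrypted sum. Full FHE adds ciphertext-by-ciphertext multiplication on top of this, which is what the "100 times the compute" cost discussed later in the article is paying for.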

"It's important because data is more portable than ever," Eric Maass, director of strategy and emerging technology at IBM Security Services, tells The Next Platform. "We are in a very fluid state. Infrastructure is everywhere. Once upon a time, we built monolithic applications and the data, for all intents and purposes, was well contained within sight of a monolith of sorts. Today, applications are very hybrid in nature. There's computing that's happening on-prem. There's aspects of that computation that may happen in a hybrid fashion on infrastructure-as-a-service provider. Data is just being sent wherever it's needed, basically to be utilized by highly distributed applications. In a hybrid cloud era, we expect that the infrastructure has become far more distributed and therefore [so is] the computing and therefore where the data needs to flow in order to perform that computing."

IBM has been an active player in the development of FHE, with IBM researcher Craig Gentry in 2009 demonstrating the first working algorithm for homomorphic encryption, though it was far too slow for practical use. More recently, Big Blue this summer ran successful FHE field trials and released an FHE toolkit for MacOS and iOS, Apple's operating systems, adding Linux and Android later. This month, IBM announced its IBM Security Homomorphic Encryption Services, a scalable offering hosted on IBM Cloud that gives organizations an environment for experimenting with the encryption technology, plus consulting and managed services to help them with their efforts.

Over the past decade, IBM and other companies have worked to make processing encrypted data faster. The demonstration in 2009 showed it could be done, but at the time it could take days or weeks to run FHE calculations that otherwise would take seconds on decrypted data. The organizations worked to improve the algorithms used for FHE, and IBM created open-source libraries such as HElib and the aforementioned FHE Toolkit. The result is homomorphic encryption that is more functionally viable and ready for wider use. The algorithms IBM is using on its new cloud service are founded on lattice-based cryptography, an encryption technology that is being developed to push back at the oncoming cyberthreats that will arrive with more widespread quantum computing.

With the combination of expanded compute power and advanced algorithms, FHE can now be performed at seconds-per-bit, an important measurement that indicates homomorphic encryption is fast enough to be used in increasing numbers of use cases and early trials. Examples of use cases include healthcare facilities that want to give patient data to clinical researchers to help them search for cures for a disease but can't do so now because regulations prevent exposing such sensitive data to third parties, or retailers who want to do more targeted marketing but are worried about jeopardizing the trust of their consumers by using their data in a way that exposes it.

"Over the last 10 years, a lot of what it comes down to is just the math," Maass says. "It gets down to finding efficiencies in the way that the math is being done to improve the speed. Way back in the day, a single digit being computed in an FHE-enabled application took somewhere around a half an hour. We improved that. It's still multiple times slower than performing the same calculation on clear text data, but it's improved to the point where a lot of the computation that we make here about basic analysis, statistical analysis of data, that sort of stuff, could be done in a way that's almost imperceptible."

IBM's FHE Services offering has two key goals: to give enterprises a cloud-based environment for trying out the technology and running experiments, and to educate organizations and offer them services and support from IBM cryptography experts, both with the aim of preparing them to build and deploy FHE-enabled applications. The tools were developed by IBM Research and IBM Z, offering templates for common FHE use cases, including encrypted search, AI, machine learning and analytics. The IBM Cloud infrastructure can scale as needed.

There continue to be challenges to mass adoption of homomorphic encryption, Maass says. FHE is complex and requires a lot of compute power (as much as 100 times the compute resources of operations on plaintext data); the lattice encryption keys and other FHE-specific technologies are not mainstream and may need particular infrastructure; and coding for FHE may differ from traditional methods. Applications and data need to be prepared in particular ways when dealing with FHE.

"Data preparation really has a lot to do with what use case you plan to implement with the technology," he says. "The simplest example is if you picture a spreadsheet of data, you have rows and columns. Traditional databases have rows and columns of data. Often with [FHE] data preparation, the columns need to become rows and the rows need to become columns. There are certain types of math that needs to take place in which we're twisting and turning the data in ways that it's not natively coming out of a traditional relational database. It's not overly complex, but it does take understanding those constraints and use cases in order to plan for that. Clearly, systems as they exist today for storing data within these organizations are not going to be natively compatible if we need to start twisting and turning the data that way."

Likely candidates for using FHE include organizations in highly regulated industries (healthcare, financial services, retail and the like) and those using data in highly collaborative and distributed ways, which is getting more common with the growing adoption of hybrid clouds.

That said, FHE will be a targeted sort of technology, not one designed to be a wholesale replacement for all forms of encryption, he says. "We're going to still see basic asymmetric and symmetric encryption that exists for data at rest and data in transport continue to be the primary way to do that job. They do it well. They do it efficiently. This is really targeted at data that needs to be protected as it's being put into an untrusted domain, shared with a third party, maybe being utilized in an untrusted cloud computing environment where it's out of our hands and we want to make sure that it's not going to be exposed as we're computing on it. There's a time and place for every form of cryptography and we see this as complementary to the data at rest and data in transit algorithms and techniques that are out there today."

It's going to take time, but two to three years down the road homomorphic encryption will have evolved from a fresh-from-the-lab technology to one that is more widely used, Maass says. Gartner analysts earlier this year predicted that by 2025, at least 20 percent of companies will have projects on the books that include FHE, up from about 1 percent now. IBM's FHE Services offering is a step in that direction by getting organizations prepared for the technology's evolution.


Blockchain Can Provide Efficiencies in Healthcare and Other Sectors – Business West

More Than Just Bitcoin

By Matthew Ogrodowicz, MSA

Blockchain is a term used to broadly describe the cryptographic technology that underpins several applications, the most widely known of which is Bitcoin and other similar cryptocurrencies.


Even though it is the largest current application, a survey conducted on behalf of the American Institute of Certified Public Accountants (AICPA) in 2018 found that 48% of American adults were not familiar with Bitcoin, Ethereum, or Litecoin, three cryptocurrencies among those with the largest market capitalizations. The largest of these, Bitcoin, currently sits at a market capitalization of approximately $355 billion. If half of all adults are unfamiliar with this largest application, it is safe to assume that even fewer know about other ways the technology could be used, including for some of the region's major industries.

Three of these largest industries in Western Mass. are healthcare, manufacturing, and higher education. In each of these industries, the secure and verifiable information network created by blockchain can provide efficiencies. This network, essentially a public ledger, consists of a series of transactions (blocks), which is distributed and replicated across a network of computers referred to as nodes. These nodes each maintain a copy of the ledger, which can only be added to by the solving of a cryptographic puzzle that is verified by other nodes in the network.

The information on the ledger is maintained by another aspect of cryptography, which is that the same data encrypted in the same way produces the same result, so if data earlier in the chain is manipulated, it will be rejected by the other nodes even though the data itself is encrypted. Thus, an immutable chain of verifiable, secure information is created, capable of supporting applications in the aforementioned fields.
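The ledger mechanics in the two paragraphs above (blocks that chain to their predecessor, a puzzle that must be solved to append, and rejection of a chain whose earlier data was altered) fit in a short script. This is an added example, not code from the article or from any production blockchain: the difficulty, the supply-chain records and the record format are constructed toy values, and the "puzzle" is a hash-prefix proof of work. It shows why altering an earlier entry is detected even when the attacker re-solves that block's puzzle: every later block still links to the old hash.

```python
"""A minimal hash-chained ledger with tamper detection (added example, not from the article).

Each block commits to the previous block's hash and must satisfy a small
proof-of-work puzzle. A node verifying a chain recomputes every hash and link,
so a modified earlier record is rejected. All values below are constructed.
"""
import copy
import hashlib
import json

DIFFICULTY = 2  # leading hex zeros required (toy value; real networks need far more)


def block_hash(index: int, prev_hash: str, data: str, nonce: int) -> str:
    payload = json.dumps([index, prev_hash, data, nonce], separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def mine_block(index: int, prev_hash: str, data: str) -> dict:
    """Solve the puzzle: find a nonce whose block hash starts with DIFFICULTY zeros."""
    nonce = 0
    while True:
        h = block_hash(index, prev_hash, data, nonce)
        if h.startswith("0" * DIFFICULTY):
            return {"index": index, "prev_hash": prev_hash, "data": data, "nonce": nonce, "hash": h}
        nonce += 1


def build_chain(records) -> list:
    chain = [mine_block(0, "0" * 64, "genesis")]
    for i, rec in enumerate(records, start=1):
        chain.append(mine_block(i, chain[-1]["hash"], rec))
    return chain


def verify_chain(chain) -> tuple:
    """What every node does before accepting a ledger: recompute and re-link every block."""
    for i, blk in enumerate(chain):
        expected = block_hash(blk["index"], blk["prev_hash"], blk["data"], blk["nonce"])
        if blk["hash"] != expected:
            return False, f"block {i}: stored hash does not match contents"
        if not blk["hash"].startswith("0" * DIFFICULTY):
            return False, f"block {i}: puzzle not solved"
        if i > 0 and blk["prev_hash"] != chain[i - 1]["hash"]:
            return False, f"block {i}: broken link to previous block"
    return True, "ok"


def tamper_demo() -> tuple:
    """Constructed supply-chain records; altering an earlier one breaks verification."""
    chain = build_chain(["part#A1 shipped 08:00", "part#A1 arrived 14:30", "part#A1 inspected OK"])
    honest = verify_chain(chain)

    # 1. Edit the arrival time in place: the stored hash no longer matches the contents.
    edited = copy.deepcopy(chain)
    edited[2]["data"] = "part#A1 arrived 09:00"
    edited_result = verify_chain(edited)

    # 2. Edit it and re-solve that block's puzzle: the next block still links to the old hash.
    remined = copy.deepcopy(chain)
    remined[2] = mine_block(2, remined[1]["hash"], "part#A1 arrived 09:00")
    remined_result = verify_chain(remined)

    return honest, edited_result, remined_result
```

The second tampering case is the one that matters for the article's "immutable chain" claim: rewriting one record forces the forger to redo every later block as well, and on a network the other nodes already hold the original chain to compare against.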

Each of these industries can benefit from the blockchain's ability to host smart contracts. A smart contract is a digital protocol intended to facilitate, verify, or enforce the performance of a transaction. The simplest analogue is that of a vending machine: once payment is made, an item is delivered. Smart contracts would exist on the blockchain and would be triggered by a predefined condition or action agreed upon by the parties beforehand. This allows the parties to transact directly without the need for intermediaries, providing time and cost savings as well as automation and accuracy.

Combined with the security and immutability noted earlier, smart contracts should prove to be a valuable tool, though there is still work to be done in codifying and establishing legal frameworks around smart contracts. Other applications of blockchain technology are more specifically applicable to individual fields.

In the field of healthcare, blockchain's ability to process, validate, and sanction access to data could lead to a centralized repository of electronic health records and allow patients to permit and/or revoke read-and-write privileges to certain doctors or facilities as they deem necessary. This would allow patients more control over who has access to their personal health records while providing for quick transfers and reductions in administrative delay.

In the field of manufacturing, blockchain can provide more supply-chain efficiency and transparency by codifying and tracking the routes and intermediate steps, including carriers and time of arrival and departure, without allowing for unauthorized modification of this information. In a similar fashion, blockchain can provide manufacturers assurance that the goods they have received are exactly those they have ordered and that they are without defect by allowing for tracking of individual parts or other raw materials.

Finally, in the field of higher education, blockchain could be used to improve record keeping of degrees and certifications in a manner similar to that of electronic medical records. Beyond that, intellectual property such as research, scholarly publications, media works, and presentations could be protected by the blockchain by allowing for ease of sharing them while preserving the ability to control how they are used.

And, of course, blockchain development will be a skill in high demand that will benefit from the creation of interdisciplinary programs at colleges and universities that help students understand the development of blockchain networks as well as the areas of business, technology, law, and commerce that are impacted by it.

For these reasons and many more, businesses should feel an urgency to increase their knowledge of blockchain's impact on their industries while exploring the potential dividends that could be reaped by a foray into an emerging technology.

Matthew Ogrodowicz, MSA is a senior associate at the Holyoke-based accounting firm Meyers Brothers Kalicka, P.C.


Technology Innovation Institute Appoints Global Cryptography Leaders as its Board of Advisors at Cryptography Research Centre – Business Wire

ABU DHABI, United Arab Emirates--(BUSINESS WIRE)--Technology Innovation Institute (TII), the applied research pillar of Advanced Technology Research Council (ATRC), today announced the formation of a board of advisors at Cryptography Research Centre (CRC). The new board of advisors comprises global experts in the field of cryptography.

The appointments follow a series of rapid announcements at Technology Innovation Institute since the first Advanced Technology Research Council board meeting in August 2020.

CRC is one of the initial seven dedicated centres at TII and it is also one of the few global centres bringing together theoretical and applied cryptographers in a research-oriented setting. The cryptographers collaborate on breakthrough research projects that lead to innovative outcomes in cryptography. Spanning fields including post quantum cryptography (PQC), lightweight cryptography, cryptanalysis, cryptographic protocols, hardware-based cryptography and confidential computing, amongst others, the distinguished board of advisors will guide efforts to develop breakthrough technologies for global impact, reinforcing the UAE's position as a global hub for innovation and R&D.

The Board of Advisors includes: Prof Joan Daemen, Professor of Symmetric Cryptography at Radboud University in The Netherlands, who co-designed the Rijndael cipher that was selected as the Advanced Encryption Standard (AES) and is also one of the co-designers of the Keccak (SHA-3) cryptographic algorithm; Prof Lejla Batina, Professor of Hardware Cryptography at Radboud University, whose expertise is in applied cryptography and embedded systems security; Dr Guido Bertoni, CEO of Security Pattern, Italy, whose research areas include cryptographic algorithms, hardware-based cryptography, applied cryptography and embedded systems security, and who is also a co-designer of the Keccak (SHA-3) cryptographic algorithm; Prof. Carlos Aguilar, Professor of ISAE SUPAERO in Toulouse University, France, a post quantum cryptographer and expert in secure cryptographic implementations and computational theory; Prof. Damien Stehlé, Professor in Computer Science at École Normale Supérieure de Lyon, France, whose focus areas are post quantum cryptography, computational theory and complex algebra; and Prof. Tim Güneysu, Professor of Security Engineering at Ruhr-University Bochum, Germany, who is an expert in secure hardware implementations, cloud cryptographic schemes and secure engineering.

CRC currently employs and collaborates with scientists in multiple crucial fields of cryptography. The experts are engaged in the full spectrum of fundamental and applied cryptography and cryptanalysis research.

Speaking on the board appointments, Dr Najwa Aaraj, Chief Researcher at CRC, said: "The success of any scientific and research-focused entity is led by its board of advisors as they support in setting the vision. By bringing together renowned experts, we are connecting global expertise in the field of cryptography."

Dr Aaraj added: "Through the research undertaken at the Cryptography Research Centre, we are confident that Abu Dhabi and the UAE will pioneer breakthrough technologies that ensure even greater enhancements in high-priority cryptographic areas."

TII is a pioneering global research and development centre that focuses on applied research and new-age technology capabilities. The Institute has seven initial dedicated research centres in quantum, autonomous robotics, cryptography, advanced materials, digital security, directed energy and secure systems. By working with exceptional talent, universities, research institutions and industry partners from all over the world, the Institute connects an intellectual community and contributes to building an R&D ecosystem in Abu Dhabi and the UAE. The Institute reinforces Abu Dhabi and the UAE's status as a global hub for innovation and contributes to the broader development of the knowledge-based economy.

To know more about Cryptography Research Centre (CRC):

tii.ae/cryptography

*Source: AETOSWire


How Password Hashing Algorithms Work and Why You Never Ever Write Your Own – Security Boulevard

Are you fascinated with cryptography? You're not alone: a lot of engineers are. Occasionally, some of them decide to go as far as to write their own custom cryptographic hash functions and use them in real-world applications. While understandably enticing, doing so breaks the number 1 rule of the security community: "don't write your own crypto."

How do hashing algorithms work and what's special about password hashing? What does it take for an algorithm to get ready for widespread production use? Is security through obscurity a good idea? Let's see.

Before storing a user's password in your application's database, you're supposed to apply a cryptographic hash function to it. (You're not storing passwords in plain text, right? Good. Just asking.)

Any cryptographic hash function converts an arbitrary-length input (a.k.a. message) into a fixed-length output (a.k.a. hash, message digest). A secure cryptographic hash function must be:

Now, there's general cryptographic hashing, and then there's password hashing, which is somewhat special.

Standard cryptographic hash functions are designed to be fast, and when you're hashing passwords, that speed becomes a problem. Password hashing must be slow. You want to make it as hard as possible for an attacker to brute-force the passwords in your database should it ever leak. This is why you want to make password hashing computationally expensive. How expensive? Well, it's a tradeoff between convenience for your legitimate users when they validate their passwords and making brute-force attacks hard for the attacker.

To make hashing computationally expensive, a special kind of function is commonly used: key derivation functions (KDFs). Under the hood, KDFs invoke hash functions, but they add a random salt before hashing and then apply numerous (usually thousands or tens of thousands of) iterations of hashing. Ideally, they make brute-force attacks both CPU-intensive and memory-intensive.

"A key derivation function produces a derived key from a base key and other parameters. In a password-based key derivation function, the base key is a password and the other parameters are a salt value and an iteration count." (RFC 2898: Password-Based Cryptography Specification Version 2.0)

In password hashing discussions, the terms hash function (such as MD5 or SHA-1) and key derivation function (such as PBKDF2 or Argon2) are often used interchangeably, although they're technically not the same.
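The salt-plus-iterations recipe described above is available in the Python standard library, so there is no reason to hand-roll any of it. The following is an added example, not Veracode's code: it stores and verifies passwords with PBKDF2-HMAC-SHA256, using a per-password random salt and a constant-time comparison. The iteration count and the `$`-separated record format are constructed choices for this example; in production use the password hasher your framework provides, which will also give you a memory-hard option such as Argon2 or scrypt.

```python
"""Salted, iterated password hashing with PBKDF2-HMAC-SHA256 (added example, not Veracode's code).

The record format and iteration count are constructed conventions for this
example; the primitives are the standard library's hashlib and hmac.
"""
import hashlib
import hmac
import os
import time
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # constructed tuning value; tune to your latency budget and raise it over time
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (all hex)."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt   # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the KDF with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def seconds_per_guess(iterations: int) -> float:
    """Cost of one KDF evaluation here: roughly what an attacker pays per guess on similar hardware."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"probe", b"\x00" * SALT_BYTES, iterations)
    return time.perf_counter() - start


def demo() -> dict:
    """Constructed check of the properties the article asks for."""
    pw = "correct horse battery staple"
    record_a = hash_password(pw)
    record_b = hash_password(pw)
    return {
        "correct_password_verifies": verify_password(pw, record_a),
        "wrong_password_rejected": verify_password("Tr0ub4dor&3", record_a),
        "same_password_different_records": record_a != record_b,   # random salt defeats precomputed tables
        "malformed_record_rejected": verify_password(pw, "not-a-record"),
        "iterations_recorded": int(record_a.split("$")[1]),
    }


if __name__ == "__main__":
    print(demo())
    print(f"one guess costs about {seconds_per_guess(ITERATIONS):.3f} s at {ITERATIONS} iterations")
```

Storing the iteration count inside the record is what lets you raise it later: old records keep verifying with their recorded cost, and you re-hash a user's password at the new cost the next time they log in.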

Both writing a custom hashing algorithm and creating your own implementation of a well-known algorithm are bad ideas. Why?

You probably don't have the skills. Let's face it: cryptography is hard, and messing up an algorithm or implementation is easy, even for professionals. Should you go for creating your own password hashing, some of the things you'd need to take care of include:

This is a lot on your plate, even more so given that you won't have access to qualified testers from the cryptography community to help you find (inevitable) vulnerabilities.

Youll likely want to depend on secrecy and obscurity??by keeping your algorithm private. Doing so breaks the fundamental doctrine of cryptography known as the?Kerckhoffs?principle:??a cryptosystem should be secure even if everything about the?system, except the key, is public knowledge.??Security by obscurity can provide a short-term advantage but relying on it long-term is a bad practice:?

Youll put sensitive user data at risk. Leaking sensitive user data is one of the worst things that can happen to a business. This is something that instantly undermines trust, turns customers away, and is very expensive to remediate. Some companies and lots of developers are prone to the Not Invented Here fallacy, but password hashing is probably the worst thing you can choose to re-implement.?

Most importantly,??you wont know when your algorithm gets broken.?

Established algorithms and implementations benefit from??years of testing and polishing??by large communities of cryptography experts who help reveal and fix vulnerabilities without any malicious intent.?

Since your own algorithm and/or implementation wont be available to anyone with a good will, attackers will be the only category of people willing to crack it. Once they do that, they wont give you a headsup;?youll only know when sensitive data of your users is?compromised,?and your business is in serious trouble.?

Thats great! Go forward and practice. Read reference implementations of existing algorithms, play with your own implementations, reach out to the community for advice, and have a great time learning something new and exciting!?

Just dont use whatever youve written in your production applications.?

To learn more, read our vulnerability decoder on insecure crypto.?

*** This is a Security Bloggers Network syndicated blog from Application Security Research, News, and Education Blog authored by fheisler@veracode.com (fheisler). Read the original post at: https://www.veracode.com/blog/secure-development/how-password-hashing-algorithms-work-and-why-you-never-ever-write-your-own

Original post:
How Password Hashing Algorithms Work and Why You Never Ever Write Your Own - Security Boulevard

WISeKey launches IoT partnerships via the Trust Protocol Association to monetize its intellectual property (IP) portfolio, including both patent and data assets

Geneva, Switzerland / New York, USA, December 14, 2020: WISeKey International Holding Ltd. (WISeKey; NASDAQ: WKEY; SIX Swiss Exchange: WIHN), a leading cybersecurity IoT company, today announced the launch of IoT partnerships via the Trust Protocol Association to monetize its intellectual property (IP) portfolio, including both patent and data assets.

With a rich portfolio of more than 46 patent families, covering over 100 fundamental individual patents, and another 22 patents under review, WISeKey continues to expand its technology footprint in various domains including the design of secure chips powered with near field communication (NFC) technology, development of security firmware and backend software, secure management of data, improvement of security protocols between connected objects and advanced cryptography. The Company has filed strategic patents in the U.S. which are essential to the digital transformation applications that are fueling the growth in the IoT market (see the list of patents at https://www.wisekey.com/company/our-value-proposition/our-patents/).

For WISeKey, adding to its patent portfolio and intellectual property is key to ensuring that it remains a major player in the IoT industry for years to come, providing its customers with scientifically proven technology that differentiates and protects their products from counterfeiting, adds valuable supply-chain tracking features, and prevents the loss of sensitive enterprise and consumer data.

Digital transformation in the IoT market is opening up new applications that can improve the efficiencies of power grids, use NFC chips embedded on pharmaceutical labels to provide better quality healthcare, or secure autonomous vehicles, but it's also creating new security risks, each with its own set of challenges and consequences. Digital identities provided as part of the WISeKey Integrated Security Platforms act as the first line of defense in IoT security architectures by giving each object its own unique, immutable identity that can be used for strong authentication of the device and encryption of sensitive data as it travels from the edge to the cloud.

The purpose of the Trust Protocol Association is to establish a new Trust Protocol for the internet combining traditional Cryptographic Trust Models with distributed blockchain ledgers creating a new Global Trust platform.

The mission of the Association is to create an ecosystem of governmental, technology and business partners, each representing a node, with the possibility of having multiple nodes per country. Blockchain-based solutions aim to override the need for a central authority by distributing information previously held in a centralized repository across a network of participating nodes. While a Blockchain is not owned by one individual or organization, anyone with an internet connection (and access, in the case of private Blockchains) can make use of it and help maintain and verify it. When a transaction is made on a Blockchain, it is added to a group of transactions, known as a block. Each block of transactions is added to the database in a chronological, immutable chain. Each block is stamped with a unique cryptographic code, which ensures that records are not counterfeited or changed. The Blockchain approach lacks legal validity in most jurisdictions, which only recognize digital signatures as equally valid as manuscript signatures when they are generated using traditional PKI technology.

The Trust Protocol Association is working with a number of members in the USA, Asia, MEA and Europe to deploy a fully compliant Trusted Health Passport using WIShelter Version 2, a new application in the WISeID App ecosystem, designed to remediate risks during the global COVID-19 lockdown period. Using their digital identity secured by WISeKey, users will be able to geo-localize other certified users and establish secure communications. If needed, the app allows users to prove to local authorities that they are respecting the stay-at-home recommendations. To ensure data privacy, each user's Personally Identifiable Information is kept encrypted and never disclosed without their consent. For more information visit: https://www.wisekey.com/press/wisekey-oiste-org-and-the-trust-protocol-association-to-help-health-organizations-deploy-a-covid-19-trusted-health-passport-on-the-blockchain/.

About WISeKey

WISeKey (NASDAQ: WKEY; SIX Swiss Exchange: WIHN) is a leading global cybersecurity company currently deploying large scale digital identity ecosystems for people and objects using Blockchain, AI and IoT, respecting the Human as the Fulcrum of the Internet. WISeKey microprocessors secure the pervasive computing shaping today's Internet of Everything. WISeKey IoT has an install base of over 1.5 billion microchips in virtually all IoT sectors (connected cars, smart cities, drones, agricultural sensors, anti-counterfeiting, smart lighting, servers, computers, mobile phones, crypto tokens etc.). WISeKey is uniquely positioned to be at the edge of IoT as our semiconductors produce a huge amount of Big Data that, when analyzed with Artificial Intelligence (AI), can help industrial applications to predict the failure of their equipment before it happens. Our technology is trusted by the OISTE/WISeKey Swiss-based cryptographic Root of Trust (RoT), which provides secure authentication and identification, in both physical and virtual environments, for the Internet of Things, Blockchain and Artificial Intelligence. The WISeKey RoT serves as a common trust anchor to ensure the integrity of online transactions among objects and between objects and people. For more information, visit www.wisekey.com.

Press and investor contacts:

Disclaimer:

This communication expressly or implicitly contains certain forward-looking statements concerning WISeKey International Holding Ltd and its business. Such statements involve certain known and unknown risks, uncertainties and other factors, which could cause the actual results, financial condition, performance or achievements of WISeKey International Holding Ltd to be materially different from any future results, performance or achievements expressed or implied by such forward-looking statements. WISeKey International Holding Ltd is providing this communication as of this date and does not undertake to update any forward-looking statements contained herein as a result of new information, future events or otherwise.

This press release does not constitute an offer to sell, or a solicitation of an offer to buy, any securities, and it does not constitute an offering prospectus within the meaning of the Swiss Financial Services Act (FinSA), the FinSAs predecessor legislation or advertising within the meaning of the FinSA, or within the meaning of any other securities regulation. Investors must rely on their own evaluation of WISeKey and its securities, including the merits and risks involved. Nothing contained herein is, or shall be relied on as, a promise or representation as to the future performance of WISeKey.

The securities offered will not be, and have not been, registered under the United States of America Securities Act of 1933, as amended, and may not be offered or sold in the United States of America, absent registration or an applicable exemption from the registration requirements of said Act.


Appointments, honors and activities – Purdue News Service

A pair of Purdue engineering professors and a computer science professor have been named to the 2021 class of newly elevated IEEE Fellows.

Yung-Hsiang Lu, professor of electrical and computer engineering, was named for his contributions to the energy efficiency of computer systems. His research focus is mobile and cloud computing, energy-efficient computing, and image and video processing. Gesualdo Scutari, the Thomas and Jane Schmidt Rising Star Associate Professor in the School of Industrial Engineering and professor of electrical and computer engineering, was selected for his contributions to distributed optimization in signal processing and communications. Scutari's research interests include distributed and large-scale optimization, computational game theory, variational inequalities, machine learning, big data and applications in communications, networking, signal processing and sensor networks. Ninghui Li, the Samuel D. Conte Professor of Computer Science, was named for his contributions to data privacy and security. Li's research focus includes data privacy, access control, trust management, applied cryptography, and human factors in security and privacy.

IEEE Fellow is a distinction reserved for select IEEE members whose extraordinary accomplishments in any of the IEEE fields of interest are deemed fitting of this prestigious grade elevation, according to its website.


The Collapse of Cryptography? Considering the quantum threat to blockchain – Lexology

In our 2019 paper March of the Blocks we commented on the substantial compliance hurdles that the General Data Protection Regulation (GDPR) presents to the ongoing development of blockchain solutions that involve storing (and transacting with) data. There, we concluded that blockchain solutions that respect the fundamental principles of data protection and privacy are achievable. But does our conclusion hold firm in light of the threat posed by quantum technology to the integrity of data recorded on a blockchain?

In this article, with help from the team at our Quantum Computing Hub, we revisit our thinking and interrogate whether quantum computers herald the end of data security in the context of blockchain solutions, or whether the reality is in fact more nuanced.

Simply put, quantum computers are computers that make use of two laws of quantum mechanics: superposition and entanglement. They do so via quantum bits or qubits. This is easiest to explain by reference to classical computers (the computers we currently use) which make use of bits, units of information which can only exist in one of two states: off or on, 0 or 1.

Because of superposition, which refers to the ability of individual units to exist in several possible states at the same time, a qubit in a quantum computer can be on, off, or on and off in a variety of combined states at a single point in time.

Entanglement, which describes the phenomenon whereby particles interact with each other and share their states even if separated, means that the state of a series of qubits can become linked.

These properties enable quantum computers to perform certain tasks with greater efficiency than even the most powerful classical computers. These tasks include searching through an unordered list for a specific item, identifying causal relationships, and finding the prime factors of large numbers.

Identifying the quantum threat to blockchain

A blockchain is a series of blocks of data, linked together by a cryptographic hash to form a chain. A cryptographic hash is a function that turns a block of data of any length into a fixed-length output. The hash stored in each block of the chain operates like a fingerprint of the previous block, and it is possible to run a hash-checking process over the previous block to confirm that it generates the correct hash. If the previous block is changed in any way, it will not generate the correct hash and the chain will be broken. Therefore, the data of any block in the chain cannot be modified without changing the hash of every block that comes after it in the chain.
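The linking just described, as an added illustration written for this article (not the implementation of any real blockchain): each block carries the hash of its predecessor, a verifier walks the chain re-hashing every block, and editing one block's data breaks the check at that block, while "fixing" that block's own hash only moves the break to the next block. The block layout and the JSON serialisation are assumptions of the example.

```python
"""Toy hash-linked chain: why one altered block invalidates everything after it (added example)."""
import hashlib
import json
from dataclasses import dataclass
from typing import List

GENESIS_PREV_HASH = "0" * 64  # assumed convention: the first block points at all-zero hash


@dataclass
class Block:
    index: int
    data: str
    prev_hash: str   # "fingerprint" of the previous block: the link in the chain
    block_hash: str = ""

    def compute_hash(self) -> str:
        # Deterministic serialisation; because prev_hash is covered, this hash
        # commits (transitively) to every block before this one.
        payload = json.dumps(
            {"index": self.index, "data": self.data, "prev_hash": self.prev_hash},
            sort_keys=True,
        )
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def build_chain(records: List[str]) -> List[Block]:
    """Append each record as a new block whose prev_hash is the previous block's hash."""
    chain: List[Block] = []
    prev = GENESIS_PREV_HASH
    for i, data in enumerate(records):
        block = Block(index=i, data=data, prev_hash=prev)
        block.block_hash = block.compute_hash()
        chain.append(block)
        prev = block.block_hash
    return chain


def first_invalid_block(chain: List[Block]) -> int:
    """Return the index of the first block that fails verification, or -1 if the chain is intact.

    A block fails if its stored hash no longer matches its contents, or if its
    prev_hash does not match the hash of the block actually preceding it.
    """
    prev = GENESIS_PREV_HASH
    for block in chain:
        if block.prev_hash != prev or block.compute_hash() != block.block_hash:
            return block.index
        prev = block.block_hash
    return -1


def verify_chain(chain: List[Block]) -> bool:
    return first_invalid_block(chain) == -1


if __name__ == "__main__":
    # Constructed sample records for the demonstration.
    chain = build_chain(["alice->bob 5", "bob->carol 2", "carol->dave 1"])
    print("intact:", verify_chain(chain))
    chain[1].data = "bob->carol 200"           # alter history
    print("first invalid after edit:", first_invalid_block(chain))   # 1
    chain[1].block_hash = chain[1].compute_hash()  # re-hash the edited block only
    print("first invalid after re-hash:", first_invalid_block(chain))  # 2: the link from block 2 is now wrong
```

The second tamper step is the point of the paragraph above: consistent forgery requires recomputing the hash of every subsequent block, which is what the network's consensus rules make expensive.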

Many blockchain solutions also deploy public-key cryptography, where both public and private keys are made up of a string of alphanumeric characters. If a user wants to send encrypted data to a recipient, it must utilise that recipient's public key (which is broadcast to the network). The sender can encrypt their data with this public key, and send the data to the recipient. Only the recipient's private key (which the recipient keeps secret) can then be used to decrypt the data. Where blockchain solutions facilitate transactions, private keys are often used to sign and authenticate transactions.

The fly in the ointment (and a chink in the blockchain's armour) is that many popular public-key cryptographic algorithms, including RSA encryption, are vulnerable to attack from quantum computers. This is because those cryptographic algorithms rely on the difficulty of breaking down large numbers into their prime factors (the prime numbers that, when multiplied, equal the original large number), something which is hugely time consuming for conventional computing circuits to compute. As we have already observed, this is a task that quantum computers are poised to perform with relative ease as compared to classical computers.
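To make the dependence on factoring concrete, here is textbook RSA on tiny numbers, added as an illustration for this article (not any library's RSA). It shows that the private exponent is a function of the prime factors of the public modulus, so whoever can factor the modulus can rebuild the private key. The parameters (p = 61, q = 53, e = 17) are the standard small teaching values and are assumptions of the example; real keys use primes of 1024 bits and more, for which the trial-division factoring below is infeasible on classical hardware. That infeasibility is exactly the assumption the article says quantum computers remove.

```python
"""Textbook RSA on toy numbers: the private key falls out of factoring n (added example)."""
from math import gcd, isqrt
from typing import Optional, Tuple

PublicKey = Tuple[int, int]   # (n, e)
PrivateKey = Tuple[int, int]  # (n, d)


def keygen(p: int, q: int, e: int = 17) -> Tuple[PublicKey, PrivateKey]:
    """Build an RSA key pair from two primes.

    d is the inverse of e modulo phi(n) = (p-1)(q-1); phi(n) is only
    computable if you know p and q, which is what keeps d private.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(message: int, public_key: PublicKey) -> int:
    n, e = public_key
    if not 0 <= message < n:
        raise ValueError("message must be a non-negative integer smaller than n")
    return pow(message, e, n)


def decrypt(ciphertext: int, private_key: PrivateKey) -> int:
    n, d = private_key
    return pow(ciphertext, d, n)


def factor_by_trial_division(n: int) -> Optional[Tuple[int, int]]:
    """Classical factoring: test every candidate up to sqrt(n).

    Work grows exponentially in the bit length of n, which is why RSA with
    large moduli is usable today; returns None when n is prime.
    """
    if n < 4:
        return None
    if n % 2 == 0:
        return 2, n // 2
    for candidate in range(3, isqrt(n) + 1, 2):
        if n % candidate == 0:
            return candidate, n // candidate
    return None


def recover_private_key(public_key: PublicKey) -> Optional[PrivateKey]:
    """Given only (n, e): factor n, recompute phi(n), and rebuild d.

    This factoring step is the one a sufficiently large quantum computer
    running Shor's algorithm would make cheap for real-size moduli.
    """
    n, e = public_key
    factors = factor_by_trial_division(n)
    if factors is None:
        return None
    p, q = factors
    phi = (p - 1) * (q - 1)
    return n, pow(e, -1, phi)


if __name__ == "__main__":
    public_key, private_key = keygen(61, 53, e=17)   # toy primes, teaching values only
    c = encrypt(65, public_key)
    print("n =", public_key[0], "ciphertext =", c, "decrypts to", decrypt(c, private_key))
    print("private key recovered from public key alone:",
          recover_private_key(public_key) == private_key)
```

The same structure explains the "harvest now, decrypt later" concern raised later in the article: a ciphertext captured today stays decryptable by anyone who can factor its modulus at any point in the future.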

It has also been suggested that quantum computers increase the risk of a 51% or majority attack, whereby a bad actor seeks to take control of a majority of the nodes in a blockchain network and thereby acquires the ability to interrupt the recording of new blocks, as well as reversing records of blocks that had been completed while they were in control of the network.

What does this mean from a legal perspective?

A number of legal risks arise in a UK context, and similar obligations may well apply in other jurisdictions. In particular, the GDPR requires controllers and processors to ensure that personal data is processed in a manner that protects against unauthorised or unlawful processing and, accordingly, to implement appropriate technical and organisational security measures. Data protection should, moreover, be baked into processing activities and business practices from the design stage right through the lifecycle. Should quantum computers be able to compromise data stored on a blockchain, compliance with these requirements will similarly be compromised.

Legal liability does not stop at the GDPR, however, and may vary depending on the type of entity that is storing data on a blockchain solution. For example, organisations that fall within scope of the Network and Information Security (NIS) Directive (which include operators of essential services) are subject to further requirements to manage the risks posed to the security of the networks and information systems which they use in their operations.

UK financial services firms should also be mindful of proposed PRA and FCA rules to improve the operational resilience of firms, expected to be published in Q1 2021, in addition to requirements relating to appropriate systems and controls and adequate risk management systems. Senior managers within regulated firms who are responsible for data security could, moreover, come under regulatory scrutiny in the event that any data was compromised.

In addition, interference with the integrity of data recorded on a blockchain could constitute an infringement of directors duties under the Companies Act 2006, as well as a breach of the UK Corporate Governance Code.

As this survey of the legal position demonstrates, the implications of quantum computers rendering vulnerable data stored on a blockchain are significant. But, in practice, how real is this threat?

Commentators appear confident that cryptography will be able to keep pace with developments in quantum computers, which are expected to be in use by governments and companies in the 2030s. As such, current cryptographic techniques can be transitioned to cryptography that is resistant to quantum attacks (sometimes referred to as post-quantum cryptography). There is, however, no proof that any of the currently recognised post-quantum methods are secure against a quantum computer.

The degree of vulnerability of incumbent blockchain systems is, moreover, subject to debate. To take one example, the blockchain solution underlying Bitcoin (which utilises a number of cryptographic techniques in addition to public-key cryptography) is considered by some to be quantum-resistant in its current incarnation, although this appears to be a minority view.

Where incumbent systems are vulnerable to quantum computers, it is certainly the case that a bad actor could steal data now and wait until advances in quantum computing enable access, irrespective of subsequent precautions put in place.

While the degree of the threat remains subject to debate, it is clear that quantum computing has the potential to undermine the integrity of data stored on blockchain solutions. As we have explored, this could give rise to a number of negative legal consequences, in particular under the GDPR.

Various measures can, however, be taken in order to mitigate such consequences. We have already highlighted the need to bring current cryptographic techniques up to date with post-quantum cryptography. In addition, as flagged in our March of the Blocks paper, the storing of personal data on a blockchain should be avoided as far as it is possible to do so.

This could potentially be achieved via middleware applications (software that sits on top of one or more underlying blockchain networks, enabling the application of those blockchain networks to particular use cases) by avoiding, for example, any free form data fields for names and contact details. These applications could also employ more advanced techniques to recognise and remove personal data from information submitted to the blockchain network.

To conclude, we remain optimistic that the GDPR and other legislation relating to data security need not stymie the development of blockchain solutions. The limitations presented by blockchain must, however, be recognised and a pragmatic approach adopted, particularly in light of the threat to data integrity posed by quantum computers.
