Theres no better place than Singapore to do a deep tech startup, particularly anything involving cryptography. So says Brijesh Pande, founder and managing partner of the Tembusu ICT Fund, a Singapore-based software-focused venture capital fund. Admittedly, he has a vested interest in enticing entrepreneurs to come to the island nation, but heand two founders of companies in his portfolio, Lawrence Hughes from Sixscape and Ramond Looi from Vi Dimensionsmake a solid argument.

Here in Singapore, Pande says, We have no requirement for a security back door. The fact that the NSA [National Security Agency] requires U.S. companies to provide a back door makes technology developed in the U.S. less trusted around the world.

Hughes, who before decamping to Singapore founded several companies, including U.S.-based Ciphertrust and Philippine-based Infoweapons, says its just too difficult to do cyber security products in the U.S. these days. The NSA requires weakened algorithms and back doors, so you have to assume all IT products in the U.S. are compromised. That, he says, makes it hard to market them around the world.

Sixscape, Hughes latest startup, has developed a certificate management protocol based on a distributed public key infrastructure that can manage, he says, billions of unique certificates. Web sites use server certificates to identify themselves as legitimate. In his scheme, individual users will also use client certificates, created on their own computers, as identification, instead of less secure usernames and passwords. For additional security, banks and other particularly sensitive businesses can give their clients hardware keys containing certificates to even more reliably confirm identity. Hughes says Sixscape will soon be piloting the technology, issuing some 2 million hardware tokens for a government agency in a nearby country that wishes to allow secureaccess its website, without usernames or passwords.

Meanwhile, two-year-old Vi Dimensions, Looi explained, is developing AI to mine surveillance videos for anomalies. With hundreds of millions of cameras out there, he says, the cost of human monitoring is just too high. The software, he says, can spot a big truck driving an unusual route, or a child lost in a subway station. The company, he says, has deployed the technology on 200 cameras in Sentosa, a resort island with 20 million visitors annually, has signed an agreement with one of Europes largest national railways to use the technology on its surveillance cameras, and has completed trials in an Abu Dhabi skyscraper. On Sentosa, he said, the technology was able to improve operationsby spotting too-long lines at taxi stands and identifying points where parents were having trouble navigating strollers.

Its not just escaping the NSA that makes Singapore more and more attractive to startups, these entrepreneurs say.

The potential tightening of H1B visas in the United States will push more companies to start elsewhere, says Pande. If the U.S. develops an H1B issue, he says, that will be good for Singapore.

Here, there is no limit to H1Bs, you just have to demonstrate a need, Pande says.We have Singaporeans, Americans, Iranians, Indians, Russiansa veritable United Nations working at all our companies.

And, pointed out Hughes, Singapore has zero capital gains tax, relying instead on income and value added taxes.

Starting a company in Singapore, Pande points out, is not without challenges. We dont have a deep bench, he says. So the second level of tech talent, just below the entrepreneur, can be hard to come by.

And though the local universities are solid, he says, there just arent the big tech companies doing core R&D that spit out spinoffs.And there isnt a big domestic market, says Pande,though government support helps.

Valuations for startups also tend to be low compared to those in the U.S., Hughes says, but its early days here.

IEEE Spectrums blog featuring the people, places, and passions of the world of technologists in Silicon Valley and its environs. Contact us:t.perry@ieee.org

Germany takes the lead in making the Internet local 23Jan2014

Scott Borg, director of the U.S. Cyber Consequences Unit, says hardware design engineers hold the future of cybersecurity in their hands 15May

Secretive big data company Palantir has gobbled up downtown Palo Alto 14Jan2015

HAXs Ben Joffe takes a look at whats going on in Chinas startup sector 27Jun

Derive is taking technology that lets hot rodders soup up their vehicles and using it to make drivers behave themselves 27Jun

HAX executives preview trends in hardware startups 26Jun

The Canadian company wants to use AI to rate your car insurance risk in real time 22Jun

Affectivas Rana El-Kaliouby says our devices need to get a lot more emotionally intelligent 13Jun

The Pied Piper of the TV show's fictional quest to reinvent the Internet trails the progress of MaidSafe and the University of Michigan 9Jun

Nannycams? So yesterday. Startup Lighthouse's computer vision and AI will tell you everything you miss when youre not home 6Jun

Silicon Valley startup Verdigris cloud-based analysis can tell whether youre using a Chromebook or a Mac, or whether a motor is running fine or starting to fail 3May

Enviro Powers small steam turbine could cut homeowners electricity bills by 30 percent 18Apr

Avegant is confident enough about its light-field-based mixed-reality technology that it's willing to show and tell 18Apr

The 2017 contest puts a renewed emphasis on projects that could become successful businesses 24Mar

Who needs infrared spectrometers in their phones? People who hate buying tasteless produce or mystery cheese 14Mar

Palo Alto startup twoXAR partners with Santen Pharmaceutical to identify new glaucoma drugs; efforts on rare skin disease, liver cancer, atherosclerosis, and diabetic nephropathy also under way 13Mar

As coal industry jobs are lost, likely not to return, some in coal country have turned to coding 15Feb

The next-generation kitchen ovens promise perfect cooking using solid-state RF transmitters and sensors 6Feb

Take a bit of Maker Faire, a dash of Burning Man, and a scoop of Chuck E. Cheese, add $15 million, and poof, a micro-amusement park 19Jan

$34 million in drone preorders wasn't enough to keep Lily open 12Jan

Originally posted here:
Doing a Startup Involving Cryptography? Get Out of the US - IEEE Spectrum

A brief history of GnuPG: Vital to online security but free and underfunded

This article was first posted on The Conversation.

Most people have never heard of the software that makes up the machinery of the internet. Outside developer circles, its authors receive little reward for their efforts, in terms of either money or public recognition.

One example is the encryption software GNU Privacy Guard (also known as GnuPG and GPG), and its authors are regularly forcedto fundraiseto continue the project.

GnuPG is part of the GNU collection offree and open source software, but its story is an interesting one, and it begins with software engineer Phil Zimmermann.

We do not know exactly what Zimmermann felt onJanuary 11, 1996, but relief is probably a good guess. The United States government had just endedits investigationinto him and his encryption software, PGP or Pretty Good Privacy.

In the 1990s, the U.S. restricted the exportof strong cryptography, viewing it as sensitive technology that had once been the exclusive purview of the intelligence and military establishment. Zimmermann had been facing serious punishment for posting PGP on the internet in 1991, which could have been seen as a violation of theArms Export Control Act.

To circumvent U.S. export regulations and ship the software legally to other countries, hackers even printed the source codeas a book, which would allow anyone to scan it at its destination and rebuild the software from scratch.

Zimmermann later worked with the PGP Corporation, which helped define PGP as an open internet standard,OpenPGP. A number of software packages implement this standard, of which GnuPG is perhaps the best known.

What is PGP?

PGP implements a form of cryptography that is known as asymmetric cryptography or public-key cryptography.

The story of its discovery is itself worth telling. It was invented in the 1970s byresearchersat the British intelligence service GCHQ and then again byStanford University academicsin the U.S., although GCHQs results were only declassified in 1997.

Asymmetric cryptography gives users two keys. The so-called public key is meant to be distributed to everyone and is used to encrypt messages or verify a signature. The private or secret key must be known only to the user. It helps decrypt messages or sign them -- the digital equivalent of a seal to prove origin and authenticity.

Zimmermann published PGP becausehe believedthat everybody has a right to private communication. PGP was meant to be used for email, but could be used for any kind of electronic communication.

The challenge facing security software

Despite Zimmermanns work, the dream of free encryption for everyone never quite came to full bloom.

Neither Zimmermanns original PGP nor the later GnuPG managed to become entirely user friendly. Both use highly technical language, and the latter is still known for being accessible only by typing out commands -- an anachronism even in the late 1990s, when most operating systems already used the mouse.

Many users did not understand why they should encrypt their email at all, and attempts to integrate the tools with email clients were not particularly intuitive.

Big corporations such as Microsoft, Google and Apple shunned it -- to this day, they do not ship PGP with their products, although some are now implementing forms of end-to-end encryption.

Finally, there was the issue of distributing public keys -- they had to be made available to other people to be useful. Private initiatives never gathered much attention. In fact,a number ofacademic studiesin the early and late 2000s showed that these attempts never managed to attract widespread public usage.

The releaseof the Edward Snowden documents in 2013 spurred renewed interest in PGP. Crypto parties became a global phenomenon when people met in person to exchange their public keys, but this was ultimately short-lived.

PGP today

When I met Zimmermann in Silicon Valley in 2015, he admitted that he did not currently use PGP. In a more recent email, he said this is because it does not run on current versions of macOS or iOS. I may soon run GnuPG, he wrote.

By todays standards, GnuPG -- like all implementations of OpenPGP -- lacks additional security features that are provided by chat apps such as WhatsApp or Signal. Both are spiritual descendants of PGP and unthinkable without Zimmermanns invention, but they go beyond what OpenPGP can do by protecting messages even in the case of a private key being lost.

Read more:
A brief history of GnuPG: Vital to online security but free and underfunded - GCN.com

+Comment An Australian computer scientist working in Thailand has offered his contribution to Australia's cryptography debate by creating a public-key crypto demonstrator in less than a day, using public APIs and JavaScript.

Brandis.io not a useful encryption implementation (the site itself says as much), but is a useful public education exercise.

By using the WebCryptoAPI, author Dr Peter Kelly has implemented end-to-end crypto in just 445 lines of JavaScript code.

As Kelly writes at GitHub, Brandis does not implement encryption itself; instead, it relies on the Web Cryptography API provided by your browser, and simply exposes a user interface to this API that enables its use by non-programmers.

Hence its smallness: the cryptography is already out there, in the form of straightforward calls to public APIs: there's more JavaScript devoted to screen furniture than to generating public and private keys, or encrypting/decrypting the messages.

Dr Kelly's Brandis.io crypto demonstrator

As Kelly told Vulture South: I spent way more time on [the presentation] than I did on the crypto-using code. Picking a colour scheme took longer than writing the code for generating a public/private key pair.

Kelly warns visitors to the site not to treat this as a messaging platform: Brandis is primarily intended as a demonstration; it was put together in less than a day. For real-world usage, we recommend more established software such as GnuPG.

By the way, if you decide to try Brandis.io, note that its current message size limit is 190 characters. Kelly's investigating why that's so.

+Comment: Vulture South notes that kelly's efforts only addresses one part of the debate the Australian government ignited when its Attorney-General George Brandis fired the latest shot in what's being colloquially called CryptoWars 2. The other half is device security.

A common critique levelled at those who resist the idea of governments undermining encryption (the so-called war on mathematics, highlighted when Prime Minister Malcolm Turnbull unhelpfully quipped that Australia's laws will prevail over he laws of mathematics) is that they've got the wrong end of the stick, because messages could be recovered by means that don't attack encrypted messages in transit, but rather while they're at rest for example, by recovering messages as stored on devices like iPhones or Androids.

First, it's worth keeping in mind that the government itself drew attention towards strong encryption, with its complaint that singled out specific end-to-end encrypted applications, and its promise to get platform-makers to co-operate (as well as device vendors).

More importantly, however, the argument that an endpoint compromise is okay ignores history. Whether it's the sloppy IoT security let the Mirai botnet hose big servers or the leaked NSA tools that let loose ransomware rampages, or the DNS Changer malware attack that began in 2006, there's ample evidence of the danger posed by insecure endpoints.

You can't have security if you have insecure endpoints was first expressed to this writer in the 1990s, and it's still true. We can't redirect concerns about weak cryptography by saying you can still have strong crypto, if vendors will make weak devices.

Even the NSA couldn't keep device exploits secret, after all.

More here:
Dev to El Reg: Making web pages pretty is harder than building crypto - The Register

Most people have never heard of the software that makes up the machinery of the internet. Outside developer circles, its authors receive little reward for their efforts, in terms of either money or public recognition.

One example is the encryption software GNU Privacy Guard (also known as GnuPG and GPG), and its authors are regularly forced to fundraise to continue the project.

GnuPG is part of the GNU collection of free and open source software, but its story is an interesting one, and it begins with software engineer Phil Zimmermann.

We do not know exactly what Zimmermann felt on January 11, 1996, but relief is probably a good guess. The United States government had just ended its investigation into him and his encryption software, PGP or Pretty Good Privacy.

In the 1990s, the US restricted the export of strong cryptography, viewing it as sensitive technology that had once been the exclusive purview of the intelligence and military establishment. Zimmermann had been facing serious punishment for posting PGP on the internet in 1991, which could have been seen as a violation of the Arms Export Control Act.

To circumvent US export regulations and ship the software legally to other countries, hackers even printed the source code as a book, which would allow anyone to scan it at its destination and rebuild the software from scratch.

Zimmermann later worked with the PGP Corporation, which helped define PGP as an open internet standard, OpenPGP. A number of software packages implement this standard, of which GnuPG is perhaps the best-known.

PGP implements a form of cryptography that is known as asymmetric cryptography or public-key cryptography.

The story of its discovery is itself worth telling. It was invented in the 1970s by researchers at the British intelligence service GCHQ and then again by Stanford University academics in the US, although GCHQs results were only declassified in 1997.

Asymmetric cryptography gives users two keys. The so-called public key is meant to be distributed to everyone and is used to encrypt messages or verify a signature. The private or secret key must be known only to the user. It helps decrypt messages or sign them - the digital equivalent of a seal to prove origin and authenticity.

Zimmermann published PGP because he believed that everybody has a right to private communication. PGP was meant to be used for email, but could be used for any kind of electronic communication.

Despite Zimmermanns work, the dream of free encryption for everyone never quite came to full bloom.

Neither Zimmermanns original PGP nor the later GnuPG managed to become entirely user-friendly. Both use highly technical language, and the latter is still known for being accessible only by typing out commands - an anachronism even in the late 1990s, when most operating systems already used the mouse.

Many users did not understand why they should encrypt their email at all, and attempts to integrate the tools with email clients were not particularly intuitive.

Big corporations such as Microsoft, Google and Apple shunned it to this day, they do not ship PGP with their products, although some are now implementing forms of end-to-end encryption.

Finally, there was the issue of distributing public keys - they had to be made available to other people to be useful. Private initiatives never gathered much attention. In fact, a number of academic studies in the early and late 2000s showed that these attempts never managed to attract widespread public usage.

The release of the Edward Snowden documents in 2013 spurred renewed interest in PGP. Crypto parties became a global phenomenon when people met in person to exchange their public keys, but this was ultimately short-lived.

When I met Zimmermann in Silicon Valley in 2015, he admitted that he did not currently use PGP. In a more recent email, he said this is because it does not run on current versions of macOS or iOS. I may soon run GnuPG, he wrote.

By todays standards, GnuPG like all implementations of OpenPGP lacks additional security features that are provided by chat apps such as WhatsApp or Signal. Both are spiritual descendants of PGP and unthinkable without Zimmermanns invention, but they go beyond what OpenPGP can do by protecting messages even in the case of a private key being lost.

Whats more, email reveals the sender and receiver names anyway. In the age of data mining, this is often enough to infer the contents of encrypted communication.

Nevertheless, GnuPG (and hence OpenPGP) is alive and well. Relative to the increased computational power available today, their cryptography is as strong today as it was in 1991. GnuPG just found new use cases - very important ones.

Journalists use it to allow their sources to deposit confidential data and leaks. This is a vital and indispensable method of self-protection for the leaker and the journalist.

But even more importantly, digital signatures are where GnuPG excels today.

Linux is one of the worlds most common operating system (it even forms the basis of Android). On internet servers that run Linux, software is downloaded and updated from software repositories - and most of them sign their software with GnuPG to confirm its authenticity and origin.

GnuPG works its magic behind closed curtains, once again.

Ralph HolzisLecturer in Networks and Security at theUniversity of Sydney

This article was originally published on The Conversation. Read the original article.

Error: Please check your email address.

Tags securityencryptioncyber security

Read the original post:
A brief history of GnuPG: vital to online security but free and ... - Computerworld Australia

Infotecs, an internationally known IT security and threat intelligence provider, is developing quantum encryption technology to exchange encryption keys at very high data volumes.

Quantum computing has the potential to revolutionize modern computing by attaining computing speeds previously thought impossible. However, computing that is significantly faster would also make it easy to break many of todays encryption techniques. One reason for this is that if encryption keys are used too frequently, attackers can find statistical patterns that allow decryption of the data. The solution to that problem is to change keys very frequentlysometimes as much as several times per second.

Infotecs has invested roughly 4.8 million dollars over three years in the development of a post-quantum cryptography (PQK) technology that manages key exchange. Infotecs, in cooperation with international scientific institutions, is working to develop a marketable, efficient, but affordable solution for the construction of a secure quantum data network.

"The IT security sector is facing an extremely difficult challenge because of increasingly high-performance computer systems," comments Aleksandr Tkachev, General Manager of Infotecs Americas. "Our cryptographers have been working intensively since autumn 2016 on the development of a post-quantum cryptography solution to provide our customers with a market-ready encryption technology that meets the changing future requirements for secure, encrypted communication."

About Infotecs As a leading international IT security provider and an experienced specialist in software-based VPN solutions, Infotecs has been developing peer-to-peer ViPNet technology since 1991 to provide more security, flexibility and efficiency than other security products that are common to the market. The ViPNet Security and Threat Intelligence Platform provides complete security for all enterprise environments in a single cost-effective solution. As the only technology, ViPNet supports real point-to-point security and is therefore considered highly secure. The encryption solution is scalable, flexible, and easy to implement and manage. ViPNet can also be seamlessly integrated into existing network infrastructures, enabling customers to find the right balance between high security, low complexity and low risk. More than 1,000,000 endpoints, company locations and servers have been securely connected to each other using ViPNet - supported by experienced crypto specialists from our IT development and support team, as well as a strong network of partners. Further information on the company can be found at http://www.infotecs.us.

Contact Infotecs Americas James Quinn Vice-President, Strategic Security Architecture 77 Water Street, 8th Floor New York, NY 10005 (917) 362-4284 james.quinn(at)infotecs(dot)us

See the original post here:
Infotecs At The Forefront Of Quantum Cryptography - Broadway World

Experts from Kudelski Security will also dive into topics such as cloud security and orchestration, managed attacker deception, advanced threat intelligence, designing IoT security and cryptography during a series of Debriefing Sessions hosted at the Four Seasons Hotel.

Aumasson and Romailler's presentation will focus on a new and efficient approach to systematic testing of cryptographic software: differential fuzzing. Unlike general purpose software fuzzing such as afl, differential fuzzing doesn't aim to find memory corruption bugs (although they might come as a by-product), but to find logic bugs. Compared to test vectors, differential fuzzing provides greater code coverage and compared to formal verification, differential fuzzing is easier to apply, both for testers and developers. Aumasson and Romailler will present this session at both Black Hat and BSides LV. Romailler will also present it at Crypto & Privacy Village within DEF CON 25.

While at Black Hat 2017, Kudelski Security will also be hosting a Crypto Challenge, a series of after show Debriefs Sessions and a party at the House of Blues' Foundation Room within Mandalay Bay. Details include:

Media and analysts interested in meeting with Kudelski executives at the show should contact kudelskipr@teamlewis.com.

About Kudelski SecurityKudelski Security is the premier advisor and cybersecurity innovator for today's most security-conscious organizations. Our long-term approach to client partnerships enables us to continuously evaluate their security posture to recommend solutions that reduce business risk, maintain compliance and increase overall security effectiveness. With clients that include Fortune 500 enterprises and government organizations in Europe and across the United States, we address the most complex environments through an unparalleled set of solution capabilities including consulting, technology, managed security services and custom innovation. For more information, visit http://www.kudelskisecurity.com.

Media Contact:John Van Blaricum Vice President, Global Marketing Kudelski Security +1 650 966 4320 john.vanblaricum@kudelskisecurity.com

View original content with multimedia:http://www.prnewswire.com/news-releases/kudelski-security-to-present-on-automated-testing-of-crypto-software-at-black-hat-usa-2017-300488871.html

SOURCE Kudelski Security

Home

Originally posted here:
Kudelski Security to Present on Automated Testing of Crypto Software at Black Hat USA 2017 - PR Newswire (press release)

An attacker sitting between server and client can exploit the Orpheus Lyre bug to impersonate some services to the client.

A bypass bug present in the Kerberos cryptographic authentication protocol for 21 years has now been fixed in patches from Microsoft, Samba, Fedora, FreeBSD, and Debian.

The discoverers of the ancient Kerberos bypass bug have called it Orpheus Lyre after Orpheus, the musician from Greek legend who bypassed Cerberos, the three-headed hound guarding the gates of Hades. Orpheus pacified the dog with the music of his lyre.

Kerberos, which is named after Cerberos, is implemented as a cryptographic authentication protocol in products like Microsoft's Active Directory. Microsoft fixed the bug in this week's patch Tuesday update.

Samba, Debian, and FreeBSD are also affected through the open-source Heimdal implementation of Kerberos V5. Heimdal before version 7.4 is vulnerable. It appears Apple's Kerberos implementation in macOS is also vulnerable to Orpheus Lyre. However, the MIT implementation is not.

Orpheus Lyre was discovered by Jeffrey Altman, Viktor Duchovni and Nico Williams. They explain in a post that Orpheus Lyre can be used by a man-in-the-middle attacker to remotely steal credentials, and from there gain privilege escalation to defeat Kerberos encryption.

Instead of public-key cryptography's use of digital certificates from certificate authorities, the Kerberos protocol relies on a trusted third-party called the key distribution center (KDC).

These KDCs issue "short-lived tickets" that are used to authenticate a client to a specific service. An encrypted portion of the ticket contains the name of the intended user, metadata, and a session key. The KDC also provides the user with a session key that creates an Authenticator, which is used to prove they know the session key.

As they explain, Kerberos' "original cryptographic sin" was the abundance of unauthenticated plaintext in the protocol. While Kerberos can be secure, implementing it so as to authenticate plaintext is difficult.

"In this case, a two-line bug in several independently developed implementations of Kerberos, caused that metadata to be taken from the unauthenticated plaintext, the Ticket, rather than the authenticated and encrypted KDC response," they wrote.

The researchers haven't detailed every method of exploiting the Orpheus Lyre bug but note that an attacker sitting between a client and server can impersonate some services to the client. The bug also can only be closed by patching end-user systems rather than servers.

"If the client presents a Ticket and Authenticator, and the service can decrypt the Ticket, extract the session key, and decrypt the Authenticator with the session key, then the client is whoever the Ticket says they are, for they possessed the cryptographic key with which to make that Authenticator," they explain.

Read this article:
Windows, Linux distros, macOS pay for Kerberos 21-year-old - ZDNet - ZDNet

Data protection should be a top priority for small business owners. While it is common for small businesses to adopt basic back-up solutions, this bare-bones approach can result in oversights that leave data vulnerable. With constantly-changing technology that makes it easier than ever to keep sensitive information safe, there is no excuse for not protecting against a wide variety of emergencies that could lead to a loss or breach of confidential business data. Take all the steps you can to safeguard your small business data with the following suggestions.

Back It Up

Backing up your systems regularly is essential and one of the safest ways to keep your small business data safe.According to theSBA, businesses should back up their information daily, or weekly at the very least especially if the business is fairly active in creating or updating files and documents. Many business owners are familiar with and commonly practice backing up their data to a physical hard drive or server. However, it is advisable to back up important information to a cloud server as well. Using an off-site server protects data in the event of a disaster. For example, if your back-up hardware is destroyed in a flood, you can still retrieve files and documents from a cloud server. Using both of these methods is a great way to protect against many unexpected emergencies.

Set Up Firewalls

While a back-up system protects data from unexpected accidents like power outages and natural disasters, a firewall can protect your information from malicious intrusions specifically intended to breach your system. A firewall monitors all traffic coming in and out of your network, and prevents malware like viruses or Trojan horses from accessing and corrupting your data. When deciding on firewalls, consider an appliance rather than software. Firewall hardware serves as a layer between the internet and your system, blocking malicious software before it enters your network. To take an extra step towards protecting your data, use anti-virus and anti-spyware programs to scan your system and check for any breaches that may have bypassed your firewall.

Limit Financial Transactions To One Computer

Use one computer for all your businesss online financial transactions, and do not use it for other online activities like surfing the web, checking e-mail or using social media. It is much more difficult for outsiders to gain access to sensitive information when a computer is used solely for online business transactions. If you are a business owner, it is important to review transactions daily so you can spot fraud sooner rather than later.

Run Virtual Servers

In addition to being cost-effective, running virtual servers can improve your data security. Server virtualization allows you to run several virtual server environments (like your email, database and web servers) on one device. Put another way, this technology allows you to run one server on multiple computers. This means that your work can be recovered and accessed from another machinein the event of a hardware failure.

Secure Confidential Information With Cryptography

It is essential to use strong cryptography during storage and transmission of information that is confidential. Cryptography methods vary, and choosing one depends on your specific business needs. The FTC states, the method will depend on the types of information your business collects, how you collect it, and how you process it. Common options include Transport Layer Security/Secure Sockets Layer (TLS/SSL) encryption, data-at-rest encryption or an iterative cryptographic hash. Regardless of method, encrypting sensitive transmissions is necessary and can save you the grief of dealing with a data breach.

The foregoing information is provided by City National Bank (CNB). Unless otherwise stated, opinions expressed are those of the respective authors and not necessarily those of CNB. The information is provided without warranty and no recommendation or endorsement by CNB is intended or should be inferred unless specifically stated.

Visit City National Banks News & Insights for small business tips, trends and updates.

For more tips and inspiration for small business owners, visit CBS Small Business Pulse Los Angeles.

View original post here:
How To Safeguard And Protect Your Small Business Data - CBS Los Angeles

Mouser now stocks the EFR32BG12 and EFR32BG13 Blue Gecko SoCs from Silicon Labs. Part of the Wireless Gecko portfolio, these Bluetooth low energy SoCs deliver superior RF performance, enhanced cryptography acceleration, larger memory options, on-chip capacitive touch control, and additional low-power peripherals and sensor interfaces.

Their SoCs integrate a high-performance 32-bit 40MHz ARM Cortex-M4 core with a 2.4GHz and sub-1GHz radio transceiver. The devices offer more memory than previous generations of Blue Gecko devices, with EFR32BG12 devices offering 1Mbyte of flash memory and 256kbytes of RAM, while the EFR32BG13 devices offer 512kbytes of flash memory and 64kbytes of RAM. This significant memory expansion makes it easier to develop complex, feature-rich IoT applications supporting multiple protocol stacks, real-time operating systems such as Micrium OS, backup images for devices and OTA updates for field upgrades to extend the life of IoT products.

The companys Blue Gecko SoCs are ideal for enabling energy-friendly Bluetooth 5 networking for IoT devices, wellness products, home and building automation, and smart metering.

Share on Google Plus Share

View original post here:
Mouser Latest Bluetooth 5 SoCs deliver superior RF performance and enhanced cryptography acceleration (Silicon ... - Electropages (blog)

Chinese scientists have recently announced the use of a satellite to transfer quantum entangled light particles between two ground stations over 1,000 kilometres apart. This has been heralded as the dawn of a new secure internet.

Should we be impressed? Yes scientific breakthroughs are great things.

Does this revolutionise the future of cyber security? No sadly, almost certainly not.

At the heart of modern cyber security is cryptography, which provides a kit of mathematically-based tools for providing core security services such as confidentiality (restricting who can access data), data integrity (making sure that any unauthorised changes to data are detected), and authentication (identifying the correct source of data). We rely on cryptography every day for securing everything we do in cyberspace, such as banking, mobile phone calls, online shopping, messaging, social media, etc. Since everything is in cyberspace these days, cryptography also underpins the security of the likes of governments, power stations, homes, and cars.

Cryptography relies on secrets, known as keys, which act in a similar role to keys in the physical world. Encryption, for example, is the digital equivalent of locking information inside a box. Only those who have access to the key can open the box to retrieve the contents. Anyone else can shake the box all they like the contents remain inaccessible without access to the key.

A challenge in cryptography is key distribution, which means getting the right cryptographic key to those (and only those) who need it. There are many different techniques for key distribution. For many of our everyday applications key distribution is effortless, since keys come preinstalled on devices that we acquire (for example, mobile SIM cards, bank cards, car key fobs, etc.) In other cases it is straightforward because devices that need to share keys are physically close to one another (for example, you read the key on the label of your Wi-Fi router and type it into devices you permit to connect).

Key distribution is more challenging when the communicating parties are far from one another and do not have any business relationship during which keys could have been distributed. This is typically the case when you buy something from an online store or engage in a WhatsApp message exchange. Key distribution in these situations is tricky, but very solvable, using techniques based on a special set of cryptographic tools known as public-key cryptography. Your devices use such techniques every day to distribute keys, without you even being aware it is happening.

There is yet another way of distributing keys, known as quantum key distribution. This uses a quantum channel such as line of sight or fibre-optic cable to exchange light particles, from which a cryptographic key can eventually be extracted. Distance limitations, poor data rates, and the reliance on specialist equipment have previously made quantum key distribution more of a scientific curiosity than a practical technology. What the Chinese scientists have done is blow the current distance record for quantum key distribution from around 100kms to 1000kms, through the use of a satellite. Thats impressive.

However, the Chinese scientists have not significantly improved the case for using quantum key distribution in the first place. We can happily distribute cryptographic keys today without lasers and satellites, so why would we ever need to? Just because we can?

Well, theres a glimmer of a case. For the likes of banking and mobile phones, it seems unlikely we will ever need quantum key distribution. However, for applications which currently rely on public-key cryptography, there is a problem brewing. If anyone gets around to building a practical quantum computer (and were not talking tomorrow), then current public-key cryptographic techniques will become insecure. This is because a quantum computer will efficiently solve the hard mathematical problems on which todays public-key cryptography relies. Cryptographers today are thus developing new types of public-key cryptography that will resist quantum computers. I am confident they will succeed. When they do, we will be able to continue distributing keys in similar ways to today.in other words, without quantum key distribution.

Who needs quantum key distribution then? Frankly, its hard to make a case, but lets try. One possible advantage of quantum key distribution is that it enables the use of a highly secure form of encryption known as the one-time pad. One reason almost nobody uses the one-time pad is that its a complete hassle to distribute its keys. Quantum key distribution would solve this. More importantly, however, nobody uses the one-time pad today because modern encryption techniques are so strong. If you dont believe me, look how frustrated some government agencies are that we are using them. We dont use the one-time pad because we dont need to. The same argument applies to quantum key distribution itself.

Finally, lets just suppose that there is an application which somehow merits the use of the one-time pad. Do the one-time pad and quantum key distribution provide the ultimate security that physicists often claim? Heres the really bad news. We have just been discussing all the wrong things. Cyber security rarely fails due to problems with encryption algorithms or the ways that cryptographic keys are distributed. Much more common are failures in the systems and processes surrounding cryptography. These include poor implementations and misuse. For example, one-time pads and quantum key distribution dont protect data after it is decrypted, or if a key is accidentally used twice, or if someone forgets to turn encryption on, etc. We already have good encryption and key distribution techniques. We need to get much better at building secure systems.

So, Im very impressed that a cryptographic key can be distributed via satellite. Thats great but I dont think this will revolutionise cryptography. And I certainly dont feel any more secure as a result.

Featured image credit: Virus by geralt. CC0 public domain via Pixabay.

Here is the original post:
Who needs quantum key distribution? - OUPblog (blog)