PKI is sooo 20th century

PKI has been around for some 25 years. It has served well, but these days it no longer provides sufficient protection for data and digital identities. Even RSA (the people, not the company) think that we have to take a different approach to PKI. Read here what Shamir said about this:

PKI is great, but it is a SPOF (Single Point Of Failure). Consider the Comodo and DigiNotar hacks: once a CA in a PKI trust chain is compromised, every certificate chaining to it is suspect, including the fraudulent ones the attacker issues, and the trust is gone until the CA is pulled from every trust store. We should move to multifactor authentication for everything, everyone and everywhere. I am even willing to state that two "weak" factors are better than a single factor. You can use any combination of factors: a platform certificate plus a user password, a biometric plus a platform certificate, whatever you can lay your hands on.

Companies understand that too. The FIDO Alliance, for example, has as its goal to get rid of passwords and to use (multifactor) authentication methods to build trust in platform and user identity.

Another really good approach is to separate data, keys and access control. Scrambls, for example, uses this model: your data is encrypted on your own computer, the key is provided by the Scrambls cloud key management server (or a Scrambls key server in your own data center), and access to the encrypted file is managed by the end user and/or your company. You control who can access the data and when, while the encrypted data itself can reside in the cloud (Dropbox, Facebook, whatever). The flip side of this split is that whoever operates the key server can decrypt everything, so the key server and its access control list become the asset to protect and audit.

I think that data access and protection will (must?) fundamentally change in the coming period. We must do that to provide sufficient protection for our data and digital identities.


Airline food

Yes, I know that airlines are going through tough times. They need to save money wherever they can. That has led to a situation where you get this meal on a transatlantic flight:

A chicken that had more flight hours than the plane, red wine at 3 degrees centigrade in a plastic Coca-Cola cup, a salad that was several days old (brown edges) and frozen olive oil in the dressing.

I see a new business opportunity: selling lunch bags at the airport! Just a water, a small orange juice, two fresh sandwiches and a piece of fruit. Then you buy a beer or a glass of wine for the usual $7 (!) and you have a much better experience than what the airlines offer today.

UPDATE: I was at Tampa and Charlotte airports today and it seems that companies have already picked up my idea and sell different food that can be taken onto the plane. Still at relatively high prices, but hey, better expensive than not available, right?


A world without passwords!

You might have read my post about the 127 character password that you do not tell the user. Things move fast. Now there is the FIDO Alliance, a new group that creates standards for device and user authentication without the user having to remember passwords. They use different authentication factors, like biometrics or the Trusted Platform Module. Using different factors is very convenient (use whatever is available to a user) and also enables "weighting" of authentications: an authentication with the TPM (security hardware) is stronger than a fingerprint scan (easier to spoof), for example.

Multifactor authentication with the user in control! FIDO will present on Thursday February 21st. Read more about FIDO here.


Give users a 127 character password but do not tell them


Password policies, like minimum length, complexity and periodic renewal, are there to mitigate password leakage and misuse. Users hate them, and a substantial number of helpdesk calls are password (reset) related. There is a method to let the user use a very long and complex password without telling them.

Let the computer provide the user credentials

When you protect the user identity with special security hardware, like the Trusted Platform Module (TPM), the computer can provide the user credentials to Windows on behalf of the user. The computer doesn't care how long a credential is, so you can assign a very complex (random) one. Since the user's identity is a private key held in cryptographic hardware rather than a memorized secret, there is no need for password policies like minimum length or periodic renewal. How does that work?

The TPM as Virtual Smartcard

Wave Systems TPM software
Windows supports logon through smart cards. A smart card is usually a credit-card-sized card with a chip. However, smart cards are expensive, users forget or break them, and smart card logistics can be cumbersome.

Much better is to let the computer act as a smart card. Once the user's credentials are enrolled in the TPM, the user only has to provide a PIN to unlock the computer and authenticate against Active Directory. Since the user does not have to remember (or even know) a Windows password, you strengthen security too: an attacker needs both the PIN and the PC to get access, and when the PIN is verified by the TPM itself (as with TPM-backed virtual smart cards), its anti-hammering protection locks the key after a handful of wrong guesses, so the PIN cannot be brute-forced offline the way a stolen password hash can.

All other Windows security features still apply (NTLM authentication, Kerberos etc.), so no changes to the backend are necessary beyond what smart card logon already requires: an enterprise CA and certificates on the domain controllers, because smart card logon is Kerberos PKINIT under the hood. Note that after a smart card logon the domain controller still hands the client the account's NT hash so that NTLM keeps working, which means that hash can still be stolen from memory on a compromised PC; smart card logon removes the password, not the hash. You can also use the virtual smart card to store other user or company secrets, and it is possible to use the TPM for traditional PKI solutions like WiFi authentication (EAP-TLS) or VPN security.

A world without passwords!

So, without changing your IT infrastructure you can offer the user a seamless logon method that authenticates the user (and, since the key cannot leave the TPM, the computer it was enrolled on) and provides single sign-on to Windows, services and applications! You only need to enable the TPM, load the Wave Systems TPM drivers and enroll the user's PIN on the computer. Very simple to deploy, and the users and the helpdesk will love this solution.
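The same enable-TPM, create-card, enroll sequence, as an added PowerShell example that is not from the original post or from Wave Systems: it uses the virtual smart card support built into Windows 8 / Windows Server 2012 and later (tpmvscmgr.exe, certreq.exe, certutil.exe) instead of the Wave drivers. The card name CorpVSC, the template name SmartcardLogon, and the assumption that that template is configured to use the Microsoft Smart Card Key Storage Provider with the Smart Card Logon EKU are illustrative; substitute your own.

```powershell
#Requires -RunAsAdministrator
# Added example (not the post's or Wave Systems' code): TPM as a virtual
# smart card with the tooling that ships in Windows 8 / Server 2012 and
# later. Run in an elevated PowerShell session on a domain-joined PC.
# Assumed names: card "CorpVSC", AD CS template "SmartcardLogon".

# 1. Is there a TPM, and is it provisioned? Get-Tpm comes with the
#    TrustedPlatformModule module on Windows 8 and later.
$tpm = Get-Tpm
if (-not $tpm.TpmPresent) {
    throw "No TPM found: enable it in the UEFI/BIOS setup first."
}
if (-not $tpm.TpmReady) {
    throw "TPM present but not provisioned: run Initialize-Tpm first."
}

# 2. Create the virtual smart card. The TPM generates and holds the key.
#    /pin prompt asks the user for the PIN interactively; /adminkey prompt
#    asks for a 48-hex-digit admin key. Keep that admin key in your card
#    management system: it is what lets an administrator unblock a locked
#    PIN later. '/adminkey random' is simpler but makes PIN unblock
#    impossible, so a locked card can only be destroyed and re-created.
#    /generate formats the card's file system.
& tpmvscmgr.exe create /name "CorpVSC" /pin prompt /adminkey prompt /generate
if ($LASTEXITCODE -ne 0) {
    throw "tpmvscmgr.exe create failed with exit code $LASTEXITCODE"
}

# 3. The card appears as a smart card reader device. Note its InstanceId:
#    'tpmvscmgr.exe destroy /instance <InstanceId>' is how you retire it.
Get-PnpDevice -Class SmartCardReader -PresentOnly |
    Select-Object FriendlyName, InstanceId

# 4. Enroll a logon certificate into the card from the AD CS template
#    (assumed name). Because the template uses the smart card KSP, the key
#    pair is generated inside the TPM and never exists as a file on disk.
#    The user is prompted for the PIN chosen in step 2.
& certreq.exe -enroll -user SmartcardLogon
if ($LASTEXITCODE -ne 0) {
    throw "certreq.exe enrollment failed with exit code $LASTEXITCODE"
}

# 5. Verify: certutil -scinfo lists the certificates on every present
#    smart card and checks that the logon certificate chains to a trusted
#    CA. Smart card logon also needs the domain controllers to hold a
#    Kerberos Authentication / Domain Controller certificate (PKINIT).
& certutil.exe -scinfo
```

On a Windows 8+ machine this replaces the Wave-specific driver step; the backend requirements (enterprise CA, DC certificates) are the same either way, and the PIN is still checked by the TPM, so its dictionary-attack lockout applies.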

More information on this subject can be found at or send an email to