20130228

PKI is sooo 20th century

PKI has been around for 25 years or so. It has served us pretty well, but these days it no longer provides sufficient protection for data and digital identities. Even RSA (the guys, not the company) think we have to take a different approach to PKI. Read here what Shamir said about it: http://threatpost.com/en_us/blogs/rsa-conference-2013-experts-say-its-time-prepare-post-crypto-world-022613

PKI is great, but it is a SPOF (Single Point Of Failure). Consider the Comodo and DigiNotar hacks: once a PKI trust chain is compromised, all of the trust that rests on it is gone. We should move to multi-factor authentication for everything, everyone and everywhere. I am even willing to state that two "weak" factors are better than a single factor. You can use any combination of factors: a platform certificate plus a user password, a biometric plus a platform certificate, whatever you can lay your hands on.

Companies understand this too. The FIDO Alliance (http://fidoalliance.org/), for example, has the goal of getting rid of passwords and using (multi-factor) authentication methods to build trust in platform and user identity.

Another really good approach is to separate data, keys and access control. Scrambls (http://www.scrambls.com), for example, uses this. Your data is encrypted on your computer, the key is provided by the Scrambls cloud key management server (or a Scrambls key server in your own data center), and access to the encrypted file is managed by the end user and/or your own company. You control who can access the data, and when, while the data itself can reside in the cloud (Dropbox, Facebook, whatever).
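The data/key/access-control split described above, as an added in-process model in Go (my example, not Scrambls's code; KeyServer, Register, Revoke, FetchKey, NewClient, Seal and Open are assumed names): the key server holds keys and the ACL and never touches data, the client does all encryption with AES-256-GCM, and the cloud store only ever sees the sealed blob, so revoking a reader needs no re-encryption.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// KeyServer: file ID -> data key plus the users allowed to fetch it. It never sees plaintext or ciphertext.
type KeyServer map[string]*entry
type entry struct {
	key   []byte
	users map[string]bool
}
// Register mints a fresh 256-bit data key for fileID and records its ACL.
func (ks KeyServer) Register(fileID string, users map[string]bool) {
	key := make([]byte, 32)
	rand.Read(key) // crypto/rand.Read never returns an error (Go 1.24+)
	ks[fileID] = &entry{key: key, users: users}
}
// Revoke cuts a user off; nothing stored in the cloud needs re-encrypting.
func (ks KeyServer) Revoke(fileID, user string) { delete(ks[fileID].users, user) }
// FetchKey releases the data key only to users on the file's ACL.
func (ks KeyServer) FetchKey(fileID, user string) ([]byte, error) {
	if e := ks[fileID]; e != nil && e.users[user] {
		return e.key, nil
	}
	return nil, errors.New("access denied")
}

// NewClient builds AES-256-GCM from a fetched key; all crypto runs on the client.
func NewClient(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// Seal encrypts locally, random nonce prefixed; only this blob goes to the cloud store.
func Seal(gcm cipher.AEAD, plaintext []byte) []byte {
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, plaintext, nil)
}
// Open decrypts locally; it fails on a wrong key or a tampered blob.
func Open(gcm cipher.AEAD, blob []byte) ([]byte, error) {
	if n := gcm.NonceSize(); len(blob) >= n {
		return gcm.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, errors.New("blob too short")
}
```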

I think that data access and protection will (must?) fundamentally change in the coming period. We have to do this to provide sufficient protection for our data and digital identities.
