Monthly Archives: May 2005

Solving the certificate distribution problem

Leave a reply

For a long time now I’ve realised one of the biggest problems with PKI, especially in organisations, is distribution and management of the keys/certificates. So now that I actually have some hardware to play with it’s enabled me to start working on some solutions to this problem.

My first solution to this problem was also my first attempt at coding a PHP-GTK application as well, one of the benefits of PHP-GTK is it’s ability to be run across many platforms similar to java and .net, the down side was a major lack of decent examples and documentation. I came across numerous applications in the “Hello World”, and some very very advanced applications such as the novap2p app, but there was very little in the way of what I was attempting, so hopefully it will serve as a good demo for others as well as a useful tool for people with hardware crypto devices. The other down side is poor GUI design tools, I ended up using glade, but it is by far the worst GUI design tool I’ve ever used, although I don’t know that the full blame lies with glade, but it could have been made so much better, all the elements are there just some of the defaults are brain dead.

In any case, and a number of other non-php/gtk related issue later, I’ve posted the app online as well as some screen shots to the wiki, it’s a very basic app to make things easier in getting certificates signed and onto PKI cards, but it does work pretty well even if I do say so myself.

Is it finally time to sound the death knell to passwords?

Leave a reply

Security mechanisms can be defined in the following ways “something you know”, “something you have” and “something you are”.

Passwords are something you know
PKI cards/tokens are something you have
Biometrics is something you are

The problem I have with biometrics is you can’t change the tokens, and this can be bad for a number of reasons. For example, some new cars come with a biometric reader so they can claim they are harder to steal, but as one proud new owner found out it just makes criminals hurt you more, so now he doesn’t have a car and he has one less finger, that’s right, they stole his car and cut off his finger as well!

My preference lies with something you have, that is PKI hardware, which in most cases also requires a PIN, which is something you know, which adds up to 2 factor authentication. The beauty of this system is that the PIN and the card by themselves are useless, having the card by itself is useless because if you get the PIN wrong 3 times the cards will lock themselves to prevent brute force attacks, and of course the PIN by itself is pointless.

And so begins my epic tale of getting PKI hardware to work with Linux, and the difficulty I encountered highlighting one of the many reasons PKI hasn’t taken off in a big way.

This week I met up with a nice gentlemen, who happened to be the distributor for Gemplus products in Australia/New Zealand, and was kind enough to give me a few of their products for evaluation purposes. I believe others have also managed to get evaluation kit from Aladdin as well, check the main mailing list archive for details on that.

In any case this was my first look at any kind of PKI based hardware, and as per usual for Linux driver support and integration between applications leave a lot to be desired, but the lack of coherent documentation was an even bigger headache.

Read on for more Continue reading

2005 Annual General Meeting

Leave a reply

Some of you may be unaware, however we’ve pencilled the 3rd of July (for most time zones) in as the date of the next AGM. By law we are required to hold an AGM every 12 months.

If you would like to vote on, or be nominated for any of the board positions you must either become a member, or renew your membership by the 1st of July (so we can process things in time for the meeting).

If you would like to become a member it’s encouraged that you read our rules, as this has information covering most/all questions about memberships and board roles, it also has the membership form on the 2nd last page that needs to be filled out and signed.

Adobe’s PDF editor can digitally sign documents, or you can print it out and scan it. Once you have a signed document (either digital or written signatures) you need to email this to secretary at CAcert org. Once received all new membership requests will be dealt with as the first order of business at the next AGM.

It’s encouraged that everyone that wants to vote or be nominated for a role also get their membership paid for before the AGM as this will ensure your vote is valid and able to be counted.

Membership is only US$10/year, and if you don’t want to become a member, but just want to donate some money to CAcert that is also welcome.

PGP Ruled as Relevant For Criminal Case

4 Replies

What has to be a huge blow for anyone with PGP or virtually any other encryption program on their computer, (in fact most computers these day come with cryptographic programs pre-installed). A man found guilty on child pornography related charges, was also found to have PGP software on his system and a court ruled that this was admissible as intent to commit and/or hide crimes in his case. This has huge ramifications if you are found guilty of a crime and then they find any cryptography software installed on your computer.

It’s also worth mentioning that the article also points out that the police didn’t claim to actually find anything relevant to their case that was encrypted.

What this amounts to is walking into a shopping centre with a bag, and the police concluding that you had a bag so you were intending to steal something, without actually finding any evidence of you stealing in the bag.

Conundrum

3 Replies

One FUD issue some people keep regurgitating to keep us from being included in browsers is they worry about us issuing certificates for the likes of paypal.com, most people pushing this line tend to neglect to mention that issuing a certificate on it’s own is mostly useless, unless you can attack the host file on a users computer or the DNS name system, in which case there is bigger problems then falsely issued SSL certificates, especially since most phishing attacks (which is the assumption likely to abuse this) don’t even resort to using SSL.

Currently we require people to have code signing access before issuing IDN/punycode domain/email certificates, and it has been suggested that we have a similar requirement for anyone requesting certificates for high profile sites.

One way to determine popularity is by sites like alexa.com which give out rankings.

I guess the question is how popular must a site be if we want to enforce this, and over what time period?

Another concern is with large organisations as a lot of departments inside these organisations run their own sub-domain and the TLD is handled usually by the main IT department, and this could be cause for concern if someone registers the TLD and starts getting certificates for either the entire organisation or for sub-domains they shouldn’t be allowed to control, this is usually controlled by an organisations IT policy, but this call also lead to someone intercepting traffic by setting up a reverse proxy, and there is questions hanging over this as it will potentially effect legit users one way or another.

Over million bank records stolen

Leave a reply

What has to be the biggest black eye for the US banking industry in recent times had nothing to do with phishing attempts, it didn’t have anything to do with intercepting and brute forcing SSL packets, and it didn’t have to do with any root keys escaping into the wild.

What it does have to do with is a shady person talking high level bank employees into stealing the details of the banks customers and to go on and hassle people based on false collection claims, not to mention potential identity theft attacks as well.

Full story can be read on the CNN website.