The Ease of Cracking Passwords Affects Everything You Do
by Eirik Iverson, Product Management
Ordinary video cards and botnets make cracking passwords trivial, and that affects everything you do and see. It is why nearly all authentication in our products is PKI-based.
Ultimately, the success of any security service hinges on authentication (see this classic post on authentication).
Everything you depend upon uses some form of authentication to control who may use it, what they may do, where they may do it, and so on. If cracking passwords takes only trivial effort, that weakness reaches everything from your email to your online banking to any other service you use. All of these have usage controls, and many rely on passwords alone to enforce them. As you walk around, look at what others are doing, at the services you rely on, and at the tools and software you use, and consider how passwords may be at work in them. Imagine what harm could be done if a criminal controlled these things around you, things that serve you and may even have some control over you. You would see why there are so many cyber criminals: there are so many easy ways to get ahead.
When passwords are required, everyone ought to be using passPHRASES instead, sprinkled with a few odd characters and/or numbers. The reason is arithmetic: an attacker who has stolen a table of password hashes can use an ordinary graphics card to test billions of guesses per second against it, so every short password, however "complex", sits inside a search space that is exhausted in hours or days, while each extra word in a passphrase multiplies that space by the size of the vocabulary. Government Computer News (GCN) recently published an article on how ordinary video cards are empowering hackers in exactly this way. Combine the article with the notion of a botnet of thousands of these computers, each contributing its card, and you see the state of the art.
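To make the arithmetic concrete, here is an added example (not code from the original post or from Blue Ridge) that sizes the search space of an 8-character "complex" password against random-word passphrases, converts each to worst-case cracking time, and then actually recovers a short password from its unsalted MD5 hash by exhaustive search. The per-GPU hash rate, the botnet size and the 7,776-entry word list (the size of a Diceware list) are assumptions written into the constants, not figures taken from the GCN article.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"math"
)

// Rates are assumptions, not figures from the post: an order-of-magnitude
// guess for unsalted MD5 on one consumer GPU, and a botnet of 1,000 of them.
const (
	AssumedGPUHashesPerSec = 1e10
	AssumedBotnetNodes     = 1000
)

// SearchSpace is the number of candidates for a secret drawn uniformly from
// alphabetSize symbols (characters, or words from a word list) of a given length.
func SearchSpace(alphabetSize, length int) float64 {
	return math.Pow(float64(alphabetSize), float64(length))
}

// SecondsToExhaust is the worst-case time to try every candidate; on average
// an attacker needs half of this.
func SecondsToExhaust(space, hashesPerSec float64) float64 {
	return space / hashesPerSec
}

// Estimate is one row of the comparison.
type Estimate struct {
	Label     string
	Bits      float64 // log2 of the search space
	OneGPUSec float64
	BotnetSec float64
}

// Compare contrasts a "complex" 8-character password with random-word
// passphrases of the kind the post recommends. 7,776 words is the size of a
// Diceware word list (an assumption of this example, not a figure from the post).
func Compare() []Estimate {
	cases := []struct {
		label string
		space float64
	}{
		{"8 chars from 95 printable ASCII", SearchSpace(95, 8)},
		{"5 random words from a 7776-word list", SearchSpace(7776, 5)},
		{"6 random words from a 7776-word list", SearchSpace(7776, 6)},
	}
	out := make([]Estimate, 0, len(cases))
	for _, c := range cases {
		out = append(out, Estimate{
			Label:     c.label,
			Bits:      math.Log2(c.space),
			OneGPUSec: SecondsToExhaust(c.space, AssumedGPUHashesPerSec),
			BotnetSec: SecondsToExhaust(c.space, AssumedGPUHashesPerSec*AssumedBotnetNodes),
		})
	}
	return out
}

// MD5Hex is the kind of unsalted hash a weak application might store.
func MD5Hex(s string) string {
	sum := md5.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

// BruteForceMD5 walks every string over alphabet up to maxLen, depth first,
// and returns the recovered preimage (or "") and how many hashes it computed.
func BruteForceMD5(targetHex, alphabet string, maxLen int) (string, int) {
	want, err := hex.DecodeString(targetHex)
	if err != nil || len(want) != md5.Size {
		return "", 0
	}
	tries, found := 0, ""
	var walk func(prefix []byte, remaining int) bool
	walk = func(prefix []byte, remaining int) bool {
		if len(prefix) > 0 {
			tries++
			sum := md5.Sum(prefix)
			if bytes.Equal(sum[:], want) {
				found = string(prefix)
				return true
			}
		}
		if remaining == 0 {
			return false
		}
		for i := 0; i < len(alphabet); i++ {
			if walk(append(prefix, alphabet[i]), remaining-1) {
				return true
			}
		}
		return false
	}
	walk(nil, maxLen)
	return found, tries
}

func main() {
	for _, e := range Compare() {
		fmt.Printf("%-40s %5.1f bits  one GPU: %9.3g days  botnet: %9.3g days\n",
			e.Label, e.Bits, e.OneGPUSec/86400, e.BotnetSec/86400)
	}
	// A short lowercase password falls to a naive CPU search in well under a second.
	pw, n := BruteForceMD5(MD5Hex("pwd"), "abcdefghijklmnopqrstuvwxyz", 3)
	fmt.Printf("recovered %q after %d hashes\n", pw, n)
}
```

Under these assumptions the 8-character password (about 52.6 bits) is exhausted by one card in roughly a week and by the botnet in about eleven minutes, while six random words (about 77.5 bits) take the same botnet centuries; note that five words (about 64.5 bits) only buy the botnet a month, so length is what counts. The calculation assumes a fast, unsalted hash; a slow, salted password KDF cuts the rate by several orders of magnitude, which helps the passphrase much more than it rescues the short password.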
As a ‘high assurance’ security vendor, as opposed to one that merely plays one in ‘marketing content’, we make nearly every use of authentication in our products PKI-based. Those of you concerned with HSPD-12 (the directive behind the PIV smart card) must know PKI: public key infrastructure. It is the strongest form of authentication commercially available. When it is employed in a mandatory, mutual manner, each side proves possession of a private key that never leaves its device, so a captured session contains no reusable secret for an attacker to replay or guess. The one caveat a practitioner should keep in mind is that this rests on the private keys being well protected (ideally in hardware) and on both sides actually validating the certificate chain; skip the validation and the mutuality is gone. Contrast this with one-time pass code authentication (e.g., a keyfob that displays six characters), which is only one-way (it authenticates the client to the server but not the server to the client) and is subject to man-in-the-middle attacks: a counterfeit site can prompt for the code and relay it to the real service within its validity window. Arguably, these things do more harm than good with their false sense of security.
At Blue Ridge, we practice what we preach. The management plane of all our products is secured by PKI. Our remote-access VPN and our new EdgeGuard product line are PKI-based. The key exchange process for our VPN technology is enveloped within PKI. Even our enterprise software designed to stop the zero-day malware attacks that your antivirus cannot uses PKI to secure policy updates and event logs. Everything we develop is PKI-based.
The real value in designing PKI-based authentication into tools and workflow processes from the very beginning is how little of the PKI end users ever have to see. The best security remains convenient and easily understood while being highly effective. When customers who have used our products tell us they did not realize our products used PKI, we are deeply gratified.
Walk-away point: look for PKI in everything you need. Anything worth stealing that relies solely on passwords is probably cracked already.

