Small Company Wants to Make Encryption Key Management Into a Commodity (Video)

StrongAuth helps protect data with strong encryption, so that even if a company's network infrastructure is breached, its critical data -- including customers' credit card numbers, for example -- is still safe. Their software is open source, and their objective is to "become like the Toyota Camry of encryption key management," says StrongAuth CTO Arshad Noor. "Everybody should be able to afford it." These are big words from a company that only has 12 employees, all in Silicon Valley, but it's a company that not only has a strong reputation among its small and medium-sized business clients, but is starting to get acceptance from Fortune 500 behemoths, too. In this video interview (and in the transcript), Arshad not only talks about data security, but about how his company makes money while developing and relying purely on open source software. And did somebody ask about Linux? Yes, their software is all based on Linux. CentOS, to be exact.

  1. Slashvertising by Anonymous Coward · · Score: 2, Informative

    Anyone "should" be able to afford it? Everyone IS able to afford it. Right now.

    1. Re:Slashvertising by Anonymous Coward · · Score: 1

      While this is technically true and this article is definitely a slashvertisement, actually implementing data security is Hard(tm) as the tools are very clunky and information is sparse. Data security should be fairly trivial to implement, but as it stands, everyone has to figure out all the nitty gritty implementation details and roll their own based on low-level encryption algorithms. There is no "just put the password in the database with this function", instead it's a free-for-all navigating what the best current hash algorithms are, whether your data sources are random enough, whether your salt is good enough, etc. Most security experts however seem to have no interest in making security easy, but rather berating everyone for not being a security expert.

    2. Re:Slashvertising by Synerg1y · · Score: 1

      Basic security is fairly easy to implement and typically requires a little bit of common sense and business sense. Turning on https on a web server doesn't require a security expert. It all depends on who you think may target you; obviously the Chinese government has more potential to break in than a basement neckbeard. However, the Chinese government isn't interested in 99.9% of IP addresses, despite the title of the other fear-mongering article on /.

    3. Re:Slashvertising by CKW · · Score: 1

      Afford, yes. Implement? PROPERLY?

      I kid you not, 90% of general purpose software developers are not sharp enough to "touch" security related code or systems without leaving GAPING holes because they totally don't understand or misunderstand simple things.

      They can write an if/else or a while loop, but other more advanced things ... just beyond them. And even the moderately smart senior personnel will accidentally leave something in a "prototype" state and accidentally ship it because of deadlines.

      This is the security/encryption equivalent of a Barracuda anti-spam appliance. Yes, any smart sharp sysadmin with sufficient time allocated to the task can implement brilliant near-perfect spam filtering using open source products. LOTS of sysadmins a) aren't that smart: it won't be configured nearly as well as a company needs, and it'll fail frequently or do strange things because they disagree on how it should work, and b) they won't have sufficient man weeks allocated to it, and remember, the less sharp the person is, the more time they'll need and the more problems there will be.

      WAY BETTER for an SMB* to simply drop cash on an "appliance". It's almost impossible for a Barracuda to do worse than your average overworked sysadmin.

      I'm not a shill for the latter, it's simply the device the SMB I work for uses. And our sysadmins aren't dumb. They're just not brilliant and they are, of course, overworked.

      (*) Small and Medium Business

    4. Re:Slashvertising by unrtst · · Score: 1

      Turning on https on a web server doesn't require a security expert.

      So, you have a cert, and a webserver. Is that cert protected by a password?

      - if no, then anyone that gains access to the server and/or cert can break all transmissions. For example, do you have a backup of the cert? Is it floating around in an email somewhere? How many people can get access to it? etc.

      - if yes, then where is that password? How do you go about protecting the password that protects the cert? You'll run into some of the same problems in protecting the password. That's one of the main problems that a key server solves (I'm pretty sure that's the main goal, or at least one of the primary goals, of the StrongKey CryptoCabinet, but I haven't looked into it specifically enough yet).

      Any time you encrypt anything, you need some sort of key, and you must protect it somehow, and still make it available for use in said encryption/decryption.
      Maybe you don't *need* that level of security, but some do, and it's the hard part (er... well... one of the hard parts)

    5. Re:Slashvertising by Synerg1y · · Score: 1

      Whoever signed the cert would house the key... Verisign, Comodo, etc... that's the trick, neither party has the key and a "secure" middle man does, but certs are end point authenticators, https is what would actually encrypt the traffic.

    6. Re:Slashvertising by unrtst · · Score: 1

      You're still missing the point entirely.
      What protects your cert? Is it just filesystem permissions? Is it encrypted with a password that must be entered when the webserver restarts, or encrypted and the webserver config (or helper script) holds a password, or not encrypted?
      The cert authenticates who you are. So if someone gets a copy of your private cert, they can pretend to be you.

      To keep the cert secure, it should be encrypted. A key server serves to provide decryption of (or a key to decrypt) the cert in a secure manner. It gets more complicated than that, but that's the general idea. If you're just trusting some "secure middle man" (which isn't the only concern), how do you think they keep all that information secure?

      This has nothing to do with the HTTPS encryption on the wire, nor with the DH key exchange, nor with certificate chain validation up to Verisign/Comodo/etc. (well, their appliance may assist in one or more of those things, but that's not the complex bit).

      Look up "PCI DSS Encryption Key Management" for more info.

  2. Encryption costs time and CPU, not dollars. by Kenja · · Score: 2

    The cost of implementing strong encryption is the time it takes and the CPU cycles to run it. There has never been a high dollar cost that I am aware of other than these two factors. The former issue is alleviated through a standard framework, of which there are already a great many. The latter cannot be reduced, and can be a significant factor on virtual environments where CPU time is at a premium.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    1. Re:Encryption costs time and CPU, not dollars. by ArsonSmith · · Score: 2

      Interestingly, I do a lot of encryption related work and those two parts are the least of our worries. Key management takes up 90% of the time that is applied to encryption and it is a constant and ongoing thing that puts data at horrible risk if it's not done right. From both sides, you need to secure the keys well enough that only the people that need them can get them, but not so well that the people that need them can lock themselves out.

      --
      Paying taxes to buy civilization is like paying a hooker to buy love.
    2. Re:Encryption costs time and CPU, not dollars. by Charliemopps · · Score: 1

      Agreed. You need someone that knows what they're doing to keep track of them... those types of people cost, minimum, $50k/year... but they rarely ever need to do anything at all. It's hard to convince management to keep them on. But when they aren't around and you need them.... woe unto you.

    3. Re:Encryption costs time and CPU, not dollars. by mlts · · Score: 1

      I looked at their appliances... nothing really special that I can't buy from IBM or HP, except IBM has the HSM for keys on a PCI-E card -- no rack space needed.

      I remember in a previous life working for one company. A vendor approached us for a backup solution that was this magic black-box appliance that stored an encryption key for every tape. As the company I worked for had tens of thousands of LTO-4 and LTO-5 tapes, that was a concern. I asked the sales rep how to back up the keys. His reply, "the device can mirror to another device". I asked him how I back up the keys just in case the site was down. His reply: "Buy another device." I just logged on the web server of the tape silo, set a respectable passphrase for encryption of tapes, copied the passphrase to some 3x5 cards which went to different managers around the globe to keep safely via registered mail, and called it done.

      I have also pondered making my own HSM appliances. It would be on an x86 platform with the usual TPM chip, but the "trusted" stuff would be mainly to ensure the HDD was encrypted from the beginning of the boot cycle. It would do the usual signing/decrypting of stuff as everything else does, with various users/groups/roles allowing what keys at what times, and storing audit logs.

      For backups of keys, there was a dedicated USB flash drive port, and there was the option of using the protected storage space on a SD card (each SD card has an additional 20% of usable storage on it, but you have to be part of the SD group to get access to the APIs using it.) That way, the backup private keys would not be physically accessible to the run of the mill SD card reader.

      I even made a prototype appliance of storing username/password tuples in a secure case, just to prevent an intruder from grabbing hashed passwords used for Web users. This device only allowed access via a few commands (none of which allowed a complete database dump), and someone trying to guess the password of a user would get locked out quickly. Of course, one could take a backup via the USB or a SATA port, but that required physical access, and the master encryption key.

      Trick is making an appliance that honestly works, and not trying to sell it by smoke and mirrors.

  3. Re:Given Time... by buchner.johannes · · Score: 3, Insightful

    Given time, the Sun will become a red giant and destroy Earth. Given time, Dark Energy will rip the universe apart.
    The question is will the keys break before or after that.

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
  4. Slashvertisement. You're doing it right. by xxxJonBoyxxx · · Score: 2

    You even got SlashDot to post a video from a 1990's-style trade show, for God's sake.

    >> Yes, their software is all based on Linux. CentOS, to be exact.

    Er...just one distribution?

  5. And the interested parties are... by SanDogWeps · · Score: 2

    the Playstation Network?

  6. an excellent slashvertisement by nimbius · · Score: 2

    except for the "his company makes money while developing and relying purely on open source software."

    we don't need more assholes building code monasteries.

    --
    Good people go to bed earlier.
  7. Re:Given Time... by Anonymous Coward · · Score: 2, Insightful

    The question is will the keys break before or after that.

    Secret information is usually time-sensitive. The question is: Can the keys be broken before the information is worthless (de-classified)?

    It's been included many times before, but here is the obligatory XKCD: http://xkcd.com/538/

    As the cartoon and Schneier reveal, those using the security system can be exploited, if one can find them. That's been mentioned many times on 'National security letter' stories where the government is intruding into someone's online life.

  8. Backfired by Anonymous Coward · · Score: 1

    I was looking into their products, but after this blatant slashvertisement, I'm going to take my business elsewhere. You're making Slashdot even worse, Dice. I won't support companies that help you kill yourself.

  9. Slashdot. STAHP. by PhxBlue · · Score: 5, Insightful

    Dear "Editors":

    This is a new low, even for slashvertising.

    Responsible journalists do their damnedest to make sure their work looks nothing like the ads that appear on their sites. You've just done the exact opposite. In fact, remember when The Atlantic posted a Scientology ad as editorial content? Remember the outcry that went up about the distinction between advertising and news? Well, you've just done the exact same thing.

    Knock it the fuck off. Slashdot was supposed to be "news for nerds." If you want to sell out, do it on your personal time, not here.

    --
    !#@%*)anks for hanging up the phone, dear.
    1. Re:Slashdot. STAHP. by PhxBlue · · Score: 3, Insightful

      FYI - none of these videos are paid ads.

      Then it's free advertising. Still not seeing the distinction, except that StrongAuth got an even better deal than we thought.

      Those who want to believe otherwise are free to do so, but that doesn't alter the facts.

      Slashvertising is a common enough practice that it has its own portmanteau. That's a fact. And I don't know what you think constitutes journalism, but to me, it doesn't mean sitting down one-on-one with a company talking head and tossing him a bunch of softball questions. That's public relations at best, marketing at worst, but it is not journalism.

      Also FYI: America's elected president wasn't born in Kenya and little blue men don't truck the sun around the earth on an invisible track every day.

      Right, because insulting your readers does wonders to bolster your credibility.

      --
      !#@%*)anks for hanging up the phone, dear.
    2. Re:Slashdot. STAHP. by Roblimo · · Score: 3, Insightful

      You're right. I shouldn't get upset by people who choose to believe things that aren't true. I apologize.

      I understand the definition of journalism you're using. However, I do not believe that it's necessary to be negative at all times.

      In this case, Tim had a pleasant conversation with the CTO of a company that releases the software it develops for free, under the LGPL.

      What should Tim do? Thunder "How dare you do that!?" at the man?

      Re portmanteaus: Anybody can create one. For instance, I could coin "Slashcretin" to describe some of our less intelligent readers.

      But since I am supposed to absorb abuse, but never supposed to react to it, I will not use the word "Slashcretins" to describe even the most foul-mouthed, ignorant Slashdot readers. (And no, you are not one.)

      So have a nice day, and thank you for your input. :)

      - Robin

    3. Re:Slashdot. STAHP. by Alsee · · Score: 2

      by Roblimo (357)
      FYI - none of these videos are paid ads.

      It doesn't much matter - from the reader's point of view it's indistinguishable from a paid advertisement. Your readers are seriously put off by this article. That in itself is enough to establish that you blew it here.

      And note that the grandparent post said "Responsible journalists do their damnedest to make sure their work looks nothing like the ads that appear on their sites" - pretty well acknowledging that it may not be a paid advertisement, and that you blew it even if it wasn't paid.

      Also FYI: America's elected president wasn't born in Kenya and little blue men don't truck the sun around the earth on an invisible track every day.

      It looks like a paid ad, it's hardly surprising people are going to suspect it's a paid ad, particularly when there was no statement to the contrary at the time. That's hardly some loony conspiracy theory. You blew it, it was a bad article, simply answer that it wasn't a paid ad and move on and avoid the appearance of paid ads in the future. Calling your readers loony birthers only compounds the problem.

      My bigger issue is that you knew this company was pushing a Trusted Computing scheme. (He directly mentioned the Trusted Platform Module during the interview.) I, and a lot of people here, find that far more offensive than the idea of a paid article. At least a paid article I can begrudgingly understand - Slashdot is a business and sometimes parts of a revenue model can be annoying but understandable. But knowingly getting in bed with Trusted Computing - promoting it - that's just plain villain terrain. This stuff is fucking evil, and a large percentage of your readership views it as fucking evil. And I assume you're well aware that the large majority of us view it as fucking evil. It is the single greatest threat to Open Source, it's a direct assault against the fundamental ownership and control of your own computer, it's an ideology to "fix" general purpose computers so they are not general purpose computers. It redefines "security" to mean glorified DRM schemes. It is the single greatest threat to lockdown/exterminate innovation and new technology.

      WTF were you thinking?!?!

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    4. Re:Slashdot. STAHP. by PhxBlue · · Score: 1

      You're right. I shouldn't get upset by people who choose to believe things that aren't true. I apologize.

      Good call. Life's too short. And getting upset by "people who choose to believe things that aren't true" is how religious crusades and emacs/vi flamewars start.

      I understand the definition of journalism you're using. However, I do not believe that it's necessary to be negative at all times.

      Neither do I. But it should be based on something more than, "[Subject name here] likes it." Something needs to be of interest to a large number of people in order to be news.

      Re portmanteaus: Anybody can create one. For instance, I could coin "Slashcretin" to describe some of our less intelligent readers.

      Yes, and when you can show me lists of articles on Slashdot tagged "Slashcretin," give me a holler. :)

      --
      !#@%*)anks for hanging up the phone, dear.
    5. Re:Slashdot. STAHP. by cusco · · Score: 1

      Doesn't help that most of the major media outlets have been broadcasting press releases as 'news' for the last several years in exchange for promised advertising. It's not a big leap to assume that Dice would do the same thing as CNN or NBC. Thanks for letting us know that they aren't actual ads, I had just assumed that some of them were.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
  10. Nothing but a whorefest by shaitand · · Score: 4, Informative

    I get this everywhere else. I don't need it on Slashdot too.

    1. Re:Nothing but a whorefest by Roblimo · · Score: 1

      So what do you want? something uncompromisingly negative to make up for something positive?

      Why aren't Slashdot editors allowed to like anything? Hmm?

    2. Re:Nothing but a whorefest by Gizzmonic · · Score: 1

      Your life is a whorefest? All I can say is, make sure you get tested regularly!

      --
      (-1, Raw and Uncut is the only way to read)
    3. Re:Nothing but a whorefest by shaitand · · Score: 2

      Sure but at least put it up in a way that PRETENDS not to be an advertisement. I think a fair number of us work in the enterprise tech world and browse Slashdot to escape it for awhile. This stuff floods our inbox all day long.

      This thing doesn't even promote an actual solution, it just delivers the rah rah pep talk these guys would have in the company meetings they subject their staff to. Lots of enthusiasm and feigned altruism, no content. I don't mind a slashvertisement slipping through now and again if it introduces me to some neat new thing or raises interesting discussion. But this has none of that. Just the nonsense philosophical spin a random company is putting on having the same goal as every other corp, milking profits.

      Hopefully this is just a one-off event that resulted from an editor doing a solid for a friend. Still, I think it would be more effective if some geek driving the tech for a project in this company wrote up something sweet it does and the marketing department kissed off. I think you'll find that I'm not one of those who usually rants about the editors. ;)

  11. Cleartext has to be available by Todd+Knarr · · Score: 1

    The problem I see is that for software to process and work with the encrypted data it must be decrypted without human intervention. That means that either the software itself has to know the decryption key, the software has to know the authentication key used to get the decryption key from the crypto infrastructure, or the decryption key has to be available from the infrastructure without authentication. So while the encryption can protect against an intruder who's gained access to the network from the inside (without accessing the externally-visible side of the applications), it can't protect against an intruder who's gained access to the applications. And it seems like the most common exploits use vulnerabilities in the applications to gain access through the applications. So once the application is compromised, how does the encryption prevent the application from getting the decrypted data when the one unchangeable requirement is that the application can get the decrypted data to work on?

    It's the same dilemma as with full-drive encryption. Sure, it'll protect your drive against someone who physically steals your laptop. How much good will it do you against the malware slipped into your machine that accesses data while you're using your machine?
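    The key-server idea unrtst describes above (the application keeps only a wrapped key and asks a separate service to unwrap it) and Todd Knarr's objection (the application still ends up holding the plaintext key) can both be seen in the following added Go example. It is not code from the page or from StrongAuth; the KeyServer type, the caller credentials and the dataset labels are hypothetical, and the server is in-process rather than a network service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeyServer is a hypothetical stand-in for a key management service: it holds
// the key-encryption key (KEK), never releases it, and logs every unwrap.
type KeyServer struct {
	kek      cipher.AEAD
	clients  map[string]bool // credential -> allowed to unwrap
	AuditLog []string
}

// NewKeyServer generates a random 256-bit KEK and registers allowed callers.
func NewKeyServer(allowed ...string) (*KeyServer, error) {
	raw := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, raw); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(raw)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ks := &KeyServer{kek: aead, clients: map[string]bool{}}
	for _, c := range allowed {
		ks.clients[c] = true
	}
	return ks, nil
}

// Wrap returns nonce||ciphertext||tag of a data key; the app stores this blob
// instead of the plaintext key. The label is bound as GCM additional data.
func (ks *KeyServer) Wrap(dataKey []byte, label string) ([]byte, error) {
	nonce := make([]byte, ks.kek.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return ks.kek.Seal(nonce, nonce, dataKey, []byte(label)), nil
}

// Unwrap authenticates the caller, then decrypts the blob. Every attempt is
// logged, so a compromised app that suddenly asks for every key shows up here.
func (ks *KeyServer) Unwrap(cred, label string, blob []byte) ([]byte, error) {
	if !ks.clients[cred] {
		ks.AuditLog = append(ks.AuditLog, "DENIED "+label+" caller="+cred)
		return nil, errors.New("unauthorized caller")
	}
	n := ks.kek.NonceSize()
	if len(blob) < n {
		return nil, errors.New("wrapped key too short")
	}
	key, err := ks.kek.Open(nil, blob[:n], blob[n:], []byte(label))
	if err != nil {
		ks.AuditLog = append(ks.AuditLog, "FAILED "+label+" caller="+cred)
		return nil, err
	}
	ks.AuditLog = append(ks.AuditLog, "OK "+label+" caller="+cred)
	return key, nil
}

func main() {
	ks, _ := NewKeyServer("web-app")
	blob, _ := ks.Wrap([]byte("constructed-32-byte-data-key-000"), "customer-db")
	ks.Unwrap("web-app", "customer-db", blob)  // the app legitimately obtains the key
	ks.Unwrap("intruder", "customer-db", blob) // no credential: refused and logged
	fmt.Println(ks.AuditLog)
}
```

    What the split buys a defender is exactly what the two posts between them describe: the KEK never leaves the server, so a stolen disk or backup holds only wrapped keys, while the audit log is the place where a compromised application that still "legitimately" unwraps keys becomes detectable.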

  12. Re:Given Time... by Anonymous Coward · · Score: 1

    Well, as one who is working on the project, I don't think that... ... wait a minute: the project is open source?!?!!? My boss never told me that; that's crazy. So much for using the industry standard strong encryption, ROT26. I may have to go back to my old job. They've got to be more clear about these things on job applications.

  13. Re:Given Time... by K.+S.+Kyosuke · · Score: 2

    Given time, the Sun will become a red giant and destroy Earth.

    Actually, now it's gonna be by courtesy of Oracle, but same difference.

    --
    Ezekiel 23:20
  14. Bad Name for a Company by xxxJonBoyxxx · · Score: 1

    >> StrongAuth helps protect data with strong encryption

    So...why's it called "strong authentication"?

  15. Wait...what? by Chris+Mattern · · Score: 2

    Encryption Key Management IS a commodity. What in hell are these yahoos talking about?

  16. Re:So, another one for the just pile? by Chris+Mattern · · Score: 1

    Hey, it's this new Linux thing. They've heard that it's all the rage with these computer kids.

  17. Fundamental ignorance? by rich_salz · · Score: 1

    From their website: "DES and the International Data Encryption Algorithm (IDEA) are the two most commonly used symmetric techniques." Totally wrong. Doesn't make you feel good about them as a security company.

  18. Slashvertisement by tomalpha · · Score: 1

    Ugh. I haven't logged in to post for some time. This kind of story is why. I hope they paid for this and the standard of posting hasn't just sunk to a new low without $$$ exchanged.

    1. Re:Slashvertisement by cusco · · Score: 1

      Higher up the thread Roblimo said that none of the videos are paid ads.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    2. Re:Slashvertisement by tomalpha · · Score: 1

      Yes, and I had read that before posting my comment. I want to believe, but find it harder to do so recently. To state the obvious: Dice have a credibility problem with some of the slashdot crowd. They need to go out of their way to avoid the *appearance* of paid-for-journalism. IMHO they didn't get this one right. However well intentioned it may or may not have been; it doesn't *appear* to be well intentioned. It's not the first time, and I dare say it won't be the last. They should be worried when their audience stops calling them out on it because we'll have given up caring at that point. I don't want to give up caring, but sometimes they make it hard.

  19. Stenography! I love it! by VortexCortex · · Score: 1

    Unlike the other clueless commenters who revile this "slashvertisement", I recognize that this must be a form of stenographic encryption. Roblimo must have needed a way to send a secret message, or to permanently store his PGP revocation key (I'm always losing that); thus, this article was created to deliver the stenographically encoded payload in the text and/or video. You're not fooling me!

    Nice touch including the tags in the headline so you can easily retrieve the article later by searching "Management Encryption Key". Might want to be a little less obvious next time though.

  20. Can't I just download bouncy castle? by rsilvergun · · Score: 1

    If you're writing Java it's easy. It's a bit more trouble with .Net because nobody's bothered with a good tutorial.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/