NIST SP 800-63 Rev. 1

Comments have been requested by NIST (until July 29, 2011) for the latest revision of their DRAFT Electronic Authentication Guideline:

…technical guidelines for the design of electronic systems for the remote authentication of citizens by government agencies. The revision represents an expansion and reorganization of the original document, broadening the discussion of technologies available to agencies, and giving a more detailed discussion of assertion technologies. Changes intended to clarify the pre-existing requirements are also included in the revision.

Comment Template

Submit comments to eauth-comments@nist.gov.

Enterprise Key Management for Cloud

EKMI is dead, long live EKMI. It was more than two years ago that I reached a proud milestone as a member of the open-source key management group for Oasis EKMI (Enterprise Key Management Infrastructure) — we released the SKSML (Symmetric Key Services Markup Language) in January 2009.

It was a culmination of projects I had been working on for years with StrongAuth to provide an easy and inexpensive encryption solution for the Payment Card Industry (PCI). SKSML did not get a warm welcome from some big name vendors but it did generate some industry attention.

Encryption represents a final level of protection. Even if data is lost or stolen, it’s of no value to the holder without the decryption key. EKMI is a valuable component in the operational and management aspects of encryption, and organizations with complex encryption requirements ought to start putting pressure on their application and security vendors to support the initiative.

The SKSML protocol had been available since 2006. Yet just a couple months after the OASIS specification was final and public we watched vendors step forward to form a separate and competing committee at OASIS: the KMIP (Key Management Interoperability Protocol).

It was weird to see a competitive standard formed from within OASIS instead of from a competing organization (e.g. the IEEE P1619.3 or DSKPP from KEYPROV/IETF) as illustrated by ISACA in 2009.

On the other hand, we were pushing an open standard that emphasized ease of deployment and configuration. These concepts may have challenged the philosophy of some vendors to the point where they felt compelled to try and reboot the OASIS committee. The chair of EKMI stepped down rather than fight on all fronts.

Our goal was to push forward an enterprise key management protocol into the industry. To that end it was a success, even if our open and easy philosophy to key management was not adopted.

Today I was asked if I have heard of KMIP and asked whether it is a good idea. Not only do I think it is a great idea to have key management, I think we’re long overdue for a practical implementation in a multi-tenant environment (whitepaper forthcoming).

Cloud providers I’m working with need a solution that allows them to provide self-managed encryption to their customers. EKMI was definitely up to the job. In 2009 single-tenant storage encryption was said by some to be the real game in town, which EKMI saw as a subset of enterprise encryption (end-to-end and file-level encryption were also offered) rather than the entire focus. KMIP is an option and it now seems to be getting some attention, but its more closed approach, as well as its limitations with multi-tenancy, may resurrect interest in the original aims of EKMI.

Counterfeit Bills in Canada

The Ottawa Citizen has an interesting review of currency changes to outsmart counterfeiters. It touches on how security researchers use everything from chemistry to social science to develop controls.

Counterfeits in Canada peaked in 2004, when an estimated 470 out of every million bills were forgeries. The introduction of watermarks and holograms to the “Journey” series of bills that were issued from 2001 to 2004 saw that number plummet. It now sits at only 35 fraudulent bills per million.

In efforts to keep that number low, Firth works with everyone from banknote suppliers and printers to the RCMP and university professors, the latter helping determine the psychology of how people use money, which in turn can help the bank make spotting counterfeits more intuitive for the public. Security features that are fussy, difficult to use or require special equipment, she says, simply aren’t as effective.

Here are instructions from the bank for checking the new notes.

Canadian 100

Each time the technology is defeated, it has to be circulated out of use and replaced with the next evolution. Canadian bills now will be migrated from cotton-based paper to a polymer. With that in mind, the new bills are expected to be in circulation for more than twice as long.

Each of the 840 million $20 bills, “the most popular denomination” now in circulation, is expected to last three years. The polymer $20s will last seven and a half.

Either they have far more trust in the new technology, or they don’t mind removing bills from circulation before they expire… or counterfeiting is not the only motivation to move away from paper.

CloudFlare Ethics and LulzSec

The CEO & co-founder of CloudFlare, a self-described “recovering lawyer”, explains his company’s position on LulzSec:

Two broad points that I’ve drawn from the experience of watching this unfold over the last three weeks. First, CloudFlare is firm in our belief that our role is not that of Internet censor. There are tens of thousands of websites currently using CloudFlare’s network. Some of them contain information I find troubling. Such is the nature of a free and open network and, as an organization that aims to make the whole Internet faster and safer, such inherently will be our ongoing struggle. While we will respect the laws of the jurisdictions in which we operate, we do not believe it is our decision to determine what content may and may not be published. That is a slippery slope down which we will not tread.

Second, the experience of being attacked by some of the Internet’s most notorious hackers has validated CloudFlare’s core value proposition: if you can share data about attacks across a network, rather than keeping it siloed within each organization, everyone using that network can benefit. As hackers tried to take down LulzSec, CloudFlare recorded all the patterns of the attacks. In the last 3 weeks, we’ve generated more than 1 million new rules to better mitigate threats targeted at our users. Those rules were propagated in real time to benefit the whole CloudFlare community.

In other words, they don’t censor without being forced by law to censor (the standard provider legal response), and they don’t mind the cost of developing millions of rules just for the Lulz.