About

  • Welcome to the Thales Key Management digital media news centre.

    As companies look to protect their customer data and other sensitive information, encryption is being deployed more widely. Yet if an encryption key is lost then that data cannot be recovered. Avoiding this problem demands formalized processes and robust technologies for key management making the protection, management and secure use of cryptographic keys a fundamental component of modern IT security.

    This Thales media center provides information on international industry issues and trends relating to the general topic of key management. There's a also a Q & A page here which aims to answer some of the frequently asked questions on the subject. Key management affects organizations across all sectors and this site includes information on global best practices, regulation, technology, deployment scenarios and key management strategy.

    Thales leads in the provision of information and communication systems security solutions for government, defence, critical infrastructure, enterprise and the finance industry. Thales’s comprehensive portfolio of security products and services protect electronic information – safeguarding transactions, IT operations and information transfers within highly sensitive and regulated environments.

    Subscribe by email

    Find out more at http://www.thales-esecurity.com/

    Visit our payments site at www.paymentssecurity.com

Contributors

Resources

August 07, 2012

Data protection in the cloud – are we fooling ourselves?

How many organizations currently transfer sensitive data to the cloud? Who should be responsible for looking after that data? Are organizations capable of protecting their data once it has been transferred to the cloud? And how do organizations apply encryption to protect data in the cloud?

These are just some of the questions that our brand new study – Encryption in the Cloud – answers.

 

Continue reading "Data protection in the cloud – are we fooling ourselves?" »

Posted at 08:14 in Cloud computing, Encryption, Key management |

Technorati Tags: , , , ,

|

July 16, 2012

Another day, another breach

Last Thursday news broke that a hacker group leaked around 450,000 account passwords stolen from Yahoo! Voices, a subsection of the Yahoo! site where users submit their own content. In this case it appears that the passwords were stored in their original plaintext and not even hashed. The stolen data is now publicly available for anyone to download and use to attack other cloud services.

Cyber criminals frequently attack social media sites which have large user databases and are perceived to have weaker security, a topic I discussed in length here. Web users often use the same password for multiple sites so the compromise of a password on one social network can give criminals access to higher value services elsewhere. While this is another high profile attack where the hacker chose to publish details of their exploits, we can assume there may be just as many covert breaches where the motives of the attacker require them to keep details of their attack secret.

This latest Yahoo! breach hammers home how websites need to use strong password hashes and better still application level encryption to protect usernames, passwords and other sensitive data. At the same time, web users must remain vigilant with their online identities and refrain from using the same password for multiple sites or risk their identities being compromised.

Mark Knight

 

Posted at 09:19 in Cloud computing, Encryption | | Comments (0)

|

June 12, 2012

The death of the password?

Last week was a terrible week for password breaches. First LinkedIn revealed that ~6.5 million password hashes were posted online. Hot on the heels came the news that online dating website eHarmony and streaming music site Last.fm have suffered similar breaches.

Are these breaches a surprise? No, not really. Websites entice customers by offering compelling features and services, and customers are rarely willing or able to compare the security properties of competing services. Even if a website uses SSL to protect a password in transit, the password will typically be exposed on web servers and datacentre networks every time it is supplied by the user before it is hashed for comparison.

Continue reading "The death of the password?" »

Posted at 11:50 in Encryption, Key management, SSL |

|

June 08, 2012

Why code signing matters

Code signing has been a popular topic over the last fortnight.

  • Yahoo was quick to patch an embarrassing key management error with the signing key used in their new Axis browser extension for Chrome that was discovered by Security blogger Nik Cubrilovic [1].
  • Microsoft has published [2] a security advisory revoking trust in a number of digital certificates that may have been abused to sign parts of the recently discovered “Flame” malware.

The use of code signing technology is an essential tool in helping to establish the trust we now demand from the Internet of things. It’s worth taking a moment to consider the potential impact when there’s a loss of control of a code signing key or certificate.

Continue reading "Why code signing matters" »

Posted at 10:06 in Code Signing, Encryption |

|

May 22, 2012

Harmonising European Audit Standards for Certification Authorities

Ensuring that Certification Authorities (CA), and other trust service providers, operate securely and follow current best practice is essential to the security of modern electronic services.

The European Telecommunications Standards Institute (ETSI), working with the international CA and web browser community, and in line with the emerging European regulatory environment for trust and confidence in electronic transactions, have recently issued a number of standards (follow link and search for Trust Service Provider) for assuring the secure operation of trusted service providers supporting the security of electronic transactions.

Continue reading "Harmonising European Audit Standards for Certification Authorities" »

Posted at 09:15 in Certificate Authority, Encryption |

|

April 25, 2012

Storage encryption still lacking despite enhancements in technology and standards

In the U.S., the state government in Massachusetts requires companies to report when they've lost sensitive information for their employees, customers or other key constituencies.

This week, for the first time, Massachusetts reported back as to what companies have been saying. According to a Boston Globe story, almost half of Massachusetts residents have had their personal information, such as social security and credit card numbers, compromised.

According to the story, Massachusetts companies are further required to encrypt data that is placed on portable devices, but most lost or stolen devices are not encrypted.

Continue reading "Storage encryption still lacking despite enhancements in technology and standards" »

Posted at 09:03 in Data breach notification regulation, Encryption, Key management |

Technorati Tags: , , , ,

|

March 26, 2012

Random or pseudorandom?

If you want to use encryption, you need to use keys. A key is (or rather should be) a random number that can encrypt or decrypt your information. A strong key is strong because the random nature of the chosen number means it could lie anywhere on a virtually endless number line. As readers of this blog will know, once you have a strong key, effective key management is essential to ensure the data it protects remains secure.

A recent study (which I referenced in a previous post) found that a small percentage (0.38%) of over 7 million public keys share a common factor and subsequently can be easily compromised. As Bruce Schneier recognises in his blog post, these 'weak' keys were almost certainly created with a poor random number generator. A poor random number generator does not create 'random' numbers, only 'psuedorandom' numbers i.e. numbers generated by a predictable process. Keys based on pseudorandom numbers are liable to compromise, meaning that data encrypted with such keys are not secure.

Continue reading "Random or pseudorandom?" »

Posted at 09:16 in Encryption, Key management, Standards of due care |

|

March 21, 2012

Mediyes Trojan Shines Spotlight on Mismanaged Signature Keys

Just last week a new example of the consequences of inadequately protected signature keys came to light. As reported in Network World , Kaspersky Lab discovered that a recently distributed Trojan, Mediyes, was digitally signed using a stolen private signature key whose digital certificate was owned by Swiss firm Conpavi AG.

The Network World story notes how digitally signed code is assessed more favorably by anti-virus vendors from a risk perspective, so stealing the key and creating a perfectly valid signature on the code helps further promulgate the nefarious Trojan before it can be detected.

Continue reading "Mediyes Trojan Shines Spotlight on Mismanaged Signature Keys" »

Posted at 09:21 in Encryption, Key management, Standards of due care |

|

February 29, 2012

There’s a new Sheriff in town and his name is KMIP

At this week’s  RSA Conference 2012 in San Francisco – the world’s leading security event – one of the buzz attractions is the leading IT vendors who have come together  to demonstrate KMIP, a new standards-based protocol for key management. Who, or rather what, is KMIP? The Key Management Interoperability Protocol, often simply known by the acronym of KMIP, promises a common specification that allows embedded encryption-enabled applications (clients) to securely interoperate with key management servers that have each implemented the standard.

Driven by OASIS as part of an international consortium, the KMIP Interop, happening live on the RSA expo floor, provides a working snapshot of how this enterprise key management protocol functions in a multi-vendor environment.  In Booth #128, clients from Cryptsoft, IBM, NetApp, and SafeNet communicate securely with key management servers from Cryptsoft, IBM, Quintessence Labs, SafeNet, and Thales. The clients and servers demonstrate the full key management lifecycle including creating, registering, locating, retrieving, deleting, and transferring symmetric and asymmetric keys and certificates between vendor systems. Both the fully ratified KMIP 1.0 OASIS Standard and the KMIP 1.1 Committee Draft specification are being shown.

Continue reading "There’s a new Sheriff in town and his name is KMIP" »

Posted at 16:44 in Encryption |

|

February 22, 2012

No skeleton key – protecting your organisation on the web

Weaknesses in the SSL protocol (the protocol for encrypting information over the internet) or the public certificate authority (CA) ecosystem that underpin it have received a lot of coverage recently and the last couple of weeks have been no exception.  The pervasive nature of SSL and its unique role in securing ecommerce and numerous cloud services makes SSL attractive to security researchers and attackers alike.  However, many of the lessons learnt are in no way specific to SSL and must be applied to other Public Key Infrastructure (PKI) and encryption deployments if we're to avoid handing potential attackers a skeleton key to access our sensitive data or critical infrastructure:

  • Recent research by École Polytechnique Fédérale de Lausanne has reminded us that for encryption or digital signatures to be effective keys must have a strong provenance as well as strong protection for their entire lifecycle.  Keys generated by a software algorithm and without a good source of entropy or randomness can be easy to crack and so are vulnerable to attack.

Continue reading "No skeleton key – protecting your organisation on the web" »

Posted at 12:33 in Certificate Authority, Encryption, IPS, SSL |

|

Next »

Key Management Q&A

  • Want to know more about key management? This Q & A might help provide some answers

Key management resources

Categories

Archives

Subscribe to this blog's feed

Press contact

  • Liz Harris
    Thales
    +44 (0)1223 723612