Richi'Blog
Stuff 'n' nonsense about email, spam, travel, and life in the UK.

Wednesday, April 09, 2008

2factor: Interesting Encryption Technology (RSA)

2factor is primarily an encryption technology licensing business -- the company sells its technology to OEMs. The core technology is called Real Privacy Management (RPM).

It works by calculating symmetric private keys (i.e., it doesn't use a public/private key pair). Each party in a transaction has a private key, which it presents to a trusted intermediary. The pair of keys defines a series of encryption keys, to be used in sequence.

2factor says the benefits are:
  1. Very fast encryption (the calculations can be done using register arithmetic); perhaps 100x as fast as Diffie-Hellman, for example.
  2. Provably secure, unlike elliptic curves for example.
  3. The trusted-intermediary architecture can be generalized, permitting a federated model.


Tuesday, April 08, 2008

Voltage also has a Hybrid Service (RSA)

Hybrid services seem to be quite the theme on this weblog, for some reason. I just talked to Voltage Security, which announced something called "Connected VSN" today.

Now, I know what VSN is -- the Voltage Security Network. It's a hosted service that implements the key management for Voltage-style identity-based encryption (IBE). The idea being that instead of on-premise key management, you centralize the key generation in the cloud. This is similar to the architecture used by Identum (now part of Trend Micro). But what's the "Connected" bit all about?

There's a class of customer who wants to do outbound encryption at the gateway -- possibly driven by local policy -- but doesn't want to provide the decryption service to non-local users. This type of hybrid architecture is what Connected VSN is for.

The sender has an on-premise Voltage appliance that manages keys and performs outbound encryption. Recipients then use the VSN service hosted by Voltage to decrypt the message.


IronKey: an Encrypted USB Flash Drive on Steroids (RSA)

Update (April 16): IronKey yesterday “announced full FIPS 140-2 Level 2 security validation at the product level, rather than the more typical component-level validation.” Shame it’s “only” level 2, but I guess that’s a start and is probably more than adequate for the vast majority of applications.

IronKey isn't just another encrypted USB flash drive-key-stick-thingy. For a start, the company makes a big thing of their claim that IronKey is the only such device designed from the start to be secure (as opposed to a flash drive that's had security "bolted-on", presumably). Well, that's an interesting claim, but of arguable merit. However, there are other aspects that are worth talking about:
  1. This key will self-destruct -- if you try to disassemble it, or if you enter the wrong password too many times, the IronKey doesn't just wipe itself, it destroys the flash memory, the company says.
  2. It's not just a device, but also a service -- if you register the device on IronKey's Web site, the company offers password recovery/escrow and access to IronKey's own Tor anonymizing network (i.e., a private network, not the usual public one).
  3. It also acts as a 2FA device -- a firmware update will add the necessary logic to make it act as a Verisign VIP device, for two-factor authentication. An "enterprise" version of the device will also have similar support for RSA SecurID.
Shipping now for Windows XP and Vista. Mac and Linux support are "nearly ready".

Love him or hate him, the episode of Steve Gibson's podcast about IronKey has more about the device, including an interview with IronKey CEO, Dave Jevans (yes, that Dave Jevans).


Monday, March 31, 2008

Off to RSA

I'll be at the RSA conference next week, Monday-Wednesday. I'll also be doing other meetings in the SF bay area on the 3rd and 4th.

If you want to meet up or just get in touch, best bet is by email or text (+447789200701).


Wednesday, March 05, 2008

Email Address Typos can Spell Trouble

A quick extract from yesterday's IT Blogwatch, in which the U.S. Air Force gets caught sending classified data in unencrypted email:
Sensitive information ... swamped Gary Sinnott's email inbox after he established www.mildenhall.com ... Emails intended for Air Force personnel at the Mildenhall Air Force base (which uses the domain mildenhall.af.mil) were being misdirected to the owner of the .com site ... hundreds of classified emails were sent from around the world ... detailing all kinds of secret military information ... I ask you, what sort of drooling idiots do the US Military employ? Do they breed them in special farms?
And so on, and so on...

Reminds me very much of when I helped migrate Ferris Research's email accounts from The Electric Mail Company to Google Apps -- I set up a catch-all account to make sure we hadn't missed any weird aliases or mailing lists. You've almost always got to do this when migrating an email setup, because it's so easy to miss a useful address. You'd be surprised how many times you can ask the question "Is this alias still needed?", get the answer "no", and find that in fact it is.

Anyway, I was amazed how much misdirected email we received -- much of it meant for ferris.edu (Ferris State University, Michigan), as well as obviously confidential attorney-client communication, love notes, and more. All of human life was here for a while.

I guess it only goes to prove -- if proof were needed -- that .com is the only game in town, when it comes to domain choice.
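The failure mode in both stories is the same: a recipient domain that shares its name with the intended one but sits under a different TLD (mildenhall.com for mildenhall.af.mil, ferris.com for ferris.edu). The following is an added example, not code from the original post, of an outbound check a mail gateway could run; the protected-domain list and the sample headers are constructed for illustration.

```python
import re
from typing import Iterable, Optional

# Constructed list of domains whose mail must stay internal. The two names
# come from the post; keeping them in a list like this is an assumption.
PROTECTED_DOMAINS = {"mildenhall.af.mil", "ferris.edu"}

ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

def lookalike_of(domain: str, protected: Iterable[str]) -> Optional[str]:
    """Return the protected domain that `domain` looks like, or None.

    A lookalike here is a domain that is NOT protected but shares its
    leftmost label with a protected one (mildenhall.com vs mildenhall.af.mil).
    Comparing only the leftmost label is a deliberate heuristic: it catches
    the TLD slip the post describes, not general typosquatting."""
    domain = domain.lower()
    if domain in protected:
        return None
    head = domain.split(".")[0]
    for candidate in protected:
        if candidate.split(".")[0] == head:
            return candidate
    return None

def flag_recipients(headers: str, protected=PROTECTED_DOMAINS):
    """Scan To:/Cc: header lines and return [(address, intended_domain)]
    for every recipient whose domain is a lookalike of a protected one."""
    hits = []
    for line in headers.splitlines():
        if not line.lower().startswith(("to:", "cc:")):
            continue
        for match in ADDR_RE.finditer(line):
            intended = lookalike_of(match.group(1), protected)
            if intended:
                hits.append((match.group(0), intended))
    return hits

# Constructed sample header block: one good recipient, two typo'd ones.
SAMPLE_HEADERS = """From: ops@mildenhall.af.mil
To: duty.officer@mildenhall.com, jsmith@mildenhall.af.mil
Cc: registrar@ferris.com
Subject: schedule"""

if __name__ == "__main__":
    for addr, intended in flag_recipients(SAMPLE_HEADERS):
        print(f"{addr}: did you mean {intended}?")
```

A gateway would quarantine or bounce the message on any hit; the point is that the check is cheap and needs nothing more than the list of domains you already know you own.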


Monday, February 25, 2008

Crypto vendor Identum bought by Trend Micro

It's official, so I can now write about it. Trend Micro and Identum today announced that Trend is buying Identum.

Identum is an encryption vendor, which does away with certificates -- which are difficult to manage -- in favour of encryption keys that are based on a user's "identity" -- typically the email address.

On the face of it, this is similar technology to Voltage Security's IBE, but with better performance, simpler administration, and arguably better security.

Identum chose not to offer a federated model. Instead, it's a service, based in a super-secure bunker in "an undisclosed location" (well, I could tell you where, but then I'd have to kill you).

Congratulations to Andy Dancer and the rest of the Identum crew for successfully getting this interesting technology out of Bristol University, incubated, and flipped.

