12 #3577 ©2003
IDC
Biometry — authentication by fingerprint, retinal scan, voice, or facial geometry — is
particularly good for matching employees or customers with systems and data
records. While biometry represents a key piece of the security puzzle, biometric
information carries no data and cannot in itself support PKI. An improvement over
passwords, biometry provides better security because users cannot alter their
biological qualities.
Passwords are ever useful as an added security step, even though biometric entry
can be a complete substitute for passwords. Still, a password can help prevent ID
spoofing, which hackers can still sometimes practice successfully against systems
protected by only "what you have" methods.
T H E W E A K N E S S O F S O F T W A R E - O N L Y S O L U T I O N S
A key distinction between core security implementations is whether they are software
or hardware based.
There are a number of reasons why hardware-based security is better than software-
based security, speed being among them, but you really only need one good one.
And here it is: Software security is hackable.
In January 2000, researchers at nCipher in Cambridge, England, came up with an
algorithm that can search main memory, looking for a high degree of entropy. A good
private key is going to be exceedingly entropic; that is, the random numbers in the
key will be well dispersed in numeric space. Other elements in memory — such as
the clear text to be encrypted and the encryption program itself — won't be. All three
— the program, the data, and the key — have to be in main memory at the same time
for software encryption to take place. The nCipher algorithm, in combination with a
Trojan horse such as Back Orifice, which, as mentioned earlier, allows someone on
the Internet to commandeer a PC, will let the intruder scan the contents of main
memory and find the user's private key. Back Orifice is good at masking itself,
encrypts its own outgoing traffic, and was released in source code about two years
ago at a hackers' conference. The nCipher program can find a 1,024-bit private key,
the best in commercial use. And if a malicious hacker can get your private key, he
can get your identity — and your right to do business.
Another weakness of software solutions is that they cannot prevent hammering
because they are unable to keep a counter. A hacker can always freeze the state of
the machine and continue to bombard it with attempts. But this flaw pales beside the
problem of leaving highly entropic private keys around in main memory.
Bottom line: Private keys, symmetric keys, credit card numbers, and anything else
stored on clients or servers protected by only software encryption are more
vulnerable than those protected in hardware.
T H E S T R E N G T H O F H A R D W A R E S E C U R IT Y
Because of the weakness of software-only solutions, IBM set out in the direction of
implementing encryption operations in hardware. Initially an in-house project, the
resulting architecture and silicon designs have been widely adopted in the information
technology industry.
The IBM security chip is extremely secure, simple to use, and inexpensive. The chip,
actually a cryptographic microprocessor, can be embedded in the system board of the
client. It supports RSA PKI operations and includes electronically erasable
programmable read-only memory (EEPROM) for storing key pairs. The chip
communicates with the main processor via a local bus and also has a link to the
system BIOS during boot up. An application program interface (API) routes
Bottom line: Private
keys, symmetric keys,
credit card numbers,
and anything else
stored on clients or
servers protected
by only software
encryption are more
vulnerable than
those protected in
hardware.
