Click here to close now.

Welcome!

MICROSERVICES Authors: Liz McMillan, Elizabeth White, Michael Kanasoot, Carmen Gonzalez, Dana Gardner

Related Topics: Security, Java, MICROSERVICES, Virtualization, Web 2.0, SDN Journal

Security: Article

Time to Ditch Cryptographic Keys?

Will keyless signatures overtake PKI as the wave of the future? Governments, flying drones, and big telecom all say so

What is the most secure way to authenticate electronic data? Until recently, many technical people would have answered ‘cryptographic keys' without blinking. But recent headline events - and a ‘biggie' last year - have raised serious doubts about the ability of cryptographic keys to protect vital government and corporate data.

Here are two examples from February that should make CIOs, CTOs and CSOs tremble in their boardrooms: McAfee revoking keys for signing apps on the Apple store; and stolen keys from Bit9 being used to sign malware.

In the McAfee case, a McAfee administrator revoked (by mistake) the digital key for certifying desktop apps that run on Apple's OS X, thereby creating serious problems for customers who wanted to install or upgrade Mac antivirus products.

The original Arstechnica article (McAfee revoking keys) noted that the administrator intended to revoke his individual user key, but "instead revoked the code-signing keys Apple uses to help keep the Mac ecosystem free of malware."

The bottom line: the mistake left customers with no safe options to install or upgrade their programs. The big takeaway: this episode paints a graphic picture of the challenges of administering the digital certificates at the heart of public key infrastructures (PKI) - certificates used to validate software and websites, and to encrypt email and other forms of Internet communication.

Also in February, a private key that security firm Bit9 uses to certify software was stolen by crooks and used to put a trusted seal of approval on malware that infected a few Bit9 customers.

However, those sorry episodes pale in comparison to a massive security breach last year when hackers used a stolen master private key from RSA to attack Lockheed Martin (RSA/EMC losing its master private key.) Lockheed, a major defense contractor to the U.S. government, makes the F-16, F-22 and F-35 fighter aircraft, the Aegis naval combat system, and the THAAD missile defense.

Sources close to Lockheed said compromised RSA SecurID tokens - USB keychain dongles that generate strings of numbers for cryptography purposes - played a pivotal role in the Lockheed Martin hack.

Hackers apparently entered Lockheed Martin's servers and accessed the company's virtual private network (VPN). The VPN allows employees to connect over virtually any public network to the company's primary servers, using information streams secured by cryptography.

With the RSA tokens hacked, those supposedly secure VPN connections were compromised.

Predictably, Lockheed said it detected the attack almost immediately, repulsed it quickly, and that the risk was minimal. The company also claimed that no customer, program or personal employee data was compromised.

All of the above examples not only undermine the security of using cryptographic keys but leave people wondering whether there is a better way to authenticate.

The better way - Keyless Signature Infrastructure (KSI) - has been around since 2007, when it was invented by scientists in Estonia. KSI generates digital signatures for electronic data on a massive scale but uses only cryptographic hash functions, meaning there are no keys to be compromised or trusted humans in sight.

Some six years ago, Estonian scientists at Tallinn Technical University posed the question: How can you rely on electronic data if you assume that your entire network has been compromised and nobody - not even the system administrators within your own organization - can be trusted?

KSI, the fruit of those scientists' work, is used by governments and companies around the world. It helps them to authenticate electronic data generated from the Smart Grid, the Connected Car, and networked routers and machines (either virtual or physical) - basically any type of electronic data. In November, China Telecom, the largest fixed line telecommunications service provider in China, became a keyless signature service provider via its Tianyi 3G platform. Most recently Japan Drones, a developer of custom software for miniature Unmanned Aerial Vehicles (UAVs) announced it was using keyless signatures for its drone security. The U.S. military could use the good PR, given publicity over a white hat hacking scheme done by University of Texas students as reported in June by The Huffington Post, which went as far as to say, "Turns out it's not too difficult to hack a drone."

Chaozong Chen, general manager of Ningbo CA, the Certificate Authority for the city of Ningbo in Zhejiang province in China, said, "KSI's unique features such as independency of verification, intrinsic time binding for data, universal accessibility cross platforms and lack of keys allow us to provide functions and values where traditional public key infrastructure (PKI) is limited. The future proof from quantum computing is of course a major benefit."

Here's another example of KSI in action: every payment within the Estonian banking system comes with a keyless signature, ensuring that insiders cannot modify transactions intent on fraud.

In addition, the Estonian government has embarked on a huge project to integrate KSI technology into the rsyslog utility - a project that will enable every system event across all government networks to be authenticated by time, data integrity and server identity. (Note: rsylog is an open source utility used on Unix and Unix-like computers for forwarding log messages in an IP network.)

Further demonstrating Estonia's confidence in KSI, the Estonian Government's Centre of Registers and Information Systems (RIK) recently embraced the technology.

RIK is using keyless signature technology for validating the authenticity of documents that it is digitizing from the archives of the Succession Register and Chamber of Notaries.

Using keyless signature infrastructure, the authenticity of all the records is periodically verified, the re-verification happens automatically, meaning that the information about the integrity of the stored records is always up to date and any breaches create an alert immediately.

As KSI has proven itself for years in various government and commercial entities, the time is ripe to consider it the logical successor to cryptographic keys, which are starting to look outdated and very vulnerable.

"While our PKI based solutions have been widely adopted, we see a growing need to prove data integrity and time on a massive scale, with cases where customer identification registration is unpractical and less important, such as electronic receipts for cash based transactions," said Chaozong Chen. "These are where KSI can help. It is strategically important for us to start integrating KSI with our successful PKI solutions and this will help us maintain our leadership in the field."

More Stories By Herman Mehling

Herman Mehling has been an IT writer and consultant for more than 25 years. He has written thousands of articles for leading trade magazines and websites. His work has appeared in such publications as Computer Reseller News, eWeek, Forbes, Network World and InformationWeek. In the ’80s and ’90s, he worked as a PR executive at many San Francisco Bay Area high-tech agencies, including Niehaus Ryan Haller, which helped to launch Yahoo! and to re-cast the image of Apple as an Internet player. He was a staff editor and reporter at Computer Reseller News for many years.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@MicroservicesExpo Stories
SYS-CON Events announced today that Cisco, the worldwide leader in IT that transforms how people connect, communicate and collaborate, has been named “Gold Sponsor” of SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Cisco makes amazing things happen by connecting the unconnected. Cisco has shaped the future of the Internet by becoming the worldwide leader in transforming how people connect, communicate and collaborat...
Hosted PaaS providers have given independent developers and startups huge advantages in efficiency and reduced time-to-market over their more process-bound counterparts in enterprises. Software frameworks are now available that allow enterprise IT departments to provide these same advantages for developers in their own organization. In his workshop session at DevOps Summit, Troy Topnik, ActiveState’s Technical Product Manager, will show how on-prem or cloud-hosted Private PaaS can enable organ...
Cloud computing is changing the way we look at IT costs, according to industry experts on a recent Cloud Luminary Fireside Chat panel discussion. Enterprise IT, traditionally viewed as a cost center, now plays a central role in the delivery of software-driven goods and services. Therefore, companies need to understand their cloud utilization and resulting costs in order to ensure profitability on their business offerings. Led by Bernard Golden, this fireside chat offers valuable insights on ho...
SYS-CON Events announced today that Akana, formerly SOA Software, has been named “Bronze Sponsor” of SYS-CON's 16th International Cloud Expo® New York, which will take place June 9-11, 2015, at the Javits Center in New York City, NY. Akana’s comprehensive suite of API Management, API Security, Integrated SOA Governance, and Cloud Integration solutions helps businesses accelerate digital transformation by securely extending their reach across multiple channels – mobile, cloud and Internet of Thi...
Exelon Corporation employs technology and process improvements to optimize their IT operations, manage a merger and acquisition transition, and to bring outsourced IT operations back in-house. To learn more about how this leading energy provider in the US, with a family of companies having $23.5 billion in annual revenue, accomplishes these goals we're joined by Jason Thomas, Manager of Service, Asset and Release Management at Exelon. The discussion is moderated by me, Dana Gardner, Principal A...
SYS-CON Events announced today that MangoApps will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY., and the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. MangoApps provides private all-in-one social intranets allowing workers to securely collaborate from anywhere in the world and from any device. Social, mobile, and eas...
SYS-CON Events announced today that Solgenia will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY, and the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Solgenia is the global market leader in Cloud Collaboration and Cloud Infrastructure software solutions. Designed to “Bridge the Gap” between Personal and Professional S...
Modern Systems announced completion of a successful project with its new Rapid Program Modernization (eavRPMa"c) software. The eavRPMa"c technology architecturally transforms legacy applications, enabling faster feature development and reducing time-to-market for critical software updates. Working with Modern Systems, the University of California at Santa Barbara (UCSB) leveraged eavRPMa"c to transform its Student Information System from Software AG's Natural syntax to a modern application lev...
SYS-CON Events announced today Sematext Group, Inc., a Brooklyn-based Performance Monitoring and Log Management solution provider, will exhibit at SYS-CON's DevOps Summit 2015 New York, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Sematext is a globally distributed organization that builds innovative Cloud and On Premises solutions for performance monitoring, alerting and anomaly detection (SPM), log management and analytics (Logsene), search analytics (S...
In the midst of the widespread popularity and adoption of cloud computing, it seems like everything is being offered “as a Service” these days: Infrastructure? Check. Platform? You bet. Software? Absolutely. Toaster? It’s only a matter of time. With service providers positioning vastly differing offerings under a generic “cloud” umbrella, it’s all too easy to get confused about what’s actually being offered. In his session at 16th Cloud Expo, Kevin Hazard, Director of Digital Content for SoftL...
When it comes to microservices there are myths and uncertainty about the journey ahead. Deploying a “Hello World” app on Docker is a long way from making microservices work in real enterprises with large applications, complex environments and existing organizational structures. February 19, 2015 10:00am PT / 1:00pm ET → 45 Minutes Join our four experts: Special host Gene Kim, Gary Gruver, Randy Shoup and XebiaLabs’ Andrew Phillips as they explore the realities of microservices in today’s IT worl...
The world's leading Cloud event, Cloud Expo has launched Microservices Journal on the SYS-CON.com portal, featuring over 19,000 original articles, news stories, features, and blog entries. DevOps Journal is focused on this critical enterprise IT topic in the world of cloud computing. Microservices Journal offers top articles, news stories, and blog posts from the world's well-known experts and guarantees better exposure for its authors than any other publication. Follow new article posts on T...
SYS-CON Media announced that IBM, which offers the world’s deepest portfolio of technologies and expertise that are transforming the future of work, has launched ad campaigns on SYS-CON’s numerous online magazines such as Cloud Computing Journal, Virtualization Journal, SOA World Magazine, and IoT Journal. IBM’s campaigns focus on vendors in the technology marketplace, the future of testing, Big Data and analytics, and mobile platforms.
For those of us that have been practicing SOA for over a decade, it's surprising that there's so much interest in microservices. In fairness microservices don't look like the vendor play that was early SOA in the early noughties. But experienced SOA practitioners everywhere will be wondering if microservices is actually a good thing. You see microservices is basically an SOA pattern that inherits all the well-known SOA principles and adds characteristics that address the use of SOA for distribut...
Microservice architectures are the new hotness, even though they aren't really all that different (in principle) from the paradigm described by SOA (which is dead, or not dead, depending on whom you ask). One of the things this decompositional approach to application architecture does is encourage developers and operations (some might even say DevOps) to re-evaluate scaling strategies. In particular, the notion is forwarded that an application should be built to scale and then infrastructure sho...
SYS-CON Events announced today the IoT Bootcamp – Jumpstart Your IoT Strategy, being held June 9–10, 2015, in conjunction with 16th Cloud Expo and Internet of @ThingsExpo at the Javits Center in New York City. This is your chance to jumpstart your IoT strategy. Combined with real-world scenarios and use cases, the IoT Bootcamp is not just based on presentations but includes hands-on demos and walkthroughs. We will introduce you to a variety of Do-It-Yourself IoT platforms including Arduino, Ras...
Microservices are the result of decomposing applications. That may sound a lot like SOA, but SOA was based on an object-oriented (noun) premise; that is, services were built around an object - like a customer - with all the necessary operations (functions) that go along with it. SOA was also founded on a variety of standards (most of them coming out of OASIS) like SOAP, WSDL, XML and UDDI. Microservices have no standards (at least none deriving from a standards body or organization) and can be b...
Our guest on the podcast this week is Jason Bloomberg, President at Intellyx. When we build services we want them to be lightweight, stateless and scalable while doing one thing really well. In today's cloud world, we're revisiting what to takes to make a good service in the first place. Listen in to learn why following "the book" doesn't necessarily mean that you're solving key business problems.
Right off the bat, Newman advises that we should "think of microservices as a specific approach for SOA in the same way that XP or Scrum are specific approaches for Agile Software development". These analogies are very interesting because my expectation was that microservices is a pattern. So I might infer that microservices is a set of process techniques as opposed to an architectural approach. Yet in the book, Newman clearly includes some elements of concept model and architecture as well as p...
Microservices, for the uninitiated, are essentially the decomposition of applications into multiple services. This decomposition is often based on functional lines, with related functions being grouped together into a service. While this may sound a like SOA, it really isn't, especially given that SOA was an object-centered methodology that focused on creating services around "nouns" like customer and product. Microservices, while certainly capable of being noun-based, are just as likely to be v...