Gemplus abolishes need for PKI certificates using smart cards


News. Infosecurity Today, November/December 2004, p. 5

By Brian McKenna

Gemplus has announced the first smart card implementation of Identity-based Encryption. Based on the Boneh-Franklin scheme, it uses the recipient's name, phone number or email address as the public key, so a sender can encrypt to that identity (and, with the related identity-based signature schemes, verify signatures against it).

Identity-based Encryption (IBE) can typically allow one subscriber to encrypt an SMS for another subscriber, using the receiver's phone number as the public key. The receiver's matching private key is issued by a trusted private-key generator holding a master secret (the operator, in this scenario); that generator takes the place of the certificate authority in a conventional PKI, and because it can derive any subscriber's private key it also holds every subscriber's messages in escrow.

"The implementation of such a protocol in a SIM card gets around the time constraints associated with the decryption of the message and makes the whole process much simpler for the end-user and the telecom operator," said Dr. David Naccache, vice-president, Research and Innovation, at Gemplus. "The message itself is directly encrypted with the identity of the recipient, meaning that he alone can open his messages."

He said that "the simplicity of identity-based encryption is bought at the cost of calculations — it is not easy to perform this kind of encryption and decryption on a small device like a smart card. We have come up with an extremely optimized implementation of this identity based encryption in a smart card."

Naccache said that it will be three to four years before the concept is embodied in products. He also said the company has yet to talk to operators about the implementation.

"It simplifies the management of certificates. We are abolishing the notion of certificates."

Naccache added that the technology will enable Gemplus to provide new functionalities, such as encrypting credit card payments via SMS on a mobile.
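The SMS scenario above, as an added worked example (this is not Gemplus's implementation, and the page gives no code). It follows the Setup / Extract / Encrypt / Decrypt structure of Boneh-Franklin's BasicIdent, the chosen-plaintext-secure base variant (FullIdent wraps it with the Fujisaki-Okamoto transform). Everything about the groups is an assumption made for runnability: G1 and GT are both modelled as the integers modulo the Mersenne prime 2^127 - 1, so the "pairing" is ordinary multiplication, bilinear by construction but with trivial discrete logarithms; a real implementation needs a pairing-friendly elliptic curve. The phone numbers are constructed from the Ofcom drama range. The escrow property of IBE noted above is shown directly: a second generator seeded with the same master secret reads the recipient's traffic.

```python
"""Toy Boneh-Franklin 'BasicIdent' identity-based encryption for SMS-style identities.

Constructed for illustration: the bilinear groups G1 and GT are both modelled as
the integers mod a prime q, so the pairing e(aP, bP) = ab*e(P, P) is bilinear by
construction but discrete logarithms are trivial. The Setup/Extract/Encrypt/Decrypt
structure is Boneh-Franklin's; the group arithmetic is not, and this is NOT secure.
"""
import hashlib
import secrets

Q = 2**127 - 1  # prime order of the toy groups (Mersenne prime M127); an assumption
P = 2           # public generator of the toy G1: any non-zero element will do


def _e(a: int, b: int) -> int:
    """Toy pairing G1 x G1 -> GT, written additively: e(xP, yP) = xy * e(P, P)."""
    return (a * b) % Q


def _h1(identity: str) -> int:
    """H1: map an identity string (phone number, e-mail, name) to a non-zero G1 element.
    This IS the recipient's public key; nothing is looked up or certified."""
    digest = hashlib.sha256(b"H1|" + identity.encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1


def _h2(gt: int, length: int) -> bytes:
    """H2: expand a GT element into a `length`-byte one-time pad (SHA-256 counter mode)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(b"H2|" + gt.to_bytes(16, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


class PrivateKeyGenerator:
    """Setup: the operator-side PKG holds the master secret s and publishes P_pub = s*P."""

    def __init__(self, master_secret: int = 0):
        self.s = master_secret or secrets.randbelow(Q - 1) + 1
        self.p_pub = (self.s * P) % Q

    def extract(self, identity: str) -> int:
        """Extract: issue the private key d_ID = s*Q_ID (the part that would be loaded into the SIM)."""
        return (self.s * _h1(identity)) % Q


def encrypt(p_pub: int, identity: str, message: bytes) -> tuple:
    """Encrypt to an identity using only (P, P_pub) and the identity string itself."""
    q_id = _h1(identity)
    r = secrets.randbelow(Q - 1) + 1
    u = (r * P) % Q                           # U = r*P
    g_id = _e(q_id, p_pub)                    # g_ID = e(Q_ID, P_pub)
    pad = _h2((r * g_id) % Q, len(message))   # H2(g_ID^r), additive in the toy GT
    v = bytes(m ^ k for m, k in zip(message, pad))
    return u, v


def decrypt(d_id: int, ciphertext: tuple) -> bytes:
    """Decrypt: e(d_ID, U) = e(s*Q_ID, r*P) = e(Q_ID, P_pub)^r, the pad the sender used."""
    u, v = ciphertext
    pad = _h2(_e(d_id, u), len(v))
    return bytes(c ^ k for c, k in zip(v, pad))


def sms_round_trip(text: bytes, recipient: str = "+447700900123") -> dict:
    """One SMS exchange: the operator runs Setup, a sender encrypts to a phone number,
    the recipient's key decrypts. Also shows IBE's built-in escrow: anyone holding s
    (a second PKG instance here) re-derives d_ID and reads the message."""
    operator = PrivateKeyGenerator()
    ct = encrypt(operator.p_pub, recipient, text)
    return {
        "recipient_reads": decrypt(operator.extract(recipient), ct),
        "wrong_number_reads": decrypt(operator.extract("+447700900999"), ct),
        "escrow_reads": decrypt(PrivateKeyGenerator(operator.s).extract(recipient), ct),
    }


if __name__ == "__main__":
    print(sms_round_trip(b"pay 10 GBP to 12345"))
```

The point to take from the round trip is which side never appears: the sender contacts no directory and checks no certificate, so the trust that a PKI puts in a CA's signature moves entirely onto the generator that holds s and onto the channel by which d_ID reaches the SIM.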

UK government to stiffen professionalism in information assurance

By Brian McKenna

The British government is taking a fresh look at information risk management professional accreditation as part of a wider review of the state of UK state and industry information assurance.

Speaking at the launch of a new report, Sir David Omand, Security and Intelligence Co-ordinator and Permanent Secretary at the Cabinet Office, said: "we can see a need for more professional training and accreditation in this area".

He also said that awareness of information assurance has to be raised among the general public and small businesses, and cited the National Hi-Tech Crime Unit's 'Operation Endurance' as a positive development.

At the same event, Stephen Marsh, Director, Central Sponsor for Information Assurance at the Cabinet Office, said: "A few years ago it was possible to look at these issues as the concern of IT departments. But the complexity of IT systems and our dependability on them means that is no longer valid. This has to be a Board level issue".

And so, he said: "We are looking to improve the training of information risk managers. We need to go beyond what exists in terms of understanding technology and processes to assuring competency and trustworthiness – so that you are someone that a company can rely on".

The British Computer Society (BCS) "has an interest in this", he added.

Sir David commented: "we now have senior owners of information risk in every government department, and we need to enhance their training also.

"You also can't afford to skimp on IT systems, such as the National Health Service IT programme, on which you have bet the shop. Information assurance is a major item on the government's agenda".

Information assurance: a review of UK Government and industry initiatives

• Published by the Cabinet Office, written by Nick Coleman, Chair of SAINT (Security Alliance for Internet and New Technologies).

• First time an overview of private, voluntary and public sector information assurance initiatives has been published in the UK.

• Report includes a 'Framework for Information Assurance' designed to improve communication with relevant stakeholders.

News In Brief

Caught out there

Two undergraduates have paid the price for trying to hack into Oxford University's computer system. Patrick Foster and Roger Waite have both been 'rusticated' until 2005, after trying to prove that the university's IT security was weak, using a program downloaded from Google. Publishing their attempts in their paper, the Oxford Student, the pair drew too much attention to their exploits. Oxford's Court of Summary Jurisdiction described their activities as an "attack on the university".

"We were simply trying to expose the security failings in Oxford's IT network", said Foster, who has been suspended until May 2005.

SecureWave gives the finger to USB sticks

'Whitelist' vendor SecureWave has launched an auditing product that tracks data written to authorized portable devices while blocking unauthorized ones. 'Sanctuary Device Control with Device Shadowing' enables IT departments to determine what I/O devices are allowed and who can use them.

Chief Executive Officer Bob Johnson said: "it provides a way of closing down a hole in terms of the escape of sensitive information". The audit capability goes with an ability to "shadow or copy information copied to one of these removable devices".

The product offers a fine level of granularity, he said. "So Joe is only allowed to use USB device A and only A, and you can audit that use.

"Since the introduction of XP especially, with plug and play, businesses have had growing problems with these devices".

Sanctuary Device Control is described as a centralized management tool through which an administrator can manage a whitelist of devices that are permitted on the network, while excluding all unknown or unauthorized devices.

Devices are managed according to their types (scanner, zip drive, PDA, modem, and so on) rather than by their methods of connection (USB, LPT, FireWire, WiFi, and so on), so a disk attached over FireWire falls under the same rule as one on USB. Temporary access can be granted to a given device type: for example, certain kinds of devices might be usable on the network only during work hours and not at night.

Sanctuary also audits I/O device use as well as attempts to use unauthorized devices. The shadowing feature provides a complete record and copy of data transferred to authorized devices from corporate endpoints, databases and servers. Since that shadow store is itself a second copy of everything that left the estate, it needs at least the protection of the data it records.

The price: $45 per user.
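The policy model the article describes (whitelist keyed on device type rather than bus, per-type access windows, an audit record of every allowed and denied attempt, and a shadow copy of data written to a permitted device), as an added example in Python. It is not SecureWave's code and the page shows none; the policy layout, the device identifiers and the events are all constructed for the run.

```python
"""Device-control policy engine of the kind the article describes: per-user
whitelists keyed on device TYPE (not bus), time-of-day windows per type,
an audit trail of allowed and denied use, and 'shadow' copies of data written
to permitted devices. Constructed example, not SecureWave's code; the policy
layout and the device identifiers are assumptions."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


@dataclass(frozen=True)
class DeviceEvent:
    user: str
    device_type: str        # removable_storage, pda, modem, scanner ...
    device_id: str          # stable vendor/product/serial style identifier
    bus: str                # usb, firewire, lpt ...: recorded, never used for the decision
    when: datetime
    payload: Optional[bytes] = None   # bytes the user wrote to the device, if any


@dataclass
class AuditRecord:
    when: datetime
    user: str
    device_type: str
    device_id: str
    bus: str
    decision: str           # "allow" or "deny"
    reason: str
    shadow_sha256: Optional[str] = None   # key into the shadow store when data was written


class DeviceControl:
    def __init__(self, whitelist: dict, hours: dict):
        self.whitelist = whitelist   # {user: {device_type: {device_id, ...}}}
        self.hours = hours           # {device_type: (start_time, end_time)}
        self.audit: list = []        # every decision, allowed or not
        self.shadow: dict = {}       # sha256 hex -> copy of the data that left

    def _within_hours(self, device_type: str, when: datetime) -> bool:
        window = self.hours.get(device_type)
        if window is None:           # no window configured: type usable at any time
            return True
        start, end = window
        return start <= when.time() < end

    def evaluate(self, ev: DeviceEvent) -> AuditRecord:
        allowed = self.whitelist.get(ev.user, {}).get(ev.device_type, set())
        base = (ev.when, ev.user, ev.device_type, ev.device_id, ev.bus)
        if ev.device_id not in allowed:
            rec = AuditRecord(*base, "deny", "device not on this user's whitelist")
        elif not self._within_hours(ev.device_type, ev.when):
            rec = AuditRecord(*base, "deny", "outside permitted hours for this device type")
        else:
            digest = None
            if ev.payload is not None:       # shadowing: keep a copy of what was written
                digest = hashlib.sha256(ev.payload).hexdigest()
                self.shadow[digest] = ev.payload
            rec = AuditRecord(*base, "allow", "whitelisted device within hours", digest)
        self.audit.append(rec)
        return rec


def run_demo() -> DeviceControl:
    """Constructed events for user 'joe', who may use USB stick A and one FireWire disk."""
    stick_a = "USB\\VID_0781&PID_5567\\A1B2C3"
    stick_b = "USB\\VID_0951&PID_1603\\ZZ9999"
    fw_disk = "1394\\DISK\\0090A9"
    dc = DeviceControl(
        whitelist={"joe": {"removable_storage": {stick_a, fw_disk}}},
        hours={"removable_storage": (time(8, 0), time(18, 0))},
    )
    events = [
        DeviceEvent("joe", "removable_storage", stick_a, "usb", datetime(2004, 11, 15, 10, 30), b"Q3 forecast"),
        DeviceEvent("joe", "removable_storage", stick_b, "usb", datetime(2004, 11, 15, 10, 31), b"customer list"),
        DeviceEvent("joe", "removable_storage", stick_a, "usb", datetime(2004, 11, 15, 23, 5), b"late copy"),
        DeviceEvent("joe", "removable_storage", fw_disk, "firewire", datetime(2004, 11, 16, 9, 0)),
        DeviceEvent("ann", "pda", "USB\\VID_0830&PID_0061\\PALM01", "usb", datetime(2004, 11, 16, 9, 5)),
    ]
    for ev in events:
        dc.evaluate(ev)
    return dc


if __name__ == "__main__":
    for rec in run_demo().audit:
        print(rec.when, rec.user, rec.decision, rec.reason, rec.shadow_sha256)
```

Of the five constructed events only the first leaves anything in the shadow store: stick B is denied because it is not on Joe's list, stick A is denied at 23:05 because the window for the type has closed, the FireWire disk is allowed by the same type rule with nothing written, and Ann has no policy entry at all. Note that every denied attempt is still audited, which is the half of the feature that tells you who tried.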