Perimeter
11/23/2011
11:12 AM
Taher Elgamal
Taher Elgamal
Commentary
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Embedding Digital Certificates In Hardware

A natural evolution, but there are a few potential pitfalls to avoid

It was always known that if we chain trust to a known trusted source that the overall trust is improved. Most of the implementations of PKI certificates use some hardware to store the private keys so that forging a signature or obtaining a key is difficult. At this time, the hardware takes the form of hardware security modules (HSMs) in the case of server operations, or a USB device for client machines.

The question is: What if these keys were embedded in the processor itself?

It is only natural for the industry to attempt to combine the trusted hardware into the main processor -- that will enhance the value of the hardware and make strong authentication part of the mainstream industry. The growth of applications that require strong authentication and the growth of e-commerce and other applications that handle sensitive data will perhaps make these feature very important additions to the standard “faster, better, cheaper” way of the growth of the processor industry.

A couple of issues about trust models: First, we should avoid the full flexibility that we did in the browser world since its beginning. A good number of the weaknesses of the current e-commerce environment can be avoided if we prevent “suspect” CAs from being trusted at the root, for example.

Second, we don't want to swing the pendulum the other way completely and create monopolies. Instead, we should embark on designing a good system that will allow us to build this industry correctly. Allowing a trusted CA to be a part of the system should be easy to do, assuming that we know how to revoke a CA key and that revocation checking is a standard part of all operations -- all standard operations.

Recognized in the industry as the "inventor of SSL," Dr. Taher Elgamal led the SSL efforts at Netscape. He also wrote the SSL patent and promoted SSL as the Internet security standard within standard committees and the industry. Dr. Elgamal invented several industry and government standards in data security and digital signatures area, including the DSS government standard for digital signatures. In addition to serving on numerous corporate advisory boards, Dr. Elgamal is the Chief Security Officer at Axway, a global provider of multi-enterprise solutions and infrastructure. He holds a Ph.D. and M.S. in Computer Science from Stanford University. View more of his blog posts here.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-1421
Published: 2014-04-22
Cross-site scripting (XSS) vulnerability in Craig Knudsen WebCalendar before 1.2.5, 1.2.6, and other versions before 1.2.7 allows remote attackers to inject arbitrary web script or HTML via the Category Name field to category.php.

CVE-2013-2105
Published: 2014-04-22
The Show In Browser (show_in_browser) gem 0.0.3 for Ruby allows local users to inject arbitrary web script or HTML via a symlink attack on /tmp/browser.html.

CVE-2013-2187
Published: 2014-04-22
Cross-site scripting (XSS) vulnerability in Apache Archiva 1.2 through 1.2.2 and 1.3 before 1.3.8 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters, related to the home page.

CVE-2013-4116
Published: 2014-04-22
lib/npm.js in Node Packaged Modules (npm) before 1.3.3 allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names that are created when unpacking archives.

CVE-2013-4472
Published: 2014-04-22
The openTempFile function in goo/gfile.cc in Xpdf and Poppler 0.24.3 and earlier, when running on a system other than Unix, allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names.

Best of the Web