Blog

<p><strong>There are two key questions anyone associated with business and data need to ask themselves:</strong></p> <ol> <li><strong>Does our company still have a password database and, if so</strong></li> <li><strong>Why?</strong></li> </ol> <img src="./zero-knowledge-vs-passwords.jpg" alt="Zero Knowledge is more secure than passwords" width="994" height="559"> <p>The simple fact is that there is no reason for any company to have a password database anymore. It is now estimated that 81% of all hacking related breaches involve the use of stolen or weak credentials (<em>source: <a href="http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/" target="_blank">DIBR</a></em>). And we need to put this in the context of 8 billion authentication credentials having been stolen since 2013, with all that this implies for damage to a company’s business and brand reputation.</p>…

<img src="./miracl-blog-iStock-680270994.jpg" alt="iStock-680270994.jpg" width="1199" height="899"> <p>In our last blog, <a href="/blog/post-quantum-cryptography-for-grandparents" target="_blank" title="Post Quantum Cryptography for Grandparents">“Post Quantum Cryptography for Grandparents”</a>, (which you really need to read first before reading this one) we pointed out that Post-Quantum cryptography as based on the Ring Learning with Errors (RLWE) problem, can actually be quite easy to understand, despite its rather terrifying terminology.</p> <p>Its based on this one-way function</p> <p><strong><em>B=As+e</em></strong></p> <p>Where <em>A</em> and <em>B</em> are “large” polynomials and <em>s</em> and <em>e</em> are “small” polynomials. Given <em>A</em> , <em>s</em> and <em>e</em> , its easy to calculate <em>B</em>, its just a multiplication followed by an addition. However given <em>B</em> and <em>A</em> , its very hard to calculate <em>s</em> and <em>e</em> . Even a quantum computer can’t do it. That’s why we call it one-way.</p>…

<img src="./miracl-blog-iStock-495007435.jpg" alt="iStock-495007435.jpg"> <p>Its actually not as complicated as it sounds. Let’s get the maths over with first. Remember polynomials?</p> <p><strong>(x+1)(x+1)=x²+2x+1</strong></p> <p>This would be an example of two first degree polynomials being multiplied together to create a second degree polynomial (or quadratic). In general two <em>n</em>-th degree polynomials when multiplied together create a <em>2n</em>-th degree polynomial result. Polynomials can also be added</p> <p><strong>(3<em>x</em>+5)+(5<em>x</em>+6) = 8<em>x</em>+11</strong></p> <p>Don’t tell me that’s hard! For the polynomial 8<em>x</em>+11, the coefficients are 8 and 11.</p>…

<p><strong>As we are all aware we are on the cusp of a major revolution in the auto-mobile industry. In 20 years we will all be driving electric cars and the good old petrol engine will be something we visit in museums. Already governments are legislating, and auto makers are revamping their assembly lines, to be ready in good time.</strong></p> <p><img src="./miracl-blog-hybrid-car-2503566_1920.jpg" alt="Hybrid car"></p> <p>In the meantime the industry has introduced a slew of “hybrid” models, which have two engines, one petrol and one electrical. This is a perfectly rational holding position to take. It avoids putting all of the eggs in one basket, so if the new electric motor fails for any reason, the car still functions.</p>…

<p><strong>In 2018, PSD2, the revised Payment Service Directive will be implemented which will change banking as we know it. Banks and payment services will be required to comply with new legislation which aims to improve innovation, reinforce consumer protection, and improve the security of internet payments and account access within the EU and EEA.</strong></p> <h3 id="what-is-psd2">What is PSD2?</h3> <p>The Payment Services Directive is an EU Directive, administered by the European Banking Authority to regulate payment services and providers. The directive’s purpose is to provide a level playing field by harmonising consumer protection as well as the rights and obligations of payment providers and users. The new requirements are designed to open access to banking customers, both consumers and businesses, through 3rd party providers and open APIs.</p>…

<p><strong>It’s interesting to compare progress in Computer Security with progress in Medicine Science. Think of computing technology as being analogous to the human body, and under attack from multiple potentially damaging external forces. Of course we have for years talked about computer “viruses”, so the comparison is a natural one.</strong></p> <p><strong>So if we were to look at progress in medical science and progress in computer security, hoping to draw optimistic conclusions from the comparison, what would we find?</strong></p>…

<p><strong>In today’s online world of increasing digital crime, internet fraud and database breaches, businesses are left with the growing worry about protecting their online commerce and customers.</strong></p> <h3 id="when-authentication-goes-bad">When authentication goes bad</h3> <p>For years, industry experts have warned that passwords do not provide strong enough security as a sole line of defense against the ever escalating cyber security threats designed to exploit vulnerabilities with stored authentication credentials.</p> <p>Usernames and passwords have proven time and again to be a weak solution for authentication, and the databases where they are stored are a hacker’s dream come true. It is increasingly easy for cyber criminals to gain access to a business’s or user’s private data such as personal details, banking or financial information, and then to use that data to commit fraud, whilst damaging the business’s reputation in the process.</p>…

<p>As described in <a href="/blog/the-essence-of-the-blockchain" target="_blank">my last posting on the ‘Essence of the Blockchain’</a>, the block-chain is just a public ledger supported by the power of the cryptographic hash function.</p> <p>From a “genesis” block, a chain of blocks propagates onwards. Due to the one-wayness of the hash function, it can never be reversed and the contents of a prior block can never be changed. However we can add new blocks on to the end of it.</p>…

<p><strong>By which I mean the Personal Identification Number. Most days we use it in conjunction with our ATM card to perform relatively large value transactions. As such its a pretty proven way of authenticating ourselves. So if we already have the authentication problem solved, why don’t we use the same method when authenticating to services on the Web? Why do we persist with the much more inconvenient and insecure Username and Password combination, rather than a Card and PIN number type of solution?</strong></p>…

<p>The American National Institute for Standards in Technology (NIST) is considering proposals for several modes of operation for Format Preserving Encryption (FPE). The idea behind FPE is quite simple: A plaintext should encipher to a ciphertext with exactly the same format and length. The classic example would be a credit card number, in which case the 18 decimal digit plaintext should encrypt to an 18 decimal digit ciphertext. This is clearly very convenient.</p>…

<p>We propose a new Elliptic curve at a security level significantly greater than the standard 128 bits, that fills a gap in current proposals while bucking the expected security vs cost curve by exploiting the new trick recently described by Granger and Scott. This essentially reduces the cost of field multiplication to that of a field squaring.</p> <p><a href="./curve.pdf" target="_blank" class="cta_button hero-button hvr-radial-out">Download paper and learn about an alternative Elliptic Curve</a></p> <h3 class="sectionHead"><span class="titlemark">1 </span> <a id="x1-10001"></a>Introduction</h3> <p>If a non-cryptographer were asked to guess how much stronger TOP SECRET cryptography is compared with commercial strength cryptography, I would imagine that most would suggest a hundred times, maybe a thousand times, maybe even a million times. But I think many would be surprised that in fact its at least 9,223,372,036,854,775,808 times, a number so big that it is unspeakable. But thats the difference between an elliptic curve at the 128-bit level of security and an elliptic curve at the 192-bit level. Most might consider this a little excessive. </p>…

<p><em>New Service Adopted by NTT Software to Expand Offerings While Eliminating the Largest Security Threat To Enterprise Customers In Digital Businesses (The Password Database).</em></p> <p><strong>Tokyo, Japan, October 19, 2016</strong> — <a href="/">MIRACL</a>, a leading internet cyber-security company, announced today the launch of NTT Software as a Global Distribution Partner for its Multi-Factor Authentication security solution platform.</p> <p>NTT Software has added to its portfolio MIRACL’s world-class security product that can comprehensively address the need for secure and scalable authentication in highly regulated industries such as banking, government, and healthcare. NTT Software’s new “TrustBind® MFA (multi-factor authentication)” is a hosted-cloud service that will allow the company to continue providing the best Identity Management Solutions to security focused enterprise customers.</p>…