PKI Blog

Authentication in an Ultra-Connected World: Internet of Things

Posted by Ted Shorter on Oct 1, 2015 6:05:00 AM

As PKI practitioners, we’ve been asked the question for years: “What’s the best way to get a digital certificate on _____?” What gets filled into the blank has expanded dramatically over time, however. Ten years ago, certificates landed primarily on what I’d describe as “traditional” IT infrastructure – servers, desktops, laptops, smart cards, RADIUS servers, or VPN concentrators. But since then, things have gotten much more interesting. Handheld scanners. Surgical robots. VOIP phones. Set-top boxes. Cable modems. Even heart monitors and IV pumps.

Read More

Topics: install certificates onto devices, digital certificates, cert, embedded systems, certificate, Microsoft Security Partner, expired digital certificate, Public Key Infrastructure, Certificate Management System (CMS), Industry Trends, Microsoft Public Key Infrastructure, Cisco Internet of Things, embedded certificates, embedded devices, Microsoft PKI, X.509 digital certificates, Internet of Things, IoT, Blog, Internet of Things (IoT), certificate install, BYOD, PKI Assurance

Two-factor Authentication via SMS Messaging for FIM 2010 R2 SSPR

Posted by CSS Technical Team on Sep 17, 2014 11:11:00 AM

Recently I worked on a customized self-service password reset (SSPR) solution leveraging FIM 2010 R2. The SSPR functionality provided out of the box by FIM 2010 R2 is quite comprehensive. In the design sessions with the customer, they decided that they wanted to use a higher level of security for users on the Internet to be able to reset their passwords. This certainly makes sense—exposing an interface where corporate users can reset their passwords is a boon to the service desk, but introduces a significant threat surface and associated security risk.

Read More

Topics: Infrastructure Management, Industry Trends, SMS, strong authentication, Identity Management, SSPR, OTP, Blog, Self-Service Password Reset, one-time password, FIM 2010 R2, two factor authentication

Where Does My Heartbleed Now?

Posted by Chris Hickman on Apr 15, 2014 6:00:29 AM

Vulnerabilities tend to morph over time. Upon initial identification, researchers, companies, and experts tend to rush to offer opinions, sometimes factual and sometimes less so.

Read More

Topics: Heartbleed, private key ssl, expired digital certificate, Public Key Infrastructure, Certificate Management System (CMS), Industry Trends, private keys, OpenSSL, Heartbleed vulnerability, private key, SSL certificate, Azure PKI, PKI, PKI as a Service (PKIaaS), heartbleed bug, SSL bug, private key heartbleed, Heartbleed android, Blog, private keys vulnerable

When RMS Goes Wrong: Samsung Security Flaw

Posted by Sarah Duncan on Apr 14, 2014 9:57:45 AM

Awhile back, I wrote a post (Shocked by an Android) singing the praises of Samsung for supporting RMS in their native Microsoft Exchange ActiveSync email client for Android. Today, however, I'm here to report on a security flaw we've discovered in that implementation of RMS.

Read More

Topics: Rights Management Services, Samsung security flaw, Android Security flaw, Industry Trends, Microsoft Exchange ActiveSync, RMS, Samsung email, Android, Blog, Android RMS, Samsung

Publicly Trusted versus Trustworthy SSL Certificates

Posted by Wayne Harris on Apr 11, 2014 10:52:23 AM

In the wake of the Heartbleed bug, many are faced with the daunting (and expensive) prospect of replacing the SSL certificates on those vulnerable systems. This is due to the possibility that the private keys of exposed SSL certificates may or may not have been compromised. In the end, since there is no way to know for sure if your private keys have been compromised, many are opting to replace the SSL certificates of the affected system(s).

Read More

Topics: SSL certificates, cert, certificate, IT Security, Microsoft Security Partner, Heartbleed, expired digital certificate, Public Key Infrastructure, Certificate Management System (CMS), Industry Trends, OpenSSL, Microsoft Public Key Infrastructure, Azure PKI, PKI, PKI as a Service (PKIaaS), heartbleed bug, SSL PKI, Blog

Heartbleed Vulnerability: What You Need to Know

Posted by Wayne Harris on Apr 9, 2014 10:56:36 AM

On April 7, 2014 a severe vulnerability called “Heartbleed” was announced. Heartbleed is a vulnerability within the OpenSSL 1.0.1 series software that is described in the NIST CVE-2014-0160 announcement. In short, this vulnerability allows hackers access to portions of a vulnerable system’s memory, leading to the potential exposure of passwords, sensitive data, and certificate private keys on affected systems. Heartbleed accomplishes this by exploiting a weakness in the “TLS Heartbeat Extension,” exposing server memory. Even worse, this heartbeat attack can be repeated without the awareness of the victim, and each iteration reveals another 64k snapshot of memory to the attacker. This very serious vulnerability exposes the most sensitive data of affected systems.

The good news: the vulnerability has a patch. However, the widespread adoption of the OpenSSL 1.0.1 series software, coupled with the two years that this vulnerability has existed, means that the risks attributable to Heartbleed are enormous. Current estimates predict that over 500,000 systems may be vulnerable. Specifically, the Heartbleed vulnerability affects those systems that use OpenSSL 1.0.1 (a-f). Unfortunately, since this software is so widely implemented, many popular OS platforms are affected and thus vulnerable. I would suggest visiting the CERT Web Site for a more list of affected platforms. It is worth mentioning that this is a developing story, and as such, the list of affected platforms is likely to change.

Read More

Topics: 64k, Heartbleed SSL, Heartbleed, expired digital certificate, Public Key Infrastructure, Certificate Management System (CMS), Industry Trends, SSL vulnerability, OpenSSL, Heartbleed vulnerability, TLS Heartbeat Extension, Azure PKI, PKI as a Service (PKIaaS), NIST CVE-2014-0160, heartbleed bug, Internet of Things, Blog, heartbleed help

Apple’s SSL Bug: Another Man-in-the-Middle Attack

Posted by Ted Shorter on Feb 22, 2014 6:38:25 PM

The Problem

Read More

Topics: digital certificate, Apple’s SSL Flaw, Apple flaw, iOS 7, IT Security, Microsoft Security Partner, apple MITM attack, apple security flaw, on device key generation, Industry Trends, SSL attack, Man in the Middle Attack, ODKG, Blog, Mac SSL, Apple SSL, client-side SSL certificates, MITM, apple ssl attack, iOS 7 SSL

SHA-1 Signed Certificates No Longer Trusted?

Posted by Ted Shorter on Dec 10, 2013 4:47:24 AM

By now, you may have already heard that Microsoft will start deprecating trust in certificates with SHA-1 signatures in 2016. In our view, this is a prudent move by Microsoft. We've long known that SHA-1 was weakening, and showing signs that a practical attack similar to the 2008 demonstration against MD5 could appear in the next few years.

Read More

Topics: expired digital certificate, Public Key Infrastructure, Certificate Management System (CMS), Industry Trends, RSA Keys, PKIaaS, Azure PKI, PKI, Secure Hash Algorithm, PKI as a Service (PKIaaS), PKI as a Service, SHA1, SHA2, MD5 hash, Blog, SHA-1, SHA-2

1024-bit RSAs Days are Numbered

Posted by Ted Shorter on Jul 9, 2013 6:49:48 AM

In December of 2011, the CA/Browser Forum, comprised of representatives from the major Certification Authorities such as Symantec, Comodo, GoDaddy, and DigiCert, as well as browser vendors such as Microsoft, Apple, Mozilla, and Opera, published a document called "Baseline Requirements for the Issuance and Management of Publicly Trusted Certificates.” This document outlines an agreed-upon set of minimum standards for SSL/TLS cert vendors.

One of these standards essentially calls of the elimination of certificates with 1024-bit RSA public keys by the end of 2013: any RSA-keyed certificate, even end-entity (“subscriber”) certificates, that expire after Dec. 31, 2013, must have a key of at least 2048-bits. This is big news in some circles; a number of public cert vendors have had to change their procedures, and, more significantly, start migrating their customer bases to 2048-bit certs. Many started this process quite a while ago.

Read More

Topics: digital certificate, RSA cert length, apple, Symantec, Public Key Infrastructure, Comodo, certificate 2013, RSA certificate length, Industry Trends, DigiCert, SSL certificate, 1024-bit RSA, PKI, TLS cert, Microsoft PKI, digital certificate length, Blog, 1024 certificate length, cert length 2013, GoDaddy, Mozilla

SHA-3 Announcement

Posted by Wayne Harris on Oct 4, 2012 8:16:30 AM

As many know, the cryptographic hash function known as Secure Hash Algorithm 1 (SHA-1) has been deemed weak by NIST, and is no longer recommended. The NSA addressed the weaknesses in SHA-1 by publishing the SHA-2 hash function standard back in 2001. SHA-2 builds on SHA-1 by using similar algorithms with larger block and state sizes.

Read More

Topics: Keccak, Public Key Infrastructure, Industry Trends, NIST, Microsoft Public Key Infrastructure, PKI, Secure Hash Algorithm, Blog, SHA-1, SHA-2, SHA-3, NSA

Posts by Topic

see all

Subscribe to Email Updates

Want to Learn more about CSS?