UPDATED 12:01 EDT / JULY 11 2014

Getting serious about online security

Software developers and system administrators around the world are losing the equivalent of an arms race, trying to detect, fix, and shore up weaknesses exposed by numerous vulnerabilities such as the OpenSSL Heartbleed bug.
More than two months after Heartbleed was reported, it is estimated that more than 300,000 servers are still at risk.

In theory, open-source software should be the most secure kind of software, since anyone can review it and provide security fixes.

However, in practice, there is a shortage of highly skilled people who can properly write and audit cryptographic software. Paying for such people currently yields the best economic return for criminal organizations, since they can profit directly by exploiting victims through the vulnerabilities they discover or introduce.

In other words, more money is being made by the bad guys who are introducing and exploiting flaws, than by the good guys who are preventing and fixing these flaws.

Moving beyond software-only security


Unfortunately, the problem of Internet security goes beyond open-source software like OpenSSL. Any general-purpose computing device, such as a computer, a tablet, or a phone, when combined with its operating system, is simply too large and too complex, with too many potential attack vectors, to be fully locked down. As Heartbleed demonstrated, a single software error anywhere in the millions of lines of code can be enough to completely compromise the device.

Dedicated hardware security elements, in the form of secure chips for individual use and HSMs (Hardware Security Modules) for enterprise and industrial use, are built around security-hardened cryptographic hardware and software that performs a single task: protecting secret keys and data.

Integrating security elements into any electronic technology or infrastructure, solely to protect secret keys and data, is a simple way to mitigate security risks.

Furthermore, security elements support PKI (Public Key Infrastructure) technology, which removes the need for individuals and organizations to protect secrets such as passwords, replacing them with far more secure mutual authentication and key agreement protocols.

In addition, with the emergence of the Internet of Things, more and more devices are going online to transmit and receive data. Smart grids, smart hospitals, and other essential services must be impervious to data corruption in order to deliver reliable service and keep data secure. All of these devices can be protected by security elements.

Getting serious about security


Relying on the simple combination of a username and password is no longer enough. Computing power has advanced to the point that the average person can no longer remember a password of the length and complexity needed to withstand an exhaustive automated search.

By moving away from the software-only approach and replacing it with an authentication method that also includes a hardware security IC, called a secure element, the process of online access can be made simpler, more private, and more secure.

Secure elements are physical devices that can be carried by a person or embedded into a device. The hardware itself can be put in something that is easy to handle, such as a key fob or a USB key. Secure elements essentially do away with passwords. In a tablet, for example, the secure element might be combined with a fingerprint reader. When you want to transfer money, you log onto your bank app using your fingerprint. The secure element authenticates the fingerprint, so you can safely access your account.

There are a number of ways that secure elements can be made available to end users. They can be issued by a government organization (in a passport or electronic ID), or they can be made available for purchase, either online or in a brick-and-mortar store, and then registered for use. They can also be provisioned on a device, such as a thermostat or smartphone, for use with embedded software or a downloaded app.

One group that is advancing the case for secure elements is the FIDO Alliance. Dedicated to “Fast IDentity Online,” FIDO is backed by industry leaders (including NXP), and has already issued a first set of specifications. FIDO has also established the FIDO Ready trademark, which labels products that have met the requirements of FIDO testing.

There will always be hackers and there will always be a risk associated with managing sensitive data. Two things – making the process of releasing open-source software more formal, with certifiable encryption, and using secure elements for authentication – can help stack the odds in our favor.


About the Author

Sami Nassar is VP and General Manager, Business Unit ID at NXP Semiconductors. In his current role at NXP, Mr. Nassar heads the digital security products for the cyber security markets.
