February 14th is I love Free Software Day, a campaign organised by the Free Software Foundation Europe. We at KeyIdentity want to show our appreciation for the Free Software community too.
Free Software is a fundamental building block of the development tools we use, and also of our open source authentication products. So on this day we would like to express our thanks to all the contributors of free software projects, and in particular to the contributors of those projects we use on a daily basis. Keep up the good work!
KeyIdentity is the winner in the category "Outstanding Information Security" of this year's Outstanding Security Performance Awards (OSPAs) 2017. We are pleased that our multi-factor authentication (MFA) solution LinOTP convinced the demanding jury and thereby won the coveted first place.
What is a cryptographic back door?
“A backdoor is an intentional flaw in a cryptographic algorithm or implementation that allows an individual to bypass the security mechanisms the system was designed to enforce. A backdoor is a way for someone to get something out of the system that they otherwise would not be able to. If a security system is the wall, a backdoor is the secret tunnel underneath it.”
How the NSA (may have) put a backdoor in RSA’s cryptography: A technical primer, by Nick Sullivan, January 6th 2014
For any organisation concerned about the possibility of cryptographic backdoors being built into the authentication solution it invests in, open source software (OSS) can be seen as offering an alternative, for several reasons:
- A closed-source system can conceal malicious elements more easily, because in OSS any risk areas have a greater chance of being discovered by the open source community.
- Contrary to the view that releasing code benefits attackers because hostile audiences can read OSS code, attackers are able to reverse engineer binary (proprietary) code patches in minutes and generate exploits from them. Security by obscurity has never been a solid approach. Multiple academic papers demonstrate how easy this is: "in some of the cases they tried, they claimed to be able to create an exploit in minutes after receiving the patch and comparing the patched version of the application with the unpatched version." https://isc.sans.edu/forums/diary/The+Patch+Window+is+Gone+Automated+PatchBased+Exploit+Generation/4310/
- OSS offers the IT security team the opportunity to audit the code and conduct proper due diligence.
- OSS also gives the IT security team the possibility to adapt the code to their own needs where necessary. Customers can, but do not have to, take part in developing the code.
- If the source code is publicly available and a maintainer stops working on it for whatever reason, anybody else can continue to develop and maintain it.
While proprietary vendors have argued that their software is more secure because it is secret, this can be countered with the view that closed source makes it all too easy for weak crypto, or a crypto backdoor implemented by selecting fixed numbers as parameters, to slip in unnoticed, whilst in OSS the chosen parameters are visible for anyone to inspect.
With Open Source at its core, LinOTP reduces the risks associated with proprietary software.