Why Elliptic Curve Cryptography is Necessary for Secure Remote Access

Recently, there have been many advances in cracking encryption algorithms that are the basis for the most common cryptography systems, such as Diffie-Hellman, RSA and DSA. Experts warn that within the next several years, the RSA public key cryptography system could even potentially become obsolete. If that is the case, how will enterprises be able to ensure secure remote access in the near future? First, let’s take a look at the problem itself. Encryption algorithms ensure security by utilizing the assumption that certain mathematical operations are exponentially difficult, such as the problems of integer factorization and the discrete logarithm, to prevent the decryption of public and private keys. As the key length increases, it becomes exponentially harder to decrypt, which is why key sizes are typically 128 bits and above. After more than 30 years of little progress, researchers have recently started creating faster algorithms for limited versions of the discrete logarithm problem, which has rung the alarm for the entire cryptographic community. It has made us realize that we need to implement a more secure standard, Elliptic Curve Cryptography (ECC). ECC is the best option moving forward for secure remote access via VPNs, because it is based on an operation that not only is difficult to solve but also is a very different problem from the discrete logarithm and integer factorization. Due to its unique characteristics, it is not impacted by advances in decrypting cryptography systems that utilize either of those problems. Currently, ECC is still not widely in use, but that is starting to change. It is particularly important for enterprises to implement ECC over the next several...

Countering Advanced Persistent Threats with Comprehensive Network Security

The technological savvy and tenacity of cyber criminals have never been greater, and IT administrators trying to prepare for impending attacks are often left backpedaling. With all of the different ways a corporate network may be attacked, IT administrators must strive to implement a comprehensive remote access security framework within their enterprises. Especially with the proliferation of mobile devices, with a wide variety of operating systems, being used to access the network, companies need to make sure they have all of their bases (or, in this case, endpoints) covered. While traditional attacks, such as viruses, spyware or bot infections are far from extinct, advanced persistent threats (APTs) have recently been garnering a lot of attention. APTs give IT teams headaches, because they are extremely stealthy in nature and are almost always aimed at a very specific target. Traditional attacks are generally created to quickly harm the machine and network they’re infiltrating, leaving before they can be detected by the network’s intrusion detection system (IDS). APTs, on the other hand, are designed to remain in the network undetected for extended periods of time, all the while stealing sensitive company data. The wide range of methods and vulnerabilities that these attacks use to gain access is what makes them so tricky to discover. Unfortunately, once an attack has commenced, it usually requires an IT administrator to notice anomalies in outbound data before anyone realizes there is a problem at all. Sophisticated APTs can be very difficult to spot, especially without the right framework in place. One recent example of an APT struck the New York Times. It appears that the cyberespionage...

Black Hat 2013: Key Takeaways on Remote Access Security

With the books closed on what was quite possibly the most controversial Black Hat conference ever, let’s take a few minutes to reflect on all of the hot button issues relating to remote access that spurred vigorous discussions and debates at this year’s event. Here are a few of our favorite remote access-related topics from Black Hat 2013:

PRISM: A Spectrum of Opinions

When it was announced that NSA Director General Keith Alexander would be a keynote speaker, everyone attending knew they were in for an interesting show. He stood in front of a crowd of information security professionals and proclaimed, “If you disagree with what we’re doing, you should help make it better.” He’s right on that statement, but not for the reasons that he gave. It’s up to the information security industry in general to prevent programs like PRISM. More widespread use of technologies that make network communications difficult to intercept, such as VPNs, proxy servers, HTTPS and file encryption will certainly help, but a comprehensive network security framework is what is really necessary. Information security professionals need to work together to create open standards and improve network security across the board, so that programs that invade the privacy of users are not even feasible. IT security must go outside of the boundaries of individual components to prevent intrusions of all kinds by using an approach that lets organizations adjust their network security more rapidly if solutions interoperate than if components are siloed and not communicating.

Securing Privacy and Identities

Despite increasingly sophisticated security technologies such as biometrics, two-factor authentication, tokens, etc., hackers are becoming more adept...

PKI for Authenticating Remote Access VPNs: How Government Agencies Ensure Secure Communications

With many documents critical to matters of national security being accessed on a daily basis, government agencies must ensure that all users trying to establish connections of any type to their networks are who they say they are, that they are authorized to access locations that they are connecting to and that all communications are encrypted. Public Key Infrastructure (PKI) compliance is the system that the public sector uses to verify a user’s information when attempting to establish a secure connection. PKI compliance in the United States, for example, is administered and monitored by the Federal PKI Policy Authority, an interagency body that was set up under the CIO Council to enforce digital certificate standards for trusted identity authentication across federal agencies and between those agencies, universities, state and local governments, and commercial entities. PKI enables users on non-secured networks to transmit data securely and privately. It does so by using a pair of public and private cryptographic keys obtained and shared through a trusted Certificate Authority (CA). The PKI system ensures that the digital certificates generated to match an identity with their public keys are stored by the CA in a central repository and can be revoked if necessary. The public key cryptography assumed by the PKI system is the most common method on the Internet for authenticating a message sender or encrypting a message. Traditionally, cryptography has involved the creation and sharing of a secret key for the encryption and decryption of messages. The most well-known uses are email and document encryption and authentication, but PKI is actually much broader than that. It can provide authentication for VPNs...