Sunday, 11 March 2007

Digital Signatures - never quite enough

Digital signatures, the poor cousin of digital certificates, suffer from many of the same issues, but benefit from being slightly simpler.
Digital certificates are a bit of a false friend in many cases. Yes, they can assist in authentication, authorisation, access control, session encryption, data encryption, and data signing, but they can never cover all of these things at once to the level required for full security. Just as I am a specialist in one particular area of security, so we need specialist tools to create enough depth of security in any one particular area. PKIs are complex, require constant administration, and can become extremely expensive. I've only ever installed one, and to my knowledge it was never actually used for its intended purpose. The problem is that it purports to do too much, and it can never deliver. Certificates might be a good start to security, but they really need some development.
This is why companies like nCipher, RSA and Decru have done so well: they have leveraged individual areas of digital certificates, protecting the keys which can be so easily copied otherwise, and using the keys for secure data transmission and encryption. These are all areas where more work was needed on what was essentially a step in the right direction.
Digital signatures, therefore, are in the same boat. They only go halfway to being what we need. HMACs, halfway again. A digital signature is the equivalent of having a picture of a piece of data, an application, or a system, which we can use only to verify if the data is the same at a later date. My old company, Vormetric, used this to great effect in their Coreguard product: applications had to authenticate themselves to the policy enforcement module before they were allowed to run on any data held in storage.
Great for authentication then, but not for verification. If the data has changed in any way, it's just a negative reply. No explanation of what has changed or where, just an indication that the data you are now looking at is incorrect.
Tripwire have come along and moved the goalposts recently by automating everything and constantly monitoring networks, taking a snapshot of the whole system at regular intervals and then reporting on it if there is a change. This is much closer to being secure, but this is not my area; this is still in the network space.
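The contrast between a single pass/fail check and a snapshot that reports what changed, as an added example that is not from the original post or from any vendor's product. It uses an HMAC in place of a signature (both give one yes/no answer), and the key, file names and contents are constructed for the demonstration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed key, for this example only

def tag(data):
    """HMAC-SHA256 over a whole blob: one tag, one yes/no answer."""
    return hmac.new(KEY, data, hashlib.sha256).digest()

def verify_blob(data, expected):
    """All a single MAC can say: unchanged (True) or changed (False)."""
    return hmac.compare_digest(tag(data), expected)

def whole(files):
    """Serialise the entire file set into one blob (demo encoding)."""
    return b"".join(n.encode() + b"\0" + files[n] + b"\0" for n in sorted(files))

def _canonical(digests):
    return "\n".join(f"{n}:{d}" for n, d in sorted(digests.items())).encode()

def snapshot(files):
    """Per-file SHA-256 digests, plus an HMAC protecting the manifest itself."""
    digests = {n: hashlib.sha256(body).hexdigest() for n, body in files.items()}
    return {"digests": digests, "mac": tag(_canonical(digests))}

def compare(baseline, files):
    """Report which files were added, removed or modified since the baseline."""
    if not verify_blob(_canonical(baseline["digests"]), baseline["mac"]):
        raise ValueError("baseline manifest failed its own integrity check")
    old, new = baseline["digests"], snapshot(files)["digests"]
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "modified": sorted(n for n in old.keys() & new.keys() if old[n] != new[n]),
    }

# Constructed sample data standing in for a monitored system.
BEFORE = {"etc/passwd": b"root:x:0:0\n", "bin/app": b"\x7fELF-v1", "etc/hosts": b"127.0.0.1 localhost\n"}
AFTER = {"etc/passwd": b"root:x:0:0\nextra:x:0:0\n", "bin/app": b"\x7fELF-v1", "tmp/new": b"dropped"}

if __name__ == "__main__":
    print("single MAC says:", verify_blob(whole(AFTER), tag(whole(BEFORE))))
    print("snapshot diff says:", compare(snapshot(BEFORE), AFTER))
```

The diff is only as trustworthy as the stored baseline, which is why the manifest carries its own MAC and `compare` refuses to report against a baseline that fails it.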
In my next post I will be revisiting data security and explaining what we need to make it fully secure. Digital signatures are a vital part, as they are in so much of IT security, but they will never address any problem you have in full.
