Superconductor

Our marketing people were just looking at some sort of web site analytics tool and showed me the relative popularity of the posts on this blog so far. I found the results somewhat surprising. The most popular post by far (in terms of page views) was "How to get a strong password." The second most popular was "Hyperelliptic curves." The fact that I wouldn't have guessed this at all probably explains why I don't work in marketing. Both of these were 10 to 20 times more popular than the typical post.

It looks like there's actually an international conference dedicated to having fun with algorithms. This is the Fun with Algorithms conference, and it has been held every three years since 1998.

Implementing the Tate pairing can be fun. Maybe I'll submit a paper on that when this conference is held in 2013. Maybe I'll talk about implementing it in Lisp, like I did on one of Voltage's Jack Bauer Days a few months ago.

Our marketing people are having another of their fine webcasts. This one tells you about what sort of new encryption technology is available for protecting data on z/OS mainframes. It's sponsored by IBM and will take place at 10 a.m. (Pacific) on November 15, 2011 and will last for 60 miniutes. If this sounds interesting, you can sign up for this event here.

Here's an overview of what this webcast will cover:

Mainframes remain the core of business-critical operations in most of the world's largest and most successful enterprises, including those in banking, insurance, healthcare, and retail. But as IT management will attest, there can be issues with complexity when it comes to securing critical information on the mainframes running on z/OS.

Implementing an encryption solution can be disruptive to business operations and require hundreds of lines of code to acquire and store keys and perform cryptographic operations. Adding to the complexity are the deep expertise and highly specialized knowledge needed to keep all the moving parts working. Not only that, roughly 80% of z/OS customers use CICS, yet many vendors offer no developer abstraction to make it easy to encrypt from CICS transactions.

In this webcast we'll discuss proven strategies for easily implementing data security in the z/OS environment.

We'll also cover:

• Extending the proven security and defenses of the mainframe to protect information assets against new world threat to data 
• Pros and cons of various types of encryption and key management
• Achieving system interoperability with a data security platform approach
• Simplified key management that virtually eliminates key management issues
• A native z/OS encryption implementation that's easy to use with CICS or any z/OS environment

It looks like we won't be using anything except elliptic curves or hyperelliptic curves for a while. At least that's what the almost-certainly-authoritative Cleverbot thinks will happen.

 *** Only 23 spaces left ***

Voltage Security invites you to "Voltage Security Live 2011" at Bridgewaters in New York City on November 9, 2011. This customer summit will focus on data-centric security and will feature several leading Voltage customers, such as American Express, Wells Fargo, State Street and others, who will discuss how they have implemented encryption projects for email encryption, data-centric encryption and end-to-end payment encryption. Also presenting will be Eric Ouellet, research vice president with Gartner Group, who is currently working on a new analysis of how companies use encryption. The goal of the summit is to enable Voltage customers to network with each other and pick up valuable best practices.

Stop Press: Thanks to our sponsors - Coalfire, OpenPath, Teradata and Thales, we are able to offer registration for eligible particpants at no cost.  Register now at www.voltage.com/live

Join Voltage customers including: ADP, American Express, Bank of America, AT&T, Citigroup, Deloitte, Deutsche Bank, Elavon, Fidelity Investments, Heartland, JPMorgan Chase, McGraw-Hill, UBS and Wells Fargo. 
.
Highlights of the agenda include:

• CxOs Panel – Business dynamics for data-centric encryption security – How to get your security project funded
• Key Note – Eric Ouellet, Vice President Research, Gartner Group                      
• How to maximize customer adoption – Kim Mroczkowski, Wells Fargo
• 4. How to structure a data-centric encryption project – Emily Mossberg, Deloitte
• 5. “Birds of a Feather” Networking lunch
• 6. Tracks: Customer and Best Practices – American Express, State Street, Thales, PwC, Coalfire 
• 7. Security Leadership Panel – Gartner Group, State Street, American Express, Wells Fargo

Stop Press: Thanks to our sponsors - Coalfire, OpenPath, Teradata and Thales, we are able to offer registration for eligible particpants at no cost.  Register now atwww.voltage.com/live 

To some, mainframes are seen as dinosaurs, technology that is obsolete or should be. However, this veteran platform has shown its resilience in enterprise computing for a reason. The benefits it offers to the corporate infrastructure - extreme scalability, high throughout, high availability - are matchless.

However, as IT executives responsible for running mainframes or other platforms with z/OS can attest - there are issues regarding complexity. For example, traditional encryption solutions can require hundreds of lines of code to acquire and store keys and perform cryptographic operations. And that isn't even the biggest problem; it's the knowledge required of all the moving parts of an application to ensure effective operation. And of course, with all that code and other complexities, there's more room for error. 

That's why developing an encryption solution based on Format-Preserving Encryption to address the mainframe environment was an interesting challenge - and it's been met. 

In response to customer requests, Voltage has now developed command line tools and a simple API that dramatically reduces the number of lines of code needed - from hundreds to just three. Now, companies of all sizes benefit from using Format-Preserving Encryption on the mainframe, including the ability to "encrypt here, decrypt there." This helps avoid the ASCII/EBCDIC issues that plague most cross-platform encryption solutions.

But that's not all. Engineers at IBM Hursley - the software development lab in Winchester, U.K., home to many of these technologies - point out that 80% of z/OS customers use CICS, the transaction server that's critical for mainframe operation. Unfortunately, many vendors still don't support CICS. Even IBM, which provides advanced encryption interfaces built into z/OS, has no developer abstraction to make it easy to encrypt within CICS environments. Traditional solutions for encrypting data rely on POSIX facilities, which are incompatible with CICS. 

Now, in a major step forward for cryptographic operations encompassing CICS and other z/OS environments, Voltage is introducing z/Protect, part of the Voltage SecureData product family. z/Protect provides even higher application data-level abstraction, requiring just one line of code to accomplish what used to take hundreds. More to the point, no one likes to mess with mainframe applications, and the z/Protect approach means even fewer modifications. 

To learn more about this innovative approach, which perfectly complements IBM's advanced cryptography on z/OS, here's a presentation introducing Voltage SecureData z/Protect.

The ate pairing can be very useful for implementing pairing-based cryptography because it can be much faster that either the Tate or Weil pairing. It's what all of our shipping products are moving to for that very reason.

Note that the first letter of "ate" isn't capitalized while the first letters of "Tate" and "Weil" are. That's because the Tate pairing is named after John Tate and the Weil pairing is named after André Weil. The ate pairing isn't named after anyone, however, so the word "ate" isn't capitalized.

And that's a good thing. It turns out that if you capitalize it, you end up with the Greek goddess Ate. Here's how the Encyclopedia Mythica describes her:

The Greek personification of infatuation, the rash foolishness of blind impulse, usually caused by guilt and leading to retribution. The goddess of discord and mischief, she tempted man to do evil, and then lead him to ruin. She once even managed to entrap Zeus, but he hurled her down from the Olympus. Now she wanders the earth, as a kind of avenging spirit, but still working her mischief among mankind. Her sisters, the Litai, follow her and repair the damage she has wrought to mortals.

So never capitalize "ate." That may give you a pairing that you really don't want to use.

At the J.P. Morgan Technology Innovation Symposium, yesterday afternoon, JPMorgan Chase inducted Voltage Security into its Innovation Hall of Fame in front of hundreds of Silicon Valley executives. 

Only two vendors were selected in this year's awards which recognize top emerging technology vendors for business impact, measured in terms of driving value for the firm, disruptiveness of technology and the overall quality of the partnership. Voltage was selected by top IT executives at JPMorgan Chase for its innovative data-centric encryption approach for protecting structured and unstructured data across datacenters, the cloud and mobile devices.

Since it's so much fun to run data visualiaztion applications on random stuff, I thought that I'd see what happens when I made a word cloud visualization of the Common Criteria using Wordle. Here's one version of it. Just looking at it gives me unsettling flashbacks to when we did an EAL2 evaluation of SecureMail a while ago.

 Posted by Terence Spies, CTO of Voltage Security:  

Over the past 10 years, IBE has become the one of the fastest deployed encryption technologies as measured by the commercial adoption of Voltage SecureMail™ and the use of IBE as a general purpose key management solution used across the Voltage Security product line. Since its commercial launch 8 years ago, Voltage SecureMail has become one of the most widely adopted secure email products in the world with over one billion secure business emails sent annually and over 50 million worldwide users; those numbers are expected to double by 2014.

IBE was first introduced on Tuesday August 21 at the 2001 Crypto conference in a seminal paper by Dan Boneh, Stanford University, and Matt Franklin, University of California Davis. The paper, entitled “Identity-Based Encryption from the Weil Pairing,” set forth a simple but powerful approach for encrypting information with identity-based keys. This cryptography breakthrough became the founding technology for Voltage Security that was incorporated in 2002 by three Stanford students working with Professor Boneh: Matt Pauker, Rishi Kacker and Guido Appenzeller. In July 2003, the new company launched Voltage SecureMail, an email encryption product using IBE to secure messages without the difficulties and expenses of traditional certificates.

Key metrics in the 10 year history of IBE:

• 50 million Voltage SecureMail users worldwide.
• Approximately one billion IBE secured business emails will be sent in 2011.
• By 2014, it is estimated there will be 100 million Voltage SecureMail licensed users and over two billion secure emails will be sent that year.
• All the messages protected by IBE in 2011, if printed out, would circle the globe seven times.
• Nearly a third of the world’s 20 biggest public companies (per the Forbes Global 2000) have standardized on Voltage SecureMail.

 World’s Biggest Companies Standardize on Voltage SecureMail

Nearly 30% of the world’s 20 biggest public companies (as listed by Forbes Global 2000) have standardized on Voltage SecureMail powered by IBE including four of the world’s largest global financial institutions; one of the world’s largest retailers, one of the largest U.S. managed healthcare providers and several large regional healthcare providers.

Notable Voltage SecureMail customers from the last year include:

• One of the largest Wall Street banks with over 230,000 employees standardizes on Voltage SecureMail
• A major Wall Street bank and Fortune 100 financial services provider with global operations chooses Voltage SecureMail for its 100,000 employees around the world.
• A major credit card brand with over 60,000 employees standardizes on Voltage SecureMail
• An award-winning regional health care organization replaces a non-functioning email security solution from one of the largest technology companies in the world with a policy-based encryption solution from Voltage SecureMail

• A Fortune 50 global financial services company deploys Voltage SecureMail to over 320,000 internal and several million external users across 86 countries, replacing an aging PKI-based encryption technology.

In addition, over 1000 enterprise companies have standardized on Voltage SecureMail, and thousands of mid-size to smaller business use the cloud-based Voltage SecureMail Cloud™ solution to protect private and confidential information.

More information at www.voltage.com

I was just asked one of the best questions ever about data breaches. It happened roughly like this.

"You guys seem to do a lot of analysis of data breaches. I just have one question for you about it."

"OK."

"I see why you're doing it, but why isn't anyone else also doing it, too?"

That's a very good question.

Looking at the available data isn't really very hard, and there are lots of companies who you'd think would also be interested in understanding it. I have no idea why they're not.

Nathan Carter's book Visual Group Theory tries to help you understand group theory through a set of pictures. Some of these made sense to me while others didn't. Here's the illustration of the structure of dihedral groups from a presentation that Carter gave before the book was available. That seems to show their structure in a very useful way.

 

Carter's book runs 297 pages, many of which are illustrations like this one. It's a book that I would have found very useful back when I was taking classes in group theory. It would have definitely helped to make some concepts clearer. If you're interested in group theory, this is probably a book that you'll want to have a copy of.

Carter has also developed software that lets you create visualizations of groups. This is Group Explorer, and it's something that I wish I had time to actually try. Maybe I'll do that on Voltage's next Jack Bauer Day.

Because the machinery that Voltage's IBE algorithms use comes from algebraic geometry, the engineers who work on our core cryptography need to understand at least a little of it. So I wasn't too surprised this morning when I was asked what the connection is between the spectrum of a ring and the spectrum of a matrix. Here’s the totally non-rigorous answer that I came up with.

Suppose that we have an n x n matrix A over the complex numbers ℂ. The spectrum of A is the set of eigenvalues of A, or the solutions to

f(x) = det(A – x I) = 0

The spectrum of a ring is the set of prime ideals of the ring.

These two ideas sound like they’re totally unrelated at first, but there’s actually a connection. Here’s an example that shows this.

The Cayley-Hamilton theorem tells us that the matrix A satisfies f(x). So if we write

f(x) = a₀ + a₁ x + a₂ x² + … + a_n-1 x^n-1 + xⁿ

then we also have that

f(A) = a₀ I + a₁ A + a₂ A² + … + a_n-1 A^n-1 + Aⁿ = 0

To make things simpler, let's suppose that A has n distinct eigenvalues, and let's write

f(x) = (x - λ₁) (x - λ₂) ... (x - λ_n)

Now consider the ring ℂ[A] where

ℂ[A] = {z₀ + z₁ A + z₂ A² + …, z_i∈ℂ}

Because we have that

f(A) = a₀ I + a₁ A + a₂ A² + … + a_n-1 A^n-1 + Aⁿ= 0

we can reduce elements of ℂ[A] modulo f(A) to get rid of powers of A higher than n - 1. That's just like working in the quotient ring

ℂ[A] / (f(A))

But we can also think of this quotient as

ℂ[A] / ((A - λ₁ I) (A - λ₂ I) ... (A - λ_n I))

From there, the correspondence between the eigenvalues λ_i and the prime ideals (A - λ_i I) seems fairly natural. Or at least it's where most people seem to say, "Ah, I see the connection now." So if you're going to generalize this idea to other rings, calling the set of prime ideals the spectrum of the ring actually seems to make sense.

Dan Brown recently wrote a paper that described what he calls "identity-based decryption." Here’s how he describes this in this paper’s abstract:

Identity-based decryption is an alternative to identity-based encryption, in which Alice encrypts a symmetric key for Bob under a trusted authority’s public key. Alice sends Bob the resulting ciphertext, which Bob can send to the trusted authority. The trusted authority provides Bob the symmetric key only upon verifying Bob’s identity.

I’m not quite sure that this is really a new idea. It’s very similar to what existing implementations of identity-based encryption currently let you do.

Products like Voltage's SecureMail that use IBE to encrypt email let you do the IBE either with or without client software. If you have client software installed, they work like you’d expect:

1. Alice encrypts a message with a symmetric key
2. Alice encrypts the symmetric key with Bob’s IBE public key
3. Bob gets his IBE private key from a key server
4. Bob decrypts the symmetric key with his IBE private key
5. Bob decrypts the message with the symmetric key

But if Bob’s in an environment where he can’t install client software or his IT department won’t let him install any client software, a slightly different approach is used. In Voltage's SecureMail, we call this the Voltage Zero Download Messanger. Here’s how it works:

1. Alice encrypts a message with a symmetric key
2. Alice encrypts the symmetric key with Bob’s IBE public key
3. Bob sends the encrypted message to a secure server
4. The secure server gets Bob’s IBE private key
5. The secure server decrypts the symmetric key with Bob’s IBE private key
6. The secure server decrypts the message with the symmetric key
7. The secure server sends the decrypted message to Bob

That’s extremely close to Brown’s IBD. It just does an additional step or two for Bob.

And by using IBE to do this instead of IBD, you get some important advantages. The biggest of these is probably the fact that you don’t need to securely archive any private keys. This makes an IBE system very simpler to buy and operate, and that gives the technology a big advantage when it’s compared to other alternatives.

So IBD looks like an interesting idea, but I doubt that it would ever get the commercial acceptance that IBE has seen. The last numbers that I saw said that there are somewhere between 40 and 50 million users of IBE worldwide, and I’d guess that most of those users use it because some CISO liked the fact that systems that use it are much cheaper to buy and operate than the alternatives.

We recently had another one of Voltage's Jack Bauer Days. These are days when everyone in engineering gets to work on whatever they want to for 24 hours. I always seem to miss these. I actually missed this one too, so I decided to do whatever I wanted to do from airplane seats and airports.

My first thought was to try to understand abelian varieties, but then I realized that I had a few hours hours instead of a few months, so I decided to try something a bit easier: implementing the Tate pairing and the ate pairing in Lisp. This turned out to actually be fairly easy.  

The ate pairing is useful in many applications of pairing-based cryptography because it can be much faster than the Tate pairing. That's why we're moving to in all of our shipping products. But my Jack Bauer Day implementation didn't seem to have that particular advantage. And now there seems to be a shortage of parentheses at Voltage. Maybe we'll get some more in our next weekly office supply shipment. 

There are lots of good reasons to be interested in format-preserving encryption. Most of them involve getting encryption to work in IT environments that have lots of older technologies in them. Lots of these don't handle encrypted data gracefully, and you never quite know which part of your IT environment will choke on even a slight change in data format until you try it.

But if you're going to use FPE, it's probably best to just use either a shipping product that implements this for you or to use someone else's encryption toolkit that does this. It's probably not a good idea to implement it yourself.

But that's just what one of our competitors is recommending. Here's what they said on their web site when someone asked about for FPE. (I've tried to make this anonymous, because I know that this vendor is actually very careful about security, and that this questionable advice probably doesn't really reflect the company's point of view.)

What you could try is:

• Re-format your plain text from the restricted key space format to binary format plain text.
• AES encrypt the binary format plain text to produce binary format cipher text.
• Re-format your cipher text from binary format cipher text to resticted key space format cipher text.

where "restricted key space format" is the restrictions placed on the text based on the format you are trying to preserve. For instance, if your plain text was only ASCII numbers '0' to '9', before encrypting the numbers, you would need to convert the number to the range 0x00 to 0xFF.

Unless you really know what you're doing, following that advice is very likely to lead to an approach that isn't as secure as you think it is. The way that Voltage does FPE uses a technique that's provably secure. Our approach and the proof that it's secure is actually due to Phil Rogaway, which is about as good as you can get when it comes to symmetric encryption. Other approaches may not be as sound.

(As an aside, I actually have seen fairly non-technical QSAs arguing with Phil over this on various Internet forums. It's sort of like seeing an undergraduate English major telling Einstein that his theory of general relativity is totally wrong. But that's probably getting too far off topic. ) 

In any event, it's still true that creating your own cryptographic algorithms is probably not a good idea. It's easy enough to buy products or to license a toolkit that will do FPE in a secure way. That's probably a much better approach than trying to do it yourself.

Working for a vendor of encryption technology is a bit different than working for many other technology companies. I was recently reminded of this when I heard some of the engineers at Voltage describing how their current job is different from ones that they've had in the past.

Our engineers seem to be well above average in many ways, and this often made them the "go to" person for math questions in their previous jobs. At Voltage, however, because we deal with public key cryptography a lot, we have lots of people who understand this technology, and that means that they also understand way more math than your typical engineer does. This means that some of the people who previously found themselves as the "go to" person for math questions now find that they don't get those sort of questions at all. One of the people who work on our core cryptography tends to fill that role instead.

I was a bit surprised to hear that, probably because I've worked around people who deal with numbers for most of my life so that I often (incorrectly) assume that the rest of the world is also that way.

In today's Forbes CIO Blog, Voltage co-founder, Matt Pauker, shares his vision for how corporations can reduce the risks associated with sensitive data being in the hands of 3rd party cloud/service providers - insist on a mandatory data encryption clause in all service provider contracts.

I just read CDW's "Elevated Heart Rates: EHR and IT Security Report" (PDF - giving personal information may be required). It looks like lots of people are concerned about the privacy implications of electronic health records. Here's how CDW's survey found that people thought that EHRs would affect the privacy of personal information and  health data:

Significantly negative: 9 percent

Somewhat negative: 40 percent

No effect: 24 percent

Somwhat positive: 20 percent

Significantly positive: 7 percent

So 49 percent, or almost half, think that the use of EHRs will have a negative effect on their privacy.

The other 51 percent are wrong.

We really don't quite know how to protect sensitive information in a cost-effective way yet, and this applies to EHRs as well as it does to other types of sensitive information.

National governments do a reasonable (but not perfect) job of protecting classified information, but they way that they do it is very expensive and doesn't work well when you're actually worried about things like costs and people being able to do their jobs efficiently.

Or you could just encrypt your sensitive information, but using that approach relies on having strong key management to support the use of encryption, and how to do interoperable key management securely and in a cost-effective way is still an unsolved problem. (This is why a big fraction of Voltage's R&D focuses on key management and lots of our products are really designed to make key management easier - we want to be the first to solve this problem.)

But in the absence of a good way to protect EHRs, we're definitely going to see them compromised. That's whey I get worried every time I hear people in Congress talking about EHRs as a good way to reduce the cost of health care in the US. They might actually allow some cost savings, but it would almost certainly also allow the disclosure of sensitive information on an enormous scale. So because the technology to adequately protect EHRs really isn't there yet, it probably isn't time to move to them yet. Let's work out how to address the privacy concerns first.

The 2011 Key Management Summit is almost here. This year it's being held in Pacific Grove, California, right down the street from the Monterey Bay Aquarium, the Pebble Beach golf course and 17-mile Drive. Previous events were sponsored by the IEEE and were collocated with the IEEE MSST conference. But because key management has moved away from its roots in storage, this year's event isn't being held with MSST. It's not even an IEEE event this year. That means that the IEEE won't cover any losses that the event might suffer, so key management vendors Voltage, Thales and SafeNet volunteered to handle that responsibility. It's still an industry event, just one that vendors are picking up the tab for this time.

But there are more reasons to go to this event besides a nice location. It's a great chance to learn about key management from people working in academia, the government and industry. Each of these types of participants usually have very different points of view, and you can learn lots of interesting things from each of them.

The academic point of view might not be very helpful for solving today's key management problems, but it will probably a good indication of what's coming in five to 10 years.

The government speakers probably have some interesting things to say also. Some of the biggest key management systems in the world are run and used by government agencies, and the people behind these projects often have lots of interesting insights that are hard to find elsewhere.

And when it comes to knowing who's actually buying what, there's no better of point of view than that of the vendors who are making and selling key management solutions today.

From the most recent program for this event, it certainly looks like there are couple of excellent opportunities to hear things that will be of interest to anyone working in the information security field. These two talks look particularly interesting:

Dorothy Denning, Naval Postgraduate School, "The History of Key Management"

Dan Boneh, Stanford University, "Social Keys: New Directions in Public Key Management"

Back in the dot-com era, Dorothy Denning was one of the most vocal supporters of the Clinton administration's key escrow plans, which would have required all users of strong cryptography to use a version of the technology that the government could get the keys for and decrypt. With a court order, of course. She's seems to have changed her mind in the past 10 years or so, but it will still be interesting to hear her description of what really happened in the political battles over key escrow.

Dan Boneh is probably very well known to people in touch with the academic cryptography research community, although he might be less well known by people in the business world. In addition to being the inventor of the first practical and secure identity-based encryption scheme, he won the 2005 RSA Award for the field of mathematics for his work in public-key cryptography. He's one of the world's leading researchers in the field and can definitely give you a good idea of where academic research in data security is headed.

But it's not just academics that will be at this year's event. Here's a list of the other talks that are confirmed as of today:

Tony Steiber, Wells Fargo, "Crisis and Opportunity of Cryptographic Key Management"

Chris Kostick, Ernst & Young, "Auditing an Enterprise Key Management Project"

Elaine Barker, NIST, "Key Management Framework"

Ramon Krikken, Burton Group, "So we're managing a bunch of keys… now what?"

Bob Griffin, RSA, "The OASIS KMIP Standard: Interoperability for the Cryptographic Ecosystem"

Rami Shalom, SafeNet, "Universal Key Management in an Age of Encryption Fragmentation"

Bob Griffin, RSA, "Where Are My Keys?"

Jon Geater, Thales, "Key Management Control Strategies in the Cloud Information System"

Boris Schumperli, Cryptomathic, "A New Approach to Key Management in the Cloud"

A panel discussion on cloud key management, led by Ramon Krikken, Burton Group.

And even though it's not an official part of the event, the best part might actually be what you learn from talking to people working in the field over lunch or dinner. That's when you'll often learn all sort of things that you wouldn't hear in a more formal setting. Past events have also had very interesting discussions between the major key management vendors about which of their products were selling and which ones weren't. And at one past event, one leading key management vendor even learned from one of their biggest customers that they weren't happy with certain features of the vendor's products. The sort of stuff that you want to hear but that's hard to learn in other ways. For only $325, that's a pretty good deal.

But it's even better than it already sounds. (Try to imagine that being said by either Billy Mayes or Anthony Sullivan, the famous infomercial pitchmen.) 

That $325 even includes a room at the Asilomar Conference Grounds and your meals while you’re at the meeting. I’m not part of the program committee for this year’s event because people didn’t want to see too much participation from a single vendor so I haven’t see the budget for this event, but I’m very surprised that they were able to do this for only $325. In many cases, just the cost of the meeting rooms and insurance that hotels make you get for events like this can put a floor of around $200 to $250 on what you can charge to break even, so the fact that they were able to get the meeting facilities plus a room and meals for only $325 is quite impressive.

And although the web page for the KMS doesn’t mention it, I’ve been told that attendees will also get a KMS 2011 t-shirt.

So there will be lots of interesting discussions and a cost that’s probably well below what you’d expect. Milton Friedman would probably suggest that you take this opportunity to buy something at a low price instead of selling something at a low price, and you can do that by signing up for this event here.

Just in case you haven't heard, this year's RSA Conference marks the 20th anniversary of this event. This year's event start in just a few days. I'm not sure what's being planned for this year, but there will almost certainly be an event worth attending. The best part will probably be the party that Voltage puts on. That was definitely one of the high points of last year's event.

And that's coming from a person who just worries about arcane issues in cryptography and information security and sometimes doesn't actually talk to another person for days at a time.

So if you haven't received an invitation to this year's party yet, be sure to contact your Voltage sales rep and ask for one.

Sure, Voltage sells several millions of dollars of enterprise software each year, but what is the domain name "voltage.com" itself worth? I recently came across a web site (that I can't seem to find again after cutting and pasting these values) that had the following estimates for the value of this domain name: 70 bars of gold, 16 camels, 42,115 bottles of beer or 4,761 bottles of vodka.

Really.

I have absolutely no idea how they came up with those values. They might even be just random values meant to entertain instead of being based on some sort of useful information, but I'm now sort of curious exactly how much software we sell each year as measured by those values. Just not curious enough to actually figure out what a reasonable conversion from dollars to bars of gold, camels, bottles of beer or bottles of vodka is.

The best part of stumbling across this bit of Internet trivial might have been learning that our competitors all have much less valuable domain names, even when measured in camels or other unconventional units. Maybe I'll mention that to them when I stop by their booths to talk to them at the RSA Conference that's starting in just a few weeks.

Just in case the discussion of cryptographic key strength here isn't enough for you, here's a You Tube video that also talks about it:

There's an interesting interview with Nassim Taleb, the author of The Black Swan, on The Economist's web site. In this interview Taleb talks about how some systems actually benefit from shocks.

When I saw the video of this interview, I was reminded how the invention of IBE may be exactly the sort of shock that he's talking about. IBE lets you encrypt sensitive data, and it does this in a way that's very easy for users and very inexpensive for administrators. This means that it makes encrypting lots of data feasible that wouldn't be feasible otherwise, and it's probably no coincidence that the dramatic increase in the use of encrypted email over the past few years coincides with the introduction of IBE and widespread use of IBE.

Taleb didn't use IBE as an example of a case where a big change can actually end up having a big benefit, but that's probably because he's not a big user of enterprise software. Among people like that, particularly the ones who worry about information security, IBE seems to be much more widely known.

These days, when our sales guys are tied up and I end up manning the Voltage booth at trade shows, I'm rarely asked to explain what IBE is and how it works. Five years ago, that wasn't the case. These days it seems that the more common questions are from existing customers, and they're often about how they can use their existing key management system that they got when they bought Voltage SecureMail for other applications.  That's definitely a big change.

Today is apparently Voltage Day, the first of many to come. Here's what my calendar shows:

It actually looks like every day will be a Voltage day this year. At least the weekdays.

A few times per year, Voltage has Jack Bauer Days, where the people in engineering can do whatever they want to for 24 hours. Although taking the day off to stay home and watch episodes of 24 on Netflix is certainly allowed, most people stay up all night working on some sort of programming project that they've always wanted to try. While using the sucks/rocks web site to compare HTTPS and S-HTTP, I also used the site to compare the popularity of common programming languages. Here's what I got:

Based on this, I think that I'll try using LISP to implement the Tate pairing for our next Jack Bauer Day. (That's if I manage to be around for it. I've actually missed every one of them so far because I've been out of town at some standards meeting. Maybe I'll have better luck this time.)

Just in case anyone asks why I'm implementing the Tate pairing in LISP, I have a response prepared that justifies it as an important project. After all, my justification goes, there are still people out there who use EMACS. They'd probaby love to have a way to implement identity-based encryption in that environment, but the lack of an implementation of the Tate pairing in LISP is probably the biggest single obstacle to letting them do this. So if I do the hard part for them, they might become big users of identity-based encryption. Or at least that's the best reason that I've come up with so far.

Because we've grown too big for our current building, Voltage will be moving soon. But not before I had a chance to notice that Google Maps actually labels Voltage's location as "Voltage Security" if you zoom in on our current address.

Seeing this reminded me of the following exchange from The Jerk, in which an excited Navin R. Johnston (played by Steve Martin) tells his less-than-excited boss Harry Hartounian (played by Jackie Mason) how excited he is that the new phone book has arrived:

NAVIN: The new phone book's here! The new phone book's here!

HARRY: Boy, I wish I could get that excited about nothing.

NAVIN: Nothing? Are you kidding? Page 73 - Johnson, Navin R.! I'm somebody now! Millions of people look at this book everyday! This is the kind of spontaneous publicity - your name in print - that makes people. I'm in print! Things are going to start happening to me now.

So maybe because we're in Google Maps, things are going to start happening for us. (Although if you look at the number of businesses using our technology and our current rate of growth, you'd probably think that that's actually happened already.)

We recently had another Jack Bauer Day at Voltage. These are days when everyone in engineering can do pretty much anything that you want to for 24 hours.

It's truly amazing to see what our engineers can pull off in 24 hours. One of them completely overhauled a feature of our existing products to make it much more user-friendly. Another one single-handedly added a very complicated feature that a big customer was asking for. Yet another managed to implement an identity-based encryption algorithm in JavaScript. Others did more research-oriented things, like implementing a homomorphic encryption scheme.

After the event, each of the teams gave a short presentation on what they had accomplished. It was hard to fit all of these into the two-hour slot that we had, but it was a very interesting two hours.

I just learned that Despair.com, the people who are probably best known for their parodies of corporate motivational posters, sells calendars that you can customize. In addition to picking which demotivational poster appears for each month, you can also customize each day with up to 120 characters so that you'll never miss important events like National S'mores Day or Hug Your Cat Day. A better use might be to label every day as Send an Encrypted Email Using VoltageSecureMail Day. At only 68 character (counting spaces), that's well within the allowed limit for a customization string.

(When I ordered my custom calendar, I didn't actually have every day as Send an Encrypted Email Using Voltage SecureMail Day - I had April 1 marked as Send an Encrypted Email Using XXX Day, where XXX is actually the name of one of our competitors.)

it looks like our marketing guys are having another webinar. This one's Understanding EMV – Future Directions for the U.S. Market, and here's a quick description of what it will cover:

Merchants, issuers and acquirers need to understand the elements that comprise EMV, how EMV adoption may impact PCI compliance initiatives and what additional security needs to be implemented to ensure comprehensive data protection from Point-of-Sale (POS) and Card Not Present (CNP) to back-end Merchant IT systems.

In this webcast you will learn:

Why EMV is gaining more awareness in the United States as the standard for securing interactions from the card to the payment terminal

What threats EMV is designed to mitigate and how EMV affects PCI compliance

Why organizations need to address the complete security of cardholder data across their back-end IT systems

This webinar will be October 12, 2010 at 11 am Pacific/2 pm Eastern and will last 60 minutes.

If that sounds interesting, you can register for this webinar here.

In a previous post I mentioned how a recent press release from our marketing people mentioned that we now have over 4.5 million licensed users of SecureMail, but due to the way that we license the software, it's not clear exactly how many total users that represents.

I was recently talking to the people who run our cloud computing offering, VSN, about what their experience says that the right multiple should be. Their answer was about 7, which means that those 4.5 million licensed users represent a total of about 31.5 million total users of SecureMail. That's even more than I first thought.

It looks like I'll be talking at the Rochester Security Summit next month about what we've learned at Voltage about the patterns that we can find in data breaches. Some of this material will be what I've mentioned on this blog as well as the article on this topic that I wrote for CSO Magazine, but there will also be lots of new material. If you're interested in this subject, you might want to stop by and see this talk.

Unfortunately, Rochester is three hours ahead of California, so a talk that's scheduled at 9 AM in Rochester feels like it's really at 6 AM to me, and for those of use who aren't morning people, this can be extremely unpleasant. Fortunately, I'll be out in New York a few days before the Rochester Security Summit, so the people that I'm visiting earlier in the week will probably be the ones that get to see me suffering the worst of the effects of the jet lag.

Our marketing people issued an interesting press release last week. There was some stuff in it about a huge growth rate, lots of consecutive quarters of profitability, and similar things, but what I found the most interesting is that we now have over 4.5 million licensed users of our SecureMail product.

Note that that's 4.5 million licensed users. Our sales guys typically license our email product to an enterprise by the number of internal users, so the actual number of users is actually much greater than that. Perhaps even much greater. So although it's impossible to get an accurate estimate for how many users we really have, it's not hard to believe that there are probably over 20 million users of SecureMail now.

That's a lot of users.

It looks like some researchers at RWTH Aachen University have an on-line tool for creating BN curves. These are elliptic curves that are particularly useful for pairing-based cryptography, like the identity-based encryption that Voltage uses. If you're interested in implementing pairing-based cryptography, this is a very useful resource to have.

It's generally true that there's no such thing as a free lunch, and this even applies to identity-based encryption. From the user's point of view IBE is great because it's simpler to use than alternatives. From an administrator's point of view IBE iss great because it's extremely simple to keep running. These two combine to make its TCO much lower than the TCO of alternatives.

On the other hand, all of these good features don't come for free, but they really involve things that users and administrators don't see. In particular, it can be very difficult to find elliptic curves that are suitable for use in IBE algorithms. Most elliptic curves don't work very well for this and it can be a bit tricky finding ones that do. BN curves happen to be an example of a type of curve that do work well, so having a place where you can get parameters for such curves can be very useful.

The parameters that you can get from this on-line tool aren't optimized to give you very good performance, so they're not what you'd want to use in a shipping commercial product, but if you're just doing development and testing they're very useful.

In 2009, Mihir Bellare and Phil Rogaway shared the ACM's prestigous Paris Kanellakis Theory and Practice Award for their creation of the idea of "Practice-Oriented Provable-Security." Here's the citation for the award that explains why they received it:

Historically, cryptographic schemes used in practice were designed in ad hoc ways and subject to failure. Practice-Oriented, Provable-Security (POPS), developed by Bellare and Rogaway in a series of papers in the 1990s, changed this, giving us the means to create high-assurance practical cryptography, meaning schemes that were backed by the theoretical guarantee of provable security while meeting practical needs and expectations.

Today, POPS-based schemes are cornerstones of Internet security, implemented in most communication security protocols and software - these schemes are used every time someone makes a credit card-based Internet purchase. Meanwhile, the models, techniques and approaches that Bellare and Rogaway introduced, including the random oracle model, have become the foundation of a new subfield of cryptography, inspiring a great amount of follow-on work. Their papers are amongst the most cited in cryptography and their work is discussed in dozens of textbooks.

Bellare and Rogaway changed the perception of theory in practice. Prior to their work, practitioners ignored theory or were even antagonistic to it. Today, they not only choose to implement and standardize proven-secure schemes, but make provable security a requirement in some of their calls for algorithms. That this requirement can be met owes much to Bellare and Rogaway's work. 

In other words, Bellare and Rogaway created a framework for cryptographers to use to prove the security of their inventions and this framework is really the single thing that's most responsible for transforming cryptography from an art into a science.

Before POPS, the only way to ensure that a cryptographic scheme was secure was to wait a while to see if anyone could find a weakness with it. With the invention of POPS that's no longer necessary. It might even be a waste of time to wait to see if a weakness can be found because if there's a valid proof because the very existence of the proof tells you that there can't be one.

Many of the technologies that we use at Voltage have proofs of security. This includes both our Identity-based Encryption and Format-Preserving Encryption. The things that we use that don't have proofs of their security are just things that older standards define: techniques standardized before POPS typically don't have proofs of their security, but there's no really alternative to using them.

I'd hope that newer standards won't have this problem. All of the discussions that I've seen recently in various standards groups have required a proof of security before a new crypotgraphic scheme is taken seriously.

Phil Smith of Voltage will be talking at the SHARE meeting in Boston next month. His talk will be on Tuesday, August 3 from 9:30 - 10:30 am, and the topic is Enterprise Encryption 101. Here's a quick summary of what he'll be talking about:

We've all seen the seemingly weekly news about yet another data breach: millions of credit card numbers, SSNs, or other personal information exposed. Encryption is the technology that minimizes the cost of such data breaches, by making the "leaked" data useless to the thief. So more and more sites are investigating encryption, some even before a breach occurs. But where do you start with this technology? How do you make a sensible choice among dozens of vendors, between hardware and software? Where and when do you encrypt data, and is that sufficient? What about emerging standards and legislation, such as PCI DSS, Red Flag, GLBA, SB1386, Directive 95/46/EC, et al.? Come hear about implementing encryption from a business perspective -- what you need to worry about and how to approach it. This is not a comparison of encryption technologies per se, but rather a look at the issues surrounding them. While the presenter works for an encryption vendor, this is a general presentation, with minor content at the end that discusses the Voltage SecureData product as an example.

If you can't make it to Phil's talk, you can download the slides for his talk here. That's probably not quite the same as seeing the talk in person, but it's probably much cheaper.

Last weekend I took my sons to a local game store where they run demos of various boardgames. This particular weekend the demo took longer that usual so I had some time to kill and I tried making entertaining anagrams for "Voltage Security."

One of them, "cattle ye vigours," seemed the one that might be deemed "most likely to be said by a pirate." Maybe this September 19 (talk like a pirate day), I'll hear a few people saying something like "Arr, cattle ye vigours matey!"

Another one, "evil cages tryout" seemed to be a reflection on our fairly rigorous hiring process.

When I got to "lots creative guy" I stopped, thinking that that particular anagram was fairly appropriate. We are known for our innovative technologies, after all.

It looks like another big credit card processor has signed up to use Voltage's encryption technologies. This time it's Elavon, which means that three of the top five processors (Heartland, Fifth Third and Elavon) are now Voltage customers. Four of the top six POS vendors (Hypercom, Exadigm, UIC, XAC) are also.

This might explain why you don't actually see our sales guys in the office much. When they're not around it's much quieter and easier for the rest of us to work, so I certainly hope that their success in the payments industry continues.

Our marketing guys have yet another webinar planned, this time it will be held on June 16, 2010 from 10 am Pacific/1 pm Eastern and will last for 60 minutes. The topic this time is Managing 3rd Party Data Privacy - Protecting Your Own and Your Partners Information. Like some of our previous webinars, this one's also sponsored by FS-ISAC, the Financial Services - Information Sharing and Analysis Center.

Here's what they plan to talk about:

• How to ensure the protection of partner information and confidently manage third-party access to card holder and personal data, including protecting terabytes of files on mainframe and legacy systems
• Why a comprehensive end-to-end approach to data protection is critical to ensure the privacy of personal and sensitive information
• What market-leading organizations — such as AAA — really require in an enterprise data protection solution

The fact that one of the infrastructure consultants for AAA will be talking about his experiences is probably a good enough reason to check out this webinar. Every industry has it's own interesting set of problems that it faces and it's fascinating to see how they find clever uses of IT to solve these problems. I've never dealt with an organization like AAA, so I have no idea of the particular challenges that they face, but I'm certainly looking forward to hearing about them on this webinar.

Interesting news article by industry reporter Rob Westervelt who has been following business and technology trends in the payments sector:

	PCI tokenization guidance could benefit payment processors By Robert Westervelt, News Editor 27 May 2010 | SearchSecurity.com

Hyperelliptic curves are interesting for many reasons. The reason that we’re particularly interested in them at Voltage is that you can implement pairings using them and it might turn out that pairings on hyperelliptic curves can be more efficient than pairings on elliptic curves.

An elliptic curve is the set of points defined by an equation like

y² = x³ + ax + b

This gives you a structure that’s much like a torus – a shape that has a single hole in it, like a doughnut.

A hyperelliptic curve is defined by an equation like

y² = f(x)

where f is a monic polynomial of degree 2g + 1.

(There's really no reason to restrict the degree of f to being odd, and a polynomial of degree 2g + 2 will also work just as well. This makes some things trickier, so most people just stick to the odd degree case. One complication is that you actually get two different points at infinity instead of just one. More about that in a future post.)

When g = 1 this reduces to an elliptic curve, but the term “hyperelliptic curve” is usually reserved for the case where g is 2 or greater.

The number g defines the genus of the curve, a number which tells you how many holes the structure corresponding to an elliptic curve’s torus has. If the genus is 2, then the curve has a structure much like a doughnut with 2 holes, etc. The graph above is the graph of a hyperelliptic curve of genus 2.

Working with hyperelliptic curves causes some problems that aren’t there for elliptic curves. It’s possible to easily define a way to add points on an elliptic curve using the usual connect-the-dots algorithm, but this can’t be done for hyperelliptic curves. It’s possible, however, to add sets of g points on a hyperelliptic curve instead of single points. On a curve of genus 2, for example, we might add P = {P₁,P₂} to Q = {Q₁,Q₂} to get R = {R₁,R₂}. (Note that I've used brackets here instead of parentheses to make the notation more set-like. The order in which you list the elements isn't important for a set, and the order of the points isn't important here, either.)

The way that we add these sets of points is by thinking them as divisors, so that we're really adding divisors instead of adding points on a curve. The set of divisors on a curve, along with the rule that defines how to add them is called the Jacobian of the curve.

For a curve of genus g, we can reduce any divisor to one no bigger than one of the form

∑_i=1:g(P_i) – g(O)

For a curve of genus g = 2, for example, we can reduce any divisor to one like

P = (P₁) + (P₂) – 2(O)

So that when we calculate something like

P + Q = R

for a hyperelliptic curve we actually calculating

(P₁) + (P₂) – 2(O) + (Q₁) + (Q₂) – 2(O) = (R₁) + (R₂) – 2(O)

How we find R₁ and R₂ from P₁, P₂, Q₁ and Q₂ is very similar to how we add points on an elliptic curve. In the case of an elliptic curve, we fit a line through two points, find the third point where the line intersects the curve, and reflect this point across the x-axis.

In the case of a hyperelliptic curve of genus 2, we fit a cubic polynomial to the points P₁, P₂, Q₁ and Q₂. We then find the two additional points where this polynomial intersects the curve and then reflect each of those points across the x-axis to get R₁ and R₂. Here’s a picture that shows what it looks like when we add the points P (the two red dots) and Q (the two green dots) to get R (the two black dots).

Because doing operations on hyperelliptic curves are defined in terms of divisors, it shouldn't be much of a surprise that pairings, that are also calculated using divisors, work just as well on hyperelliptic curves as they do on elliptic curves. That means hyperelliptic curves might end up be useful in pairing-based cryptography. If there's a good use for them, they'll probably appear in Voltage's products in the future. Right now, however, elliptic curves seem to be good enough.

After reading the recent post about the usability lessons that software vendors could learn from the MMORPG Progress Quest, an alert reader suggested another good candidate for a very usable product, and that's the Holly Hop Drive, as seen in the episode "Parallel Universe" of the TV Show Red Dwarf.

Here's how the Holly Hop Drive is described in Red Dwarf:

LISTER: (Holding up the Holly Hop Drive) Is this it?

HOLLY: What do you think?

LISTER: It’s just a box with “STOP” and “START” on it!

HOLLY: It’s fairly straightforward. If you want to start it you press “START,” and you can work out the rest of the controls for yourself.

I can't say for sure whether or not the usability of Voltage's SecureMail was modeled on the Holly Hop Drive, but I don't recall it ever being mentioned. They do seem somewhat similar, though. In one case you just need to press "START" to get it working; in the other case you just need to click on "Send Secure."

An alert reader recently pointed me to an on-line comment that said the following about using computers in the classroom:

My school district blocks content but students are very good at finding and sharing proxy sites. They are also not as tech savvy as administrators and school board members seem to think they are. They are no more interested in using the laptops to learn than they are in using books. The laptops simply give them a more exciting way to be off task.

The alert reader then suggested that a similar comment about cloud computing security might be appropriate. Something like "CIOs are no more interested in cloud security than they are in other aspects of security. Cloud security just gives them a more exciting way to waste time."

I don't know how well it's actually understood by CIOs, but one of the biggest security challenges of cloud computing, is also the easiest to solve, and that's the problem of not exposing sensitive data in cloud computing environments. If you just encrypt your sensitive data that goes into the cloud then most of your problems disappear. That's not wasting time. It's solving a real security problem.

The main reason that all of your problems don't totally disappear is that key management is still a problem. There's actually a good discussion of this in the report Using Encryption to Protect Sensitive Data in Cloud Computing Environments that's available from the Burton Group. That's why Voltage is now developing key management technologies that work well in cloud computing. We have some fairly good solutions or this right now and we'll have some even better ones soon.

You'll probably see those discussed at future Voltage webinars.

Voltage is known for its innovative encryption technologies, but we're also known for how easy our products are to use. Not too many years ago, it was extremely hard for the average person to encrypt their email. The classic paper "Why Johnny Can't Encrypt" describes exactly how hard this can be for a typical user and anyone interested in the usability of encryption should read it.

With Voltage's SecureMail, on the other hand, a user doesn't have to do anything more than click on the "Send Secure" button instead of the "Send" button. If you're implementing SecureMail at a gateway appliance, they don't even have to do that – it can just happen automatically. Decrypting is just as easy.

Because we worry so much about the usability of our products, I'm very interested in seeing any enterprise security products that might actually be easier to use than SecureMail. If we ever find one of these, we'll probably be able to learn a thing or two from it. That's why I got so excited when I recently learned of an application that may actually be easier to use than SecureMail. In this case, however, it's not enterprise software. It's the game Progress Quest.

Progress Quest is a massively multiplayer online role-playing game (MMORPG). Before I heard of Progress Quest, I had never actually played a MMORPG, but that didn't stop me from being a government expert on the topic. I say that because I was actually the invited speaker at a government workshop on MMORPGs a couple of years ago. Unfortunately, the fact that I had to sign an NDA for this event means that I can't say much more about it.

Here's how the manual for Progress Quest describes the game:

Progress Quest is a next generation computer role-playing game. Gamers who have played modern online role-playing games, or almost any computer role-playing game, or who have at any time installed or upgraded their operating system, will find themselves incredibly comfortable with Progress Quest's very familiar gameplay. Progress Quest follows reverently in the footsteps of recent smash hit online worlds, but is careful to streamline the more tedious aspects of those offerings. Players will still have the satisfaction of building their character from a ninety-pound level 1 teenager, to an incredibly puissant, magically imbued warrior, well able to snuff out the lives of a barnload of bugbears without need of so much as a lunch break. Yet, gone are the tedious micromanagement and other frustrations common to that older generation of RPG's.

You start Progress Quest by picking the class and race of the character that you'll be playing. After that, the game does everything else for you. I even created a Progress Quest character: Elrond Hubbard, a Demicanadian Ur-Paladin with a name that's almost funny. If you're more adventurous you can pick races like Double Wookiee or Enchanted Motorcycle and classes like Fighter/Organist or Battle-Felon. I wasn't.

If you let Progress Quest run, your character will gradually increase in power and gain useful magical treasures. As I write this, Elrond Hubbard is currently Level 60 and has +23 Fine Gilded Plasma Vambraces. I'm not really sure if that's good or bad, but I certainly didn't have to pay any $9.95 monthly fees to get my character to where he is now.

Surprisingly enough, or at least surprisingly enough to surprise to a one-time government expert like me, Progress Quest seems to be fairly popular. The good reviews of it dramatically outnumber the bad reviews. And that's for a game where the player does absolutely nothing.

I'm never surprised to learn that most people really don't want to worry about encryption at all - they're too busy doing their jobs to worry about fighting with software that's hard to use. But I never would have thought that people would actually enjoy a game in which they do absolutely nothing.

In any event, I suppose that the bottom line is that we haven't quite figured out what we can learn from Progress Quest that will help us make SecureMail better, but that doesn't mean that we won't keep trying.

(If anyone wants to quote me about Progress Quest, here's my position on it: "Of all the games available for the PC, this is one of them.")