See links for my presenting videos on the Succeed@Solent online learning portal.
I'll try and get the videos up as soon as possible.
Succeed@research - http://mycourse.solent.ac.uk/course/view.php?id=2361
Succeed@inductions - http://mycourse.solent.ac.uk/mod/book/view.php?id=75969
Succeed@feedback - http://mycourse.solent.ac.uk/mod/resource/view.php?id=52341
Monday, 3 August 2009
Interview with Ken Warren, Smartcard Business Manager at Cryptomathic
What is CryptoFirewall and how does it work?
CryptoFirewall is an embedded silicon core designed only to protect keys and crypto-algorithm, it doesn’t burden itself with additional functionality, and it can be implemented on its own or embedded. If you take the example of the pay-tv system and its conditional access module, a crypto-firewall would be embedded and that would be responsible for the components of the control contribution. It’s essentially responsible for one part and doesn’t get involved with all the various permissions. The application complements the existing system by securing that specific part of the control world so if the system is compromised the overall pay TV system isn’t. We can apply this in other anti-counterfeiting applications such as printers.
How much of a problem is piracy to the pay-tv industry?
Traditionally it’s been huge and continues to be so. There’s an estimate that if piracy was eliminated the suppliers would gain an extra £6bn in revenue worldwide, it’s staggering. Of course, some territories are better than others, and in instances where our CryptoFirewall technology is being deployed we have an unblemished security record. The first deployment was seven years ago and for something to survive in the field for that length of time is almost unheard of. The CryptoFirewall’s design goals were to be as highly tamper-resistant as possible and in the pay TV industry a lot of the attackers are well funded and well equipped. We see it as quite a compliment to our technology that it has survived the test of time. However, we’re not complacent. We recognize that things move along which is one of the reasons that we design CryptoFirewall with overlapping or complementary systems. We accept that certain elements may be compromised but the whole thing won’t be, because it’s not a single point of sale.
What sort of threats are companies at risk from?
One of the big issues in the pay-TV space is that set top boxes are sold at a loss or subsidized so the attacker will compromise the conditional access security. Thus, the attacker will receive the access for free and can bypass the subscription and payment mechanisms as well as re-programming the devices to work in the general case. Regularly, on eBay, people offer to sell conditional access cards or pay subscription cards which will get you access to programmes at a fraction of legitimate cost. In the counterfeit goods area, someone will clone copy a component such as printer ink cartridges, usually by refilling the tank. Technology has begun to be deployed whereby authorization is required to verify that the correct ink supplier is correctly validated.
That’s another area for technology like CryptoFirewall where you would have a cryptographic handshake between the cartridge and the printer head to ensure it’s the legitimate procedure and it’s ok to continue. Cloning is a potentially attractive market as goods are sold significantly in excess of the raw manufacturing cost. Another type of attack, remanufacturing, is when the device is worked upon so it can be re-used such as modifying set-top boxes. The final area is repurposing devices where cell phones, limited to a handset provider, are made available for general use by cracking the security.
How does CryptoFirewall provide the solution to these risks?
What CryptoFirewall is doing is providing a cryptographic authentication of the legitimacy of the product. There are a number of other application areas, such as medical devices. The potential vulnerability goes beyond purely financial, because there are life-threatening consequences of people using dodgy sensors. Another area is the aircraft industry. There are huge financial issues and the temptation to use ordinary bolts as opposed to specialist components so there’s a growing requirement to ensure that legitimate products are used. In general terms, the impact overall globally of counterfeit goods is something like £200 billion, that ranges from bags and perfumes to all sorts. There are legal remedies to catch the perpetrators but the other solution is to use technology to ensure that only legitimate products and parts will be used.
What challenges or competition does CryptoFirewall face in the industry?
It is undoubtedly a change to the existing legacy, and there’s no doubt there is a cost implication. However, if someone is losing a certain amount of money then it becomes an economic decision to cover the cost of deploying what is essentially a chip solution to solve that problem. There are other approaches that aren’t so rigorous. In the ink cartridge market, there are several manufacturers that provide chip solutions to authenticate the ink. In most part, these are simple and easy to bypass and in some cases it might just be picking a chip off one product and putting it on another. We believe that with the CryptoFirewall we have a very robust and cost-effective solution. We’re keeping the design solely security focused and not burdening it with additional non-necessary functionalities.
Currently, what sort of take-up has CryptoFirewall had?
Currently 75 million CryptoFirewall devices are deployed globally, predominantly in the pay-TV space. To date, as far as we’re aware it hasn’t been compromised. We work in industries where if they have been compromised we’d know about it pretty quickly!
What does the future hold for CRI and CryptoFirewall?
We’re working with a number of customers to design CryptoFirewall into their products. We’ve announced initiatives in the pay-tv space and we’re working in other industries as well. The CryptoFirewall is quite a design intensive process and there’s an awful lot of work involved. One of the difficulties in designing something which is secure and tamper proof is that it has an impact on everything because you’re explicitly taking out the testing features that would help you. The verification process is time consuming and we put a lot of effort into that. One of the longer term objectives that we’re looking to achieve is to get a generic CryptoFirewall product supported by major manufacturers and we announced collaboration with Infineon to develop CryptoFirewall products. Ultimately, CRI’s objectives are to increase our capability to be able to relay CryptoFirewall solutions to those that would benefit from it, particularly anti-counterfeiting protection.
(Smartcard News Ltd, 2009)
Interview with Morten Landrock, UK Managing Director of Cryptomathic
What is Cryptomathic?
Founded in 1986, Cryptomathic’s origin is contained in the company’s name: cryptology and mathematics. Initially, our core area of business was to deliver cryptographic algorithms to banks which in turn were integrated into their own solutions. Technology has advanced significantly and now a rising number of new markets require complex and highly secure systems and procedures to maintain the confidentiality and integrity of data.
We capitalised on this trend and today Cryptomathic is a leading provider of bespoke security solutions to organisations operating across a wide range of sectors including finance, smart card, digital rights management and government. We offer systems for e-banking, two-factor authentication (2FA), public key infrastructure (PKI) initiatives, EMV card issuing, ePassport and advanced key management, which contribute directly to our customers’ core business activities. Essentially, we specialise in areas where cryptographic security is an essential and critical requirement.
In what sectors has Cryptomathic experienced the most success?
Cryptomathic has been successful across a number of different industry sectors, in particular banking, government and digital rights management:
Banking: Although the migration to EMV and the banking sector’s continued use of the internet to deliver services has created new opportunities for banks and improved convenience for customers, such advances have also resulted in increasingly sophisticated financial attacks from fraudsters. It is a continuing and complex process to ensure banking networks are successfully protecting sensitive data from existing and future threats, as most banks are operating a legacy IT system which was originally created for functionality and not security.
This is made even more challenging by the pace at which technology has advanced over the last decade, which would have been unimaginable when these IT systems were first introduced. With the 2008 APACS fraud figures (published in March 2009) revealing an ongoing increase in card-not-present fraud and a startling rise in identity theft – up by a third from six to eight per cent of total fraud - it is without doubt that Cryptomathic’s expertise will continue to be in strong demand from this market.
Government: By transferring our knowledge from securing highly sensitive data within the banking sector into the progressive ePassport landscape, we have developed and implemented solutions which guarantee the security of the biometrics data held within a machine readable travel document or eID card. Taking this one step further, Cryptomathic has designed the technology required to ‘speed up’ the ability of border controllers to access biometric details without impacting the integrity of the infrastructure or application. Due to our work with the UK Identity and Passport Service to deliver a public key infrastructure (PKI) solution in 2006, our consultancy, product offering and visibility in this area has gone from strength to strength. This skill-set has also been used to support the delivery of government ID initiatives.
Digital Rights Management (DRM): As technology becomes increasingly mobile, so does data which raises new concerns regarding the protection of copyright information and its management. Interest has grown considerably in the creation of a trusted environment for protecting data which will still enable access by authorised users. PKI is mostly known for electronic commerce and personalised digital signatures with the aim of preventing illegal use of digital contents by unauthorised users. However, there are currently a number of very large, ‘transparent’ PKI solutions for DRM in mobile phones and Trusted Platform Modules in PCs. Cryptomathic has witnessed an increase in demand for these specialised large scale solutions.
Who would you say to date is Cryptomathic’s main competition?
As one of the first companies to commercialise cryptographic algorithms, Cryptomathic has used its academic base to pre-empt new security requirements brought about by emerging technologies or regulatory decisions. This enables us to react to specific and individual client and industry needs in a timely manner. Our biggest competition comes from organisations that decide to develop solutions in-house rather than use an outside agency, which is usually a commercial decision.
What are the benefits of Cryptomathic products over those of its competitors?
All of Cryptomathic’s products are designed and built to specifically meet customer requirements today and are adaptable to future needs. Ensuring a solution is sustainable in the long-term is core in all our services, but is something that many systems developed in-house fail to acknowledge or accommodate, resulting in expensive amendments and time intensive upgrades.
Despite the current economic circumstances do you still see a significant demand for your products in the industry?
Not only is there still a strong demand for our offering, but we have also witnessed new business growth, particularly from the financial sector. Although banks are under increasing pressure to economise without compromising levels of security, fraud costs the industry millions of pounds each year and implementing e-security solutions can eliminate this criminal exposure and the associated losses. Such systems are automated, which can also reduce demand on internal resources and human error; all of which save banks money.
What security products do you see as having the greatest potential for adoption?
Due to the convergence of industry sectors, and the fast pace at which innovative multiple-partnership solutions are coming to market, scalable, reliable, flexible and secure server solutions have the greatest potential for adoption. Products that span payments and mobile in particular are currently experiencing a rapid rise in demand.
What are the main challenges facing the company in 2009?
Cryptomathic’s main challenge at present is the management of our global expansion strategy. We have an established office network throughout Europe and last year opened a new office in Canada to provide our US and Canadian-based customers with local business and technical support. With a rising demand in North America, Middle East and Asia for security solutions, in particular orders for EMV data preparation solutions for contact and contactless payment cards, as well as automated key management systems, 2FA technologies and PKI expertise, it is logical for us to raise our global visibility.
What does the future hold for Cryptomathic?
The security solutions market we address is likely to continue growing strongly for the foreseeable future, as there will always be a demand for cryptography-based products. In the coming years, a key area of focus will be the integration of biometrics with cryptography based solutions. Both technologies are very effective and offer different benefits in a range of scenarios. Cryptographic solutions - particularly when combined with a Hardware Security Module (HSM) - are so robust that the only challenge that has arisen has been from other sources.
For example, a bank will never experience a threat on the cryptography of its systems. The weaknesses originate from connections to the customer/bank interface and are most commonly exploited by attacks based on trojan, phishing, pharming techniques. In this instance, and many others, cryptography and biometrics can work together advantageously to provide increased assurances of security.
In the long-term, we intend to grow our company and further extend our portfolio of proven solutions through a pre-determined acquisitions strategy. Our overarching aim is to continue to deliver functional solutions and support, with a real return on investment, to a portfolio of happy and loyal customers.
(Smartcard News Ltd, 2009)
