I’ve been watching the recent announcements about how hackers—some speculate foreign countries—have cracked the security infrastructure of a system and have stolen the names and passwords of thousands—sometimes millions—of customers.

The details of all these disasters are not what I want to talk about. Just this simple and seemingly obvious point.

Any system that stores the names and passwords of anyone is a failed security design.

Symmetric vs. Asymmetric keys

In the late seventies, these three guys—Rivest, Shamir and Adleman (you probably know them as “RSA”)—published a paper describing a scheme for public-key cryptography.

They later formed a company based on this patented technology. Pretty much every systems company on the planet has ponied up and bought a license for some aspect of the technology.

If PKI is so good and so revolutionary to security design, why is this malicious theft of names and passwords happening?

I keep reading about how the RSA product line has been cracked and is no longer secure. We need to distinguish between the one-time password product (SecurID) and asymmetric cryptography.

The bigger question for me is: why are secrets that allow access being stored on the server in the first place?

Cryptographic protection can be implemented with symmetric keys or asymmetric keys. With the symmetric design, both the endpoint and the server keep copies of the same key. With an asymmetric design, the server NEVER sees or holds the private key; it stores only the public key, and the private key is stored only at the endpoint. To me, this is the main point of private and public key pairs in the first place.
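As an added illustration of that point (this is not code from the original post), the Go program below builds one server that stores a shared secret and checks an HMAC challenge-response, and one that stores only an Ed25519 public key and checks a signature over the challenge; the user name, seed and nonce are constructed values. It then replays a login using nothing but a complete dump of each server's credential store.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const user = "alice" // constructed user name for the demonstration

// answer is the HMAC over a challenge; anyone holding the secret can compute it.
func answer(secret, challenge []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write(challenge)
	return mac.Sum(nil)
}

// symmetricServer keeps the shared secret itself (the password / OTP-seed design).
type symmetricServer struct{ secrets map[string][]byte }
func (s *symmetricServer) Verify(u string, challenge, resp []byte) bool {
	secret, ok := s.secrets[u]
	return ok && hmac.Equal(answer(secret, challenge), resp)
}

// asymmetricServer stores only public keys; the private key never leaves the endpoint.
type asymmetricServer struct{ pubKeys map[string]ed25519.PublicKey }
func (s *asymmetricServer) Verify(u string, challenge, sig []byte) bool {
	pub, ok := s.pubKeys[u]
	return ok && ed25519.Verify(pub, challenge, sig)
}

// BreachOutcome enrols one user in each design, checks that the genuine endpoint logs in,
// then replays a login using nothing but a full dump of each server's credential store.
func BreachOutcome() (legitOK, symDumpImpersonates, asymDumpImpersonates bool) {
	secret := []byte("constructed-shared-seed-for-demo") // endpoint and server both hold this
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)      // priv stays on the endpoint
	sym := &symmetricServer{secrets: map[string][]byte{user: secret}}
	asym := &asymmetricServer{pubKeys: map[string]ed25519.PublicKey{user: pub}}
	challenge := []byte("constructed-nonce-0001") // a real server draws a fresh random nonce per login
	legitOK = sym.Verify(user, challenge, answer(secret, challenge)) &&
		asym.Verify(user, challenge, ed25519.Sign(priv, challenge))
	// Attacker holds exact copies of the stored records and nothing else.
	symDumpImpersonates = sym.Verify(user, challenge, answer(sym.secrets[user], challenge))
	forged := make([]byte, ed25519.SignatureSize) // no private key in the dump: a signature-shaped guess
	asymDumpImpersonates = asym.Verify(user, challenge, forged)
	return
}

func main() {
	fmt.Println(BreachOutcome()) // true true false
}
```

The dump of the symmetric store is sufficient to pass the login check, while the dump of the asymmetric store yields only public keys and cannot produce a valid signature.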

With that knowledge in hand, one has to ask, “Why would anyone—including RSA’s SecurID product—design a system that uses symmetric keys?”

Good question. Answer: Poor cryptographic implementation decisions.

So now you can always spot a failed identity design. Anytime the details of a security compromise include the theft of user IDs and passwords, you can nod wisely and say—“Symmetric keys. What were they thinking?”

If you want to protect the names and passwords of your customers, an asymmetric cryptography implementation is desirable.

By the way, just to stick it to whoever the idiot was at Microsoft who decided that the CardSpace design should be scrapped—CardSpace is the BEST security design at Microsoft that uses asymmetric keys.

In hindsight, dumping CardSpace was clearly a political move, not a technical one.