In PGP, each user is responsible for generating his own public and private keys. Pretty Good Privacy (PGP), also called a web of trust, was initially built on a decentralized model, primarily because PGP’s initial mission was to protect emails sent between parties from being intercepted and read. Having end users responsible for their own security infrastructure, such as keys and certificates, has been problematic for quite some time. But think about this: What would you do if, for some reason or other, your enterprise could not access important data because the key belonged to an employee who was out sick? Or worse?

Leaving key management to users is a bad idea

The San Bernardino shooting case drew national attention to government attempts to circumvent encryption. But if the encryption on this employee's phone had been centrally managed, the city would have had access to the key to decrypt the phone, and the problem could have been solved quickly. In February, the FBI obtained a judgment against Apple to provide “reasonable technical assistance” to recover the phone’s data. Apple refused, a court ruled in Apple’s favor, and the FBI withdrew the request in this hotly contested case, saying it had found a way to obtain the data for $1 million. But the device had been locked using the data encryption built into iOS. Last December, after police shot and killed a couple in San Bernardino in the wake of a mass shooting, the FBI obtained an Apple iPhone 5C that belonged to one of the shooters, Syed Farook, a city employee. There's a better way, and the recent incident in the city of San Bernardino, California, offers a good illustration as to why you need to retake control from your end users.
But you might also be thinking about recent government behavior that should have you thinking about the importance of encryption in general, and the use of key control and escrow in particular. Decentralized key management, where users have all of the control, is fraught with risks. If my paraphrase of Mel Epstein’s 1967 public service announcement has a familiar ring to it, that might be because you remember the original PSA, which ran for almost 30 years. Do you know where your encryption keys are?