Entries Tagged as 'cryptography'
by Ramon Krikken | May 17, 2012 | 2 Comments
A well-known security meme is that “encryption is easy, it’s key management that’s hard.” But while this may be true for certain encryption use cases, it’s most definitely not true across the board. It’s a convenient meme for vendors, of course, who’ll simply point at a “we use AES” or “we’re FIPS 140-2 validated” statement [...]
Category: Uncategorized Tags: cryptography, encryption, FIPS 140, keys, NIST
by Ramon Krikken | April 17, 2012 | 2 Comments
In my last post, commenter Randall Gamby notes that “of course [tokenization is encryption].” I wholeheartedly agree. But unfortunately the current PCI guidance does not, and cannot support this notion (and, because of this, people who build and/or implement tokenization cannot do so either without creating a tokenization catch-22). When we look at the [...]
Category: Uncategorized Tags: code book, cryptography, encryption, insanity, PCI, PCI-DSS, politics, tokenization
by Ramon Krikken | April 11, 2012 | 2 Comments
It’s been a while since I blogged about tokenization. My last post on the subject drew some interesting comments – and conflicting comments at that: one commenter argued equating tokenization and encryption is bad for tokenization because tokenization is more secure per se. Another, however, commented that it’s in fact bad for encryption because encryption [...]
Category: Security Tags: code book, cryptography, encryption, PCI, PCI-DSS, tokenization
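The two posts above argue that a vault-based tokenizer is a code book, i.e. an encryption scheme whose "key" is the lookup table. The following is an added example to make that concrete; it is not code from the original posts or from any tokenization product. The PAN is a constructed test number, and the design choices (random tokens, keep the first six and last four digits, keep the token Luhn-valid) are assumptions chosen to mirror common practice, not anything the posts prescribe.

```python
"""Toy vault-based tokenization: random, format-preserving tokens backed by a
lookup table (a 'code book'). Added example; the PAN used is a constructed
test number, not real card data."""
import secrets

DIGITS = "0123456789"


def luhn_sum(pan: str) -> int:
    """Luhn sum over a full PAN (check digit included, at the right end)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and 13 <= len(pan) <= 19 and luhn_sum(pan) % 10 == 0


class TokenVault:
    """Random tokens with a two-way lookup table.

    The two dictionaries are the whole secret: anyone who can read them can
    detokenize every PAN, exactly as anyone holding the key can decrypt a
    ciphertext. Tokens keep the BIN (first 6) and last 4 digits, randomize
    the rest, and stay Luhn-valid so they pass the same input validation as
    a real PAN (assumed design choices, not a requirement of any standard).
    """

    MAX_TRIES = 1000

    def __init__(self) -> None:
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a Luhn-valid PAN")
        if pan in self._pan_to_token:        # same PAN always maps to the same token
            return self._pan_to_token[pan]
        for _ in range(self.MAX_TRIES):
            token = self._random_token(pan)
            # a token must never equal a real PAN (its own or another vaulted one)
            # and must never collide with a token already issued
            if (token != pan and token not in self._pan_to_token
                    and token not in self._token_to_pan):
                self._pan_to_token[pan] = token
                self._token_to_pan[token] = pan
                return token
        raise RuntimeError("token space for this BIN/last-4 is exhausted")

    def detokenize(self, token: str) -> str:
        """Reverse the mapping; this is the operation the vault must guard."""
        return self._token_to_pan[token]     # KeyError for an unknown token

    @staticmethod
    def _random_token(pan: str) -> str:
        n = len(pan)
        middle = [secrets.choice(DIGITS) for _ in range(n - 10)]
        # choose a middle position that Luhn does not double: its digit adds
        # its face value to the sum, so it can fix the total to a multiple of 10
        fix = next(p for p in range(6, n - 4) if (n - 1 - p) % 2 == 0)
        middle[fix - 6] = "0"
        candidate = pan[:6] + "".join(middle) + pan[-4:]
        middle[fix - 6] = str((-luhn_sum(candidate)) % 10)
        return pan[:6] + "".join(middle) + pan[-4:]


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"              # constructed test number
    tok = vault.tokenize(pan)
    print(pan, "->", tok, "luhn_valid:", luhn_valid(tok))
    print(tok, "->", vault.detokenize(tok))
```

Two things the example makes visible. First, the only secret is the table: a copy of the vault is equivalent to a copy of the key plus all ciphertexts, which is why where the vault lives, who can query it, and how its contents are protected are the questions that decide PCI scope, not the word "token". Second, preserving the first six and last four digits and the Luhn check leaves only a few free digits per BIN/last-4 pair, so a token that is reversible by construction (a table lookup) is doing the same job as a short, format-preserving ciphertext.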
by Ramon Krikken | December 9, 2011 | Comments Off
My colleague Eric Ouellet recently published “Is OASIS KMIP Yet Another Hollow Key Management Standard?” (subscription required). In the note, he raises several important questions around KMIP becoming a widely adopted standard. I share his concerns, and will be touching on this as well in my upcoming note about key management. Without going into the [...]
Category: Cloud Security Tags: cryptography, encryption, fiefdoms, key management, KMIP, OASIS, vendors
by Ramon Krikken | October 14, 2011 | 1 Comment
Yesterday at RSA EU 2011 I had a chance to present my “towards secure tokenization algorithms and architecture” talk, and it gave me an opportunity to validate some thoughts on the fundamentals of tokenization designs and attacks. One of my slides covered some lines from the PCI tokenization guidance, which I believe are well-intentioned but [...]
Category: Security Tags: cryptography, encryption, keys, PCI-DSS, tokenization