Tala Blog

TLS 1.3 and Forward Secrecy

Rajesh Kanungo - Mar 24, 2018 5:04:19 AM
IoT Security just got a boost;  TLS 1.3 is faster, more secure, and provides Perfect Forward Security.  In order to understand why Perfect Forward Security is important one has to understand that many of these devices will be out in the open, vulnerable to attacks and their private keys can be extracted by hackers.  This allows re corded traffic to be easily decrypted. PFS just makes the whole problem disappear.  Speed is important because many IoT devices are resource bound for CPU, memory, storage, and energy. Fewer number of messages, lower CPU usage, etc. is better.  So TLS 1.3 makes available secure communication to a larger, more constrained set of devices.  The one issue that needs to be addressed (better) is the fact that algorithms need better random number generation.
Read More

A Better Way to Approach IoT Security

Rajesh Kanungo - Dec 4, 2017 9:27:21 AM

The current generation of IoT devices have mostly neglected security. Some of the reasons are:

1.    No immediate cost, or penalty for weak or no security: A device manufacturer does not have any reason to make the device secure as there is no penalty to the manufacturer. On the other hand, Smart meter hacks can result in direct losses to the utility and are hence being made secure.  A typical example (see references) is the situation where Tripwire contacted an IP camera manufacture and got a standard dismissal. 

Read More

IoT Minimum Viable Security for a Minimum Viable Product

Rajesh Kanungo - Nov 28, 2017 9:53:00 AM

(c) Rajesh Kanungo

Minimal Viable Security (MVS) is a trademark of Talasecure Inc.

Acknowledgment: Michael Garrison Stuber for pointing me at FAIR.


This article explores security issues with Minimal Viable Products in the IoT space and recommends methodologies for solving them.

What Do You mean by Security

The conversation nowadays has moved from "Is security necessary?" to "How can we make something secure?" . Which begs the question, "What does secure mean and how much security is good enough?" Would you protect your refrigerator IoT device to the same degree as your smart phone?

A Short Definition of Security

Security is about RISK: The probability of something happening multiplied by the resulting cost or benefit if it does. Securing products should protect the essential assets and not harm others.

Read More

Secure Code: Why and How to get your teams to write secure code

Rajesh Kanungo - Nov 21, 2017 9:48:00 AM

Copyright (c) Rajesh Kanungo

If you like this article, feel free to share it!

What if you walk into your CEO’s office and tell him you could get rid of 95% of security bugs in your software by doing just two things?  What would your CEO say?

Some fun facts (short version)

1.     90% of security bugs are due to input validation errors?  Examples are bounds check, SQL validation, HTML/JavaScript checking, etc.

2.     5% of the security bugs are due to ignoring of return values.

Read More

Simple ECC implementations and a Simple Approach to Side Channel Attacks

Rajesh Kanungo - Nov 14, 2017 10:11:00 AM

Side channel attacks as defined in the Wikipedia:

In cryptography, a side-channel attack is any attack based on information gained from the physical implementation of a cryptosystem, rather than brute force or theoretical weaknesses in the algorithms (compare cryptanalysis). For example, timing information, power consumption, electromagnetic leaks or even sound can provide an extra source of information, which can be exploited to break the system. Some side-channel attacks require technical knowledge of the internal operation of the system on which the cryptography is implemented, although others such as differential power analysis are effective as black-box attacks.

Read More

Crypto Armageddon: NSA says current asymmetric key algorithms are susceptible to quantum computing attacks in the near future with no alternatives.

Rajesh Kanungo - Nov 7, 2017 10:19:00 AM

Crypto Armageddon: In lay-person's terms, the underpinnings of our internet security are going to get yanked out from underneath us. 
Advances in quantum computing will render today's cryptographic methods obsolete. What then?
The February 2016  Scientific American has a wonderful article on it.

The NSA started (QUIETLY) advising some US departments in August to stop using ECC-256 and to move to ECC-384 or higher.  They claimed that quantum computing attacks using Shor’s algorithm made ECC very susceptible to attacks.  They have now made the announcement public:


Read More