When will we be secure? Nobody knows for sure – but it cannot happen before commercial security products and services possess not only enough functionality to satisfy customers’ stated needs, but also sufficient assurance of quality, reliability, safety, and appropriateness for use. Such assurances are lacking in most of today’s commercial security products and services.

When we look at the standards and defacto-standards based security system as a whole we can readily identify that the whole, and many of its parts, are not fit for purpose.

Case example: RFID. The vast majority of RFID devices are designed to promiscuously identify themselves to ANY reader that queries them. The RFID ecosystem has not been designed to protect the identity of users from disclosure to unauthorised persons. The best example is the Banking RFID case where the first generation American RFID enhanced credit card discloses the full name of the card holder to anyone that asks. See also the recent RFID attack (July 2008) that compromised the security of over 2 billion smart cards.

Case example: certificate authorities. Speaking simply, certificate authorities are paid money to testify to the identity of a users and web servers on the Internet: Banks pay certificate authorities money to allow customers to validate they are talking directly to the bank, and not a criminal. An attack in November 2008 demonstrated that a malicious party can falsely represent itself as the  'trusted' certificate authority RapidSSL, a company owned by Verisign. This mean the attackers could convince almost all users that it was ANY bank, financial institution, government organisation, or commercial website in the world. This is a fault with both (a) the choice of weak cryptographic algorithm, and (b) an ongoing structural weaknesses in the certificate authority ecosystem.

Case example: central points of failure. The above example with the certificate authority illustrated that a SINGLE compromised certificate authority is capable of arbitrarily forging an identity to every person that trusts that certificate authority. Another example of central point of security failure exist in the Kerberos federated authentication protocol. The security industry is littered with central points of failure, such as those with public key cryptography...

Case example: public key cryptography. All e-commerce and secure website browsing is performed using cryptographic algorithms that are at risk of abrupt and catastrophic failure by large code-breaking quantum computers. The arrival of such computers would be a simultaneous global security failure. Unfortunately increasing the strength / key-length of the algorithm does not protect against these attacks. To protect communications against quantum computers you must stop encrypting data using RSA, D&H and ECC asymmetric algorithms.

Large scale security failures of this kind are currently the norm in the commercial security sector. There is no question that a new security ecosystem that is fit for purpose needs to be built.

Synaptic is designing such a security ecosystem, one that comprehensively addresses all the above mentioned problems in an integrated coherent framework.