JookWiki
Security usability
==Key management==
It's hard to discuss any security solution without discussing key management, so allow me to sidetrack for a minute. Keys are private tokens used in almost all modern security software to gain some useful security property such as confidentiality or authenticity. Unfortunately almost all modern security software requires manual key management. This dumps a few tasks on people.

The first task is verifying keys. There are a few ways to do this:
* Skip verifying the key
* Send the key using another communication service or method
* Ask for the key from someone you trust
* Meet the person in real life and exchange the key directly
* Verify the key incorrectly

If I had to guess which method is the most common, it's skipping verification. This is the option I pick all the time now for two simple reasons: it's easy, and it's reliable.

The second task is backing up keys. People have to:
# Create a secure storage location
# Copy the keys to the location
# Back up the secure storage location as well

Unless keys are used for something very important like signing packages or cryptocurrencies, people don't put much effort into this task. Skipping this task can result in wasted time, loss of data, or even loss of finances. People who take steps to back things up must have enough knowledge to do it securely and to create redundant backups. Doing this wrong (such as by backing up a key to cloud storage) can result in compromised keys.

The third task is managing key revocation and rotation. People have to:
* Replace keys regularly in case of unknown compromise
* Revoke keys in case of known compromise

As far as I know almost no security software supports doing these tasks in the first place. That means if someone steals your key they can impersonate you or access some resource of yours for an unlimited amount of time.
The only way around this is to inform people through social networks and other insecure communication methods that your old key is compromised and you have a new one, and go through the steps of verifying and backing up the keys again. Yikes.
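The verification task above, and in particular the "verify the key incorrectly" option, is easier to see with a concrete check. The following is an added example written for this page, not code from JookWiki or from any of the software it criticises. It assumes the common mechanism of comparing a hash-based fingerprint of a received public key against a fingerprint obtained over a second channel (a phone call, a trusted contact, an in-person meeting); the keys are constructed byte strings, and SHA-256 stands in for whatever fingerprint format a real tool displays. It contrasts a full, constant-time comparison with the prefix-only comparison people do when they eyeball the first few characters, and shows how cheaply a substitute key can be found that satisfies the prefix-only check.

```python
import hashlib
import hmac

# Constructed sample: a "public key" is just an opaque byte string here.
# Real keys would be an SSH or PGP public key blob; the format does not
# matter for fingerprinting, only that the whole blob is hashed.
ALICE_KEY = b"constructed-public-key-of-alice-0001"


def fingerprint(key: bytes) -> str:
    """Full SHA-256 fingerprint of a key as 64 lowercase hex characters."""
    return hashlib.sha256(key).hexdigest()


def display_fingerprint(key: bytes) -> str:
    """Colon-separated form, as key tools usually print fingerprints."""
    hexdigest = fingerprint(key)
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def _normalise(fp: str) -> str:
    # Tolerate the spacing/colons/case a human copied from a screen or said aloud.
    return fp.replace(" ", "").replace(":", "").lower()


def verify_full(received_key: bytes, out_of_band_fingerprint: str) -> bool:
    """Correct verification: compare the entire fingerprint in constant time.

    `out_of_band_fingerprint` is what the key owner told you over a second
    channel (a call, a trusted third party, a face-to-face exchange).
    """
    expected = _normalise(out_of_band_fingerprint)
    actual = fingerprint(received_key)
    return hmac.compare_digest(actual.encode(), expected.encode())


def verify_prefix_only(received_key: bytes, out_of_band_fingerprint: str,
                       hex_chars: int = 4) -> bool:
    """Incorrect verification: only the first few hex characters are checked,
    which is what happens when someone glances at a fingerprint or relies on
    a short key ID."""
    expected = _normalise(out_of_band_fingerprint)
    return fingerprint(received_key)[:hex_chars] == expected[:hex_chars]


def find_prefix_collision(target_fingerprint: str, hex_chars: int = 4,
                          max_tries: int = 1_000_000) -> bytes:
    """Find a different constructed key whose fingerprint shares the first
    `hex_chars` hex characters with the target. With 4 hex characters (16 bits)
    this needs on the order of 65k hash evaluations, which is why a prefix-only
    check gives no real assurance that the key belongs to the right person."""
    prefix = _normalise(target_fingerprint)[:hex_chars]
    for i in range(max_tries):
        candidate = b"constructed-substitute-key-%d" % i
        if fingerprint(candidate)[:hex_chars] == prefix:
            return candidate
    raise RuntimeError("no prefix collision found within max_tries")


if __name__ == "__main__":
    alice_fp = display_fingerprint(ALICE_KEY)
    print("Alice's fingerprint (as read over the phone):", alice_fp)
    substitute = find_prefix_collision(alice_fp)
    print("substitute key passes prefix-only check:",
          verify_prefix_only(substitute, alice_fp))
    print("substitute key passes full check:",
          verify_full(substitute, alice_fp))
    print("Alice's real key passes full check:",
          verify_full(ALICE_KEY, alice_fp))
```

The full check is the only one that actually binds the received key to the out-of-band value; the prefix check is the "verify the key incorrectly" case from the list above, and the collision search shows that it is defeated by brute force that completes in well under a second.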