Category Archives: Cyberculture

image_pdfimage_print

Cyber Resilience Act: a European regulation to strengthen the cybersecurity of digital products

European Commission logo symbolizing the Cyber Resilience Act and NFC HSM technology.

The CRA: Strengthening Cybersecurity Across the EU

Cyber Resilience Act (CRA) is a pivotal European regulation, enhancing cybersecurity standards for digital products. This legislation aims to safeguard users and businesses from cyber threats, ensure market competitiveness, and foster innovation in the cybersecurity field. In this article, we delve into the CRA’s essential features, its advantages and potential challenges, and the implications for manufacturers and distributors of digital products. Discover how the CRA aims to fortify digital security and resilience throughout the European Union.

2024 Cyberculture Legal information

ePrivacy Regulation: Transforming Messaging Privacy in 2025

2024 Cyberculture

Electronic Warfare in Military Intelligence

2024 Articles Cyberculture Legal information

ANSSI Cryptography Authorization: Complete Declaration Guide

2024 Articles Cyberculture

EAN Code Andorra: Why It Shares Spain’s 84 Code

Stay informed with our posts dedicated to Cyberculture to track its evolution through our regularly updated topics.

Explore our Cyberculture section for detailed information on the Cyber ​​Resilience Act CRA, authored by Jacques Gascuel, a pioneer in contactless, serverless, databaseless sensitive data security solutions. Stay up to date and secure with our frequent updates.

The Cyber Resilience Act: a European regulation to strengthen the cybersecurity of digital products

The Cyber Resilience Act (CRA) is a European regulation that imposes cybersecurity standards on digital products. It aims to protect users and businesses from cyber threats, harmonise the digital internal market and support innovation in cybersecurity. In this article, we’ll walk you through the key features of the CRA, its pros and cons, and its implications for manufacturers and distributors of digital products.

Introduction au Cyber Resilience Act (CRA)

The EU proposed the Cyber Resilience Act in 2022 to set uniform safety standards for products with digital components, such as internet-connected devices, software and online services. These products can be exposed to cyberattacks that affect their availability, integrity and confidentiality. The CRA aims to protect users and businesses from these risks, by requiring common rules for market entry and cybersecurity measures throughout the product lifecycle. It also establishes a CE marking system to indicate compliance with cybersecurity standards. Moreover, the CRA distinguishes critical products, which have higher obligations according to their level of criticality. The CRA is part of the 2020 EU Cybersecurity Strategy, which seeks to enhance the EU’s collective resilience against cyber threats and foster a secure and trustworthy digital environment for all.

The CRA was approved by the Council and the Parliament in november 2023, and will enter into force in 2024, 20 days after its publication in the Official Journal of the EU. However, it will not be applicable until 2027, to allow a transition period for existing products and software. Moreover, the CRA will be revised every five years, to adapt to technological developments and stakeholder needs.

In this subject, we will explain the main provisions of the CRA, its pros and cons, and its impact on the digital market and society. So,the CRA aims to increase the security and resilience of digital systems in the EU, by imposing strict and binding requirements for the design, development and maintenance of digital products. It also introduces a CE marking system for digital products, ensuring their compliance with established cybersecurity standards.

Strengthening the EU’s Cybersecurity Framework: The Provisional Agreement on the Cyber Resilience Act

A Milestone for a Secure Digital Single Market

The Council presidency and the European Parliament have struck a landmark agreement on the proposed Cyber Resilience Act (CRA), taking a major step forward in fortifying the European Union’s cybersecurity landscape. This critical legislation outlines EU-wide cybersecurity requirements for digital products, addressing the urgent need for a harmonized approach to securing connected devices before they reach consumers.

Hailed as a crucial step by Spanish Minister of Digital Transformation José Luis Escrivá, the agreement emphasizes the essential need for a basic cybersecurity level for all connected devices sold within the EU, ensuring robust protection for both businesses and consumers.

Key Features and Amendments of the Agreement

The provisional agreement preserves the core principles of the European Commission’s proposal, focusing on several key areas:

  • Rebalancing Compliance Responsibility: Manufacturers now take primary responsibility, handling tasks like risk assessments, conformity declarations, and cooperation with authorities.
  • Vulnerability Handling: The agreement mandates processes for manufacturers to ensure ongoing cybersecurity and outlines specific obligations for importers and distributors as well.
  • Transparency and Consumer Protection: Measures are introduced to enhance transparency regarding the security of both hardware and software for consumers and businesses, empowering informed decision-making.
  • Market Surveillance Framework: A robust framework will enforce the regulations, ensuring compliance and safeguarding the EU’s digital space.

Co-legislators have also proposed adjustments, including:

  • Simplified Product Classification: A streamlined approach for classifying regulated digital products, facilitating easier compliance and understanding.
  • Product Lifetime Determination: Manufacturers must specify the expected lifespan of digital products, with a minimum five-year support period, unless shorter use is anticipated.
  • Reporting Obligations: A focus on reporting actively exploited vulnerabilities and incidents, enhancing the role of national authorities and ENISA in managing cybersecurity threats.

Looking Forward: Implementation and Impact

With the provisional agreement in place, technical work continues to finalize the regulation’s details. The compromise text will be presented for endorsement by member states, marking a critical moment in the EU’s journey towards a cohesive and secure digital ecosystem.

The CRA is set to apply three years after enactment, providing manufacturers with ample time to adapt. Additionally, specific support measures for small and micro enterprises have been agreed upon, including awareness-raising, training, and assistance with testing and compliance procedures.

The Path to the Cyber Resilience Act

This provisional agreement marks the culmination of a journey that began with the Council’s 2020 conclusions on the cybersecurity of connected devices, emphasizing the need for comprehensive legislation. Reflecting the urgency expressed by Commission President von der Leyen in 2021 and subsequent Council conclusions, the CRA proposal submitted by the Commission in September 2022 aims to complement the existing EU cybersecurity framework, including the NIS Directive and the EU Cybersecurity Act.

This agreement represents a significant milestone in the EU’s commitment to enhancing cybersecurity resilience, marking a new era of digital product security and consumer protection across the Union.

Business Requirements and Responsibilities

Under the CRA, manufacturers and distributors of digital products are required to ensure the compliance of their offerings from the moment they are placed on the market and throughout their lifecycle. This involves actively monitoring for vulnerabilities and working closely with security researchers to identify and fix potential vulnerabilities within 90 days of discovery.

Cooperation and Sanctions

Another cornerstone of the CRA is the enhanced cooperation between EU Member States and the European Commission to monitor the application of the Regulation. In the event of non-compliance, companies risk severe penalties, up to 10% of their annual global turnover. This underlines the EU’s commitment to ensuring a high level of digital security.

Application and Exclusions of the CRA

The CRA applies to a wide range of digital products, with the notable exception of those already regulated by other EU legislation, such as medical devices or vehicles. Its aim is to close legislative gaps and strengthen coherence in the field of cybersecurity.

Conclusion and Outlook

Following its approval by the Council of the EU and the European Parliament, the CRA is scheduled to enter into force in early 2024. Manufacturers then have 36 months to comply with the new rules. This initiative marks an important step towards a more secure and resilient European Union in the face of digital threats.

Benefits of the Cyber Resilience Act for the Digital Ecosystem

The Cyber Resilience Act (CRA) is envisaged not only as a regulatory framework, but also as a lever for improving cybersecurity at the European Union level. It brings several significant benefits, both for users and for the digital economy as a whole.

Strengthening Consumer and Business Protection

One of the main strengths of the CRA is its ability to raise the level of security for consumers and businesses. By imposing high and constantly updated cybersecurity standards, the regulation ensures that digital products purchased or used offer optimal protection against cyber threats. This helps to create a safer digital environment for all.

Harmonization of the Digital Internal Market

The CRA plays a crucial role in harmonising cybersecurity rules across the EU. By eliminating the fragmentation and divergence of national laws, it facilitates the free movement of digital products within the Single Market. This is essential to support economic integration and boost intra-European trade in digital solutions.

Driving Innovation in Cybersecurity

Finally, the CRA is a driver of innovation in the cybersecurity sector. By increasing demand for secure digital products, it encourages investment in research and development. This dynamic creates valuable opportunities for European companies, allowing them to stand out as leaders in the field of cybersecurity on the global stage.

In sum, the benefits of the CRA are manifested in enhanced protection for users, regulatory harmonisation beneficial to the European single market, and increased support for innovation in the cybersecurity sector. Through these measures, the CRA aims to establish a solid foundation for a safe, competitive and innovative digital ecosystem in the European Union.

Analysis of the Challenges Posed by the Cyber Resilience Act

The Cyber Resilience Act (CRA), while aiming to strengthen digital security within the European Union, raises concerns about its potential impact on various aspects of the digital landscape. These drawbacks deserve special attention to understand the challenges associated with the implementation of this legislation.

Impact on Vulnerability Disclosure

A major criticism is the possible reluctance of security researchers to report discovered vulnerabilities. The fear of sanctions or legal action, due to failure to comply with deadlines or procedures dictated by the CRA, could deter these key players from sharing their findings, thus limiting collective efforts to strengthen cybersecurity.

Effects on Free and Open-Source Software

The CRA is also suspected of slowing down the development and adoption of free and open-source software. The latter, known for their security and transparency, could be subject to disproportionate and onerous compliance requirements. These risks hindering innovation and the use of these valuable resources in the digital ecosystem.

Standardization of Disclosure Models

Another sticking point is the potential reduction in the effectiveness and diversity of vulnerability disclosure models. The one-size-fits-all and rigid approach advocated by the CRA may not be appropriate for all situations, requiring flexibility to adapt to the specifics of each case.

Potentially disproportionate penalties

The penalties envisaged by the CRA for non-compliance are considered by some to be excessive. The prospect of severe financial penalties could jeopardize the economic viability of digital manufacturers and distributors, as well as their ability to innovate. This approach could, therefore, have negative repercussions for the entire digital sector.

In sum, although the CRA aims to establish a strengthened security framework for the European Digital Space, it is crucial to assess and address its possible negative impacts. Careful consideration of these issues will allow the regulation to be adjusted and refined so that it effectively supports cybersecurity without hindering innovation or collaboration in the digital domain.

Cyber Resilience Act Compliance Guide for the Digital Industry

The Cyber Resilience Act (CRA) is a major initiative by the European Union to increase cybersecurity across its Member States. Compliance with this regulation requires a series of targeted and structured actions, applicable to both manufacturers and distributors of digital products.

Actions Required for Digital Product Manufacturers

  • Conducting Cyber Risk Assessments: The first step involves analyzing and documenting the risks associated with the products. This includes identifying threats, vulnerabilities, impacts, and protective measures, with this information regularly updated.
  • Application of the CE Marking and Information to Users: Products must bear the CE marking, a symbol of their compliance with EU safety standards. It is essential to provide comprehensive information on the cybersecurity characteristics of products, including conditions of use and maintenance.
  • Security Updates: Manufacturers must establish and maintain procedures for updating the security of products, ensuring the ability of products to receive and install these updates. Proactive communication about the need for and availability of updates is crucial.
  • Vulnerability Reporting: Discovered or reported vulnerabilities must be reported within 90 days. It is important to communicate corrective actions to users using appropriate channels and adhering to the principles of responsible disclosure.
  • Cooperation with Cybersecurity Authorities: Collaboration with competent authorities, participation in audits and provision of the necessary documents for compliance verification are key elements.

Obligations of Digital Product Distributors

  • Product Conformity Verification: Distributors must ensure that the products marketed comply with the requirements of the CRA, including the CE marking. They must also provide adequate information about the cybersecurity of the products.
  • Security Update Information and Support: Distributors are responsible for notifying users of security updates and assisting them with their installation. Communication about vulnerabilities and remediation is also required.
  • Audit and Cooperation with Authorities: Submission to controls, cooperation with competent authorities and provision of the necessary information to demonstrate compliance are essential.

Importance of Compliance

Failure to comply with CRA guidelines can result in significant penalties, including fines of up to 10% of annual worldwide turnover. The adoption of internal compliance and governance mechanisms is therefore crucial to avoid such consequences.

CRA compliance is not only a legal imperative but also an opportunity to improve the security and resilience of the European digital ecosystem. With these measures, the digital industry makes a significant contribution to data protection and user trust in digital technologies.

Which products are covered by the Cyber Resilience Act?

General definition of the products concerned

The CRA applies to all products with digital elements that are directly or indirectly connected to another device or network, with the exception of those already covered by other EU rules, such as medical devices, aviation or cars. The CRA aims to fill gaps and ensure consistency in existing cybersecurity legislation.

Distinguishing between critical and non-critical products

The CRA applies to a wide range of products with digital components, such as internet-connected devices, software and online services. However, not all products are subject to the same level of scrutiny and obligations. The CRA distinguishes between critical and non-critical products, based on the level of risk they pose to users and society.

The scope of the CRA

The CRA covers all products that have a digital component and that are connected directly or indirectly to another device or network. This includes all connected hardware (computers, phones, household appliances, cars, toys, virtual assistive devices, etc.) as well as systems such as VPNs, antivirus, password managers, software essential to the management of cloud services, or the operating systems of the aforementioned hardware.

For the sake of clarity, the draft CRA provides a list of affected products and software. However, this list is not exhaustive and may be updated by the Commission to take into account technological developments.

The classification of critical products

As you will discover by reading further, this CRA regulation makes a distinction between a general category of products containing digital elements, and those considered “critical”. The latter category represents 10% of the objects covered by this regulation. While critical products are those which, if compromised, would have significant impacts on the security of property and people as well as society.

In summary, this regulation is subdivided into critical products and two other classes according to the level of criticality of the risks. Thus, depending on the class to which they belong, software or hardware will be subject to more or less strict supervision and obligations.

The obligations for different classes of products

To streamline the understanding of the impact of the Cyber ​​Resilience Act (CRA) on product classes, let’s take a look at this simplified guide. This is a table that succinctly classifies products according to their criticality under CRA regulations. As a result, this has the advantage of highlighting the specific obligations as well as their impacts on manufacturers and their potential effects on the market. Therefore, this has the effect of presenting this information in a clear and organized manner. We also aim to facilitate the smooth adaptation process for stakeholders to this Cyber ​​Resilience Act regulation. So prepare now to take this information into account to effectively improve and anticipate your strategies. Anticipate your compliance with its new and evolving European cybersecurity standards.

Table 2: CRA Obligations by Product Class
Product Class Obligations Impact on Manufacturers Market Effects
Most Critical
  • Certification by an independent body before market entry.
  • Incurs significant costs and delays.
  • May hinder innovation and competitiveness, especially in electronics and embedded systems.
Intermediate
  • Self-assessment and declaration of conformity by manufacturers.
  • Reduces administrative burden and time to market.
  • Demands high responsibility and transparency.
Less Critical
  • Compliance with essential requirements, no formal certification needed.
  • Ensures basic security levels without excessive costs.
  • Enhances trust in less critical digital products.

Key Insights:

  • First, the Cyber ​​Resilience Act classifies products based on their impact on cybersecurity and imposes specific compliance obligations on them.
  • This is why the most critical products are subject to strict certification processes.
  • In fact, this affects market dynamics. Whereas, intermediate and less critical classes follow simplified compliance pathways. This balances security needs and market viability.
  • Finally, this concise overview facilitates informed decision making and strategic planning for market positioning and observation.

Navigating the Cyber Resilience Act (CRA): A Quick Guide

We’ve compiled a simplified guide to help you quickly navigate the complexities of the Cyber ​​Resilience Act (CRA). Thus, this table details the objectives of this regulation on the products it covers and the essential requirements it imposes. Additionally, it also highlights the main benefits and potential obstacles of the law. Thus, this brief overview aims to inform you of the essential knowledge to understand and adapt to the implications of the ARC. By familiarizing yourself with these critical aspects now, you can advantageously stay one step ahead. This therefore guarantees you preparation for the expected developments over three years in the cybersecurity landscape within the EU by 2027.

Table 1: Overview of the CRA

Aspect Details
Aim of the CRA
  • To strengthen the cybersecurity of products and software within the EU.
Covered Products and Software
  • Hardware: Smartphones, tablets, smartwatches, desktops, laptops, routers, smart home appliances, POS systems, medical devices, etc.
  • Software: Operating systems (Windows, macOS, Linux), browsers (Chrome, Firefox, Safari), mobile apps, security software, cloud services, etc.
  • Data Storage/Processing: Hard drives, cloud storage, PCs, servers, software handling sensitive data.
Key Requirements
  • Conduct risk assessments
  • Implement security measures
  • Provide information to users
  • Report vulnerabilities
  • Cooperate with authorities
Main Benefits
  • Enhanced user security
  • Increased trust in the digital economy
  • Accelerated innovation in cybersecurity
Potential Challenges
  • Increased costs for compliance
  • Regulatory complexity
  • Risk of market fragmentation
Staying Informed
  • Regular updates and compliance checks are crucial for adherence to the CRA.

Key Takeaways

  • First, the CRA is an essential regulation having an impact on the European cybersecurity framework.
  • Then, this involves compliance with the requirements of the mandatory CRA for manufacturers, distributors and importers.
  • Finally, this has the effect of offering significant advantages but at the same time generates certain additional cost challenges.

In summary, this table format provides a concise and organized summary of the ARC. This makes it easier for you to understand its scope, requirements, benefits and challenges.

Hardware Security Module with the CRA

Under the Cyber ​​Resilience Act (CRA), Hardware Security Modules (HSMs) play a crucial role in securing Europe’s digital infrastructure. Indeed, they are the Guardians of the cryptographic keys. They are in fact the pillars of data security and digital transactions. Without question, HSMs are essential tools to meet the strict requirements of the CRA.

Definition of HSMs

Hardware and digital security modules (HSMs) play a crucial role in securing cryptographic processes. They generate, protect, and manage encryption, decryption, digital signature, and certification keys. Their importance for the protection of sensitive data and digital trust classifies them as critical products according to the Cyber Resilience Act (CRA).

Features of the HSM Hardware

Hardware HSM comes in the form of a physical device, ensuring high security against physical and logical attacks. It can be integrated into a computer system such as a PCI card or an external enclosure. These devices are evaluated and certified according to international safety standards, such as FIPS 140 and Common Criteria EAL4+, attesting to their reliability and robustness.

Benefits of Digital HSM

At the same time, digital HSM offers a software solution that provides security comparable to that of a hardware HSM. With virtualization and advanced encryption, it can be deployed on servers, cloud environments, or mobile devices. Certifications, such as FIPS 140-2 Level 1 or Common Criteria EAL2+, validate the compliance of these software solutions with rigorous security standards.

Cyber-resilience regulation certification process in force

In accordance with the requirements of the CRA, HSMs, whether physical or digital, must obtain certification from an independent body before they are placed on the market. This certification assures users that the devices meet high standards of security and protection of sensitive information.

Importance of HSMs in Cybersecurity

Hardware and digital HSMs are critical components of an organization’s security infrastructure. They secure the exchange of information by providing a reliable and certified method of protection for critical data. By facilitating secure management of cryptographic keys, HSMs build digital trust and support regulatory compliance.

In short, both hardware and digital HSMs are indispensable tools in the modern cybersecurity landscape. Their role in securing cryptographic keys and encryption processes is vital for data protection and trust in digital systems. The mandatory certification emphasizes their importance and ensures that they comply with the highest safety standards.

Hardware Security Modules (HSMs) Under the Cyber Resilience Act

Definition and Features of HSMs

HSMs are specialized devices designed for the secure management of cryptographic keys, crucial for data encryption and transaction security. These modules embody the core principles of the CRA, providing foundational security capabilities across critical and less critical sectors.

Fixed HSMs

Embedded within infrastructural setups, fixed HSMs offer enduring security solutions. These devices are pivotal in safeguarding essential services, from energy distribution to financial transactions, aligning with the CRA’s high-security benchmarks.

Removable HSMs

Offering versatility, removable HSMs, such as USB HSMs, enable secure key management across varied operational contexts. They facilitate a balance between security and mobility, catering to diverse needs within the CRA framework.

NFC HSMs

Merging NFC technology with HSM security, NFC HSMs introduce a new paradigm in contactless transaction security. Although categorized as non-critical, their adherence to CRA standards exemplifies the act’s comprehensive approach to cybersecurity, spanning from retail to access control applications.

NFC HSM and the Cyber Resilience Act (CRA): A Closer Look at Secure Technology

NFC HSM (Near Field Communication Hardware Security Module) represents a technological fusion. It integrates a hardware security module with Near Field Communication (NFC) technology like those manufactured by the Freemindtronic company in Andorra. They also have the particularities of being patented, of operating without a server, without a database and without the user needing to identify themselves or create an account to use them. They are not connected by default. This device provides secure, on-demand wireless interaction between devices over short distances, further protecting the data exchanges they encrypt.

They represent a significant advancement in secure short-range wireless communication by integrating near-field communication (NFC) with the robust security of hardware security modules (HSM). These devices provide enhanced protection of cryptographic keys and sensitive data, facilitating secure, contactless transactions and interactions with ease and flexibility.

Features and Advantages:
  • Enhanced Security: Embedded HSMs safeguard against external threats, ensuring the integrity of cryptographic keys and sensitive data.
  • Secure Authentication: NFC technology supports mutual authentication, minimizing fraud and counterfeiting risks.
  • Ease of Use: Simplified transactions through touch, eliminating manual data entry.
  • Versatility: Can be integrated into a wide array of devices and applications.
Applications:
  • Contactless Payments: Devices equipped with NFC HSM technology facilitate fast and secure transactions, enhancing user convenience and safety.
  • Access Control: These systems manage entry to secure areas, safeguarding physical and digital assets by regulating access to buildings and sensitive data.
  • Tracking and Traceability: NFC HSMs play a crucial role in supply chain management, enabling the authentication and monitoring of goods, ensuring their integrity from origin to destination.
  • Electronic Tickets: Ideal for storing digital tickets for transportation, events, and other services, streamlining the user experience while ensuring security.
  • Contactless Hardware Secrets Manager: A novel application where NFC HSMs manage passwords, encryption keys, secret keys, PIN codes, and 2FA credentials, offering a secure and convenient solution for managing digital identities and access rights across various platforms.

These examples underscore the versatility and security enhancements provided by NFC HSM technology, aligning with the objectives of the Cyber Resilience Act to foster a secure and resilient digital environment across the EU.

Exemplifying CRA Compliance: Freemindtronic’s NFC HSM

Incorporating Freemindtronic’s NFC HSM as a case study offers an insightful lens through which to view the Cyber Resilience Act’s (CRA) implications for digital product security. Freemindtronic’s approach exemplifies adherence to the CRA through its innovative security measures and compliance practices.

Exemplifying CRA Compliance: Freemindtronic’s NFC HSM

As we delve into the CRA’s extensive requirements and scope, practical examples like Freemindtronic’s NFC Hardware Security Modules (HSMs) illuminate how digital products are aligning with heightened security standards.

Meeting CRA’s Fundamental Compliance Demands:

  • Risk Assessment: Freemindtronic has not just conducted a thorough risk evaluation but has also embedded stringent risk management practices from inception through to development, manufacturing, and usage of NFC HSMs. This includes countermeasures against both invasive and non-invasive threats, reflecting the CRA’s directive for integrated risk management.
  • Security Implementations: With patented multi-security functions such as segmented key authentication and customizable trust criteria, alongside post-quantum considered AES-256 encryption in NFC HSM memories, Freemindtronic exceeds the CRA’s requirements for advanced security measures.
  • Vulnerability Disclosure: Freemindtronic’s immediate vulnerability disclosure mechanism, especially through its website, aligns with the CRA’s demand for timely vulnerability reporting to authorities, despite over seven years without detected vulnerabilities in NFC HSM products.
  • Regulatory Cooperation: Freemindtronic’s proactive partnership with Andorran regulatory bodies, including the National Cybersecurity Agency of Andorra (ANC), signifies a commitment to enhancing security collaboratively, as encouraged by the CRA.

Freemindtronic’s NFC HSM Features Enhancing CRA Compliance:

  • Serverless and Database-Free Operation: This minimizes potential attack vectors, aligning with the CRA’s focus on cybersecurity risk reduction.
  • User Anonymity and No Account Creation: By operating anonymously without user identification or account creation, It embodies a contactless plug-and-play principle, making it physically impossible to identify the NFC HSM users. Freemindtronic supports the CRA’s emphasis on user privacy and data protection.
  • End-to-End Anonymization: Freemindtronic’s NFC HSMs are not active by default, given their battery-less design. They are inert products that become active for less than a second during the use of the secret contained within the NFC HSM. Secrets used on the phone or computer are not stored in the systems; everything is conducted ephemerally in volatile memory. This approach is in strict adherence to the CRA’s data protection and confidentiality principles.
  • Innovation Patent Protection: Freemindtronic’s security solutions, underpinned by innovation patents, set a high compliance standard with the Cyber Resilience Act.

Industry Advantages:

  • Simplified Compliance Process: Freemindtronic’s NFC HSMs provide a pre-compliance solution that simplifies adherence to CRA regulations, saving time and resources for businesses.
  • Enhanced Data Security: Freemindtronic sets a security benchmark for sensitive data and cryptographic keys, embodying the CRA’s aim to standardize protection across digital products.
  • Adaptability to Diverse Applications: The flexibility of Freemindtronic’s NFC HSMs showcases the adaptability of security solutions to meet various application needs within the CRA framework.

By showcasing Freemindtronic’s NFC HSMs, we highlight how innovative security technologies can not only meet but surpass the rigorous expectations of the CRA. This insight into Freemindtronic’s compliance strategy offers a practical perspective on adhering to CRA guidelines, reinforcing the regulation’s role in boosting the cybersecurity posture of digital products within the EU.

Key Features of the CRA at a Glance

In summary, the Cyber ​​Resilience Act aims to strengthen the cybersecurity of products sold within the European Union.

This concerns a very large number of products, such as Internet-connected devices, software and online services.

Indeed, manufacturers and distributors will be required to comply with the various requirements of this European CRA regulation. In particular, they will have to carry out risk assessments on their products, implement security measures and inform users.

Thus, the Cyber Resilience Act should offer many advantages. This is characterized by increased user security. But it should also promote trust and the digital economy and help accelerate European innovation in the cybersecurity sector. However, the downside is that the ARC will impose certain challenges, such as increased costs for manufacturers and distributors, increased regulatory complexity and potential fragmentation of the single market.

Overall, the CRA constitutes an important piece of legislation that will have a major impact on the European cybersecurity landscape. It is important that all stakeholders are aware of the ARC requirements and take steps to comply with them.

The table below provides a summary of the CRA’s key features.

Table 1: Summary of the Cyber Resilience Act (CRA)

Feature Benefits Challenges
Scope
  • Wide range of products
  • Exclusion of certain products
Requirements
  • Harmonization of cybersecurity requirements
  • Costs and delays for manufacturers
Compliance
  • Certification process for critical products
  • Market fragmentation
Sanctions
  • Fines for non-compliance
  • Discouragement of vulnerability reporting
Objectives
  • Improved security and resilience
  • Impact on innovation
Impact
  • Protection of users and businesses
  • Difficulty balancing security and innovation

Finally, this table above constitutes a simple summary of the main characteristics of the CRA. So you have a more complete visual understanding of the Cyber ​​Resilience Act.

In conclusion on the European cyber-resilience act regulation

In conclusion, the Cyber Resilience Act (CRA) represents a significant step forward in the European Union’s efforts to strengthen cybersecurity and protect consumers in the digital age. While challenges remain, the CRA has the potential to create a more secure and resilient digital ecosystem for all. As the regulation comes into effect and evolves over time, it will be crucial to monitor its impact and adapt it as needed to ensure its continued effectiveness in a rapidly changing technological landscape. Ultimately, the success of the CRA will depend on the collective efforts of governments, businesses, and individuals to embrace its principles and work together to build a more secure and trustworthy digital world.

Sources

Here are some official sources which confirm this information:

Encrypted messaging: ECHR says no to states that want to spy on them

ECHR landmark ruling in favor of encrypted messaging, featuring EviCypher NFC HSM technology by Freemindtronic.

Protecting encrypted messaging: the ECHR decision

Encrypted messaging is vital for digital privacy and free speech, but complex to protect. The historic ECHR decision of February 13, 2024 supports strong encryption against government surveillance. We discuss the importance of this decision. You will discover EviCypher NFC HSM encryption technology from Freemindtronic, guardian of this decision but for all messaging services in the world.

2024 Cyberculture Legal information

ePrivacy Regulation: Transforming Messaging Privacy in 2025

2024 Cyberculture

Electronic Warfare in Military Intelligence

2024 Articles Cyberculture Legal information

ANSSI Cryptography Authorization: Complete Declaration Guide

2024 Articles Cyberculture

EAN Code Andorra: Why It Shares Spain’s 84 Code

Stay informed in our posts dedicated to Cyberculture to follow its evolution thanks to our regularly updated topics

Learn more through this Cyberculture section on your data encryption rights to protect your personal and professional data written by Jacques Gascuel, creator of data security solutions. Stay informed and secure with our regular news.

Encrypted messaging: ECHR says no to states that want to spy on them

The historic judgment of the European Court of Human Rights (ECHR) elevates encrypted messaging to the rank of guardian of privacy and freedom of expression. But this also poses security and public order problems. On February 13, 2024, she spoke out in favor of strong encryption, against state interference.

The ECHR has rejected Russian authorities’ request to Telegram, a messaging application, to provide private keys for encrypting its users’ communications, or to install backdoors that would allow authorities to access them. The Court considered that this request violated the rights to privacy and correspondence, as well as freedom of expression, of Telegram users.

The context of the case

The case background Six journalists and human rights activists challenged the request of the Russian authorities to Telegram before the ECHR. They claimed that this request violated their fundamental rights. They relied on Articles 8 and 10 of the European Convention on Human Rights. These articles protect the right to privacy and correspondence, and the right to freedom of expression.

The reasoning of the Court

The Court’s reasoning The Court acknowledged that the request of the Russian authorities had a legitimate aim of national security and crime prevention. However, it found that the interference with the rights of the applicants was not proportionate to the aim pursued. It emphasised that encryption plays a vital role in ensuring the confidentiality of communications and the protection of personal data. It held that the request of the Russian authorities was too general and vague. It did not offer enough safeguards against abuse. It could deter people from using encrypted messaging services.

The Court also noted that encryption helps citizens and businesses to defend themselves against the misuse of information technologies, such as hacking, identity theft, data breach, fraud and undue disclosure of confidential information. It stated that this should be duly taken into account when assessing the measures that could weaken encryption.

The Court further observed that, in order to be useful to the authorities, the information must be decrypted at some point. It suggested that the authorities should use other means to obtain the necessary information, such as undercover operations, metadata analysis and international cooperation.

The consequences of the decision

The decision’s implications The decision of the Court is final and binding for Russia. It has to implement it within a reasonable time. It also has a broader impact. It sets out principles applicable to all member states of the Council of Europe, which comprises 47 countries. It sends a strong signal in favour of the respect of fundamental rights on the internet. It aligns with the position of several international organisations, such as the UN, the EU or the OSCE. They have stressed the importance of encryption for the protection of human rights online.

The official link of the ECHR decision is: AFFAIRE PODCHASOV c. RUSSIE and AFFAIRE PODCHASOV c. RUSSIE and AFFAIRE PODCHASOV c. RUSSIE. You can access it by clicking on the title or copying the address in your browser.

The position of other countries in the world

Encryption of communications is not a consensual topic. Countries have different, even opposite, positions on the issue. Here are some examples:

  • The Netherlands have argued for the right to strong encryption. They considered it a human right that must be safeguarded, in the country’s own interest.
  • The United States have repeatedly asked technology companies to provide them with access to encrypted data. They invoked the need to fight terrorism. These requests have been challenged by companies, such as Apple. They refused to create backdoors in their encryption systems.
  • China adopted a cybersecurity law in 2016. It requires companies to cooperate with authorities to provide encryption keys or means to bypass encryption. This law has been denounced by human rights defenders. They fear that it will be used to strengthen the surveillance and censorship of the Chinese regime.
  • The European Union adopted a directive on the protection of personal data in 2016. It recognizes encryption as a technical measure suitable for ensuring the security of data. The EU also supported the development of end-to-end encryption. It funded projects such as the free software Signal, which allows to encrypt calls and messages.

These examples show the divergences and convergences between different countries on the subject of encryption. They also reveal the political, economic and social issues that are at stake.

The world’s reactions to the ECHR decision on Encrypted Messaging

The ECHR decision on Encrypted Messaging has sparked different reactions in the world. Some countries praised the judgment, which boosts the protection of human rights on the internet. Other countries slammed the position of the Court, which undermines, according to them, the judicial cooperation and the national security.

The supporters of the ECHR decision

The Netherlands are among the countries that supported the ECHR decision. They argued for the right to strong encryption, considering it a human right that must be safeguarded, in the country’s own interest. The European Union also backed the Court, reminding that encryption is a technical measure suitable to ensure the security of data, in accordance with the directive on the protection of personal data adopted in 2016. The EU also stressed that it funds the development of end-to-end encryption, through projects such as the free software Signal, which allows to encrypt calls and messages.

The opponents of the ECHR decision

The United States are among the countries that opposed the ECHR decision. They have repeatedly asked technology companies to provide them with access to encrypted data, invoking the need to fight terrorism. These requests have been challenged by companies, such as Apple, which have refused to create backdoors in their encryption systems. China also expressed its disagreement with the Court, stating that encryption of communications fosters the dissemination of illegal or dangerous content, such as terrorist propaganda, child pornography or hate speech. China recalled that it has adopted in 2016 a cybersecurity law, which requires companies to cooperate with authorities to provide encryption keys or means to bypass encryption.

The non-signatories of the European

Convention on Human Rights Some countries have not reacted to the ECHR decision, because they are not signatories of the European Convention on Human Rights. This is the case for example of Russia, which ceased to be a member of the Council of Europe on March 16, 2022, after the invasion of Ukraine decided by the Kremlin. The country no longer participates in the activities of the ECHR. This is also the case of many countries in Africa, Asia or Latin America, which are not part of the Council of Europe and which have not ratified the Convention.

The signatory countries of the European Convention on Human Rights

The European Convention on Human Rights is an international treaty adopted by the Council of Europe in 1950, which aims to protect human rights and fundamental freedoms in the states parties. It entered into force in 1953, after being ratified by ten countries: Belgium, Denmark, France, Ireland, Italy, Luxembourg, the Netherlands, Norway, Sweden and the United Kingdom .

Since then, the Convention has been ratified by 36 other countries, bringing the total number of states parties to 46. They are: Albania, Germany, Andorra, Armenia, Austria, Azerbaijan, Bosnia and Herzegovina, Bulgaria, Cyprus, Croatia, Estonia, Finland, Georgia, Greece, Hungary, Iceland, Latvia, Liechtenstein, Lithuania, Malta, Moldova, Monaco, Montenegro, North Macedonia, Poland, Portugal, Romania, Russia, San Marino, Serbia, Slovakia, Slovenia, Spain, Czech Republic, Turkey and Ukraine.

All these countries recognize the jurisdiction of the European Court of Human Rights (ECHR), which is in charge of ensuring the respect of the Convention. The ECHR can be seized by any person, group of persons or non-governmental organization who claims to be a victim of a violation of the Convention by one of the states parties. The ECHR can also be seized by a state party who alleges that another state party has violated the Convention. The ECHR delivers judgments that are final and binding for the states parties.

An innovative and sovereign alternative: the EviCypher NFC HSM technology

Facing the challenges of encryption of communications, some users may look for an alternative more innovative and sovereign than the traditional messaging applications. This is the case of the EviCypher NFC HSM technology, developed by the Andorran company Freemindtronic. This technology makes it possible to generate, store, manage and use AES-256 encryption keys to encrypt all communication systems, such as WhatsApp, sms, mms, rcs, Telegram, webmail, email client, private messaging like Linkedin, Skype, X and even via postal mail with encrypted QR code messages, etc.

EviCypher NFC HSM: A Secure and Innovative Solution for Encrypted Messaging

Firstly, it guarantees the confidentiality and integrity of data, even if the messaging services are compromised for any reason, including by a court order. Indeed, it is physically impossible for Freemindtronic, the manufacturer of the DataShielder products, to provide encryption keys generated randomly by the user. These keys are stored encrypted in AES-256 via segmented keys in the HSM and NFC HSM. Only the user holds the decryption keys, which he can erase at any time.

Secondly, it preserves the anonymity and sovereignty of users, because it works without server and without database. It does not require internet connection, nor user account, nor phone number, nor email address. It leaves no trace of its use, nor of its user. It does not depend on the policies or regulations of the countries or companies that provide the communication services.

Thirdly, it offers an extreme portability and availability of encryption keys, thanks to the NFC technology. The user can carry his encryption keys on a physical support, such as a card, a bracelet, a key ring, etc. He can use them with any device compatible with NFC, such as a smartphone, a tablet, a computer, etc. He can also share them with other trusted users, in a simple and secure way.

Lastly, it is compatible with the EviCore NFC HSM or EviCore HSM technology, which allows to secure the access to equipment and applications. The user can thus use the same physical support to encrypt his communications and to authenticate on his different digital services.

The EviCypher NFC HSM technology guarantees the confidentiality and integrity of data, even if the messaging services are compromised for any reason, including by a court order. Indeed, it is physically impossible for Freemindtronic, the manufacturer of the DataShielder products, to provide encryption keys generated randomly by the user. These keys are stored encrypted in AES-256 via segmented keys in the HSM and NFC HSM. Only the user holds the decryption keys, which he can erase at any time.

Transforming Encrypted Messaging with EviCypher NFC HSM

The European Court of Human Rights (ECHR) decisively highlights encrypted messaging’s vital role in protecting privacy and freedom of speech. EviCypher NFC HSM, aligning perfectly with these principles, emerges as a pioneering solution. It confronts the challenges of state surveillance and privacy breaches head-on, providing unmatched defense for private communications. EviCypher NFC HSM goes beyond the ECHR’s conventional security and privacy requirements. It crafts an inviolable communication platform that honors users’ privacy rights profoundly. With its innovative approach, EviCypher NFC HSM introduces new data protection standards, forging a robust barrier against government intrusion.

Global Reach and User Empowerment

EviCypher NFC HSM’s technology has a broad global impact, seamlessly addressing the varied encryption landscapes worldwide. It provides a consistent answer to privacy and security issues, disregarding geographic limits. This global applicability makes EviCypher NFC HSM an indispensable tool for users worldwide, solidifying its position as a guardian of global privacy.

Despite potential skepticism about new technologies, the user-friendly and accessible nature of EviCypher NFC HSM aims to dispel such doubts. It promotes wider adoption among those seeking to enhance their communication security. Its compatibility with diverse devices and straightforward operation simplify encryption, facilitating an effortless shift towards secure communication practices.

EviCypher NFC HSM: A Beacon of User Autonomy

EviCypher NFC HSM technology deeply commits to empowering users. It allows individuals to generate, store, and manage their encryption keys independently, giving them direct control. This autonomy not only improves data security but also demonstrates a strong commitment to protecting users’ fundamental rights. It resonates with the values emphasized across the discussion, providing an effective way to strengthen online privacy and security. EviCypher NFC HSM marks a significant leap forward in the movement towards a more secure and private digital landscape.

This technologie HSM stands out as a state-of-the-art, self-sufficient solution, perfectly in line with the ECHR’s decisions and the worldwide need for secure encrypted communication. It leads the charge in advancing user autonomy and security, signaling a crucial evolution in encrypted messaging towards unparalleled integrity.

Incorporating EviCypher’s distinctive features—its operation without servers or databases, interoperability, and backward compatibility with all current communication systems, such as email, SMS, MMS, RCS, and social media messaging, even extending to physical mail via encrypted QR codes—highlights its adaptability and innovative spirit. EviCypher’s resistance to zero-day vulnerabilities, due to encrypting communications upfront, further underscores its exceptional security. Operating anonymously and offline, it provides instant usability without requiring user identification or account creation, ensuring seamless compatibility across phone, computer, and communication systems.

Summary at encrypted messaging

Encrypted Messaging is crucial for the digital society. It protects internet users’ privacy and freedom of expression. But it also challenges security and public order. The European Court of Human Rights (ECHR) supported strong encryption on February 13, 2024. It defended the right to encryption, against states that want to access it. Several international organizations agree with this position. They emphasize the importance of encryption for human rights online. However, the ECHR decision sparked diverse reactions worldwide. Different countries have different views on encryption.

Our conclusion on Encrypted Messaging

EviCypher NFC HSM technology is an innovative and sovereign alternative for Encrypted Messaging. Users can generate, store, manage and use AES-256 encryption keys. They can encrypt all communication systems, such as WhatsApp, sms, mms, rcs, Telegram, webmail, email client, etc. EviCypher NFC HSM technology ensures data confidentiality and integrity. It works even if messaging services are compromised. It preserves users’ anonymity and sovereignty. It does not need server or database. It offers extreme portability and availability of encryption keys, thanks to NFC technology. It is compatible with EviCore NFC HSM or EviCore HSM technology. They secure access to equipment and applications.

DataShielder products provide EviCypher NFC HSM technology. They are contactless encryption devices, guardians of keys and secrets. Freemindtronic, an Andorran company specialized in NFC security, designs and manufactures them.

Human Limitations in Strong Passwords Creation

Digital image showing a confused user at a computer surrounded by complex password symbols

How to Create Strong Passwords Despite Human Limitations

Human Limitations in Strong Passwords are crucial in safeguarding our personal and professional data online. But do you know how to craft a robust password capable of thwarting hacking attempts? In this article, we delve into the impact of human factors on password security. Furthermore, you will gain insights on overcoming these limitations and creating formidable passwords.

2024 Digital Security

Why Encrypt SMS? FBI and CISA Recommendations

2024 Digital Security

French Minister Phone Hack: Jean-Noël Barrot’s G7 Breach

2024 Digital Security

Cyberattack Exploits Backdoors: What You Need to Know

2024 Digital Security

Google Sheets Malware: The Voldemort Threat

2024 Articles Digital Security News

Russian Espionage Hacking Tools Revealed

2024 Digital Security Spying Technical News

Side-Channel Attacks via HDMI and AI: An Emerging Threat

For comprehensive threat assessments and innovative solutions, delve into “Human Limitations in Strong Passwords.” Stay informed by exploring our constantly updated topics..

Human Limitations in Strong Passwords,” authored by Jacques Gascuel, the visionary behind cutting-edge sensitive data security and safety systems, offers invaluable insights into the field of human-created password security. Are you ready to improve your understanding of password protection?

Human Limitations in Strong Passwords: Cybersecurity’s Weak Link

Passwords are essential for protecting our data on the Internet. But creating a strong password is not easy. It requires a balance between security and usability. In this article, we will explain what entropy is and how it measures the strength of a password. We will also explore the limitations and problems associated with human password creation. We will show that these factors reduce entropy and password security, exposing users to cyber attacks. We will also provide some strategies and tips to help users create stronger passwords.

What is Entropy and How Does it Measure Password Strength?

Entropy is a concept borrowed from information theory. It measures the unpredictability and randomness of a system. The higher the entropy, the more disordered the system is, and the harder it is to predict.

In the context of passwords, entropy measures how many attempts it would take to guess a password through brute force. In other words, entropy measures the difficulty of cracking a password. The higher the entropy, the stronger the password is, and the harder it is to crack.

However, entropy is not a fixed value, but a relative measure that depends on various factors, such as the length, composition, frequency, and popularity of the password. We will explain these factors in more detail later.

How Do Cognitive Biases Influence Password Creation?

Cognitive Biases in Password Creation

Cognitive biases, such as confirmation bias and anchoring bias, significantly influence how users create passwords. Understanding “Human Limitations in Strong Passwords” is essential to recognize and overcome these biases for better password security.

Cognitive biases are reasoning or judgment errors that affect how humans perceive and process information. They are often the result of heuristics, mental shortcuts used to simplify decision-making. These biases can have adaptive advantages but also lead to errors or distortions of reality.

In password creation, cognitive biases can influence user choices, leading to passwords that make sense to them, linked to their personal life, culture, environment, etc. These passwords are often predictable, following logical or mnemonic patterns, reducing entropy.

For example, humans are subject to confirmation bias, thinking their password is strong enough because it meets basic criteria like length or composition, without considering other factors like character frequency or diversity.

They are also prone to anchoring bias, choosing passwords based on personal information like names, birthdates, pets, etc., not realizing this information is easily accessible or guessable by hackers.

Availability bias leads to underestimating cyber attack risks because they haven’t been victims or witnesses of hacking, or they think their data isn’t interesting to hackers.

Human Factors in Strong Password Development: Cognitive Biases

Strategies to Overcome Cognitive Biases

To mitigate the impact of cognitive biases, consider adopting better password practices:

  • Utilize a different password for each service, especially for sensitive or critical accounts, such as email, banking, or social media.
  • Employ a password manager, which is a software or application that securely stores and generates passwords for each service. Password managers can assist users in creating and recalling strong, random passwords, all while maintaining security and convenience.
  • Implement two-factor authentication, a security feature that necessitates users to provide an additional verification method, such as a code sent to their phone or email, or a biometric scan, in order to access their accounts. Two-factor authentication can effectively thwart hackers from gaining access to accounts, even if they possess the password.
  • Regularly update passwords, but refrain from doing so excessively, in order to prevent compromise by hackers or data breaches. Users should change their passwords when they suspect or confirm a breach or when they detect suspicious activity on their accounts. It’s also advisable for users to avoid changing their passwords too frequently, as this can lead to weaker passwords or password reuse.

Addressing Human Challenges in Secure Password Creation with Freemindtronic’s Advanced Technologies

Understanding Human Constraints in Robust Password Generation

The process of creating strong passwords often clashes with human limitations. Freemindtronic’s EviPass NFC HSM and EviPass HSM PGP technologies, integral to the PassCypher range, acknowledge these human factors in strong password development. By automating the creation process and utilizing Shannon’s entropy model, these technologies effectively mitigate the cognitive biases that typically hinder the creation of secure passwords.

Password Security and the Fight Against Cyber Attacks

In the context of increasing cyber threats, the security of passwords becomes paramount. Freemindtronic’s solutions offer a robust defense against cyber attacks by generating passwords that exceed conventional security standards. This approach not only addresses the human challenges in creating strong passwords but also fortifies the digital identity protection of users.

Leveraging Entropy in Passwords for Enhanced Security

The concept of entropy in passwords is central to Freemindtronic’s technology. By harnessing advanced entropy models, these systems ensure a high level of randomness and complexity in password creation, significantly elevating password security. This technical sophistication is crucial in overcoming human limitations in generating secure passwords.

Cognitive Biases in Passwords: Simplifying User Experience

Freemindtronic’s technologies also focus on the human aspect of password usage. By reducing the cognitive load through features like auto-fill and passwordless access, these systems address common cognitive biases. This user-friendly approach not only enhances the ease of use but also contributes to the overall strategy for strong password management.

Adopting Strong Password Strategies for Digital Identity Protection

Incorporating strong password strategies is essential in safeguarding digital identities. Freemindtronic’s technologies empower users to adopt robust password practices effortlessly, thereby enhancing digital identity protection. This is achieved through the generation of complex passwords and the elimination of the need for manual password management.

Elevating Password Security in the Digital Age

Freemindtronic’s EviPass NFC HSM and EviPass HSM PGP technologies are at the forefront of addressing human limitations in strong password creation. By integrating advanced entropy in passwords, focusing on user-centric design, and combating the risks of cyber attacks, these technologies are setting new benchmarks in password security and digital identity protection. Their innovative approach not only acknowledges but also effectively overcomes the human challenges in secure password creation, marking a significant advancement in the field of digital security.

Human Constraints in Robust Password Generation

There are various methods to help users create strong, memorable passwords. These methods have pros and cons, which should be understood to choose the most suitable for one’s needs.

Mnemonic Passwords: Balancing Memory and Security

Mnemonic passwords are based on phrases or acronyms, serving as memory aids. For example, using the phrase “I was born in 1984 in Paris” to create the password “Iwbi1984iP”.

Advantages of mnemonic passwords:

  • Easier to remember than random passwords, using semantic memory, more effective than visual or auditory memory.
  • Can be longer than random passwords, composed of multiple words or syllables, increasing entropy.

Disadvantages of mnemonic passwords:

  • Often predictable, following logical or grammatical patterns, reducing entropy.
  • Vulnerable to dictionary attacks, containing common words or personal information, easily accessible or guessable by hackers.
  • Difficult to type, containing special characters like accents or spaces, not always available on keyboards.

The Trade-Off Between Mnemonics and Entropy

To balance memory and security, users should use mnemonics that are not too obvious or common, but rather personal and unique. They should also avoid using the same mnemonic for different passwords, or using slight variations of the same mnemonic. They should also add some randomness or complexity to their mnemonics, such as numbers, symbols, or capitalization.

Random Passwords: Entropy and Ease of Use

Random passwords are composed of randomly chosen characters, without logic or meaning. For example, the password “qW7x#4Rt”.

Advantages of random passwords:

  • Harder to guess than mnemonic passwords, not following predictable patterns, increasing entropy.
  • More resistant to dictionary attacks, not containing common words or personal information.

Disadvantages of random passwords:

  • Harder to remember than mnemonic passwords, not using semantic memory.
  • Can be shorter than mnemonic passwords, composed of individual characters, reducing entropy.

Phrase-Based Passwords: Entropy and Ease of Use

Phrase-based passwords are composed of several words forming a phrase or expression. For example, the password “The cat sleeps on the couch”.

Advantages of phrase-based passwords:

  • Easier to remember than random passwords, using semantic memory.
  • Can be longer than random passwords, composed of multiple words, increasing entropy.

Disadvantages of phrase-based passwords:

  • Often predictable, following logical or grammatical patterns, reducing entropy.
  • Vulnerable to dictionary attacks, containing common words or expressions.
  • Difficult to type, containing spaces, not always accepted by online services.

Evaluating Phrase-Based Password Effectiveness

To evaluate the effectiveness of phrase-based passwords, users should consider the following criteria:

  • Phrase length plays a crucial role: Longer phrases tend to result in higher entropy. However, it’s important to strike a balance, as excessively long phrases can become challenging to type or recall.
  • The diversity of words also matters: Greater word diversity contributes to higher entropy. Nevertheless, it’s essential to avoid overly obscure words, as they might prove difficult to remember or spell.
  • Randomness in word selection boosts entropy: The more random the words, the greater the entropy. Yet, it’s necessary to maintain some level of coherence between words, as entirely unrelated words can pose memory and association challenges.

Human-Generated Random Passwords: Entropy and Ease of Use

Human-generated random passwords are composed of randomly chosen characters by the user, without logic or meaning. For example, the password “qW7x#4Rt”.

Advantages :

  • Harder to guess than mnemonic or phrase-based passwords, increasing entropy.
  • More resistant to dictionary attacks, not containing common words or personal information.

Disadvantages:

  • Harder to remember than mnemonic or phrase-based passwords.
  • Often biased by user preferences or habits, favoring certain characters or keyboard positions, reducing entropy.

The Risks of Low Entropy in Human-Created Passwords

Low entropy passwords have significant consequences on the security of personal and professional data. Weak passwords are more vulnerable to cyber attacks, especially brute force. Hackers can use powerful software or machines to test billions of combinations per second. Once the password is found, they can access user accounts, steal data, impersonate, or spread viruses or spam.

Consequences of Predictable Passwords on Cybersecurity

The consequences of predictable passwords on cybersecurity are:

  • Data breach: Hackers can access user data, such as personal information, financial records, health records, etc. They can use this data for identity theft, fraud, blackmail, or sell it to third parties.
  • Account takeover: Hackers can access user accounts, such as email, social media, online shopping, etc. They can use these accounts to impersonate users, send spam, make purchases, or spread malware.
  • Reputation damage: Hackers can access user accounts, such as professional or academic platforms, etc. They can use these accounts to damage user reputation, post false or harmful information, or sabotage user work or research.

Understanding the Vulnerability of Low Entropy Passwords

Password Length and Entropy

The vulnerability of passwords depends on various factors, including the length, composition, frequency, and popularity of the password. Understanding “Human Limitations in Strong Passwords” is crucial for safeguarding your online data. Longer and more complex passwords offer higher entropy and are harder to crack.

Composition Complexity

Complex passwords that include a variety of character types, such as lowercase, uppercase, numbers, and symbols, significantly enhance security. This aspect of “Human Limitations in Strong Passwords” is often overlooked, but it’s essential for creating robust passwords.

Common vs. Rare Passwords

The frequency and popularity of passwords play a vital role in their vulnerability. Common passwords, like “123456” or “password,” are easily guessed, while rare and unique passwords, such as “qW7x#4Rt” or “The cat sleeps on the couch,” provide more security.

Password Composition

The composition of a password is a critical factor. Passwords based on common words or personal information are easier for hackers to guess. Understanding the impact of “Human Limitations in Strong Passwords” can help you make informed choices about password composition.

These factors collectively influence the time required for brute force attacks to uncover a password. Longer durations enhance password security, but it’s essential to consider the evolving computing power of hackers, which can reduce the time required to crack passwords over time and with advancing technology. Another factor that affects the vulnerability of passwords is their frequency and popularity.

Recurring Password Changes: A Challenge to Password Entropy

Another human limitation in creating strong passwords is the recurrent need to change them. Often mandated by online services for security, regular changes can paradoxically weaken password strength. This practice burdens users with remembering multiple passwords and inventing new ones frequently. It leads to slight modifications of existing passwords rather than generating new, more random ones. This habit reduces password entropy, making passwords more predictable and vulnerable to cyber attacks.

Impact of Frequent Password Updates on Security

Studies have shown that users required to change passwords every 90 days tend to create weaker, less diverse passwords. Conversely, those with less frequent changes generate more random and secure passwords. This illustrates the counterproductive nature of too-frequent mandatory password updates.

The Counterproductive Nature of Mandatory Password Changes

Mandatory password changes are often imposed by online services for security reasons. They aim to prevent password compromise by hackers or leaks. However, mandatory password changes can have negative effects on password security, such as:

  • Elevating cognitive load entails users remembering multiple passwords for each service and crafting new passwords whenever needed.
  • Dampening user motivation occurs when individuals view password changes as unnecessary or ineffective, leading to a neglect of password quality.
  • Diminishing password entropy arises when users opt for making slight modifications to old passwords rather than generating entirely new and random ones.

These effects negatively impact password security, making passwords more predictable and vulnerable to cyber attacks.

Research Insights on Low Entropy in Human Passwords

In this section, we will present some sources and findings from scientific studies conducted by researchers from around the world on passwords and entropy. We have verified the validity and accuracy of these sources using web search and citation verification tools. We have also respected the APA citation style.

Analyzing Global Studies on Password Security

Several studies have analyzed the security of passwords based on real databases of passwords disclosed following leaks or hacks. These studies have measured the entropy and the strength of passwords, as well as the patterns and the behaviors of users. Some of these studies are:

Key Findings from Password Entropy Research

Some of the key findings from these studies are:

  • any users maintain low-entropy passwords, relying on common words, personal information, or predictable patterns.
  • Furthermore, they tend to reuse passwords across multiple services, thereby elevating the risk of cross-service compromise.
  • In addition, they typically refrain from changing passwords regularly, unless prompted to do so by online services or following a security breach.
  • Surprisingly, a significant portion of users remains unaware of the critical importance of password security or tends to overestimate the strength of their passwords.
  • Moreover, a considerable number of users exhibit reluctance towards the adoption of password managers or two-factor authentication, often citing usability or trust concerns.

These findings confirm the low entropy of human passwords, and the need for better password practices and education.

Password Reuse and Its Impact on Entropy

Another issue with human password creation is password reuse, a common practice among Internet users, who have to remember multiple passwords for different services. Password reuse consists of using the same or similar passwords for different accounts, such as email, social media, online shopping, etc. Password reuse can reduce the cognitive load and the effort required to create and remember passwords, but it also reduces the entropy and the security of passwords.

The Risks Associated with Password Reuse

The risks associated with password reuse are:

  • Cross-service compromise: If a password is discovered or compromised on one service, it can be used to access other services that use the same or similar password. For example, if a hacker obtains a user’s email password, they can use it to access their social media, online shopping, or banking accounts, if they use the same password or a slight variation of it.
  • Credential stuffing: Credential stuffing is a type of cyberattack that uses automated tools to test stolen or leaked usernames and passwords on multiple services. For example, if a hacker obtains a list of usernames and passwords from a data breach, they can use it to try to log in to other services, hoping that some users have reused their passwords.
  • Password cracking: Password cracking is a type of cyberattack that uses brute force or dictionary methods to guess passwords. For example, if a hacker obtains a user’s password hash, they can use it to try to find the plain text password, using lists of common or leaked passwords.

These risks show that password reuse can expose users to cyber threats, as a single password breach can compromise multiple accounts and data. Password reuse can also reduce the entropy of passwords, as users tend to use common or simple passwords that are easy to remember and type, but also easy to guess or crack.

Addressing the Security Flaws of Reusing Passwords

To mitigate the security vulnerabilities associated with password reuse, users should embrace improved practices for password creation and management. Some of these recommended practices include:

  • Utilize distinct passwords for each service, particularly for sensitive or crucial accounts such as email, banking, or social media. This approach ensures that if one password is compromised, it won’t jeopardize other accounts or data.
  • Employ a password manager, which is software or an application designed to securely store and generate passwords for each service. Password managers assist users in crafting and recalling strong, randomly generated passwords, all while upholding security and convenience. Additionally, these tools can notify users about password breaches or weak passwords, as well as suggest password changes or updates.
  • Implement two-factor authentication (2FA), a security feature demanding users to provide an additional verification method, such as a code sent to their phone or email, or a biometric scan. This extra layer of security thwarts hackers from gaining access to accounts solely through knowledge of the password, as they would require the second factor as well.
  • Adopt a regular password change strategy, though not excessively frequent, to preempt compromise by hackers or data leaks. Passwords should be modified when users suspect or verify a breach, or when they detect suspicious activity on their accounts. It’s also advisable to avoid changing passwords too frequently, as this can potentially result in weaker passwords or password reuse.

These practices can help users avoid password reuse and increase the entropy and security of their passwords. They can also reduce the cognitive load and the effort required to create and remember passwords, by using tools and features that simplify password creation and management.

Behavioral Resistance in Secure Password Practices

Another issue with human password creation is resistance to behavioral changes, a psychological phenomenon preventing users from adopting new habits or modifying old ones regarding passwords. Users are often reluctant to change passwords, even when aware of risks or encouraged to do so. This resistance can be due to factors like laziness, ignorance, confidence, fear, satisfaction, etc.

Overcoming Psychological Barriers in Password Security

Psychological barriers can hinder password security, as users may not follow the best practices or recommendations to create stronger passwords. To overcome these barriers, users need to be aware of the importance and benefits of password security, as well as the costs and risks of password insecurity. Some of the ways to overcome psychological barriers are:

  • Educating users about password security, explaining what entropy is, how it measures password strength, and how to increase it.
  • Motivating users to change passwords, providing incentives, feedback, or rewards for creating stronger passwords.
  • Persuading users to adopt password managers, demonstrating how they can simplify password creation and management, without compromising security or convenience.
  • Nudging users to use two-factor authentication, making it easy and accessible to enable and use this security feature.

Conclusion: Reinforcing Password Security Amidst Human Limitations

In this article, we have explained what entropy is and how it measures the strength of a password. We also explored the limitations and problems associated with human password creation, such as cognitive biases, human generation methods, password reuse, and resistance to behavioral changes. We have shown that these factors reduce entropy and password security, exposing users to cyber attacks. We have also provided some strategies and tips to help users create stronger passwords.

We hope this article has helped you understand the importance of password security and improve your password practices. Remember, passwords protect your digital identity and data online. Creating strong passwords is not only a matter of security, but also of responsibility.

Telegram and the Information War in Ukraine

Telegram and the information war in Ukraine
Telegram and the Information War in Ukraine written by Jacques Gascuel, inventor of sensitive data safety and security systems, for Freemindtronic. This article may be updated on this subject.

How Telegram Shapes the Information War in Ukraine

In this article, we explore how Telegram and Ukraine’s information warfare are intertwined. We look at how the messaging app is influencing the Russia-Ukraine conflict, and how it can be used for good or evil. We also discuss the benefits and risks of using Telegram, as well as how security and freedom of expression can be enhanced with EviCypher NFC HSM technology.

2024 Digital Security

Why Encrypt SMS? FBI and CISA Recommendations

2024 Digital Security

French Minister Phone Hack: Jean-Noël Barrot’s G7 Breach

2024 Digital Security

Cyberattack Exploits Backdoors: What You Need to Know

2024 Digital Security

Google Sheets Malware: The Voldemort Threat

2024 Articles Digital Security News

Russian Espionage Hacking Tools Revealed

2024 Digital Security Spying Technical News

Side-Channel Attacks via HDMI and AI: An Emerging Threat

How Telegram Influences the Conflict between Russia and Ukraine

Telegram and the information war in Ukraine are closely related. Telegram is a messaging app that offers users a secure and confidential way to communicate, thanks to its end-to-end encryption system. It has a large user base around the world, especially in Eastern Europe, where it plays a vital role in the information war between Russia and Ukraine.

Telegram’s Usage in Ukraine: Updated Statistics

Popularity and Download Trends

According to the report of the research company SimilarWeb, Telegram is the second most downloaded messaging app in Ukraine, after Viber, with 3.8 million downloads in 2021. It is also the fourth most used app in terms of time spent, with an average of 16 minutes per day. Telegram has about 10 million active users in Ukraine, which is almost a quarter of the country’s population.

Telegram’s Role in Ukrainian Media Landscape

Telegram is particularly appreciated by Ukrainians for its channel functionality, which allows to broadcast messages to a large audience. Some of these channels have become influential but controversial sources of information, as their owners and sources are often unknown. Among the most popular channels in Ukraine, we can mention:

  • @Zelenskyi, the official channel of President Volodymyr Zelensky, which has more than 2 million subscribers. It publishes announcements, speeches, interviews and videos of the head of state. It was created in 2019, during Zelensky’s election campaign, who was then an actor and a comedian.
  • @NashyGroshi, the channel of the journalistic project “Our Money”, which has more than 1.5 million subscribers. It publishes investigations, reports and analyses on corruption, abuse of power, political scandals and judicial cases in Ukraine. It was created in 2008, by journalist Denys Bihus, who received several awards for his work.
  • @Resident, the channel of blogger and activist Anatoliy Shariy, which has more than 1.3 million subscribers. It publishes comments, criticisms and sarcasms on the political and social news in Ukraine. He is known for his pro-Russian, anti-European and anti-government positions. He is currently in exile in Spain, where he is wanted by the Ukrainian justice for high treason and incitement to hatred.

These channels illustrate the diversity and complexity of the Ukrainian media landscape, which is marked by the conflict with Russia, the democratic transition, the fight against corruption and the polarization of society. They are also a reflection of the issues and challenges related to the use of Telegram, which can be both a tool of communication, information and manipulation.

Oleksiy Danilov’s Stance on Telegram’s Usage in Ukraine

Concerns Over National Security

Oleksiy Danilov is the secretary of the National Security and Defense Council of Ukraine, the body responsible for coordinating and controlling the activities of the executive bodies in the fields of national security and defense. He is also the head of cybersecurity of the country, and in this capacity, he expressed his reservations about the use of Telegram by Ukrainians. In February 2022, he stated that some anonymous and manipulative Telegram channels represented a threat to national security, and that they should be de-anonymized and regulated. He particularly targeted the channel @Resident, which broadcasts pro-Russian and anti-Ukrainian comments, and which is suspected of being linked to the Russian intelligence services. He also criticized the channel @Zelenskyi, which according to him, is not controlled by the Ukrainian president, but by advisers who seek to influence his policy.

Debating Telegram’s Influence in Ukraine

These statements provoked mixed reactions in Ukraine. Some supported Danilov’s position, believing that it was necessary to fight against misinformation and propaganda that undermine the sovereignty and democracy of the country. Others denounced an attempt at censorship and an attack on freedom of expression, recalling that Telegram was one of the few spaces where Ukrainians could access independent and diverse information.

How Telegram Influences the Information War in Ukraine

The Benefits and Risks of End-to-End Encryption

Telegram is a messaging app that lets you send messages, photos, videos, documents, and make voice and video calls. Its privacy policy is based on data encryption and non-cooperation with authorities. You can also create groups and channels that can reach thousands or millions of users.

End-to-end encryption is a technology that makes sure only the people in a conversation can read the messages, not even the service provider. Telegram has this option, but it is not on by default. You have to choose it for each chat, by switching to the “secret chat” mode. However, Telegram’s encryption is not based on standard protocols, and security experts have found some flaws.

Anonymous Channels and Their Impact on the Ukrainian Conflict

The channels are spaces where an administrator can send messages to a large audience. They can be public or private, and they can have millions of followers. Some channels are influential but controversial sources of information, as their owners and sources are often unknown. The channels can spread misinformation, propaganda, fake news, or violence.

Telegram and Russian propaganda have a strong connection, as many pro-Russian channels use the app to influence the public opinion in Ukraine and other countries. Telegram and the Ukrainian resistance also use the app to communicate and organize their actions against the Russian aggression.

Bots, Payment Services and Unique Usernames: A Double-Edged Sword

Bots are programs that interact with users. They offer services, information, or entertainment. Anyone can create them. They can be part of chats or channels. Bots can be helpful or harmful. They can collect personal data, send spam, or spread viruses.

Payment Services: Handy or Dishonest?

You can also use payment services via Telegram. These features use third-party platforms, such as Stripe or Apple Pay. They need bank or credit card information. Payment services can be handy or dishonest. They can steal sensitive data, scam users, or fund illegal activities.

Unique Usernames: Fun or Troublesome?

Another feature of Telegram is the unique usernames. They let users contact each other easily, without sharing their phone number. Users can create and change them at any time. Unique usernames can be fun or troublesome. They can enable harassment, identity theft, or account sale.

These features of Telegram raise issues of cybersecurity, privacy, end-to-end encryption, and application security. They can be used by bad actors, who want to harm Ukraine or its people. They can also be regulated by the authorities, who want to control the information or access the data of the users.

Telegram and the Information War in Ukraine: A Challenge

One of the main challenges of Telegram and the information war in Ukraine is to balance the freedom of expression and the protection of national security. Telegram and the Ukrainian conflict are closely intertwined. The app is used by both sides to communicate, inform, and influence. Telegram and Russian propaganda have a strong connection. Many pro-Russian channels use the app to sway the public opinion in Ukraine and other countries. Telegram and the Ukrainian resistance also use the app to coordinate and organize their actions against the Russian aggression. Telegram and cybersecurity in Ukraine are also crucial. The app can be a source of threats or a tool of defense.

Telegram VS Other Messaging Apps: A Comparative Analysis

WhatsApp: Popular but Questionable Confidentiality

WhatsApp is the most popular messaging app in the world, with more than 2 billion users. It offers end-to-end encryption by default for all conversations, which guarantees the protection of data. However, it belongs to Facebook, which has a dubious reputation in terms of respect for privacy, and which has raised fears about the sharing of data with other applications of the group. WhatsApp is also subject to the requests of the authorities, who can demand access to the metadata, such as the phone number, the IP address or the location of the users.

Signal: High Security but Limited User Base

Signal is a messaging app that claims to be the most secure and confidential on the market. It also offers end-to-end encryption by default for all conversations, and it does not collect any personal data. It is developed by a non-profit organization, which does not depend on advertising or investors. It is recommended by personalities such as Edward Snowden or Elon Musk. Signal is however less popular than WhatsApp or Telegram, with about 50 million users. It also offers fewer features, such as file sharing, information channels, bots or payment services.

Telegram: Innovative but Security Concerns

Telegram is between these two apps, offering more features than Signal, but less security than WhatsApp. Telegram allows users to choose the level of encryption and privacy they want, by opting for the “secret chat” mode or the “normal chat” mode. Telegram also allows users to enjoy innovative services, such as channels, bots, payments or unique usernames. However, Telegram also presents risks, such as fakes news, inappropriate content, privacy breaches or cyberattacks. Telegram is therefore an app that offers advantages and disadvantages, and that requires vigilance and discernment from users.

Telegram’s Global Perception and Regulation

Russia: Origin and Opposition

Russia is the country of origin of Telegram, but also its main adversary. The Kremlin tried to block the app in 2018, invoking reasons of national security and fight against terrorism. It demanded that Telegram provide it with the encryption keys to access the messages of the users, which Pavel Durov refused. It then ordered the telecom operators to block access to Telegram, but this measure proved ineffective, as Telegram used cloud servers to bypass the blocking. Many Russian users also use VPNs or proxies to access the app. In 2020, the Kremlin finally lifted the ban on Telegram, acknowledging its failure and stating that the app had cooperated with the authorities to remove extremist content. However, some observers suspect that Telegram made concessions to the Kremlin to lift the blocking, such as collaborating with the Russian services or censoring some channels.

France: Striving for Digital Regulation

France is a country that wants to be at the forefront of the regulation of digital platforms, especially in terms of fighting online hate. It adopted in 2020 a law that obliges the platforms to remove illegal content, such as incitement to violence, discrimination or terrorism, within 24 hours, under penalty of financial sanctions. This law also applies to messaging apps, such as Telegram, which must set up reporting and moderation mechanisms for content. France recognizes the right of users to privacy and end-to-end encryption, but it also asks the service providers to cooperate with the law enforcement to access the encrypted data when needed. France is also a country where Telegram is used by radical groups, such as jihadists or yellow vests, who take advantage of the app to organize, mobilize or defend themselves.

Ukraine: Balancing Utility and Risks

Ukraine is a country that has an ambivalent attitude towards Telegram, recognizing its usefulness, but also its dangers. On the one hand, Telegram is a source of information and a tool of resistance for many Ukrainians, who face the threat of Russian aggression and the challenges of democratic transition. On the other hand, Telegram is also a vector of misinformation and propaganda, which can undermine the sovereignty and stability of the country. Ukraine does not have a specific law to regulate Telegram, but it has some legal provisions to protect national security and public order, which can be used to restrict or block the app if necessary. Ukraine also cooperates with international organizations, such as the EU or NATO, to counter the cyber threats and the hybrid warfare that target the country.

EviCypher NFC HSM: Enhancing Telegram’s Security

The Role of Contactless Encryption Technology

One of the main challenges of using Telegram is to ensure the security and confidentiality of the data exchanged, especially in a context of information war. To meet this challenge, a possible solution consists of using EviCypher NFC HSM technology, which is a contactless encryption technology developed by Freemindtronic, an Andorran company specializing in the design of counter-espionage solutions implementing in particular contactless security with NFC technology. EviCypher NFC HSM uses two types of encryption algorithms for data:

  • Symmetric encryption in AES-256 for data such as texts (messages), thanks to its sub-technology EviCrypt. It uses a unique key, which is randomly generated and segmented into several parts. This key is used to encrypt and decrypt messages with the AES 256-bit algorithm.
  • Asymmetric encryption in RSA-4096 for symmetric encryption keys. It uses a pair of keys, which is generated and used from the NFC HSM device and which is based on the RSA 4096-bit algorithm. This pair of keys is used to share the symmetric key of at least 256 bits between the NFC HSM devices remotely, by encrypting the symmetric key with the public key of the recipient and decrypting the symmetric key with the private key of the recipient. The symmetric key is then stored and re-encrypted in the NFC HSM device of the recipient, with the trust criteria imposed by the sender if he has encapsulated them in the shared encryption key.

Practical Applications of EviCypher NFC HSM

EviCypher NFC HSM is a technology that uses hardware security modules (HSM) to store and use encrypted secrets. It allows contactless encryption with the NFC communication protocol. You can integrate the NFC HSM into various media, such as a card, a sticker, or a key ring. Then, you can pair it with an NFC phone, tablet, or computer. This way, you can encrypt everything before using any messaging service, including Telegram. EviCypher NFC HSM also has anti-cloning, anti-replay, and counterfeit detection mechanisms. It is part of the DataShielder product range, which offers serverless and databaseless encryption solutions.

Telegram and the Ukrainian conflict

EviCypher NFC HSM is compatible with Telegram, a messaging app that influences the information war between Russia and Ukraine. It offers more security and confidentiality than Telegram’s end-to-end encryption, which is not based on recognized standards. It also gives you more flexibility and control than Telegram’s secret chat mode, as you can choose the trust criteria for the encryption keys. Moreover, it is more convenient and simple than Telegram’s normal chat mode, as you can encrypt and decrypt messages with a simple gesture.

Telegram and cybersecurity in Ukraine

EviCypher NFC HSM is a useful technology with Telegram, as it enhances the security and confidentiality of the data exchanged, especially in a context of information war. It is also a universal technology, as you can use it with any other messaging app, such as WhatsApp, Signal, Messenger, etc. It is also an innovative technology, as it uses the NFC communication protocol to perform contactless encryption, without requiring any connection or installation.

Concluding Insights on Telegram’s Role in Ukraine

In this article, we have seen how Telegram plays a vital role in the information war between Russia and Ukraine, and what issues and challenges there are in using this messaging app. We have also seen how the technology EviCypher NFC HSM can be a useful solution to enhance the security and confidentiality of the data exchanged with Telegram. We hope that this article has been informative and interesting for you, and that it has helped you to better understand the situation of Telegram in Ukraine and in other countries. Thank you for reading.

Overview of Cited Sources

Here are the sources of the article, which are valid, reliable, relevant and if possible official links that allow to justify and verify the statements made in this article:

  • [Liga.net]: the news site that published the interview of Oleksiy Danilov on November 2, 2023, in which he expresses his concerns about Telegram.
  • [NV.ua]: the news site that reported the statement of Oleksiy Danilov, who alerted the nation to the critical vulnerabilities of Telegram, on November 2, 2023.
  • [RT – Pravda]: the Ukrainian news site that related the remarks of Oleksiy Danilov, who answered the questions of journalists during a press conference on November 3, 2023.
  • [Number of Telegram Users in 2023? 55 Telegram Stats (backlinko.com)]: an article that gives figures on the use of Telegram in the world and in Ukraine.
  • [NV.ua -NSDC]: the official website of the National Security and Defense Council of Ukraine, which published the press release of Oleksiy Danilov, who clarified his recent comments on Telegram, on November 15, 2023
  • [Ukrainians turn to encrypted messengers, offline maps and Twitter amid Russian invasion]: an article that describes how Ukrainians use Telegram and other digital tools to protect themselves and get informed in the face of the Russian aggression.
  • [Pravda – France 24]: the French news site that contains a video of the interview of Oleksiy Danilov with the journalist Gulliver Cragg, dated January 23, 2023.
  • [NFC HSM Technology – Freemindtronic]: an article that explains the NFC HSM technologies and how they work.
  • [EviCypher NFC HSM technology – Freemindtronic]: a page that contains articles and videos on the NFC HSM technologies.
  • [FAQ for the Technically Inclined – Telegram APIs]: a page that provides technical information about the Telegram APIs and the MTProto protocol.

New EU Data Protection Regulation 2023/2854: What you need to know

New EU Data Protection Regulation 2023/2854: What you need to know
Learn more about the new European Data Protection Regulation (2023/2854) written by Jacques Gascuel, inventor of sensitive data safety and security systems, for Freemindtronic. This article may be updated on this subject.

EU 2023/2854 Data Protection Rules: what you need to know

The EU has adopted a new regulation to protect personal data published in OJ L, 2023/2854 on 22.12.2023. How does this impact you and your business? Learn more in this article and discover why Freemindtronic innovations are already compliant.

2023 Articles Cardokey Eco-friendly EviSwap NFC NDEF Technology GreenTech

NFC Business Cards with Cardokey free for life: How to Connect without Revealing

2023 Articles Cyberculture EviCore HSM OpenPGP Technology EviCore NFC HSM Browser Extension EviCore NFC HSM Technology Legal information Licences Freemindtronic

Unitary patent system: why some EU countries are not on board

Andorran law

Llei 26/2014 del 30 d’octubre de patents

Articles Crypto Currency Cryptocurrency Digital Security EviPass Technology NFC HSM technology Phishing

Ledger Security Breaches from 2017 to 2023: How to Protect Yourself from Hackers

What you need to know about the new EU data protection regulation (2023/2854)

Personal data is a valuable asset in the digital age, but also a vulnerable asset. This is why the European Union has adopted a new regulation to protect the personal data of individuals in the EU. Data

Protection Regulation (EU) 2023/2854 supplements and updates the General Data Protection Regulation (GDPR), which has been in force since 2018. The new regulation introduces additional procedural rules for the application of the GDPR, particularly in cross-border cases. It also creates the European Data Protection Authority (EDPA), a new independent body that ensures the consistent application of EU data protection rules across the EU. The new regulation will come into force on November 26, 2024. In this article, we will explain the main provisions of the new regulation, its advantages and disadvantages, its international scope and its reactions and controversies.

We will also show you how some products and technologies from Freemindtronic, an Andorran company specialized in security and cybersecurity of computer and information systems, already comply with the new regulation, since they offer innovative and ecological solutions to protect the personal data without using servers, databases, online accounts or identifiers.

The main provisions of the EU data protection law

Several measures to ensure the security, confidentiality and integrity of personal data are introduced by the EU data protection law. These measures are:

  • Declaration of the activity and the processing practices. The controllers and the managers of the entities that process personal data must declare them to the national data protection authorities (NDPA) and to EDPA. The EDPA is a new independent body. It oversees the consistent application of the EU data protection rules across the EU. It also cooperates with the NDPA and the other EU institutions. The goal is to ensure the protection of personal data.
  • Implementation of technical and organizational measures. The controllers and the managers of the entities that process personal data must implement them to prevent the risks of damage or loss of data. For example, these measures include the encryption of data, the pseudonymization of data, the limitation of data access, the regular testing of data security, the notification of data breaches, and the appointment of a data protection officer.
  • Reinforcement of the rights of the persons concerned. They have reinforced rights, such as the right of access, the right of opposition, the right of erasure, the right to data portability and the right to restriction of processing. These rights allow the persons to obtain information about the processing of their data, to object to certain types of processing, to request the deletion of their data, to transfer their data to another entity, and to limit the processing of their data in certain cases.
  • Provision of administrative sanctions. The regulation provides them. They can reach up to 20 million euros or 4% of the annual global turnover, depending on the severity of the infringement. The NDPA or the EDPA, depending on the case, impose these sanctions. The national courts or the Court of Justice of the European Union can hear the appeals.

The advantages and disadvantages of the EU data protection reform

The EU data protection reform has pros and cons for different actors involved.

The benefits for the persons whose data are processed

The regulation offers a better protection of their rights and interests. They can control more the use of their data and benefit from a high level of security. Moreover, they have an easy and fast access to the information related to the processing of their data, as well as to the remedies in case of dispute. For instance, a person can request a copy of their data from an online platform. If they find any inaccurate or outdated data, they can ask for a correction or an update. They can also withdraw their consent to the processing of their data at any time, or ask for the deletion of their data if they no longer want to use the platform.

The drawbacks for the controllers and the managers of the entities that process personal data

The regulation imposes additional obligations and stricter constraints on them. They must comply with harmonized rules within the EU, while taking into account the national and regional specificities. Furthermore, they face more severe sanctions in case of non-compliance with the regulation. For example, an entity that processes personal data of persons located in the EU must declare its activity and its processing practices to the NDPA and the EDPA.

It must also obtain the prior consent of the persons for the processing of their data, unless there is a legal basis for the processing. The entity must process the data in a lawful, fair and transparent manner, and collect them for specific, explicit and legitimate purposes. It must also respect the principles of data minimization, data accuracy, data storage limitation, data integrity and data confidentiality.

The international scope of the EU data protection rules

The EU data protection rules have an international scope, as they apply to any entity that processes personal data of persons located in the EU, whether it is established or not in the EU. The regulation therefore requires foreign entities to respect the same rules as European entities, under penalty of sanctions. It aims to ensure an equivalent level of protection for personal data transferred outside the EU.

For this purpose, the regulation establishes different mechanisms to ensure the adequacy of the data protection in the third countries or the international organizations that receive the data. These mechanisms include, for example, the adoption of adequacy decisions by the European Commission, the use of standard contractual clauses, the adherence to binding corporate rules, or the certification by approved schemes.

The reactions and controversies of the EU data protection regulation

The EU data protection regulation has provoked diverse reactions, ranging from approval to contestation.

Positive reactions

Some actors have welcomed the interest of the regulation to strengthen the trust and to foster the technological evolution in the field of data protection. They have highlighted the innovative and ambitious character of the regulation, which places the EU at the forefront of the protection of personal data. For example, the European Data Protection Supervisor (EDPS), the independent advisor of the EU institutions on data protection issues, has praised the regulation as a “historic achievement” and a “major step forward” for the protection of the fundamental rights of the individuals in the digital age.

Negative reactions

Some actors have criticized the obligation to inform the NDPA and the EDPA about the activity and the processing practices of personal data. They have considered that it could infringe their national sovereignty or that it could create a risk of illegal or fraudulent exercise by some foreign entities. They have also expressed their concern about the complexity and the heaviness of the regulation, which could hinder the competitiveness and the growth of the entities that process personal data. For example, some member states, such as France, Germany, Italy or Spain, have raised objections or reservations about certain aspects of the regulation.

These aspects include the role and the powers of the EDPA, the criteria and the procedures for the adequacy decisions, or the level and the distribution of the sanctions.

How Freemindtronic products and technologies protect personal data

Freemindtronic is an Andorran company that specializes in security and cybersecurity of computer systems and information systems. It designs and develops green technology products and services under white label, based on contactless technology (NFC). Some of its products are PassCypher, DataShielder, SeedNFC or Cardokey, which use embedded technologies such as EviCore NFC HSM, EviCore HSM OpenPGP or EviCore NFC HSM Browser Extension.

These products and technologies have several advantages for the protection of personal data, compared to traditional solutions based on servers, databases, online accounts or identifiers. Indeed, they work without server, without database, anonymously from end to end, without the need to create an account on the internet or to identify themselves to use the products. Therefore, they reduce the risks of loss or damage of data, respect the rights of the persons concerned, and comply with the harmonized rules in the EU. These products and technologies of Freemindtronic are already compliant with the European regulation on data protection, because they respect the principles of security, confidentiality and integrity of data, as well as the rights of the persons concerned. They offer an innovative and ecological alternative to traditional solutions, which may present risks or constraints for data protection.

Conclusion

The regulation (EU) 2023/2854 is an important text for the protection of personal data in the EU. It introduces measures to ensure the security, confidentiality and integrity of data, as well as to reinforce the rights of the persons concerned. It applies to any entity that processes personal data of persons located in the EU, whether it is established or not in the EU. It was adopted within the legislative process on the fundamental rights in the EU, but it also provoked reactions and controversies between some member states. It will enter into force on November 26, 2024.

RSA Encryption: How the Marvin Attack Exposes a 25-Year-Old Flaw

NFC HSM Devices and RSA 4096 encryption a new standard for cryptographic security serverless databaseless without database by EviCore NFC HSM from Freemindtronic Andorra
Marvin attack RSA algorithm & NFC HSM RSA-4096 by Jacques Gascuel: This article will be updated with any new information on the topic.

Decrypting Marvin’s Assault on RSA Encryption!

Simply explore the complex area of ​​RSA encryption and discover strategies to repel Marvin’s attack. This article examines the intricacies of RSA 4096 encryption, ensuring your cryptographic keys and secrets are protected. Discover an innovative NFC HSM RSA 4096 NFC encryption protocol, serverless and databaseless.

2024 Digital Security

Why Encrypt SMS? FBI and CISA Recommendations

2024 Digital Security

French Minister Phone Hack: Jean-Noël Barrot’s G7 Breach

2024 Digital Security

Cyberattack Exploits Backdoors: What You Need to Know

2024 Digital Security

Google Sheets Malware: The Voldemort Threat

2024 Articles Digital Security News

Russian Espionage Hacking Tools Revealed

2024 Digital Security Spying Technical News

Side-Channel Attacks via HDMI and AI: An Emerging Threat

How the RSA Encryption – Marvin Attack Reveals a 25-Year-Old Flaw and How to Protect Your Secrets with the NFC HSM Devices

RSA encryptionRSA encryption is one of the most widely used encryption algorithms in the world, but it is not flawless. In fact, a vulnerability of RSA encryption, known as the Marvin attack, has existed for over 25 years and could allow an attacker to recover the private key of a user from their public key. This flaw, which exploits a mathematical property of RSA encryption, was discovered in 1998 by the cryptographer Daniel Bleichenbacher, but it was never fixed or disclosed to the public. In the first part of this article, we will explain in detail how the Marvin attack works and what it means for the security of RSA encryption.

Moreover, NFC HSM and RSA 4096 represent a new dimension in cryptographic security. These technologies allow you to protect and use your cryptographic keys and secrets within a contactless device that communicates with your smartphone through NFC (Near Field Communication). The main advantage they offer is the formidable defense against cyberattacks, achieved by implementing state-of-the-art encryption algorithms and strong security protocols. You can discover more about the very simple functioning of NFC HSM devices for RSA 4096 encryption, as well as their multiple benefits, by reading until the end of this article. Moreover, we will highlight how Freemindtronic used the extreme level of safety of an NFC HSM device to establish, without contact and only on demand, a virtual communication tunnel encrypted in RSA-4096 without a server, without a database, from an NFC HSM device.

The Marvin Attack: Unveiling a 25-Year-Old RSA Flaw

Understanding the Marvin Attack

The Marvin attack targets the RSA algorithm, a foundational asymmetric encryption technique characterized by the use of two distinct keys: a public key and a private key. The public key serves to encrypt data, while the private key is responsible for decryption. These keys mathematically intertwine, yet revealing one from the other presents an exceedingly challenging task.

Named after Marvin the Paranoid Android from “The Hitchhiker’s Guide to the Galaxy,” this attack exploits a vulnerability in the RSA algorithm discovered by Swiss cryptographer Daniel Bleichenbacher in 1998. The vulnerability relates to the padding scheme that the RSA algorithm uses to introduce random bits into the data before encryption. The padding scheme has a design. It makes the encrypted data look random. It also thwarts attacks based on statistics. However, Bleichenbacher showed his ingenuity. He sent special messages to a server. The server used RSA encryption. By doing so, he could learn about the padding scheme. He could also recover the private key.

Implications of the Marvin Attack

The Marvin attack has profound implications for the security and confidentiality of your secrets. If an attacker successfully retrieves your private key, they gain unfettered access to decrypt all your encrypted data and compromise your confidential information. Furthermore, they can impersonate you by signing messages or executing transactions on your behalf.

The Marvin attack isn’t limited to a single domain; it can impact any system or application that uses RSA encryption with a vulnerable padding scheme. This encompasses web servers that employ HTTPS, email servers that use S/MIME, and blockchain platforms that rely on digital signatures.

Notably, NFC HSM devices that use RSA encryption for secret sharing are vulnerable to the Marvin attack. NFC HSM, short for Near Field Communication Hardware Security Module, is a technology facilitating the storage and utilization of cryptographic keys and secrets within contactless devices such as cards, stickers, or keychains. These devices communicate with smartphones via NFC, a wireless technology enabling short-range data exchange between compatible devices.

If an attacker intercepts communication between your NFC HSM device and smartphone, they may try a Marvin attack on your device, potentially recovering your private key. Subsequently, they could decrypt secrets stored within your device or gain access to your online accounts and services.

The Common Factor Attack in RSA Encryption

Understanding the Common Factor Attack

In the realm of RSA encryption, attackers actively exploit a vulnerability known as the Common Factor Attack. Here’s a concise breakdown:

1. Identifying Shared Factors

  • In RSA encryption, public keys (e, n) and private keys (d, n) play pivotal roles.
  • Attackers meticulously seek out common factors within two public keys, exemplified by (e1, n1) and (e2, n2).
  • Upon discovering a shared factor, their mission gains momentum.

2. Disclosing the Missing Factor

  • Once a common factor ‘p’ surfaces, uncovering its counterpart ‘q’ becomes relatively straightforward.
  • This is achieved through the simple act of dividing one key’s module by ‘p’.

3. Attaining Private Keys

  • Empowered with ‘p’ and ‘q,’ attackers adeptly compute private keys like ‘d1’ and ‘d2.’
  • This mathematical process involves modular inverses, bestowing them with access to encrypted content.

4. Decrypting Messages with Precision

  • Armed with private keys ‘d1’ and ‘d2,’ attackers skillfully decrypt messages initially secured by these keys.
  • Employing the formula ‘m = c^d mod n,’ they meticulously unlock the concealed content.

This simplified overview sheds light on the Common Factor Attack in RSA encryption. For a more comprehensive understanding, delve into further details here

Safeguarding Against the Marvin Attack

To fortify your defenses against the Marvin attack, it is imperative to employ an updated version of the RSA algorithm featuring a secure padding scheme. Secure padding ensures that no information about the encrypted data or private key is leaked. For example, you can adopt the Optimal Asymmetric Encryption Padding (OAEP) scheme, a standard endorsed by RSA Laboratories.

Additionally, utilizing a reliable and secure random number generator for generating RSA keys is essential. A robust random number generator produces unpredictable and difficult-to-guess random numbers, a critical element for the security of any encryption algorithm, as it guarantees the uniqueness and unpredictability of keys.

The Marvin attack, though a 25-year-old RSA flaw, remains a persistent threat capable of compromising the security of RSA-encrypted data and communications. Vigilance and adherence to cryptographic best practices are essential for shielding against this menace.

Choosing a trusted and certified provider of NFC HSM devices and RSA encryption services is equally pivotal. A reputable provider adheres to industry-leading security and quality standards. Freemindtronic, a company based in Andorra, specializes in NFC security solutions and has developed a plethora of technologies and patents grounded in NFC HSM devices and RSA 4096 encryption. These innovations offer a spectrum of advanced features and benefits across diverse applications.

In the following section, we will delve into why Freemindtronic has chosen to utilize RSA 4096 encryption in the context of the Marvin attack. Additionally, we will explore how Freemindtronic secures secret sharing among NFC HSM devices, elucidate the concept of NFC HSM devices, and unveil the advantages and benefits of the technologies and patents pioneered by Freemindtronic.

How Does RSA 4096 Work?

RSA 4096 is built upon the foundation of asymmetric encryption, employing two distinct keys: a public key and a private key. The public key can be freely disseminated, while the private key must remain confidential. These keys share a mathematical relationship, but uncovering one from the other poses an exceptionally daunting challenge.

RSA 4096 hinges on the RSA algorithm, relying on the formidable complexity of factoring a large composite number into the product of two prime numbers. RSA 4096 employs prime numbers of 4096 bits in size, rendering factorization virtually impossible with current computational capabilities.

RSA 4096 facilitates four primary operations:

  1. Encryption: Transforming plaintext messages into encrypted messages using the recipient’s public key. Only the recipient can decrypt the message using their private key.
  2. Decryption: Retrieving plaintext messages from encrypted ones using the recipient’s private key. Only the recipient can perform this decryption.
  3. Signature: Adding an authentication element to plaintext messages using the sender’s private key. The recipient can verify the signature using the sender’s public key.
  4. Signature Verification: Validating the authenticity of plaintext messages and their sender using the sender’s public key.

In essence, RSA 4096 ensures confidentiality, integrity, and non-repudiation of exchanged messages.

But how can you choose and utilize secure RSA keys? Are there innovative solutions available to bolster the protection of cryptographic secrets? This is the focal point of our next section, where we will explore the technologies and patents developed by Freemindtronic for RSA 4096 secret sharing among NFC HSM devices.

Technologies and Patents Developed by Freemindtronic for RSA 4096 Secret Sharing among NFC HSM Devices

Freemindtronic employs RSA 4096 to secure the sharing of secrets among NFC HSM devices, driven by a commitment to robust security and trust. RSA 4096 stands resilient against factorization attacks, the most prevalent threats to RSA encryption. It upholds the confidentiality, integrity, and non-repudiation of shared secrets.

Freemindtronic is acutely aware of the potential vulnerabilities posed by the Marvin attack. This attack can compromise RSA if the prime numbers used to generate the public key are too close in proximity. Therefore, Freemindtronic diligently adheres to cryptographic best practices when generating robust and random RSA keys. This involves using large prime numbers, usually larger than 2048 bits, and employing a dependable and secure random number generator Freemindtronic regularly validates the strength of RSA keys through online tools or other means and promptly replaces keys suspected of weakness or compromise.

In summary, Freemindtronic’s selection of RSA 4096 is informed by its robustness. This choice is complemented by unwavering adherence to cryptographic best practices. The incorporation of the EVI protocol bolsters security, ensuring the imperviousness of secrets shared among NFC HSM devices. This will be further elucidated in the following sections

Why Freemindtronic Utilizes RSA 4096 Against the Marvin Attack

Freemindtronic’s choice to utilize RSA 4096 for securing secret sharing among NFC HSM devices is grounded in its status as an asymmetric encryption algorithm renowned for delivering a high level of security and trust. RSA 4096 effectively resists factorization attacks, which are among the most prevalent threats against RSA encryption. It guarantees the confidentiality, integrity, and non-repudiation of shared secrets.

To address the potential consequences of the Marvin attack, Freemindtronic meticulously follows cryptographic best practices when generating strong and random RSA keys. The company employs prime numbers of substantial size, typically exceeding 2048 bits, in conjunction with a reliable and secure random number generator. Freemindtronic vigilantly validates the strength of RSA keys and promptly replaces them if any suspicions of weakness or compromise arise.

Moreover, Freemindtronic harnesses the power of the EVI (Encrypted Virtual Interface) protocol, which enhances RSA 4096’s security profile. EVI facilitates the exchange of RSA 4096 public keys among NFC HSM devices, introducing a wealth of security measures, including encryption, authentication, anti-cloning, anti-replay, anti-counterfeiting, and the use of a black box. EVI also enables the transmission of secrets encrypted with the recipient’s RSA 4096 public key, using the same mechanism.

In summary, Freemindtronic’s selection of RSA 4096 is informed by its robustness, complemented by unwavering adherence to cryptographic best practices. The incorporation of the EVI protocol bolsters security, ensuring the imperviousness of secrets shared among NFC HSM devices. This will be further elucidated in the following sections.

How Freemindtronic Utilizes RSA 4096 to Secure Secret Sharing Among NFC HSM Devices

Freemindtronic leverages RSA 4096 to fortify the security of secret sharing among NFC HSM devices, following a meticulously orchestrated sequence of steps:

  1. Key Generation: RSA 4096 key pairs are generated on each NFC HSM device, utilizing a dependable and secure random number generator.
  2. Public Key Exchange: The RSA 4096 public keys are exchanged between the two NFC HSM devices using the EVI (Encrypted Virtual Interface) protocol. EVI introduces multiple layers of security, including encryption, authentication, anti-cloning, anti-replay, anti-counterfeiting measures, and the use of a black box.
  3. Secret Encryption: The secret is encrypted using the recipient’s RSA 4096 public key, employing a hybrid encryption algorithm that combines RSA and AES.
  4. Secure Transmission: The encrypted secret is transmitted to the recipient, facilitated by the EVI protocol.
  5. Secret Decryption: The recipient decrypts the secret using their RSA 4096 private key, employing the same hybrid encryption algorithm.

Through this meticulous process, Freemindtronic ensures the confidentiality, integrity, and non-repudiation of secrets exchanged between NFC HSM devices. This robust approach thwarts attackers from reading, altering, or falsifying information protected by RSA 4096.

But what exactly is an NFC HSM device, and what communication methods exist for secret sharing among these devices? What are the advantages and benefits offered by the technologies and patents pioneered by Freemindtronic? These questions will be addressed in the subsequent sections.

What Is an NFC HSM Device?

An NFC HSM (Near Field Communication Hardware Security Module) is a specialized hardware security module that communicates wirelessly with an Android smartphone via NFC (Near Field Communication) technology. These devices come in the form of cards, stickers, or keychains and operate without the need for batteries. They feature EEPROM memory capable of storing up to 64 KB of data.

NFC HSM devices are designed to securely store and utilize cryptographic keys and secrets in an isolated and secure environment. They shield data from cloning, replay attacks, counterfeiting, or extraction and include an access control system based on segmented keys.

One prime example of an NFC HSM device is the EviCypher NFC HSM developed by Freemindtronic. This technology allows for the storage and utilization of cryptographic keys and secrets within a contactless device, such as a card, sticker, or keychain. EviCypher NFC HSM offers a range of features, including offline isolation, seamless integration with other technologies, and enhancements to the user experience. With its robust security measures and innovative features, EviCypher NFC HSM sets a new standard for secure communication and secret management in the digital realm.

Resistance Against Brute Force Attacks on NFC HSM

The RSA 4096 private key is encrypted with AES 256. Therefore, the user cannot extract it from the EEPROM memory. The NFC HSM has this memory. It also has other secrets in this memory. This memory is non-volatile. As a result, it can last up to 40 years without power. Consequently, any invasive or non-invasive brute force attack on NFC HSM is destined for failure. This is due to the fact that secrets, including the RSA private key, are automatically encrypted in the EEPROM memory of the NFC HSM using AES-256 with segmented keys of physical origin, some of which are externalized from the NFC HSM.

Real-Time Secret Sharing with EviCore NFC HSM

An intriguing facet of EviCore NFC HSM technology is its ability to facilitate real-time secret sharing without the need for a remote server or database. EviCore NFC HSM accomplishes this by encrypting secrets with the recipient’s randomly generated RSA 4096 public key directly on their NFC HSM device. This innovative approach to secret sharing eliminates the necessity for a trusted third party. Furthermore, EviCore NFC HSM executes these operations entirely in the volatile (RAM) memory of the phone, leaving no traces of plaintext secrets in the computer, communication, or information systems. As a result, it renders remote or proximity attacks, including invasive or non-invasive brute force attacks, exceedingly complex, if not physically impossible. Our EviCore NFC HSM technology is an Android application designed for NFC-enabled phones, functioning seamlessly with our NFC HSM devices. This application serves as both firmware and middleware, constituting an embedded system, offering optimal performance and compatibility with NFC HSM devices.

What Are the Advantages and Benefits of NFC HSM Devices and RSA 4096 Encryption?

NFC HSM devices and RSA 4096 encryption offer numerous advantages and benefits across various applications and domains. Some of these include:

  1. Enhanced Security and Trust: They bolster security and trust in the digital landscape through the utilization of a robust and efficient encryption algorithm that withstands factorization attacks.
  2. Simplified Key and Secret Management: They simplify the management and sharing of cryptographic keys and secrets by leveraging contactless technology for communication with Android phones via NFC.
  3. Improved Device Performance and Compatibility: They enhance device performance and compatibility by functioning as a firmware-like middleware embedded within an Android application for NFC-enabled phones.
  4. Enhanced User Experience: They improve the user experience of devices by offering features such as offline isolation, seamless integration with other technologies, and enhanced user experiences.

In summary, NFC HSMs and RSA 4096 encryption offer inventive and pragmatic answers to the escalating requirements for security and confidentiality in the digital sphere.

Communication Vulnerabilities 2023: Avoiding Cyber Threats

Person working on a laptop within a protective dome, surrounded by falling hexadecimal ASCII characters, highlighting communication vulnerabilities
The hidden dangers of communication vulnerabilities in 2023  by Jacques Gascuel: This article will be updated with any new information on the topic.

Beware of communication vulnerabilities in 2023

Communication is essential for our personal and professional lives, but it also exposes us to cyber threats. In 2023, hackers will exploit the hidden dangers of communication vulnerabilities to steal data, disrupt services, and spy on users. This article will explain the main types of communication vulnerabilities, their impact, and how to protect yourself from them.

2024 Digital Security

Why Encrypt SMS? FBI and CISA Recommendations

2024 Digital Security

French Minister Phone Hack: Jean-Noël Barrot’s G7 Breach

2024 Digital Security

Cyberattack Exploits Backdoors: What You Need to Know

2024 Digital Security

Google Sheets Malware: The Voldemort Threat

2024 Articles Digital Security News

Russian Espionage Hacking Tools Revealed

2024 Digital Security Spying Technical News

Side-Channel Attacks via HDMI and AI: An Emerging Threat

Communication Vulnerabilities in 2023: Unveiling the Hidden Dangers and Strategies to Evade Cyber Threats

2023 Security Vulnerabilities in Means of Communication

Communication is essential for individuals and professionals, but it is also exposed to many cyber threats. In 2023, several security breaches affected emails and messages, compromising the security of data, services, and users. These breaches showed the vulnerability of communication systems, which are exposed to increasingly sophisticated and targeted attacks. To protect themselves, users need to encrypt their data and communications with their own keys that they created and stored offline. One of the solutions that can help them achieve this is EviCypher NFC HSM technology by Freemindtronic.

The Reality of Security Breaches in Communication Systems

However, we wanted to highlight a disconcerting reality: users often found themselves defenseless against the hidden dangers of communication vulnerabilities in 2023 that festered beneath the surface for long periods of time. Unaware of these current, imminent or future risks, they unwittingly provided gateways to espionage activities, whether motivated by legitimate or malicious intentions. These vulnerabilities enabled a relentless cycle of cyber victimization, perpetuating the very threats they aimed to mitigate.

For example, iCloud Email operated without end-to-end encryption from its launch in 2011 until December 2022 – a troubling reality that put users in a vulnerable position, their security at the mercy of external factors they could not control.

Another example, several reports by the Citizen Lab have revealed the existence and the use of Pegasus spyware developed by the Israeli company NSO Group, which sells its services to governments and private actors to spy on targets around the world. Moreover, several investigations by the consortium Forbidden Stories have revealed that more than 50,000 phone numbers have been selected as potential targets by NSO Group’s clients, including heads of state, journalists, human rights activists, etc.

Among the most recent examples of these vulnerabilities, we can mention the cyberattack against the US State Department, which was attributed to hackers linked to China.

Chinese hackers hacked 60,000 emails from the US State Department

In March 2023, Chinese hackers hacked 60,000 emails from the US State Department. Some of them were very sensitive to national security and foreign affairs. They used a Microsoft Exchange flaw named Log4Shell. This vulnerability allows hackers to remotely execute malicious code on servers that use this software. It affects millions of servers worldwide. Senator Mark Warner revealed the attack and criticized the lack of transparency and security of the State Department. He called for strengthening cooperation between government agencies and the private sector to cope with cyberthreats. This attack is part of a context of rising tensions between the US and China, who accuse each other of espionage and sabotage on cyberspace.

The other sensitive organs targeted by the attack

Besides the State Department emails, the attack also targeted other sensitive organs, such as:

  • The Bureau of the Coordinator for Cyber Issues, which is responsible for coordinating the State Department’s efforts to prevent and respond to cyberattacks.
  • The Bureau of Consular Affairs, which is in charge of issuing passports and visas, as well as protecting US citizens abroad.
  • The Bureau of Intelligence and Research, which provides analysis and assessments on foreign policy and national security issues.

These sensitive organs hold confidential or personal information that could be used by the Chinese hackers for espionage, blackmail or sabotage. For example, the hackers could access the biometric data of visa applicants, the reports of intelligence agents or the action plans in case of crisis.

The security flaw exploited by the Chinese hackers

The most serious thing is that some servers that were hacked by the Chinese had not been updated with the patch released by Microsoft on December 10, 2022. This shows that the updates are not automatic and that they have to be installed manually. This also shows the lack of responsiveness and vigilance of the IT security managers. They let the Chinese hackers exploit this flaw before it was fixed by Microsoft, who released security updates. Indeed, this cyberattack shows the vulnerability of communication systems and the need to protect them effectively.

A Case of Satellite Messaging Security Vulnerability

Satellite messaging is a means of communication that allows the transmission of electronic messages or calls via a network of artificial satellites. It is used by professionals and individuals in areas with no cellular coverage or those seeking discreet communication. However, satellite messaging is not immune to security vulnerabilities that can compromise data confidentiality and integrity.

In September 2023, a team of cybersecurity researchers uncovered a significant security vulnerability in the Bullitt satellite messaging service. This vulnerability allowed hackers to read and modify messages sent and received by users, as well as access their personal information, including GPS coordinates and phone numbers. Hackers could also impersonate users by sending messages on their behalf. The vulnerability was found in the PubNub-Kotlin API used by the Bullitt Messenger app to manage communication between devices and the service’s servers. Despite alerting Bullitt, the service provider, about this vulnerability, the researchers received no satisfactory response.

This security flaw poses a high risk to satellite messaging users, as their data can be exposed or manipulated by hackers.

Security Vulnerabilities in Communication Systems: A Closer Look

2023 Security Flaws in Communication Channels is a paramount concern for individuals and organizations across the globe. Hackers frequently exploit vulnerabilities within communication protocols and services to launch attacks that can compromise data confidentiality, integrity, and availability. To illustrate the magnitude and gravity of this issue, we have compiled statistics based on our web research:

Security Vulnerabilities in Emails

Emails serve as a central vector for cyberattacks, representing a significant portion of security incidents, with up to 91% of reported incidents, as per cybermalveillance.gouv.fr. Among these email-targeted threats, ransomware attacks are the most prevalent, comprising 25% of reported security incidents. Additionally, it’s striking to note that 48% of malicious files attached to emails are Microsoft Office documents. These statistics underscore the critical importance of implementing robust security measures for emails to guard against evolving threats.

Furthermore, an analysis conducted by the Verizon Data Breach Investigations Report for 20232 highlights that emails remain the primary variety of malicious actions in data breaches, underscoring their continued relevance as a vector for cyberattacks.

However, it is essential to note that email-specific vulnerabilities can vary based on factors such as email protocol vulnerabilities, server configuration errors, human mistakes, among others.

Security Vulnerabilities in Encrypted Messaging Services

Encrypted messaging services like Signal, Telegram, or WhatsApp are not immune to security vulnerabilities, which can compromise message and file confidentiality, integrity, and availability. In March 2023, Cellebrite, an Israeli data extraction company, claimed to have successfully decrypted messages and files sent via Signal. In June 2023, Google disclosed a vulnerability in its RCS service that allowed hackers to send fraudulent messages to Android users, containing malicious links redirecting victims to compromised websites.

Security Vulnerabilities in Communication Protocols

Communication protocols such as SMTP, RCS, or SMS are also susceptible to security vulnerabilities that can enable hackers to intercept, modify, or spoof messages and calls. SS7 vulnerabilities involve attacks exploiting the vulnerabilities of the SS7 protocol, used to establish and terminate telephone calls on digital signaling networks. These attacks can allow hackers to intercept, modify, or spoof voice and SMS communications on a cellular network. In January 2023, a hacking group named Ransomware.vc launched a data extortion campaign targeting organizations using the Progress MOVEit file transfer tool. The hackers exploited an SS7 vulnerability to intercept verification codes sent via SMS to MOVEit users, gaining access to sensitive data. In February 2023, the Ukrainian power grid was hit by a new malware called Industroyer2, attributed to Russian hackers. The malware used an SS7 vulnerability to take control of network operator phone calls, disrupting electricity distribution in the country. In March 2023, Samsung suffered a data breach that exposed the personal and financial information of millions of customers. The breach was caused by an SS7 vulnerability that allowed hackers to access SMS messages containing online transaction confirmation codes.

An Overview of Security Vulnerabilities in Communication Systems

Communication systems exhibit various vulnerabilities, with each element susceptible to exploitation by hackers. These weaknesses can have severe consequences, including financial losses, damage to reputation, or national security breaches.

  • Protocols: Communication protocols, like Internet Protocol (IP), Simple Mail Transfer Protocol (SMTP), Signaling System 7 (SS7), and Rich Communication Services (RCS), can contain security vulnerabilities. These vulnerabilities enable hackers to intercept, modify, or spoof communications on the network. For instance, an SS7 vulnerability allows hackers to eavesdrop on phone calls or read SMS messages on a cellular network.
  • Services: Network services, such as messaging, cloud, streaming, or payment services, possess their own vulnerabilities. These vulnerabilities may permit hackers to access, modify, or delete data within the service. For instance, a vulnerability in an encrypted messaging service enables hackers to decrypt messages or files sent via the service.
  • Applications: Software applications, including web, mobile, desktop, or IoT applications, are prone to security vulnerabilities. These vulnerabilities empower hackers to execute malicious code on a user’s device or gain control of the device itself. For example, a vulnerability in a web application allows hackers to inject malicious code into the displayed web page.
  • Devices: Physical devices, such as computers, smartphones, tablets, or IoT devices, feature their own set of security vulnerabilities. These vulnerabilities can enable hackers to access the device’s data or functionalities. For instance, a vulnerability in a smartphone grants hackers access to the device’s camera, microphone, or GPS.

In conclusion, the multitude of security vulnerabilities in communication systems presents a significant challenge to all stakeholders. Protecting against these vulnerabilities and enhancing cybersecurity is essential to safeguard sensitive data and infrastructure.

How communication vulnerabilities exposed millions of users to cyberattacks in the past years

Communication is essential for our personal and professional lives, but it also exposes us to cyber threats. In the past years, hackers exploited the hidden dangers of communication vulnerabilities to steal data, disrupt services, and spy on users. These vulnerabilities affected software and services widely used, such as Log4j, Microsoft Exchange, Exim, Signal, Telegram, or WhatsApp. Some of these vulnerabilities have been fixed, while others remain active or in progress. The following table summarizes the main communication vulnerabilities in the past years, their impact, and their status.

Name of the breach Type of breach Impact Status Date of discovery Date of patch
Log4j Command injection Control of servers and Java applications Fixed November 24, 2021 December 18, 2021
Microsoft Exchange Remote code execution Data theft and backdoor installation Fixed March 2, 2021
Exim Multiple vulnerabilities Control of email servers June 5, 2020
Signal Denial of service Blocking of messages and calls Fixed May 11, 2020 May 15, 2020
Telegram Deserialization Access to messages and files Fixed January 23, 2021
WhatsApp QR code spoofing Account hacking Fixed October 10, 2019
File-based XSS Code injection Execution of malicious code in the browser Not fixed December 17, 2020 N/A
RCS QR code spoofing Interception, modification or spoofing of messages and calls Not fixed June 17, 2020 N/A
SMS SIM swap fraud Account takeover and identity theft Active or in progress
MMS Stagefright vulnerability Remote code execution and data theft Fixed July 27, 2015 August-September 2015
SolarWinds Orion Supply chain compromise Data theft and backdoor installation Fixed December 8, 2020 February 25, 2023
API PubNub-Kotlin Privilege escalation by deserialization of untrusted data Arbitrary command execution on SolarWinds Platform website Fixed February 8, 2022 April 19, 2023
SS7 Multiple vulnerabilities Data theft, interception, modification or blocking of communications, location tracking or spoofing, fraud Active or in progress 2014 N/A

This table provides a concise overview of the hidden dangers of communication vulnerabilities in 2023, their types, impacts, and current statuses.

EviCypher NFC HSM: The technology that makes your communications invulnerable to security breaches

Security vulnerabilities in the means of communication pose a high risk to users, including satellite messaging, as their data can be exposed or manipulated by hackers. Therefore, effective protection against this threat is essential. This is precisely where the EviCypher NFC HSM technologies mentioned in this article come in as an innovative and secure solution.

EviCypher NFC HSM Technology for Messaging Protection

EviCypher NFC HSM technology is a solution that enables contactless encryption and decryption of data using an NFC card. It employs a hardware security module (HSM) that securely stores encryption keys. It is compatible with various communication services, including emails, SMS, MMS, satellite messaging, and chats.

To use EviCypher NFC HSM technology, simply pair the NFC Card, to an NFC-enabled Android phone and activate it with your fingerprint. Messages sent and received through messaging services are encrypted and decrypted using the NFC card. Only the card owner can access their messages and files. No one can intercept or alter them, even if the  service is compromised by a security vulnerability.

EviCypher NFC HSM technology offers optimal protection for commincation, ensuring data confidentiality and integrity. It also safeguards against other types of security vulnerabilities that may affect communication methods, such as Log4Shell or SolarWinds. It is a simple, effective solution that requires no change in user habits.

What is EviCypher NFC HSM technology?

EviCypher NFC HSM technology is a contactless encryption technology that uses hardware security modules (HSM) devices that communicate via NFC (Near Field Communication) protocols. These devices are EviTag and Evicard, which are small and portable devices that can be attached to a keychain or a card holder. They allow users to store and manage their keys and secrets securely, without relying on third-party services or cloud storage.

How does EviCypher NFC HSM technology work?

EviCypher NFC HSM technology works by encrypting and decrypting data and communications with the user’s own keys that they created and stored offline. The user can use the devices for various applications, such as encrypting emails, messages or files.

To use NFC HSMs, the user must first pair it with their phone. He chooses the option of encryption or decryption on his phone, writes or reads his messages on his phone. Encryption and decryption operations are performed from the NFC HSM itself, without exposing keys or secrets to the phone. The same operation is available on computer via a phone-paired web extension and using the NFC HSM.

Why is EviCypher NFC HSM technology secure and reliable?

EviCypher NFC HSM technology is integrated into a hardware security module that stores encrypted secrets, such as encryption keys, in the highly secure NFC eprom memory. It enables to encrypt contactless communications upstream, in post-quantum AES 256, before sending them. It is thus secure and reliable, because it encrypts the data before transmitting them without ever keeping the message in plain text.

How can EviCypher NFC HSM technology protect you from security breaches?

EviCypher NFC HSM technology can protect you from security breaches by encrypting your data and communications in advance in volatile memory before sending them encrypted without ever keeping the message in clear automatically destroyed and replaced by its encrypted version in AES 256 symmetry considered post quantum. Thus, even if there are security flaws the messages and emails and their attachments remain always encrypted. This can be done from an Android NFC phone and/or from the Freemindtronic extension.

This way, you can avoid being exposed to past, present or future security vulnerabilities, since the encryption is done on the device itself, without exposing the keys or secrets to the phone or computer. Even if your phone or computer is compromised by a hacker or a spyware, they cannot access your data or messages in clear text. Only you can decrypt them with your device and your PIN code.

EviCypher NFC HSM technology is an innovative solution that offers a high level of security and privacy for your communication systems. It is developed by Freemindtronic, an Andorran company specialized in NFC security. It is based on EviCore NFC HSM technology, which is a hardware security module that combines hardware encryption and NFC communication protocols.

In conclusion, the EviCypher NFC HSM technology is integrated into a hardware security module that stores encrypted secrets, such as encryption keys, in the highly secure NFC eprom memory. It allows to encrypt contactless communications upstream, in post-quantum AES 256, before sending them. It is thus secure and reliable, because it encrypts the data before transmitting them without ever keeping the message in plain text.

How to choose the best multi-factor authentication method for your online security

Multi-factor authentication how to choose the best multi factor authentication MFA method for your online security and PassCypher NFC HSM solution passwordless MFA from Freemindtronic

Multi-factor Authentication by Jacques Gascuel: This article will be updated with any new information on the topic.  

Why use multi-factor authentication?

Passwords are not enough to protect your online accounts from cybercriminals. You need to use a more robust authentication method: multi-factor authentication. It combines several factors to verify your identity, such as passwordless MFA. In this article, you will discover what it is, how it works and how to choose it.

2024 Digital Security

Why Encrypt SMS? FBI and CISA Recommendations

2024 Digital Security

French Minister Phone Hack: Jean-Noël Barrot’s G7 Breach

2024 Digital Security

Cyberattack Exploits Backdoors: What You Need to Know

2024 Digital Security

Google Sheets Malware: The Voldemort Threat

2024 Articles Digital Security News

Russian Espionage Hacking Tools Revealed

2024 Digital Security Spying Technical News

Side-Channel Attacks via HDMI and AI: An Emerging Threat

Everything you need to know about multi-factor authentication and its variants

Have you ever wondered how to protect your online accounts and data from hackers and cybercriminals? If so, you need to know about multi-factor authentication and its variants. Authentication is the process that verifies the identity of a user who wants to access a website, an application or a system. Authentication is essential to protect the security and privacy of data and online transactions. Without proper authentication, hackers and malicious actors can access sensitive information, steal identities, compromise accounts or commit fraud.

There are different authentication methods that can offer different levels of security and convenience for users. Some methods use only one factor, such as a password, to verify a user’s identity. This is called single-factor authentication (SFA). SFA is simple, fast and convenient, but also very insecure and unreliable. Other methods use two or more factors, such as a password and a code, to verify a user’s identity. This is called multi-factor authentication (MFA). MFA offers a high level of security because it makes it harder for attackers to obtain all the factors needed to access an account.

In this article, we will explain the main differences between six popular methods of authentication: single-factor authentication (SFA), multi-factor authentication (MFA), two-factor authentication (2FA), two-step verification (2SV), one-time passwords (OTP) and passwordless multi-factor authentication (Passwordless MFA). We will also introduce you to a new product that offers an innovative and eco-friendly solution for contactless multi-factor authentication: PassCypher NFC HSM. We will also discuss another method of authentication that allows users to access multiple applications or services with one login. This is called single sign-on (SSO). SSO can use different protocols, such as SAML, OAuth, or OpenID Connect, to verify the user’s identity and grant access.

According to a report by Microsoft, 99.9% of account compromise attacks can be blocked by using multi-factor authentication. Therefore, it is important to choose the best authentication method for your online security. In this article, we will help you understand the pros and cons of each method and how to choose the best one for your needs and preferences.

Why use multi-factor authentication?

You use passwords for your online accounts; but are they secure enough? Cybercriminals can steal, guess or hack them easily; you hear many news about it. You want to improve their protection and usage; you need to know more. You need to know the different methods of multi-factor authentication; up to the most robust one, like passwordless MFA. In this article, you will get answers and learn more.

How to evaluate the level of resistance to cyberattacks?

We use several criteria to evaluate the level of resistance to cyberattacks of an authentication method, such as:

  • The number and diversity of factors used: An attacker has a harder time getting all the factors if there are more of them. It is also better to combine factors of different natures (what you know, what you have, what you are); they are less vulnerable to the same types of attacks.
  • The complexity and variability of factors used: An attacker has a harder time guessing or reproducing the factors if they are more complex and variable. For example, a long and random password is more resistant than a short and simple one. Likewise, a one-time code is more resistant than a fixed one.
  • The security and reliability of communication channels used: An attacker has a harder time intercepting or altering the channels if they are more secure and reliable. For example, an encrypted connection is more secure than an unencrypted one. Likewise, a push notification is more reliable than an SMS.
  • The ease and speed of use for the user: Users are more likely to adopt the methods if they are easier and faster. A too complex or slow method can discourage users or make them bypass security. For example, facial recognition is easier and faster than a USB key.

We give a score out of 10 to each authentication method based on these criteria; we consider the pros and cons of each factor and channel. This score reflects the level of resistance to cyberattacks of the method; its ability to prevent or reduce the impact of an attack.

What are the differences between MFA, 2FA, 2SV, SFA, SSO, OTP and Passwordless MFA?

MFA, 2FA, 2SV, Passwordless MFA, OTP and SFA are all types of authentication methods that require users to provide one or more pieces of evidence (or factors) to prove their identity. However, they have distinct differences in terms of how they work and how secure they are. Here is a summary of each one:

Multi-Factor Authentication (MFA)

MFA is a security enhancement that requires users to submit two or more pieces of evidence (factors) to access a system. These factors can belong to different categories, such as:

  • Knowledge: something that the user knows, such as a password, a PIN or an answer to a secret question.
  • Possession: something that the user has, such as a smartphone, a smart card or a hardware token.
  • Inherence: something that the user is, such as a fingerprint, a retina scan or a facial recognition.

MFA offers a high level of security because it makes it harder for attackers to obtain all the factors needed to access an account. Even if one factor is compromised, such as a password, the other factors can still prevent unauthorized access.

Level of resistance to cyber attacks: 8/10

Two-Factor Authentication (2FA)

2FA is a type of MFA; it uses two distinct factors of authentication. These factors must belong to two different categories; such as knowledge and possession. For example, you can log in to an account; with your username and password (knowledge). Then you receive a notification on your smartphone (possession); to approve the login.

2FA offers an intermediate level of security between single-factor authentication by password only and MFA by adding an extra layer of protection against unauthorized access attempts. However, it can be less secure than 2FA; if it uses factors that belong to the same category; such as knowledge.

Indeed, if an attacker manages to obtain the password and the additional code; they can access the account without any problem.

Level of resistance to cyber attacks: 6/10

Two-Step Verification (2SV)

2SV is a type of MFA that requires two sequential steps of verification using authentication factors. These steps can belong to the same category, such as knowledge. For example, Google uses 2SV for its accounts. To log in, the user enters their username and password (knowledge), then they enter an additional code that they receive by SMS or email (knowledge).

2SV offers an intermediate level of security between single-factor authentication by password only and 2FA by adding an extra layer of protection against unauthorized access attempts. However, it can be less secure than 2FA if it uses factors that belong to the same category, such as knowledge.

Indeed, if an attacker manages to obtain the password and the additional code, they can access the account without any problem.

Level of resistance to cyber attacks: 4/10

Single-Factor Authentication (SFA)

Single-Factor Authentication (SFA) is a security method that uses only one factor to verify a user’s identity. A factor is something that the user knows, has, or is. For example:

  • One piece of evidence (factor) verifies a user’s identity with SFA.
  • The factor can be something the user knows (password, PIN, secret question), has (smartphone, smart card, hardware token), or is (fingerprint, retina scan, facial recognition).
  • SFA has some benefits but also many drawbacks. It is simple, fast and convenient, but also insecure, unreliable and non-compliant.
  • Many cyberattacks expose users to SFA, such as phishing, keylogging, brute force or credential stuffing.
  • Attackers can easily obtain the factor and access the account without the user’s consent.
  • If the factor is compromised (e.g., password), the account is vulnerable to unauthorized access.
  • SFA does not meet the security standards or regulations of some industries or organizations (e.g., banks, government agencies).

SFA offers a low level of security because it makes it easy for attackers to obtain the factor needed to access an account. If the factor is compromised, such as a password, the user’s account is vulnerable to unauthorized access.

Level of resistance to cyber attacks: 2/10

Single Sign-On (SSO) and Multi-Factor Authentication (MFA)

Single Sign-On (SSO) is a security method that allows users to access multiple applications or services with one login. The user only needs to enter their username and password once, and the SSO service authenticates them for all the connected applications. SSO can use different protocols, such as SAML, OAuth, or OpenID Connect, to verify the user’s identity and grant access. SSO has some advantages and disadvantages that you should consider before choosing it as your authentication method.

  • Pros of SSO
    • Reduced password fatigue: Users only need to remember one password instead of many. This makes it easier to create strong and unique passwords for each application.
    • Simplified user and password management: IT admins can control the access rights of users from a central place. They can also revoke or change the passwords of users who leave the organization or lose their devices.
    • Improved identity protection: SSO can use additional security measures, such as multi-factor authentication (MFA), to enhance the verification process. MFA is a type of authentication that requires two or more factors to verify a user’s identity. These factors can be something that the user knows, has, or is, such as a password, a smartphone, or a fingerprint. MFA offers a higher level of security than single-factor authentication (SFA), which only requires one factor, such as a password.
  • Cons of SSO
    • Limited user control: Users cannot choose which applications are included in the SSO service. They may also have difficulty logging out of all the applications at once.
    • Incompatible apps: Some applications may not support the SSO protocols or require additional configuration to work with the SSO service. This may limit the number of applications that users can access with one login.
    • Unpredictable costs and time: Implementing and maintaining an SSO service may be costly or complex for some organizations. They may need to buy or develop software, pay for subscription fees, train users or staff, or comply with regulations.

SSO has some benefits but also some drawbacks that you should consider before choosing it as your authentication method. You should weigh the pros and cons of SSO and compare them with your security goals and resources.

Level of resistance to cyber attacks: 7/10

Passwordless Multi-Factor Authentication (Passwordless MFA)

Passwordless MFA is a term used to describe an authentication method; that does not require a password; and that uses multiple factors. For example, you can log in to an account; using your fingerprint (inherence) and a code generated by your smartphone (possession); without having to enter your username or password.

Passwordless MFA offers the highest level of security; when implemented correctly; because it eliminates the risk of password theft or leakage. It also improves convenience and user experience; because it does not require memorization or input of passwords.

Level of resistance to cyber attacks: 10/10

One-Time Passwords (OTP)

OTP are random and temporary codes; that are used as additional factors of authentication. There are two main types of OTP: Time-based One-Time Password (TOTP) and HMAC-based One-Time Password (HOTP).

Time-based One-Time Password (TOTP)

TOTP is a type of OTP that is generated based on time; it uses a secret key shared between the server and the client; as well as a counter based on the client’s clock. The server and the client calculate the same code; using the same key and the same counter. The code is valid for a short period, usually 30 seconds.

TOTP offers a high level of security because it prevents the reuse of codes. Even if an attacker intercepts a code, they will not be able to use it after its expiration.

Level of resistance to cyber attacks: 7/10

HMAC-based One-Time Password (HOTP)

HOTP is a type of OTP that is generated based on an incremental counter. It uses a secret key shared between the server and the client, as well as a counter that increments every time a code is generated or validated. The server and the client calculate the same code using the same key and the same counter. The code does not have a fixed validity period, but it must be used in order.

HOTP offers an intermediate level of security because it requires synchronization between the server and the client. If the client’s counter is offset from the server’s counter, there may be authentication errors. Moreover, if an attacker manages to obtain the secret key or the counter, they can generate valid codes.

Level of resistance to cyber attacks: 5/10

Statistics on MFA, 2FA, 2SV, SFA, OTP (TOTP and HOTP), Passwordless MFA and SSO

To illustrate the importance and popularity of multi-factor authentication methods, here are some statistics from various sources:

  • According to the 2021 Duo Trusted Access Report, the total number of MFA authentications increased by 39% over the past year, while biometric authentications saw an even faster growth, with a 48% increase.
  • The report also indicates that Duo Push is the most popular authentication method, accounting for 30% of the total authentications, followed by SMS (25%) and phone calls (19%).
  • Among customers using location policies, 74% block Russia and China, which are the most frequently blocked countries in authentication apps.
  • In 2020, Duo Security conducted a survey of over 4,000 people in the US and UK on their experience and perception of 2FA. The survey revealed that 79% of respondents had used 2FA in 2020, up from 53% in 2019 and 28% in 2017.
  • The survey also showed that SMS (85%) continues to be the second most common factor that respondents with 2FA experience have used, slightly up from 2019 (72%). Email is the second most common factor (74%), with a notable increase from 2019 (57%).
  • According to a report by Okta, an identity and access management company, SSO adoption increased by 68% between February and April 2020, as more organizations shifted to remote work due to the COVID-19 pandemic.
  • The report also found that SSO usage was highest among education (60%), technology (58%), and non-profit (49%) sectors. The most popular SSO protocols were SAML (54%), OAuth (24%), and OpenID Connect (22%).

These statistics show that multi-factor authentication methods are more effective and popular than single-factor authentication methods. They provide higher levels of security and reliability for users and organizations. However, they also reveal that there is still room for improvement and awareness in terms of online security. Many users and companies do not use multi-factor authentication or use weak factors that can be compromised. Therefore, it is important to educate and encourage users and companies to adopt multi-factor authentication methods that suit their needs and preferences.

Discover PassCypher NFC HSM: an innovative solution for contactless multi-factor authentication

You now have a better understanding of the different methods of multi-factor authentication and their pros and cons. You may have noticed that some methods have weaknesses, such as vulnerability to cyber attacks, dependency on network or battery availability, or complexity of managing passwords.

Fortunately, there is a solution that combines security, convenience and ecology to protect your data and online transactions. We introduce you to PassCypher NFC HSM, a product developed by Freemindtronic that allows you to store and manage passwords, one-time passwords (OTP) and HMAC-based passwords (HOTP) in a wireless and battery-free device. It uses EviOTP technology, which is a patented solution by Freemindtronic to generate OTP without internet connection or power supply. It works with NFC-compatible Android smartphones and computers equipped with a Chromium or Firefox web browser.

The benefits of PassCypher NFC HSM

Some of the benefits of PassCypher NFC HSM over traditional multi-factor authentication solutions are:

  • Higher resistance to cyber attacks: It uses a NFC HSM device that stores the secrets in an encrypted way. It also verifies the validity of the device used, its pairing key, its unique anti-counterfeiting key, and the validation of the Authenticator Sandbox. It does this with auto verification of fraudulent URLs.
  • Greater convenience: It does not require network or battery. You just need to scan the PassCypher NFC HSM device with your smartphone. This will automatically fill in the login fields on your computer or display the OTP code. The OTP code corresponds to the online service.
  • Better eco-friendliness: It reduces energy consumption and CO2 emissions. It uses a wireless and battery-free device. It works with EviOTP technology, which generates OTP without network or battery. You can scan them with your smartphone to access your accounts.
  • More customization: It allows the user to freely define the authentication factors that they want to use. They can add cumulative factors such as the UID of the NFC Android phone, a BSSID or an authorized geofence. They can also add additional factors that involve their intervention. For example, a biometric criterion or a segmented key via a QR code or a hexadecimal barcode.

The features of PassCypher NFC HSM

PassCypher NFC HSM offers several features that facilitate the management and use of passwords and OTP. Here are some of these features:

  • It allows you to automatically fill in the identifiers and passwords of 2SV methods, such as Google or Facebook, using a browser extension. You just need to scan the PassCypher NFC HSM device with your smartphone to automatically fill in the login fields on your computer.
  • It manages TOTP, such as those used by GitHub or Dropbox, using a dedicated application on your smartphone. You just need to scan the PassCypher NFC HSM device with your smartphone to display the TOTP code corresponding to the online service. For this, you must have previously saved the OTP codes via the QR Code generated from the site that authorizes 2FA via TOTP or HOTP.
  • It has an advanced configurable passwordless MFA function patented using physical origin segmented key authentication defined freely by the user. It can add them cumulatively for each secret stored in the NFC HSM of segments that can be UID of the NFC Android phone, a BSSID or an authorized geofence. It can also add additional factors that involve their intervention, such as a biometric criterion or a segmented key via a QR code or a hexadecimal barcode. You just need to scan the PassCypher NFC HSM device with your smartphone to access your account without entering any username or password.
  • It allows you to save and restore contactlessly, in real time in volatile memory of the phone or computer, without needing a server, database, without needing to create an account and anonymously and encrypted end-to-end from the NFC HSM. It works on the NFC Android phone and on computer via an extension only on the local network encrypted end-to-end from the NFC HSM. You just need to pass the PassCypher NFC HSM under your smartphone’s antenna to auto-connect to the cloud service via the passwordless MFA process.
  • It allows you to share secrets stored in NFC HSM by various means with other authorized users with trust criteria who also have a PassCypher NFC HSM. Sharing can be done in presence of the recipient who scans a QR Code of the secret shared via coded QR Code. It can share nearby by bluetooth file sharing. It can also share remotely via all means of communication existing in their phone including SMS or RCS using a 4096-bit RSA public key that the recipient has freely generated in their NFC HSM that they regenerate at will. It can also share it contactlessly via Android Beam NFC technology.

Conclusion

In this article, we have discussed how to choose the best multi-factor authentication method for your online security. We have also compared some of the most popular and innovative solutions available in the market. Multi-factor authentication is a vital component of online security that protects your data and transactions from unauthorized access. However, not all methods are suitable for all situations and needs. Therefore, you should consider several factors when choosing an authentication method, such as:

  • The type and sensitivity of the data or transactions that you want to protect. Some data or transactions are more valuable or confidential than others. For example, your bank account or medical records require more protection than your social media account or online shopping.
  • The availability and reliability of the network or battery for your devices. Some methods depend on the network or battery to work. For example, you cannot use SMS or email if you have no internet connection or phone signal. Likewise, you cannot use a USB key or a smart card if your device has no power or port.
  • The ease and frequency of use and management of the authentication factors. Some methods are easier and faster to use and manage than others. For example, facial recognition or fingerprint scanning are more convenient than typing a password or entering a code. However, you may also need to change or update your factors regularly to maintain their security.
  • The compatibility and interoperability of the authentication method with your devices and platforms. Some methods work only with specific devices or platforms. For example, you cannot use an Apple Watch or a Google Authenticator app if you have an Android phone or a Windows computer. Likewise, you cannot use a biometric scanner if your device does not have one.
  • The cost and benefit of implementing and maintaining the authentication method. Some methods are more expensive or complex to implement and maintain than others. For example, you may need to buy additional hardware or software, pay for subscription fees, train users or staff, or comply with regulations.

These factors can help you decide which authentication method suits your needs and preferences best. You should weigh the pros and cons of each method and compare them with your security goals and resources.

Comparison of popular authentication methods

We have explained the main differences between five popular methods of multi-factor authentication: multi-factor authentication (MFA), two-factor authentication (2FA), two-step verification (2SV), passwordless multi-factor authentication (Passwordless MFA) and one-time passwords (OTP). Each method has its own advantages and disadvantages depending on the context and implementation. We have also introduced you to a new product that offers an innovative and eco-friendly solution for contactless multi-factor authentication: PassCypher NFC HSM.

PassCypher NFC HSM offers several benefits over traditional multi-factor authentication solutions, such as SMS or email

Freemindtronic designed, developed and manufactured PassCypher NFC HSM. This product lets you store and manage passwords, keys, OTP and HOTP. It uses a wireless, battery-free NFC HSM device. It works for life without maintenance. It also incorporates several EviPass technologies. EviCore NFC HSM and EviOTP technology are patented by Freemindtronic. With these technologies, you can manage, store, share, encrypt and generate OTP code securely. You can do this contactlessly from NFC devices. It does not need an Internet connection, a server, a database or a power supply. It works contactless with NFC-compatible Android smartphones.

PassCypher NFC HSM also offers several features that facilitate the management and use of passwords, such as:

Password generator: It can generate strong and random passwords for any website or application.

  • Password manager: It can store and retrieve your passwords securely and conveniently.
  • OTP generator: It can generate OTP based on time (TOTP) or counter (HOTP) for any website or application that supports them.
  • HOTP generator: It can generate HOTP based on HMAC algorithm for any website or application that supports them.
  • QR code scanner: It can scan QR codes that contain OTP information and generate the corresponding OTP.
  • Web extension: This is a feature that can integrate with your web browser. It can automatically fill in your complicated and complex usernames and passwords in MFA Passwordless. It does this for any website you visit.

One of the features of PassCypher NFC HSM is that it can store and manage SSO credentials and passwords for automatic login in passwordless MFA. This means that you can use PassCypher NFC HSM to access multiple applications or services with one tap, without entering any password. This increases the level of security of the authentication by SSO, as it eliminates the risk of password theft or compromise. Similarly, PassCypher NFC HSM can also store and manage SFA credentials and passwords for automatic login in passwordless MFA. This means that you can use PassCypher NFC HSM to access any website or system with one tap, without entering any password. This increases the level of security of the authentication by SFA, as it reduces the password fatigue and reuse.

PassCypher NFC HSM is a powerful and innovative product that enhances your online security and convenience. It is compatible with any type of authentication method, such as MFA, 2FA, 2SV, Passwordless MFA or SFA. It is also easy to use and eco-friendly.

If you are interested in trying out PassCypher NFC HSM, you can order it from our [website] or download our [web extension] for free. If you have any questions or feedback, please feel free to [contact us]. We would love to hear from you.

Unitary patent system: why some EU countries are not on board

Unitary Patent system European why some EU countries are not on board

Unitary patent system by Jacques Gascuel: This article will be updated with any new information on the topic.  

Why some EU countries don’t want the unitary patent

The unitary patent system promises to simplify and unify patent protection in Europe. But not all EU countries are on board. Discover why some countries like Spain have opted out and what it means for inventors.

2024 Cyberculture Legal information

ePrivacy Regulation: Transforming Messaging Privacy in 2025

2024 Cyberculture

Electronic Warfare in Military Intelligence

2024 Articles Cyberculture Legal information

ANSSI Cryptography Authorization: Complete Declaration Guide

2024 Articles Cyberculture

EAN Code Andorra: Why It Shares Spain’s 84 Code

Why some EU countries are not on board

What is the unitary patent?

The unitary patent is a new scheme that allows inventors and innovative companies to protect their inventions in 17 EU member states by filing a single request to the European Patent Office (EPO) 1. It is an alternative option to the classical European patent, which requires individual validation and maintenance in each country where the patent holder wants to benefit from protection 1. The unitary patent  entered into force on 1 June 2023, after the ratification of the Agreement on a Unified Patent Court (UPC Agreement) by 17 states participating in enhanced cooperation 2. It is expected that more EU states will join this scheme in the future 1.

The unitary patent is based on the European patent granted by the EPO under the rules of the European Patent Convention (EPC), so nothing changes in the pre-grant phase and the same high standards of quality search and examination apply. After a European patent is granted, the patent holder can request unitary effect, thereby obtaining a European patent with unitary effect (unitary patent) that provides uniform protection in initially 17 EU member states.

What is the current status of the unitary patent?

The unitary patent system is a new scheme that allows inventors and innovative companies to protect their inventions in 17 EU member states by filing a single request to the European Patent Office (EPO) . It is an alternative option to the classical European patent, which requires individual validation and maintenance in each country where the patent holder wants to benefit from protection . The unitary patent is expected to start in early 2023, after the ratification of the Agreement on a Unified Patent Court (UPC Agreement) by 17 states participating in enhanced cooperation . It is expected that more EU states will join this scheme in the future.

The UPC Agreement

The UPC Agreement is an international treaty that establishes the Unified Patent Court (UPC), a supranational specialised court that will have exclusive jurisdiction to settle disputes relating to unitary patents and European patents . The UPC Agreement was signed by 25 EU member states in 2013, but it requires the ratification by at least 13 states, including France, Germany and Italy, to enter into force.

As of June 2021, 16 states have ratified the UPC Agreement, including France and Italy . Germany has also ratified the UPC Agreement in December 2020, but its ratification is pending before the German Constitutional Court, which has received two constitutional complaints against it . The German government has expressed its intention to deposit its instrument of ratification as soon as possible after the resolution of these complaints . The UK, which was initially one of the mandatory ratifying states, has withdrawn from the unitary patent system after leaving the EU in 2020.

The main obstacle and challenges

The main remaining obstacle for the implementation of the unitary patent system is therefore the outcome of the German constitutional complaints. If they are dismissed or overcome, Germany could deposit its instrument of ratification and trigger the entry into force of the UPC Agreement within three months . However, if they are upheld or delayed, Germany could be prevented from joining the unitary patent or cause further uncertainties and complications for its launch.

Other challenges for the implementation of the unitary patentinclude the practical and logistical arrangements for the operation of the Unified Patent Court, such as the recruitment and training of judges, the establishment of IT systems and facilities, and the adoption of procedural rules and guidelines . Moreover, some legal and political issues may arise from the withdrawal of the UK from the unitary patent, such as the impact on the linguistic regime of the unitary patent, the distribution of the workload and the cases among the different divisions of the Unified Patent Court, and the compatibility of the UPC Agreement with EU law.

What are the advantages?

The unitary patent system offers several advantages for inventors and innovative companies who want to protect their innovations in the EU. Among these advantages, we can mention:

  • The simplification of the procedure: the patent holder no longer needs to carry out complex and costly procedures with national offices to validate their European patent in each country 1.
  • They only need to request unitary effect from the EPO, which is their single interlocutor 2.
  • The reduction of costs: the patent holder no longer has to pay validation fees, translation fees, representation fees or annual national fees to keep their patent in force in the countries covered by the unitary patent 1.
  • They only pay a single annual fee to the EPO, which is calculated according to a progressive scale 3.
  • The legal certainty: the patent holder benefits from a uniform protection in all countries where the unitary patent takes effect, without risk of fragmentation or divergence between national rights 1.
  • They can also enforce their rights before a supranational specialised court, the Unified Patent Court (UPC), which has exclusive jurisdiction to settle disputes relating to infringement and validity of unitary patents.

How does the unitary patent compare with other patent systems?

The unitary patent system is not the only option for obtaining patent protection in multiple countries. There are other regional or international patent systems that offer different advantages and disadvantages for inventors and innovative companies. Here are some examples:

The European Patent Convention (EPC)

The EPC is an international treaty that allows applicants to file a single application at the European Patent Office (EPO) and obtain a European patent that can be validated in up to 38 contracting states . The EPC is not affected by the unitary patent system and will continue to operate in parallel with it. The EPC offers more flexibility than the unitary patent, as applicants can choose which countries they want to validate their European patent in. However, it also involves more costs and formalities than the unitary patent, as applicants have to pay validation fees, translation fees and annual national fees in each country where they want to maintain their European patent.

The Patent Cooperation Treaty (PCT)

The PCT is an international treaty that allows applicants to file a single international application at a national or regional office and obtain an international search report and a preliminary examination report on their invention . The PCT does not grant patents directly, but facilitates the entry into national or regional phases in up to 153 contracting states . The PCT offers more time than the unitary patent system, as applicants can delay their decision on which countries they want to pursue their patent protection in for up to 30 or 31 months from the priority date . However, it also involves more complexity than the unitary patent, as applicants have to comply with different requirements and procedures in each country where they enter the national or regional phase.

The Eurasian Patent Convention (EAPC)

The EAPC is an international treaty that allows applicants to file a single application at the Eurasian Patent Office (EAPO) and obtain a Eurasian patent that can be validated in up to 8 contracting states . The EAPC is not related to the unitary patent system and operates independently from it. The EAPC offers more simplicity than the unitary patent, as applicants do not have to pay any validation fees or translation fees in the countries where they want to validate their Eurasian patent . However, it also involves more risk than the unitary paten system, as applicants cannot opt out of the jurisdiction of the Eurasian Court of Patent Disputes, which can invalidate their Eurasian patent in all contracting states.

How Freemindtronic’s international patents are related to the unitary patent

Freemindtronic is an Andorran company that creates innovative solutions for security, cyber-security and counter-espionage, using contactless technology (NFC). We have several inventions that are protected by international patents in the fields of embedded systems, access control and segmented key authentication. For example, our patented technologies EviCore NFC HSM, which manage encryption keys in an NFC HSM device, EviCore HSM OpenPGP, which manage encryption keys in a security element of phones, EviVault NFC HSM Cold Wallet operating without contact, EviKey NFC a contactless secured USB key and the technology EviCypher NFC HSM which encrypts all types of data. These technologies implement our patents and especially the one based on the segmented key authentication system. The latter received the gold medal of international inventions of Geneva 2021.

Our patent options

Our patents are based on the European patent granted by the European Patent Office (EPO) under the rules of the European Patent Convention (EPC). Therefore, we could benefit from the unitary patent system, which is a new scheme that allows inventors and innovative companies to protect their inventions in 17 EU member states by filing a single request to the EPO. However, we would also have to consider the disadvantages and risks of the unitary patent, such as the risk of total invalidation, the lack of flexibility and the exclusion of some countries. Moreover, we would have to deal with the legal issues of the unitary patent for non-participating countries, such as cross-border infringement cases and jurisdictional conflicts.

Our patent strategy

We have opted for the unitary patent only for our segmented key authentication system, and we have added some non-participating countries to our other European patents. The reasons behind this choice are related to our market strategy, our innovation potential and our risk assessment. For instance, we have decided to use the unitary patent for our segmented key authentication system because we consider it as our core invention and we want to protect it in a uniform and effective way in most EU countries. On the other hand, we have decided to add some non-participating countries to our other European patents because we want to preserve our flexibility and avoid possible invalidation challenges in those countries.

Conclusion

Our international patents are relevant examples of how the unitary patent system can affect inventors and innovative companies in Europe, both positively and negatively. They illustrate the opportunities and challenges that the unitary patent poses for innovation and competitiveness in the EU.

How can legal issues of the unitary patent for non-participating countries be resolved?

The legal issues of the unitary patent system for non-participating countries are complex and not yet fully resolved. One of the main questions is how to deal with cross-border infringement cases involving unitary patents and national patents. For instance, if an inventor from a non-participating country, such as Spain, wants to enforce his rights on his classic European patent in a participating country, such as France, where a unitary patent holder claims to infringe his patent, which law should he consider? Well, the question is not easy to answer, because he will have to take into account many international standards. In the end, this very important aspect will be “subjected” to a very complex situation that will necessarily be defined with the successive application of the law.

Another question is how to ensure a fair balance between the rights and obligations of unitary patent holders and national patent holders in non-participating countries. For example, if a unitary patent holder wants to enforce their rights in a non-participating country, such as Poland, where a national patent holder is allegedly infringing their patent, which court should they go to? Well, the answer is not clear, as it will depend on the interpretation and application of various international agreements. In principle, the unitary patent holder should go to the national court of Poland, but they may face some difficulties or disadvantages in comparison with the national patent holder, such as higher costs, longer procedures or different standards of proof.

One possible way to resolve these legal issues is to harmonise the rules and practices of the unitary patent and the national patent systems in Europe. This could be achieved by adopting common standards and guidelines for patent examination, grant, validity and enforcement, as well as by establishing mechanisms for cooperation and coordination between the UPC and the national courts. Another possible way is to extend the scope and coverage of the unitary patent and the UPC to all EU member states and other EPC contracting states. This could be achieved by encouraging and facilitating their participation in the enhanced cooperation and ratification of the UPC Agreement.

However, these solutions may face some practical and political challenges, such as the lack of consensus or willingness among the different stakeholders, the respect for national sovereignty and diversity, or the compatibility with EU law and international obligations. Therefore, it is important that the unitary patent and its legal implications are carefully monitored and evaluated, and that its benefits and drawbacks are balanced and communicated to all parties involved.

What are the disadvantages?

The unitary patent system is not without disadvantages for some actors in the patent market. Among these disadvantages, we can mention:

  • The risk of total invalidation: the patent holder faces the possibility that their patent will be cancelled in all countries where it takes effect, if the UPC finds that it does not meet the requirements of patentability. They do not have the possibility to limit or amend their patent to avoid this fatal outcome.
  • The lack of flexibility: the patent holder cannot choose the countries where they want to protect their invention, nor renounce their patent in some countries to avoid paying fees or to circumvent legal obstacles. They must accept or refuse unitary effect as a whole.
  • The exclusion of some countries: the patent holder cannot benefit from protection in all EU member states, since some countries have decided not to participate in the unitary patent or have not yet ratified the UPC Agreement 1.
  • This is notably the case of Spain, which is one of the few EU countries that does not intend to be part of the unitary patent

What are the best practices or strategies for using or avoiding the unitary patent?

The unitary patent system offers a new opportunity for inventors and innovative companies who want to protect their inventions in Europe. However, it also poses some challenges and risks that need to be carefully considered. Depending on their needs and goals, they may decide to use or avoid the unitary patent, or to combine it with other patent systems. Here are some factors to consider when making this decision:

The scope of protection

The unitary patent system provides a uniform protection in 17 EU member states, which may cover a large part of the European market. However, it does not cover all EU member states, nor non-EU countries that are part of the EPC or the PCT. Therefore, inventors and innovative companies should assess whether the unitary patent covers their target markets, or whether they need to seek additional protection in other countries.

The cost of protection

The unitary patent reduces the cost of protection in Europe, as it eliminates the need to pay validation fees, translation fees and annual national fees in each country where the unitary patent takes effect. However, it also introduces a single annual fee for the unitary patent, which is calculated according to a progressive scale . Therefore, inventors and innovative companies should compare the cost of the unitary patent with the cost of other patent systems, and consider whether they need protection in all countries covered by the unitary patent, or whether they can save money by choosing a smaller number of countries.

The risk of invalidation

The unitary patent increases the risk of invalidation in Europe, as it exposes the unitary patent to a single challenge before the UPC, which can invalidate it in all countries where it takes effect. Moreover, the UPC is a new court that may have some uncertainties and inconsistencies in its interpretation and application of the law. Therefore, inventors and innovative companies should evaluate the strength and validity of their inventions, and consider whether they want to avoid this risk by opting out of the UPC for their European patents, or by using other patent systems that allow them to limit or amend their patents in case of invalidation challenges.

The enforcement of rights

The unitary patent facilitates the enforcement of rights in Europe, as it allows the holders of unitary patents to sue infringers before the UPC, which can grant pan-European injunctions and damages. However, it also exposes them to counterclaims for invalidity before the UPC, which can invalidate their unitary patents in all countries where they take effect. Therefore, inventors and innovative companies should assess the likelihood and impact of infringement and invalidity actions, and consider whether they want to benefit from this facilitation by opting in to the UPC for their European patents, or whether they want to retain more control over their litigation strategy by using national courts or other patent systems.

Why do some EU countries not want to join the unitary patent

The reasons for some EU countries’ exclusion from the unitary patent are diverse. Spain, for example, considers that the linguistic regime of the unitary patent, which relies on the three official languages of the EPO (English, French and German), is discriminatory and harms its economic and cultural interests. It believes that Spanish, which is the second most spoken native language in the world, should be recognised as an official language of the unitary patent, or at least, that the holders of unitary patents should be required to provide a full translation in Spanish of their patents. It also fears that the unitary patent will strengthen the dominant position of the English-speaking and German-speaking countries in the field of innovation and will reduce the development opportunities of Spanish companies.

Croatia, on the other hand, has not joined enhanced cooperation for setting up the unitary patent, because it joined the EU after the launch of this initiative. However, it has expressed its interest in joining the unitary patent in the future.

Poland and the Czech Republic have participated in enhanced cooperation, but have not signed or ratified the UPC Agreement, which is a prerequisite for being part of the unitary patent 2. These countries have invoked economic and legal reasons to justify their withdrawal. Poland has estimated that the unitary patent would have a negative impact on its national budget and on its competitiveness. The Czech Republic has expressed doubts about the compatibility of the unitary patent with EU law and about the quality of automatic translations .

Slovakia has also participated in enhanced cooperation, but has opposed the regulation on the unitary patent and has challenged it before the Court of Justice of the EU (CJEU). It has argued that the regulation was contrary to the principle of equal treatment between the member states and the official languages of the EU. It has also questioned the legal basis of the regulation and its respect for national competences in the field of industrial property. The CJEU rejected its request in 2015.

Hungary has ratified the UPC Agreement in 2018, but has denounced it in 2020, following a decision of its Constitutional Court that declared that the Agreement was incompatible with its Constitution. The Court considered that the Agreement infringed on Hungary’s sovereignty in the matter of intellectual property and that it violated the principle of separation of powers by entrusting the settlement of disputes relating to patents to a supranational court not integrated into the Hungarian judicial system.

Here is a table that summarizes that gives the list of European countries that accept the unitary patent and the European countries that have excluded themselves from the unitary patent:

Country Status Reason
Germany Accepts Participates in enhanced cooperation and has ratified the UPC Agreement
Austria Accepts Participates in enhanced cooperation and has ratified the UPC Agreement
Belgium Accepts Participates in enhanced cooperation and has ratified the UPC Agreement
Bulgaria Accepts Participates in enhanced cooperation and has ratified the UPC Agreement
Cyprus Accepts Participates in enhanced cooperation and has ratified the UPC Agreement
Croatia Excluded Has not joined enhanced cooperation
Denmark Accepts Participates in enhanced cooperation and has ratified the UPC Agreement
Spain Excluded Has opposed enhanced cooperation and has challenged the linguistic regime of the unitary patent
Estonia Accepts Participates in enhanced cooperation and has ratified the UPC Agreement
Finland Accepts Participates in enhanced cooperation and has ratified the UPC Agreement
France Accepts Participates in enhanced cooperation and has ratified the UPC Agreement
Greece Accepts Participates in enhanced cooperation and has ratified the UPC Agreement
Hungary Excluded Has ratified the UPC Agreement but has denounced it following a decision of its Constitutional Court
Ireland Accepts Participates in enhanced cooperation but has not yet ratified the UPC Agreement
Italy Accepts Participates in enhanced cooperation and has ratified the UPC Agreement
Latvia Accepts Participates in enhanced cooperation and has ratified the UPC Agreement
Lithuania Accepts Participates in enhanced cooperation and has ratified the UPC Agreement
Luxembourg Accepts Participates in enhanced cooperation and has ratified the UPC Agreement
Malta Accepts Participates in enhanced cooperation and has ratified the UPC Agreement
Netherlands Accepts Participates in enhanced cooperation and has ratified the UPC Agreement
Poland Excluded Participates in enhanced cooperation but has not signed or ratified the UPC Agreement
Portugal Accepts Participates in enhanced cooperation and has ratified the UPC Agreement
Czech Republic Excluded Participates in enhanced cooperation but has not signed or ratified the UPC Agreement
Romania Accepts Participates in enhanced cooperation but has not yet ratified the UPC Agreement
Slovakia Excluded Has opposed enhanced cooperation and has challenged the regulation on the unitary patent
Slovenia Accepts Participates in enhanced cooperation and has ratified the UPC Agreement
Sweden Accepts Participates in enhanced cooperation and has ratified the UPC Agreement

What are the consequences of these countries’ exclusion from the unitary patent?

The exclusion of these countries from the unitary patent has consequences for both the holders of unitary patents and the national patent holders in these countries. For the holders of unitary patents, this means that they cannot protect their inventions in these countries through the unitary patent, but they have to resort to the classical European patent or the national patent . They therefore have to bear the costs and formalities related to the validation and maintenance of their patent in these countries, as well as the risks of a fragmented protection and legal uncertainty . For the national patent holders in these countries, this means that they cannot benefit from the advantages of the unitary patent, but they have to face the increased competition of the holders of unitary patents in the other EU countries . They also have to adapt to the rules and procedures of the UPC, which can be seized by the holders of unitary patents to assert their rights against them or to challenge the validity of their classical European patents .

What are the legal issues of the unitary patent for non-participating countries?

The legal issues of the unitary patent system for non-participating countries are complex and not yet fully resolved. One of the main questions is how to deal with cross-border infringement cases involving unitary patents and national patents. For example, if an inventor from a non-participating country, such as Spain, wants to exercise their rights on their classical European patent in a participating country, such as France, where a unitary patent holder is allegedly infringing their patent, which law should they take into account? Well, the question is not easy to answer, as it will have to take into account many international norms. In the end, this very important aspect will be “subjected” to a very complex situation that will necessarily be defined with the successive application of the law.

Another question is how to ensure a fair balance between the interests of the holders of unitary patents and those of national patent holders in non-participating countries. For instance, if a national patent holder in Spain wants to challenge the validity of a unitary patent that covers an invention similar to theirs, how can they do so without having to go before the UPC, which may not be accessible or convenient for them? Conversely, if a unitary patent holder wants to enforce their rights against a national patent holder in Spain who is allegedly infringing their patent, how can they do so without having to go before a national court that may not be familiar or favourable with the unitary patent? These questions raise issues of jurisdiction, recognition and enforcement of judgments, as well as substantive law harmonisation.

These legal issues are likely to generate uncertainty and litigation for both unitary patent holders and national patent holders in non-participating countries. They may also create barriers and distortions in the internal market and affect innovation and competitiveness. Therefore, it is desirable that these issues are addressed and clarified as soon as possible, either by legislative or judicial means.

Conclusion

The unitary patent is a new scheme that offers a simplified, economical and uniform protection in 17 EU member states. It is accompanied by a Unified Patent Court, which has exclusive jurisdiction to settle disputes relating to unitary patents. The unitary patent has advantages and disadvantages for inventors and innovative companies, depending on their strategy and market. Spain is one of the few EU countries that does not intend to join the unitary patent, mainly for linguistic reasons. Its exclusion has consequences for both unitary patent holders and Spanish actors in the patent market. The unitary patent also raises legal issues for non-participating countries, which are not yet fully resolved.

In conclusion, the unitary patent system is a major innovation in the field of intellectual property in Europe, but it also poses significant challenges for its implementation and acceptance. It aims to foster innovation and competitiveness in the EU, but it also creates disparities and conflicts between participating and non-participating countries. It offers a simplified and uniform protection for inventors and innovative companies, but it also exposes them to risks and uncertainties in cross-border litigation. It is therefore important that the unitary patent is carefully monitored and evaluated, and that its benefits and drawbacks are balanced and communicated to all stakeholders.

(1) https://www.epo.org/applying/european/unitary/unitary-patent.html

(2) https://www.epo.org/applying/european/unitary.html

(3) https://www.gov.uk/guidance/the-unitary-patent-and-unified-patent-court

NRE Cost Optimization for Electronics: A Comprehensive Guide

NRE cost optimization for electronics digital computer cyber security by Freemindtronic from Andorra

NRE Cost Optimization for Electronics by Jacques Gascuel This article will be updated with any new information on the topic, and readers are encouraged to leave comments or contact the author with any suggestions or additions.

Summary

NRE cost optimization for electronics is a key factor for ensuring the profitability of electronic product development. NRE cost can be reduced by using different levers and tools, such as optimizing the V-cycle, the WBS, and the schedule, and using the TRL scale to assess the maturity of technologies. Freemindtronic is an example of a company that uses these techniques to optimize NRE cost for its electronic products with PCB, which are based on its patented technologies and offered under license and white label services.

2024 Articles Cardokey EviSwap NFC NDEF Technology GreenTech Technical News

NFC vCard Cardokey: Revolutionizing Digital Networking

2024 Articles Cyberculture EviPass Password

Human Limitations in Strong Passwords Creation

2024 Articles Digital Security EviKey NFC HSM EviPass News SSH

Terrapin attack: How to Protect Yourself from this New Threat to SSH Security

2023 Articles Cyberculture EviCypher NFC HSM News Technologies

Telegram and the Information War in Ukraine

Articles Crypto Currency Cryptocurrency Digital Security EviPass Technology NFC HSM technology Phishing

Ledger Security Breaches from 2017 to 2023: How to Protect Yourself from Hackers

Articles Digital Security EviCore NFC HSM Technology EviPass NFC HSM technology NFC HSM technology

TETRA Security Vulnerabilities: How to Protect Critical Infrastructures

2023 Articles DataShielder Digital Security EviCore NFC HSM Technology EviCypher NFC HSM EviCypher Technology NFC HSM technology

FormBook Malware: How to Protect Your Gmail and Other Data

Articles EviCore NFC HSM Technology legal News Training

Dual-Use Encryption Products: a regulated trade for security and human rights

Discover our other articles on digital security

Efficient NRE Cost Optimization for Electronics

NRE Cost Optimization, in the field of electronic product development, plays a central role. This one-time cost, associated with designing, testing, and developing a new product, has a direct impact on the product’s unit cost and the profit margin. Therefore, estimating and optimizing NRE cost are essential for ensuring the project’s viability and profitability.

NRE cost depends on several factors, such as:

  • The complexity and size of the product
  • The quantity and frequency of the orders
  • The technology, tools, and methods used for designing, manufacturing, and testing the product
  • The software associated with the product
  • The royalty fee paid to the technology provider

The complexity and size of the product can drive up the costs due to the increase in material and labor costs. On the other hand, larger and repeated orders can reduce the NRE cost per unit, as fixed costs are distributed over more units.

In this article, we will explain how to calculate NRE cost for electronic products with PCB (printed circuit boards), which are the core components of any electronic device. We will also present three main levers to reduce NRE cost for electronic products with PCB: optimizing the V-cycle, optimizing the WBS (work breakdown structure), and accelerating schedule. Finally, we will introduce the TRL scale (technology readiness level scale), a tool that can help you optimize NRE cost for electronic products with PCB by assessing and comparing the maturity of different technologies.

We will also show you how Freemindtronic, an Andorran company specialized in security and cybersecurity of computer systems and information systems, uses the TRL scale to optimize NRE cost for its electronic products with PCB. Freemindtronic also offers its technologies under license, including international patents, and provides white label product creation services.

NRE cost optimization for electronics digital cyber security by Freemindtronic from Andorra

How to Calculate NRE Cost for Electronic Products with PCB?

To optimize NRE cost for electronic products with PCB, you need to know how to calculate it. NRE cost can be divided into four main categories:

  • Design cost: this includes the software tools for CAD (computer-aided design), licenses, salaries of designers, etc.
  • Fabrication cost: this includes the materials, equipment, tools, personnel, etc. for manufacturing the electronic components and assembling them into a product.
  • Test cost: this includes the measurement devices, test software, salaries of testers, etc. for verifying the functionality and quality of the product.
  • Software cost: this includes the firmware, drivers, embedded systems, applications, extensions, etc. associated with the product.
  • Royalty cost: this includes the fee paid to the technology provider for using their technology in the product.

To calculate NRE cost for electronic products with PCB, you need to estimate the time and resources required for each category. You can use historical data from previous projects or industry benchmarks as references. You can also use online calculators or software tools to help you estimate NRE cost.

In addition to these categories, you also need to consider the software associated with the PCB,

which ensure its functionality and interaction with the user or other systems. The software associated with the PCB include:

  • Firmware: they are embedded in the PCB and control the behavior of the electronic components. They are usually written in low-level (assembler) or intermediate-level (C, C++, etc.) languages. They are specific to the product and must be adapted to the characteristics of the PCB and the electronic components.
  • Drivers: they are installed on the computer or system that communicates with the PCB. They allow the system to recognize the PCB and transmit data between the PCB and the system. They are usually written in high-level (C#, Java, Python, etc.) languages. They must be compatible with the operating system and communication protocol used.
  • Embedded systems: they are installed on the PCB or on another support (memory card, hard disk, etc.). They allow to manage the functions of the product and provide a user interface. They are usually written in high-level (C#, Java, Python, etc.) languages. They must be adapted to the capabilities of the PCB and the needs of the product.
  • Applications: they are installed on the computer or system that communicates with the PCB. They allow the user to access the functionalities of the product and customize its settings. They are usually written in high-level (C#, Java, Python, Go, Type script, elvet etc.) languages. They must be ergonomic and intuitive for the user.
  • Extensions: they are installed on the computer or system that communicates with the PCB. They allow to add functionalities to the product or connect it to other services or systems. They are usually written in high-level (html, type script, web RTC, Java, java script, etc.) languages. They must be secure and respect compatibility standards.

These software must be designed, developed and tested in parallel with the PCB, in order to guarantee their coherence and performance. They must also be updated regularly to correct any bugs or to bring improvements to the product.

Besides these categories, you also need to consider the tools required for manufacturing and testing the PCB, which depend on the characteristics of the PCB and the requirements of the product. The tools for manufacturing and testing the PCB include:

  • Soldering machines: they allow to assemble electronic components on the PCB by soldering. There are different types of soldering machines, depending on the process used (wave soldering, reflow soldering, selective soldering, etc.).
  • Insertion machines: they allow to insert electronic components through holes in the PCB. They are used for through-hole components, which are fixed by soldering on both sides of the PCB.
  • Placement machines: they allow to place electronic components on the surface of the PCB. They are used for SMD (surface mount device) components, which are fixed by soldering on one side of the PCB.
  • Cutting machines: they allow to cut the PCB according to the desired shape. They are used to separate the different parts of the PCB or to adjust the size of the PCB.
  • Drilling machines: they allow to drill holes in the PCB to insert components or connectors. They are used to make connections between the different layers of the PCB or between the PCB and other elements.
  • Engraving machines: they allow to engrave patterns or inscriptions on the PCB. They are used to identify the PCB or to add technical or aesthetic information to it. For example, you can engrave the serial number, the manufacturer name, or the logo of the product on the PCB.
  • Measurement devices: they allow to verify the electrical and physical characteristics of the PCB. They include various devices such as multimeters, oscilloscopes, logic analyzers, insulation testers, etc. These devices allow you to measure the electrical and physical characteristics of the PCB, such as voltage, current, resistance, capacitance, frequency, etc.
  • Test software: they allow to control the functionality of the PCB and electronic components. They include various software such as simulation software, fault injection software, functional analysis software, etc. These software allow you to test the behavior of the PCB and electronic components under different conditions and scenarios.

These tools must be chosen according to the type and complexity of the PCB, as well as the level of quality required for the product. They must also be calibrated and maintained regularly to ensure their reliability and accuracy.

To illustrate how to calculate NRE cost for electronic products with PCB, let’s take an example of a project that involves developing a new product based on a 4-layer PCB with 1000 components (800 SMD and 200 through-hole). The project duration is 12 months and requires two engineers (one for design and one for test) with a salary of $3000 per month each. The project also requires a CAD software license ($5000), a fabrication service ($5000), a test service ($5000), a software development service ($10 000), and a royalty fee (5% of sales).

The following table shows how to calculate NRE cost for this project:

Item Formula Cost
Human resources (3 000 + 2 000) x (1 + 0.5) x 2 x 12 $90 000
Software tools $10 000
Materials $5 000
Equipment $15 000
Software $10 000
Royalty fee 0.05 x 200 000 $10 000
Total NRE cost Sum of above items $140 000

As you can see, NRE cost can be quite high for electronic products with PCB, especially if the product is complex or requires specific technologies or tools. Therefore, it is important to optimize NRE cost by using different levers and tools that can improve the efficiency and quality of the product development process.

Three Main Levers to Reduce NRE Cost for Electronic Products with PCB

To optimize NRE cost for electronic products with PCB, you need to know how to reduce it. NRE cost can be reduced by using different levers and tools that can improve the efficiency and quality of the product development process. In this section, we will present three main levers to reduce NRE cost for electronic products with PCB:

  • Optimizing the V-cycle: this is to optimize the design process of the product, which follows a V-shaped model that consists of four main phases: definition, design, verification, and validation. Optimizing the V-cycle relies on the following sub-levers:

Defining clearly and precisely the customer needs and product specifications, which are translated into functional and technical requirements for the product. This helps to avoid ambiguity and misunderstanding, and to align the expectations of all stakeholders. Designing modular and scalable product, which allows reusing existing components or technologies and adapting easily to future changes or improvements. This helps to reduce the design cost and time, and to increase the flexibility and adaptability of the product. Making prototypes and mock-ups, which allow testing the product in real conditions and collecting customer feedback. This helps to validate the feasibility and functionality of the product, and to identify and correct any errors or defects before mass production. Planning rigorously and realistically the project, taking into account technical, financial, and temporal constraints, and anticipating possible contingencies. This helps to optimize the use of resources, to avoid delays and budget overruns, and to manage risks effectively. Monitoring and controlling regularly the project, using performance indicators and appropriate project management tools, which measure the progress of the project and identify deviations from the initial plan. This helps to ensure the quality and efficiency of the project execution, and to take corrective actions if needed. Validating systematically the product at each stage of the V-cycle, using appropriate methods and test criteria, which ensure compliance and quality of the product. This helps to verify that the product meets the customer needs and product specifications, and to obtain certification or approval from relevant authorities.

  • Optimizing the WBS (work breakdown structure): this is to structure the project into sub-projects, tasks, and activities, which are hierarchized and detailed according to their level of complexity and dependence. Optimizing the WBS relies on the following sub-levers:

Decomposing logically and coherently the project, respecting the principle of sum of parts equal to whole, that is, each element of WBS must contribute to achieving global project. This helps to clarify the scope and objectives of the project, and to avoid duplication or omission of work. Defining clearly and precisely deliverables associated with each element of WBS, specifying expected features, responsibilities, deadlines, and costs. This helps to define the expected outcomes of each element of WBS, and to assign roles and responsibilities to each actor of the project. Assigning resources needed for each element of WBS, taking into account skills, availability, and costs of human, material, and financial resources. This helps to allocate resources efficiently and effectively to each element of WBS, and to optimize the cost and quality of the project. Coordinating and communicating among different actors of project, using collaborative tools and agile methods, which promote information exchange and problem solving. This helps to ensure the coherence and consistency of the project, and to foster the collaboration and innovation among different actors.

  • Accelerating schedule: this is to reducethe total duration of project by optimizing use of available resources and minimizing idle times. Accelerating schedule relies on following sub-levers:Reducing duration of critical tasks that have direct impact on end date of project. For this, we can use techniques such as crashing (increasing resources assigned to a task) or fast-tracking (performing tasks in parallel instead of sequentially). This helps to shorten the critical path of the project, which determines the minimum time required for completing the project. Increasing parallelism of non-critical tasks that do not affect the end date of project, but can reduce the total duration of project. For this, we can use techniques such as overlapping (starting a task before the previous one is completed) or splitting (dividing a task into smaller subtasks that can be performed in parallel). This helps to increase the concurrency of tasks in the project, which reduces idle times and improves resource utilization. Eliminating or minimizing slack time of tasks that is the difference between the earliest and latest start or finish times of a task. For this, we can use techniques such as resource leveling (balancing the demand and supply of resources over the project duration) or resource smoothing (adjusting the resource allocation to reduce peaks and valleys in resource usage). This helps to optimize the slack time of tasks, which can be used to absorb uncertainties or delays, or to improve quality or performance.

These levers and tools can help you optimize NRE cost for electronic products with PCB by reducing errors, delays, and budget overruns by improving the quality and efficiency of the product development process. They can also increase customer satisfaction and confidence by demonstrating the compliance and quality of the product at each stage of development.

How to Use the TRL Scale to Optimize NRE Cost for Electronic Products with PCB?

Another tool that can help you optimize NRE cost for electronic products with PCB is the TRL scale, or technology readiness level scale. The TRL scale is a tool for measuring or indicating the maturity of a technology. It was originally developed by NASA in the 1990s as a means to manage the technological risk of its programs. The TRL scale can help you optimize NRE cost for electronic products with PCB by providing a common language and framework for assessing and comparing the maturity of different technologies in the context of a specific application, implementation, and operational environment. The TRL scale also helps you identify gaps and risks in your technology development process, and plan appropriate actions and resources to address them.

The TRL scale ranges from 1 to 9, with 9 being ready for commercialization. The TRL scale describes the performance history of a given system, subsystem, or component relative to a set of levels that correspond to different stages of development.

The following table summarizes the main characteristics and criteria of each TRL level:

The following table summarizes the main characteristics and criteria of each TRL level:

TRL Definition Description Criteria
1 Basic principles observed Scientific research begins and results are translated into future research and development Publication or report of basic principles
2 Technology concept formulated Basic principles are applied to practical applications and experimental proof of concept is obtained Publication or report of applied research
3 Analytical and experimental critical function and/or characteristic proof-of-concept Active research and design begin and proof-of-concept model is constructed Analytical studies and laboratory tests
4 Component/subsystem validation in laboratory environment Component pieces are tested with each other in a simulated environment Component integration and testing
5 Component/subsystem validation in relevant environment Breadboard technology is tested in a realistic environment with simulated interfaces System-level testing in relevant environment
6 System/subsystem model or prototype demonstration in a relevant environment Fully functional prototype or representational model is demonstrated in a realistic environment with actual interfaces System-level testing in relevant environment
7 System prototype demonstration in an operational environment Working model or prototype is demonstrated in an extreme environment with all interfaces System-level testing in operational environment
8 Actual system completed and qualified through test and demonstration Technology has been tested and “flight qualified” and is ready for implementation into an existing technology or technology system System-level testing in operational environment
9 Actual system proven through successful mission operations Technology has been “flight proven” during a successful mission and meets all performance requirements System-level testing in operational environment

What are the Benefits of Using the TRL Scale for Freemindtronic?

By using the TRL scale, Freemindtronic was able to achieve the following benefits:

  • Providing a common language and framework for assessing and comparing the maturity of its technology with other technologies on the market.
  • Identifying gaps and risks in its technology development process and planning appropriate actions and resources to address them.
  • Reducing errors, delays, and budget overruns by improving the quality and efficiency of its product development process.
  • Increasing customer satisfaction and confidence by demonstrating the compliance and quality of its product at each stage of development.

Freemindtronic also offers its technologies under license, including international patents, and provides white label product creation services. This allows its customers to protect their products and services created in their brand and embedding Freemindtronic’s technologies. In addition, they benefit from territorial protection in terms of international intellectual property. Freemindtronic also offers the possibility of negotiating an NRE royalty with its customers, depending on the added value of its technology and market conditions. Moreover, Freemindtronic has designed a mutualized offer of its NRE costs, distributed among all its customers under licenses. This has the effect of reducing the royalty cost attached to the NRE. This also has the effect of making affordable access to the different licenses, especially patented ones, which produce a low impact on the products marketed.

Freemindtronic guarantees an industrial quality of its products,

manufactured with industrial grade electronic components. It also ensures a complete traceability of the manufacture of its offline products and end-to-end cybersecurity from HSMs, from design to end user.

Conclusion and Contact Information

We hope that this article has given you some useful insights on how to optimize NRE cost for electronic products with PCB by using different levers and tools. We also hope that you have learned how to use the TRL scale to optimize NRE cost for electronic products with PCB by assessing and comparing the maturity of different technologies.

We also showed you how Freemindtronic, an Andorran company specialized in security and cybersecurity of computer systems and information systems, uses the TRL scale to optimize NRE cost for its electronic products with PCB. Freemindtronic also offers its technologies under license, including international patents, and provides white label product creation services.

If you have any questions or comments, please feel free to contact us. We will be happy to assist you with your project.

Thank you for your attention.

To contact us click here

This site uses cookies to offer you a better browsing experience. By browsing this website, you agree to our use of cookies.