Welcome to the web site of

CONNOTECH Experts-conseils Inc.

Un peu de français!

The PUDEC logo should appear here.

PUDEC (Practical Use of Dice for Entropy Collection) has a home page, see http://pudec.connotech.com. In our search for a highly secure server hardware/software architecture using cost-effective components, we needed a solution for secret random number generation. This led to the design of a novel RNG seeding approach using dice. The introduction to the concept is found in this lay person tutorial document. More focused, this technical document about the conversion algorithms from dice outcome to random bits.

This site contains a wealth of unique information originating from various projects led by CONNOTECH Experts-conseils inc.

*** NEW *** The contents of this document should be found in the first few chapters of a textbook on applied cryptography, as it simply documents the good technique for setting up secure communications between two distant computer systems: "The Classical Authenticated Diffie-Hellman Exchange Revisited (with the Bladderwort Protocol Feature Addition)". Maybe we wrote it merely because we take nothing for granted, even TLS!

The PKC-only security scheme, about which some work-in-progress documents are made available

For global deployment of cryptographic digital signatures, key management ceremonies may an important ingredient for global trust in the system. Traditionally, hardware security modules (HSM) offered a well accepted solution, but not a flexible one and hence incomplete. We thus introduce the following document: "The Evanescent Security Module, Concepts and Linux Usage Strategies".

Not exactly a denial-of-service mitigation scheme, but the following technical note has a few original ideas for anonymous service abuse mitigation: "Internet Public Service Abuse Mitigation with a Time Ticket Sub-Protocol".

Any cryptography-based system or application needs a reliable and trustworthy source of secret random numbers. Here is a relevant document: "Secret Random Source Design Notes".

A work-in-progress document, recording the design decisions: "A Project Medley Design Notebook".

The launch document for the PKC-only application security scheme, showing how it may be fielded with the mainstream TLS protocol support in web-enabled secure applications: Explicit Meaningless X.509 Security Certificates as a Specifications-Based Interoperability Mechanism. See also a document prepared with the IETF editorial conventions (http://www.connotech.com/public-domain-aixcm-00.txt).

TAKREM, SAKEM and Other Information Security Topics

A document focused on DNS root signature, Towards a Process Flow for DNS Root Zone File Signature with KSK Rollover Provisions. This is part of a contribution to a public consultation by the US government. The preceding document is still available, A (Pro?-)Position Paper re DNS Root Zone File Signature Using DNSSEC Protocols.

The high level document Six Roles for Early Introduction of DNSSEC is a must-read for experts and would-be experts on DNSSEC deployment.

The above proposal is based on two specific contributions towards DNSSEC deloyment:

°

an IETF contribution in the form of an Internet draft for facilitation of "DNSSEC root priming," including a root trust anchor key rollover scheme and an implicit facilitation of "DNS root nameservice substitution for DNSSEC purposes," and

°

an opt-in strategy, especially useful to circumvent the lack of DNSSEC support in large TLDs.

This material is in rather crude form. An attempt to present an executive summary has been posted to a specialized blog.

The SISATA proposition document, disclosing a unique approach to DNSSEC deployment challenges. (SISATA: Stable Island of Security Agency for Trust Announcements.)

TAKREM, Trust Anchor Key REnewal Method, with application to DNS security. An FAQ document is also available.

Software tools are available (GPL'ed free software). This includes a complete solution for DNS zone management procedures (i.e. trust anchor key management and DNS authoritative nameserver operations), and an API for TAKREM support in DNSSEC-aware resolver software. The software development planning aspects are covered in two documents, respectively for the server side and the client side.

Three Internet drafts: draft-moreau-dnsext-tak-req, draft-moreau-dnsext-sdda-rr, and draft-moreau-dnsext-takrem-dns.

A document about DNSSEC performance impact: "A Short Note about DNSSEC Impact on Root Server Answer Sizes".

SAKEM, Secret Authentication Key Establishment Method

Surprisingly, when we needed a simple specification for a well-known public key cryptography digital signature scheme, we had to write one: Scirpo, a Basic Rabin-Williams Digital Signature Specification.

Other Cryptography and Information Security Documents

The Intaglio NIC project, a white paper contribution towards an alternate source for signed official DNS root data

The white paper document is here: "Intaglio NIC, an Independent DNS Root Signature Project".

Since the Intaglio NIC project is intended to be independent from CONNOTECH, a separate domain name has been reserved and its web site is: http://www.intaglionic.org/.

Embedded Systems Development, Microprocessor Systems

Microprocessor Development Toolkit, Powerful 32 Bits Processor

Major components from this kit:

°

PPCMB/850, a Motorola MPC850 Single-Board Computer

°

The ABCDProto-Kernel™

°

GNU GCC Cross-compiler for the PowerPC, Motorola MPC8xx Processor Family

Documents about Free Software Licensing

[ CONNOTECH home page: http://www.connotech.com | e-mail to: info@connotech.com ]