-Caveat Lector-

Click Here: ZDNet: Inter@ctive Week: Encryption Keys Vulner…
http://www.zdnet.com/intweek/stories/news/0,4164,2417628,00.html

-----

Encryption Keys Vulnerable, Researchers Warn
By Doug Brown, Inter@ctive Week
January 5, 2000 5:38 PM ET

Researchers at an English company announced Wednesday that they found a way to pluck from Web servers "keys" that provide access to private data stored on servers, such as credit-card numbers.

The revelation that hackers can break into servers and steal encryption keys could have repercussions throughout the electronic commerce landscape. Companies have long struggled with ensuring customers' privacy in the face of increasing hacker ingenuity, but encryption keys were generally believed to dwell in a safe haven.

"It's a pretty big deal," said Tom Hopcroft, president of the Massachusetts Electronic Commerce Association. "Currently, people feel that their keys for credit-card numbers are pretty safe, because they are on a server with a lot of other data, where they might be hard to find."

In light of the discovery that encryption keys are readily open to attack, companies must find ways to prevent their discovery, Hopcroft added. "The loss of consumer confidence could cripple the phenomenal growth of electronic commerce," he said. "A lot of that [growth] is because we don't have a fear of giving out our credit-card numbers over the Internet."

Alex Van Someren, president of nCipher in Cambridge, England, said the discovery of a method for retrieving encryption keys revolves around research conducted by his brother Nicko, chief technology officer and co-founder of nCipher, and Adi Shamir of the Weizmann Institute in Israel, co-inventor of the RSA encryption system, the base for much current encryption technology.

The researchers published their initial findings at the Financial Cryptography '99 conference in February 1999.
The research, Alex Van Someren said, laid a theoretical framework for an encryption key retrieval method. Now, he said, the researchers have demonstrated a concrete method for finding and stealing encryption keys from servers.

The technology centers on this: There is a general assumption that encryption keys will be impossible to find because they are buried in servers crowded with similar strings of code. What the researchers discovered, however, is that encryption keys are more random than other data stored in servers. To find the encryption key, one need only search for abnormally random data.

Hopcroft compared the method to classic Cold War tactics. "The United States developed quieter and quieter submarines, but they made them so quiet it was quieter than the ambient noise around them," he said. "So the Soviets could search for quiet spots."

The problem could be particularly nettlesome for smaller companies, because many of them run their Web businesses on servers shared by other companies. All a hacker would have to do, Hopcroft said, is set up an account with an Internet service provider hosting a company's Web site, "go into that server and root around looking for the keys of other companies. With [the key] there is no way for me to be distinguished from a legitimate business owner."

Van Someren said nCipher decided to go after encryption keys because "we make products that redress these problems." The company offers a hardware solution to the problem of encryption-key security.

Van Someren noted that it's possible that others - hackers, in particular - already have discovered the path to the once-hidden encryption keys. "We haven't seen any evidence of real attacks occurring, but if it were to occur, there would not necessarily be any trace left behind that it had occurred," he said.
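The "search for abnormally random data" idea above is the same check a site operator can run against a copy of their own server's storage to confirm that no private key is sitting in the clear next to ordinary records, which is the exposure the article argues for moving keys into hardware to avoid. The following Python is an added illustration written for this page, not code from the article, from nCipher or from the Shamir/van Someren paper: it slides a window over a buffer, measures the Shannon entropy of each window, and reports the regions whose entropy is far above that of text or structured records. The sample data (the customer records and the 64-byte stand-in for a key, derived from SHA-256 so the run is deterministic) is constructed for the example.

```python
import hashlib
import math
from collections import Counter

# Constructed sample data (not from the article): a few plaintext customer
# records with a 64-byte stand-in for a private key embedded between them.
RECORD = b"Customer record: name=Jane Doe; card=**** **** **** 1234; status=ok\n"
FAKE_KEY = (hashlib.sha256(b"constructed-key-part-1").digest()
            + hashlib.sha256(b"constructed-key-part-2").digest())
KEY_OFFSET = len(RECORD) * 4
SAMPLE_BLOB = RECORD * 4 + FAKE_KEY + RECORD * 4


def shannon_entropy(data: bytes) -> float:
    """Empirical Shannon entropy of the byte distribution, in bits per byte (0..8)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_for_key_material(blob: bytes, window: int = 64, step: int = 16,
                          threshold: float = 5.0) -> list[tuple[int, float]]:
    """Slide a window over blob and return (offset, entropy) for every window
    whose entropy exceeds the threshold.

    Text, numbers and most structured records sit well below 5 bits/byte;
    key material (and anything else that is effectively random, such as
    compressed or already-encrypted data) sits near 6 bits/byte for a
    64-byte window, so a 5.0 threshold separates the two without tuning.
    """
    hits = []
    for offset in range(0, len(blob) - window + 1, step):
        h = shannon_entropy(blob[offset:offset + window])
        if h > threshold:
            hits.append((offset, round(h, 2)))
    return hits


def merge_hits(hits, window: int = 64) -> list[tuple[int, int]]:
    """Collapse overlapping flagged windows into [start, end) byte regions."""
    regions: list[tuple[int, int]] = []
    for offset, _ in sorted(hits):
        if regions and offset <= regions[-1][1]:
            regions[-1] = (regions[-1][0], max(regions[-1][1], offset + window))
        else:
            regions.append((offset, offset + window))
    return regions


def audit(blob: bytes) -> list[tuple[int, int]]:
    """Return the byte regions of blob that look like unprotected key material."""
    return merge_hits(scan_for_key_material(blob))


if __name__ == "__main__":
    for start, end in audit(SAMPLE_BLOB):
        print(f"high-entropy region at bytes {start}-{end} "
              f"(stand-in key actually occupies {KEY_OFFSET}-{KEY_OFFSET + 64})")
```

Run against a disk image or a process memory dump, the flagged regions are triage leads rather than proof: compressed files, ciphertext and random padding score just as high, so each region still has to be inspected. The useful outcome for an operator is the negative result, which shows that a key is not resting in plaintext storage at all, and the positive result on a host shared with other tenants, which is exactly the scenario Hopcroft describes.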
Peter Neumann, a computer security researcher at SRI International in Menlo Park, Calif., said the discovery stands as just one more demonstration of "how flaky our infrastructure is."

"Every operating system can be broken into one way or another, and the servers aren't an exception," he added. "We need a great deal more security than we have at the moment as we enter into electronic commerce. And the bottom line is we should be a little bit more cautious about depending upon cryptography as the answer to all of our problems, because it isn't. It's very difficult to embed it properly into a system."

Bruce Schneier, a world-renowned cryptography expert and chief technology officer at Counterpane Internet Security in San Jose, echoed Neumann.

"Security vulnerabilities are inevitable, because of the complexity of the product, the rush to market, all of these things," he said. "So the vulnerabilities, we see them every week. The only solution is to build security processes that take into account the fallibility of the products."

Of the nCipher discovery, he said: "Let's say we fix this one. We're not magically better. We've fixed one little thing."

-----

Aloha, He'Ping, Om, Shalom, Salaam. Em Hotep, Peace Be, All My Relations. Omnia Bona Bonis, Adieu, Adios, Aloha. Amen.
Roads End

DECLARATION & DISCLAIMER
==========
CTRL is a discussion and informational exchange list. Proselytizing propagandistic screeds are not allowed. Substance—not soapboxing! These are sordid matters and 'conspiracy theory', with its many half-truths, misdirections and outright frauds, is used politically by different groups with major and minor effects spread throughout the spectrum of time and thought. That being said, CTRL gives no endorsement to the validity of posts, and always suggests to readers: be wary of what you read. CTRL gives no credence to Holocaust denial and Nazis need not apply. Let us please be civil and, as always, Caveat Lector.
Archives available at: http://home.ease.lsoft.com/archives/CTRL.html