Encryption Key Retrieval Method Invented
try67 writes "ZDNet has this article discussing a method developed by several scientists (including Adi Shamir - the S in RSA, the guy who later found a way to crack RSA, GSM alg. cracker, and all-around very cool guy) of finding and stealing encryption keys from servers. The key's randomness seems to be what's giving them away." This is an interesting piece, but why do people continually feel that my credit card number is the most valuable piece of information I own? There's more than e-commerce at stake, people.
This algorithm was published quite a while ago: I've implemented it myself. Its best use is to look for "NSA key" type backdoors in closed source software, like Lotus Notes. The only "news" is that nCipher have worked out a way to turn it into publicity for their product. As everyone is saying, it's not very contentful.
By the way, Adi Shamir (and Ron Rivest, for that matter) have done a *lot* more crypto work than just RSA. Shamir is one of the inventors of differential cryptanalysis (along with Eli Biham).
--
Xenu loves you!
So let me see if I can get this right...the cDc releases information about a security risk in a certain company's operating system, thus causing said company to deny there is a problem, blame it on the cDc, and finally, fix it...eventually. Therefore, the cDc is a bunch of evil hackers because they provided this information.
When a group of respected scientists point out a security vulnerability, they're the good guys, for pointing out a vulnerability that 'hackers' might exploit.
Well, I guess that's fair.
Key storage and protection is an old problem. You have to assume that the operating system may be cracked, either by an external attacker or by an authorized user. The solution is to store keys in a tamper resistant hardware device, which can be an external box or a special chip. The keys can go into the device, but they can't come out. IBM has used this approach for their mainframe cryptographic facility for decades. IBM has a PCI card that solves this problem for PCs.
Mea navis aericumbens anguillis abundat
As I'm reading this article, they are saying that once into a web server, it is easy to search for a key because it is more random than any other data on the disk. Wish I could get paid for these kinds of revelations.
The solution: don't let anyone into your web server in the first place. I would consider the web server compromised and the keys invalid if someone got in and was able to snoop where the keys were located. Even if you do allow shell access to the web server (a bad idea in my opinion), put the keys in a root read-only directory! I believe the setup instructions for mod_ssl say to set your SSL key as 400, therefore only root can read it.
This article is irresponsible. They make it sound as if your credit card is already at stake, not just after someone has broken into a web server and stolen keys. It is not news that encrypted data is at stake after someone has stolen the private key.
I consider buying things over the web to be in the same league as ordering items over the phone. When people order things over the phone, they are dealing with a PERSON. How do they know that the operator that is taking their order is not going to rip them off, or do something stupid with their credit card number?
Plus, in both cases you don't know if the credit card information is being STORED properly. I've seen plenty of discount e-com setups that will have a fancy site certificate making it look secure. Then when the form is submitted a plain text email gets sent to some email address so that someone can manually punch it in.
This article was posted at 5:38pm EST. That's after the stock market closed. I wonder what kind of effect this would have on the "dot com" stocks... This would be a shame considering that the NASDAQ is doing so well lately.
The fact that encryption keys can be found in data by looking for strings with higher entropy than usual is not new. I have heard it several times, and I believe that this was how the "NSA_key" thing in the Win2K source code was discovered (remember that, MS let NSA authenticate their own crypto modules and people started screaming backdoor). If I'm not wrong, it's even mentioned in 'Applied Cryptography'.
The article says "root around looking for the keys", which I read as getting root to the server (I mean, who is going to keep code that contains crypto keys globally readable?) and that isn't exactly easy to begin with. And if your hosting server gets rooted you're sort of fucked anyways...
As far as the big deal over Credit Card numbers is concerned, I couldn't agree more. I don't know about you people, but I operate under the assumption that my credit card number is always in the hands of others. I mean, the security of a credit card number rests on the fact that "no one can remember 20 digits." Obscurity would be an infinite step up.
Credit card numbers can be stolen by anyone who you shop at, anyone who goes through those shops or your trash, anyone who (with a little memorization training) is able to read your card, etc ad infinitum. The whole system is based on the fact that credit card numbers can be stolen but that it's cheaper for the companies to take the loss than implement a smarter system. If that doesn't fit your shoe, then there is always cash...
-
We cannot reason ourselves out of our basic irrationality. All we can do is learn the art of being irrational in a reasonable way.
/. should post articles of higher quality than this. This article is very clearly nothing more than an ad for a company with a dumb product (I say dumb because there should be a better argument for its usage other than this):
Everyone here should know that "security through obscurity" is a foolish and invalid method of security. This article is particularly annoying with its "submarine" and "cold war" analogies as well as its mention of "increasing hacker ingenuity", as though finding a big file of encryption keys open to all users on a server is some high tech stealth technique from a Harrison Ford movie or something.
Well, duh! Once I'm in, you have big problems. So, DON'T LET ME IN
It is not as though this is a new means to attack a server and gain access, just a way, once you have access, to find what you want.
And, if you store a bunch of data in compressed format (which also looks pretty random), then the search will be confused.
"The sky is falling! The sky is falling!" Any modern journalist.
www.eFax.com are spammers
To re-iterate. There are now two (2) ways to obtain credit card numbers:
Method #1:
* Crack into a highly secure server, likely behind a firewall (details left out, this part is easy)
* Apply heuristics and a random number searching algorithm on the hard drive (heuristics + classic compression algorithms such as LZW will work here)
* Use the keys to monitor transactions with this server and obtain credit card numbers
* Use credit card numbers to purchase online pron
Method #2:
* Get job at local store for approx. 1 hour
* Obtain tools: pen, paper, or a good memory
* Use tools to store credit card numbers
* Use credit card numbers to purchase online pron
The opening of this new method, number one (1), could be a serious threat to e-commerce. It makes e-commerce almost 1% as dangerous as physical world purchases! I know I'll never type https:// again and feel safe. I'm doing my purchases with complete safety: over the phone.
If you keep your keys in hexadecimal or base64 rather than binary, then the information content is maintained but is spread across a greater amount of data. This easily defeats the method. If you *really* want to reduce the average entropy, you can use a full byte '0' or '1' for each bit, or two bytes, or three ... ad infinitum.
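Added example, not part of any comment above and not the published algorithm: a sliding-window byte-entropy scan of the kind the thread describes, usable for auditing your own images for stored key material. It runs over constructed data to show the three cases commenters raise (a binary key, the same key hex-encoded, and compressed data). The window size, step, threshold, filler text and the SHA-256 stream standing in for a key are all assumptions chosen for this sample.

```python
import hashlib
import math
import zlib
from collections import Counter

WINDOW, STEP, THRESHOLD = 64, 16, 5.2  # bytes, bytes, bits/byte (tuned to this sample)

def entropy(chunk: bytes) -> float:
    """Shannon entropy of the byte histogram, in bits per byte."""
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())

def high_entropy_regions(image: bytes) -> list[tuple[int, int]]:
    """Slide a window over image; merge flagged windows into (start, end) spans."""
    spans = []
    for off in range(0, len(image) - WINDOW + 1, STEP):
        if entropy(image[off:off + WINDOW]) < THRESHOLD:
            continue
        if spans and off <= spans[-1][1]:      # overlaps or touches previous span
            spans[-1] = (spans[-1][0], off + WINDOW)
        else:
            spans.append((off, off + WINDOW))
    return spans

def stand_in_random(n: int, seed: bytes) -> bytes:
    """Deterministic SHA-256 counter stream standing in for random bytes."""
    out = b""
    for i in range(n // 32 + 1):
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
    return out[:n]

# Constructed sample data: config-like filler using only 16 distinct byte values.
FILLER = b"ssl engine on; log level warn; server name example; " * 16
KEY = stand_in_random(128, b"key")  # placeholder bytes, not a real key
WORDS = b"get post login cart order user item pay ship ok fail retry page view add del".split()
LOG = b" ".join(WORDS[b % 16] for b in stand_in_random(2000, b"log"))

def embed(blob: bytes) -> bytes:
    return FILLER + blob + FILLER

RAW_HITS = high_entropy_regions(embed(KEY))                 # binary key stands out
HEX_HITS = high_entropy_regions(embed(KEY.hex().encode()))  # 16 symbols: under 4 bits/byte
ZIP_HITS = high_entropy_regions(embed(zlib.compress(LOG)))  # compressed data also flags

if __name__ == "__main__":
    print("raw key :", RAW_HITS)
    print("hex key :", HEX_HITS)
    print("zlib log:", ZIP_HITS)
```

A byte-histogram scan only sees the encoding it is pointed at; running the same scan over decoded hex or base64 runs would bring the key back above the threshold, and the compressed-log hit shows why flagged spans need a second check before being treated as key material.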