Slashdot Mirror


Encryption Key Retrieval Method Invented

try67 writes "ZDNet has this article discussing a method developed by several scientists (including Adi Shamir - the S in RSA, the guy who later found a way to crack RSA, GSM alg. cracker, and all-around very cool guy) of finding and stealing encryption keys from servers. The key's randomness seems to be what's giving them away." This is an interesting piece, but why do people continually feel that my credit card number is the most valuable piece of information I own? There's more than e-commerce at stake, people.

5 of 218 comments

  1. An Old Problem by Detritus · · Score: 5

    Key storage and protection is an old problem. You have to assume that the operating system may be cracked, either by an external attacker or by an authorized user. The solution is to store keys in a tamper resistant hardware device, which can be an external box or a special chip. The keys can go into the device, but they can't come out. IBM has used this approach for their mainframe cryptographic facility for decades. IBM has a PCI card that solves this problem for PCs.

    --
    Mea navis aericumbens anguillis abundat
  2. Is this news? by Hobbex · · Score: 5


    The fact that encryption keys can be found in data by looking for strings with higher entropy than usual is not new. I have heard it several times, and I believe that this was how the "NSA_key" thing in the Win2K source code was discovered (remember that, MS let NSA authenticate their own crypto modules and people started screaming backdoor). If I'm not wrong, it's even mentioned in 'Applied Cryptography'.

    The article says "root around looking for the keys", which I read as getting root to the server (I mean, who is going to keep code that contains crypto keys globally readable?) and that isn't exactly easy to begin with. And if your hosting server gets rooted you're sort of fucked anyways...

    As far as the big deal over Credit Card numbers is concerned, I couldn't agree more. I don't know about you people, but I operate under the assumption that my credit card number is always in the hands of others. I mean, the security of a credit card number rests on the fact that "no one can remember 20 digits." Obscurity would be an infinite step up.

    Credit card numbers can be stolen by anyone who you shop at, anyone who goes through those shops or your trash, anyone who (with a little memorization training) is able to read your card, etc. ad infinitum. The whole system is based on the fact that credit card numbers can be stolen but that it's cheaper for the companies to take the loss than implement a smarter system. If that doesn't fit your shoe, then there is always cash...

    -
    We cannot reason ourselves out of our basic irrationality. All we can do is learn the art of being irrational in a reasonable way.

  3. bogus article by zzzeek · · Score: 5

    /. should post articles of higher quality than this. This article is very clearly nothing more than an ad for a company with a dumb product (I say dumb because there should be a better argument for its usage other than this):

    Van Someren said nCipher decided to go after encryption keys because "we make products that redress these problems." The company offers a hardware solution to the problem of encryption-key security.

    Everyone here should know that "security through obscurity" is a foolish and invalid method of security. This article is particularly annoying with its "submarine" and "cold war" analogies as well as its mention of "increasing hacker ingenuity", as though finding a big file of encryption keys open to all users on a server is some high tech stealth technique from a Harrison Ford movie or something.

  4. If I read the article correctly... by wowbagger · · Score: 5
    If I read the article correctly, all this new "method" does is allow you to find the keys once you have cracked the server.


    Well, duh! Once I'm in, you have big problems. So, DON'T LET ME IN.


    It is not as though this is a new means to attack a server and gain access, just a way, once you have access, to find what you want.


    And, if you store a bunch of data in compressed format (which also looks pretty random), then the search will be confused.


    "The sky is falling! The sky is falling!" Any modern journalist.
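Added example (not part of the thread or the ZDNet article): a sliding-window entropy scan of the kind comments 2 and 4 discuss, written as an audit of your own files for stray key material. The sample buffer, the stand-in "key", the window size and the threshold are all constructed assumptions.

```python
import hashlib
import math
import zlib
from collections import Counter

WINDOW = 64       # bytes per window; maximum possible entropy is log2(64) = 6 bits
STEP = 16         # distance between window starts
THRESHOLD = 5.2   # assumed cut-off, tuned for this constructed sample only

def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy of the byte distribution in chunk, in bits per byte."""
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())

def high_entropy_regions(data: bytes):
    """Return merged (start, end) offsets of windows at or above THRESHOLD."""
    regions = []
    for off in range(0, len(data) - WINDOW + 1, STEP):
        if shannon_entropy(data[off:off + WINDOW]) < THRESHOLD:
            continue
        if regions and off <= regions[-1][1]:   # overlaps the previous hit: extend it
            regions[-1] = (regions[-1][0], off + WINDOW)
        else:
            regions.append((off, off + WINDOW))
    return regions

def pseudo_random(n: int) -> bytes:
    """Deterministic stand-in for key material (constructed, not a real key)."""
    out = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(n // 32 + 1))
    return out[:n]

def build_sample():
    """Constructed file image: config text, a 128-byte 'key', text, a zlib blob."""
    text = b"listen 443\nlog_level info\nworker_processes 4\n" * 10
    key = pseudo_random(128)
    blob = zlib.compress(pseudo_random(512).hex().encode())
    data = text + key + text + blob + text
    key_span = (len(text), len(text) + len(key))
    blob_start = 2 * len(text) + len(key)
    return data, key_span, (blob_start, blob_start + len(blob))

def overlaps(a, b):
    return a[0] < b[1] and b[0] < a[1]

if __name__ == "__main__":
    data, key_span, blob_span = build_sample()
    for region in high_entropy_regions(data):
        label = "key" if overlaps(region, key_span) else "compressed data"
        print(region, label)
```

The scan flags the compressed blob as well as the key, which is the false positive comment 4 points out: entropy alone cannot tell key material from compressed data, so hits need a second check such as a format or structure test.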

  5. Another pseudo-hack by MobyDisk · · Score: 5

    To re-iterate. There are now two (2) ways to obtain credit card numbers:

    Method #1:
    * Crack into a highly secure server, likely behind a firewall (details left out, this part is easy)
    * Apply heuristics and a random number searching algorithm on the hard drive (heuristics + classic compression algorithms such as LZW will work here)
    * Use the keys to monitor transactions with this server and obtain credit card numbers
    * Use credit card numbers to purchase online pron

    Method #2:
    * Get job at local store for approx. 1 hour
    * Obtain tools: pen, paper, or a good memory
    * Use tools to store credit card numbers
    * Use credit card numbers to purchase online pron

    The opening of this new method, number one (1), could be a serious threat to e-commerce. It makes e-commerce almost 1% as dangerous as physical world purchases! I know I'll never type https:// again and feel safe. I'm doing my purchases with complete safety: over the phone.