Slashdot Mirror

← Back to Stories (view on slashdot.org)

Encryption Could Make You More Vulnerable

Posted by CmdrTaco on from the also-condoms-give-you-aids dept.

narramissic writes "It sounds like a headline straight out of The Onion, but security researchers from IBM Internet Security Systems, Juniper, nCipher and elsewhere are warning that the use of data encryption could make organizations vulnerable to new risks and threats. There is potential for 'A new class of DoS attack,' says Richard Moulds, nCipher's product strategy EVP. 'If you can go in and revoke a key and then demand a ransom, it's a fantastic way of attacking a business.'"

4 of 126 comments (clear)

  1. To sum up: by Actually,+I+do+RTFA · · Score: 4, Informative

    The threats discussed are:

    1. Losing keys/passwords
    2. Missing business opportunities because of the difficulty of sharing data internally (or presumably with third-parties
    3. Hackers stealing your keys, deleting them, and ransoming them back to you
    4. Hackers performing DOS on your authentication key-serving server./li
    --
    Your ad here. Ask me how!
  2. revoke isn't that big by X0563511 · · Score: 4, Informative

    Revoking a key isn't going to harm a company. They can just issue a new key.

    A revoked key can usually still be used without limitations, however a revoked key should not be trusted and should be considered exposed.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    1. Re:revoke isn't that big by Zeinfeld · · Score: 4, Informative
      Its storage encryption keys they are talking about and nCipher makes a key management product.

      This is hardly a new issue, its been a significant concern for at least a decade. One of the problems with dealling with it was that for many years the mere mention of Key Escrow had people screaming about black helicopters.

      Key escrow is neither necessary nor desirable for communications security. You use session keys, preferably with a round of Diffie Hellman to provide perfect forward secrecy and protect against kelptographic attacks. But for storage encryption it is all a matter of how you keep the keys safe.

      It isn't that difficult to do, you simply make sure that keys are backed up in multiple places and are governed by separation of duties and multi-party control. The VeriSign Certification Practices Statement provides a complete primer in how to do this properly.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
  3. Re:Encrypting Data, not communications by rampant+poodle · · Score: 3, Informative

    TrueCrypt can protect you in both of these scenarios. After setting up the encrypted volume:

    1. Set an administrative passphrase/key.
    2. Make volume header backup. (Must be stored/protected as you would a safe combination.)
    3. Have end user set personal passphrase. (Creates a new volume header)

    If the user passphrase is lost or stolen the volume can be recovered by restoring the "admin" volume header. No ransom payment to bad guys required. (Applying clue stick to user is optional.)

    This does add the potential risk of someone stealing the "admin" header backups. Storing the headers in a locked container in the company safe or an off-site bank vault will bring this risk down to reasonable levels. (Storing them on a CD on someone's desk will not!)