[ISN] Key Net security hitch resolved

From: mea culpa (jerichoat_private)
Date: Mon Aug 24 1998 - 16:21:37 PDT

    [Moderator: Someone more into crypto correct me if I am wrong..
     but isn't one of the first signs of snake-oil the use of the
     word "unbreakable"?]
    
    Forwarded From: phreak moi <hackereliteat_private>
    
    http://www.news.com/News/Item/0,4,25598,00.html?st.ne.1.head
    
    Key Net security hitch resolved
    By Reuters
    Special to CNET NEWS.COM
    August 24, 1998, 7:50 a.m. PT
    
    NEW YORK--Mathematicians at IBM and a Swiss university say they have
    developed a new system of securing information against the most aggressive
    type of attack by computer hackers--a step seen as resolving concerns
    about privacy and the integrity of electronic transactions on the
    Internet. 
    
    But rather than take what IBM considers to be a fundamental breakthrough
    and exploit it commercially, the researchers plan to give away their
    findings for free--in the hopes of bolstering public confidence in the
    security of the Internet. 
    
    The two Zurich-based mathematicians--Victor Shoup, of IBM Research, and
    Ronald Cramer, of the Swiss Federal Institute of Technology (ETH)--plan to
    unveil today their new security scheme at Crypto '98, the main annual U.S. 
    academic conference devoted to computer security issues, in Santa Barbara,
    California. 
    
    The team has designed a practical and mathematically proven method for
    effectively closing off back-door attempts to thwart computer security
    systems using so-called "active" attacks, according to IBM and other top
    computer security researchers. 
    
    All current commercially available cryptography, or secret coding, systems
    are potentially vulnerable to active attacks, which are considered to be
    the most aggressive and dangerous hacking attempts any encryption system
    might face, they said. 
    
    "Businesses and consumers can have greater confidence in Internet
    transactions, because we've effectively closed down the only way around a
    cryptosystem's main line of defense," Jeff Jaffe, general manager for
    IBM's security products and services, said in a statement announcing the
    development. 
    
    Strong modern cryptography systems are based upon really difficult
    mathematical problems that are thought to be unsolvable. If the underlying
    problem of such a security can be solved, then the cryptosystem's security
    could be violated. 
    
    One means for cracking computer security systems is through "brute force"
    attacks that throw massive computer resources into attempts to calculate
    every possible answer to complex math problems. 
    
    Another method hackers use is what security experts call "social
    engineering," when, simply put, a hacker manages to trick someone inside
    an organization into revealing secret codes that allow outsiders to break
    into a computer system. 
    
    But "active" attacks are considered to be the most difficult to prevent
    because they bypass the difficulty of solving the underlying mathematical
    problem by sending a series of cleverly constructed messages to Web site
    computers. 
    
    By analyzing the electronic responses to the messages from the Web sites,
    an attacker could get information that could be used to decode an
    intercepted session. 
    
    The Cramer-Shoup method thwarts active attacks by offering the first
    cryptosystem that prevents eavesdropping while also being efficient enough
    for commercial use, IBM said. 
    
    The new system would eliminate a security flaw that allowed a Bell Labs
    researcher earlier this year to demonstrate how a well-equipped computer
    hacker could break the encryption software code used for electronic
    commerce. 
    
    That discovery had set off a flurry of activity by Netscape
    Communications, Microsoft, and Security Dynamics Technologies' RSA Data
    unit that led to a software patch that fixed the immediate problem. But
    the Bell Labs development left lingering doubts among security experts
    about the fundamental integrity of computer networks and suggested future
    attacks were possible. 
    
    However, in a phone interview on Friday, Bell Labs researcher Daniel
    Bleichenbacher said the Cramer-Shoup system had demonstrated a method that
    was impervious to the sort of attack he had developed and graciously
    accepted defeat. 
    
    These theorists are part of a chummy world elite of computer scientists
    engaged in a collegial competition to discover cracks in networks before
    criminal hackers do, thus keeping Internet security several steps ahead of
    the bad guys. 
    
    Bleichenbacher said his research was complementary to that of the
    IBM-Swiss university team. "My paper suggested the problem," the Bell Labs
    researcher said. "I have an attack and they present a solution." 
    
    For its own part, IBM said it plans to incorporate the new system into a
    future version of its Vault Registry software, designed to allow
    electronic commerce transactions to travel across organizational
    boundaries in a private, secure manner. 
    
    "The game is over as far as cryptography systems being subject to these
    nasty kinds of attacks,"  Charles Campbell Palmer, the manager of network
    security and cryptography at IBM Research, said in a phone interview. 
    
    Palmer leads a team of "ethical hackers" who practice breaking into
    computer systems, with permission, to detect potential security holes. 
    
    He said IBM plans to freely disseminate its findings to other researchers
    with the goal of ensuring the success of electronic commerce by making it
    easier to use and more secure. 
    
    "This is not the sort of stuff you hold tight and patent," Palmer said.
    "This is the sort of stuff you publish...and hope everyone adopts it
    quickly." 
    
    The improvement comes at a time when consumers are still concerned about
    security and the safety of sending personal information, or their credit
    card numbers, over the Internet. 
    
    Having secure transactions is crucial for persuading more consumers to buy
    products on the Internet and keep the burgeoning industry growing. 
    
    