[Moderator: Someone more into crypto correct me if I am wrong.. but isn't one of the first signs of snake-oil the use of the word "unbreakable"?]

Forwarded From: phreak moi <hackereliteat_private>

http://www.news.com/News/Item/0,4,25598,00.html?st.ne.1.head

Key Net security hitch resolved
By Reuters
Special to CNET NEWS.COM
August 24, 1998, 7:50 a.m. PT

NEW YORK--Mathematicians at IBM and a Swiss university say they have developed a new system of securing information against the most aggressive type of attack by computer hackers--a step seen as resolving concerns about privacy and the integrity of electronic transactions on the Internet.

But rather than take what IBM considers to be a fundamental breakthrough and exploit it commercially, the researchers plan to give away their findings for free--in the hopes of bolstering public confidence in the security of the Internet.

The two Zurich-based mathematicians--Victor Shoup, of IBM Research, and Ronald Cramer, of the Swiss Federal Institute of Technology (ETH)--plan to unveil today their new security scheme at Crypto '98, the main annual U.S. academic conference devoted to computer security issues, in Santa Barbara, California.

The team has designed a practical and mathematically proven method for effectively closing off back-door attempts to thwart computer security systems using so-called "active" attacks, according to IBM and other top computer security researchers.

All current commercially available cryptography, or secret coding, systems are potentially vulnerable to active attacks, which are considered to be the most aggressive and dangerous hacking attempts any encryption system might face, they said.

"Businesses and consumers can have greater confidence in Internet transactions, because we've effectively closed down the only way around a cryptosystem's main line of defense," Jeff Jaffe, general manager for IBM's security products and services, said in a statement announcing the development.

Strong modern cryptography systems are based upon really difficult mathematical problems that are thought to be unsolvable. If the underlying problem of such a security can be solved, then the cryptosystem's security could be violated.

One means for cracking computer security systems is through "brute force" attacks that throw massive computer resources into attempts to calculate every possible answer to complex math problems.

Another method hackers use is what security experts call "social engineering," when, simply put, a hacker manages to trick someone inside an organization into revealing secret codes that allow outsiders to break into a computer system.

But "active" attacks are considered to be the most difficult to prevent because they bypass the difficulty of solving the underlying mathematical problem by sending a series of cleverly constructed messages to Web site computers. By analyzing the electronic responses to the messages from the Web sites, an attacker could get information that could be used to decode an intercepted session.

The Cramer-Shoup method thwarts active attacks by offering the first cryptosystem that prevents eavesdropping while also being efficient enough for commercial use, IBM said.

The new system would eliminate a security flaw that allowed a Bell Labs researcher earlier this year to demonstrate how a well-equipped computer hacker could break the encryption software code used for electronic commerce.

That discovery had set off a flurry of activity by Netscape Communications, Microsoft, and Security Dynamics Technologies' RSA Data unit that led to a software patch that fixed the immediate problem.

But the Bell Labs development left lingering doubts among security experts about the fundamental integrity of computer networks and suggested future attacks were possible.

However, in a phone interview on Friday, Bell Labs researcher Daniel Bleichenbacher said the Cramer-Shoup system had demonstrated a method that was impervious to the sort of attack he had developed and graciously accepted defeat.

These theorists are part of a chummy world elite of computer scientists engaged in a collegial competition to discover cracks in networks before criminal hackers do, thus keeping Internet security several steps ahead of the bad guys.

Bleichenbacher said his research was complementary to that of the IBM-Swiss university team. "My paper suggested the problem," the Bell Labs researcher said. "I have an attack and they present a solution."

For its own part, IBM said it plans to incorporate the new system into a future version of its Vault Registry software, designed to allow electronic commerce transactions to travel across organizational boundaries in a private, secure manner.

"The game is over as far as cryptography systems being subject to these nasty kinds of attacks," Charles Campbell Palmer, the manager of network security and cryptography at IBM Research, said in a phone interview.

Palmer leads a team of "ethical hackers" who practice breaking into computer systems, with permission, to detect potential security holes. He said IBM plans to freely disseminate its findings to other researchers with the goal of ensuring the success of electronic commerce by making it easier to use and more secure.

"This is not the sort of stuff you hold tight and patent," Palmer said. "This is the sort of stuff you publish...and hope everyone adopts it quickly."

The improvement comes at a time when consumers are still concerned about security and the safety of sending personal information, or their credit card numbers, over the Internet. Having secure transactions is crucial for persuading more consumers to buy products on the Internet and keep the burgeoning industry growing.

-o-
Subscribe: mail majordomoat_private with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]