[ISN] Are your secrets safe? (crypto)

From: mea culpa (jerichoat_private)
Date: Thu Mar 11 1999 - 14:02:01 PST


    Are your secrets safe?

    Duncan Graham-Rowe

    THEY MAY LOOK HARMLESS but screensavers could betray you while you're out
    at lunch. Two cryptographers have discovered that the randomness of the
    "keys" that are used to encode encrypted documents could be their

    The discovery was made by Adi Shamir at the Weizmann Institute of Science
    in Rehovot, Israel, joint inventor of the widely used RSA public key
    cryptography system, and Nicko van Someren of nCipher, a British
    electronic security company based in Cambridge. The more random a private
    signature key is, the harder it is to crack encrypted files. But by
    scanning hard drives for chunks of data that are particularly random, the
    pair found that it is possible to weed out keys stored on a disc.

    Most programs organise data into some sort of level of structure, so
    blocks of randomness stand out and can be spotted with the same ease that
    a human eye can tell the difference between a good TV picture and one
    with lots of interference. According to van Someren, this means that even
    though the keys take up a mere kilobyte of memory, it could take as little
    as 40 minutes to find a signature key on a modern 10-gigabyte hard drive.

    "It would be possible to write a program that searches the hard disc
    automatically and sends the key to the villain," says van Someren. This,
    he says, could be carried out by a virus that runs only when the
    screensaver is on, making it extremely difficult for the user to detect. A
    running screensaver could contain viral code that would tell a hacker when
    the user is away from their desk--and thus wouldn't notice the computer
    slowing down as the virus hunts for keys.

    The possibility highlights the need to keep signature keys safe, says Phil
    Zimmermann, who wrote Pretty Good Privacy (PGP), a popular encryption
    program that is reckoned to be hard to crack. "Users must never leave
    their private key exposed in a non-secure environment," he says. "This is
    as obvious as not leaving your wallet unattended on a bus bench."

    Any worthwhile encryption program encrypts the key before storing it,
    making it useless if found. However, a "swap" file--a temporary file
    stored on the hard disc--may still hold the key in its unencrypted form,
    allowing it to be detected by hackers. There are ways to combat this sort
    of attack, such as overwriting swap files as the PGP program does. But
    some encryption systems are vulnerable, particularly those on Web servers
    where the keys are constantly in use.

    From New Scientist, 13 March 1999
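
The article's point that blocks of randomness stand out from structured data can be turned into an audit of a swap file or disk image you are responsible for. The sketch below is an added example, not code from the article or from the researchers it quotes; it assumes Shannon entropy over a sliding window as the randomness measure (the article does not name one), and the window, stride and threshold values as well as the sample image are constructed for illustration.

```python
import hashlib
import math
from collections import Counter

WINDOW = 256     # bytes per window (assumed value)
STEP = 64        # window stride in bytes (assumed value)
THRESHOLD = 6.5  # bits per byte; assumed cut-off between structured and random data


def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of a block in bits per byte (0.0 to 8.0)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def high_entropy_regions(data: bytes, window=WINDOW, step=STEP, threshold=THRESHOLD):
    """Return merged (start, end) byte ranges whose windows look random."""
    regions = []
    for off in range(0, max(len(data) - window, 0) + 1, step):
        if shannon_entropy(data[off:off + window]) < threshold:
            continue
        if regions and off <= regions[-1][1]:
            regions[-1] = (regions[-1][0], off + window)  # extend previous hit
        else:
            regions.append((off, off + window))
    return regions


def constructed_sample():
    """Constructed image: structured text around 1 KB of pseudo-random bytes."""
    filler = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\nAccept: text/html\r\n\r\n" * 60
    # SHA-256 outputs stand in for unencrypted key material (not a real key).
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))
    return filler + blob + filler, len(filler), len(blob)


if __name__ == "__main__":
    image, key_off, key_len = constructed_sample()
    print(f"random block planted at {key_off}..{key_off + key_len}")
    for start, end in high_entropy_regions(image):
        print(f"high-entropy region {start}..{end}: check for plaintext key material")
```

On real media, compressed and encrypted files also score high, so a flagged range is a lead to inspect rather than proof that a key was left unencrypted.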
