[ISN] Adding Math to List of Security Threats

From: InfoSec News (alerts@private)
Date: Sun Nov 18 2007 - 23:21:14 PST

Previous message: InfoSec News: "[ISN] Laptop with workers' personal information stolen from auditors"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

http://www.nytimes.com/2007/11/17/technology/17code.html

By John Markoff
The New York Time
November 17, 2007

SAN FRANCISCO, Nov. 16 — One of the world’s most prominent 
cryptographers issued a warning on Friday about a hypothetical incident 
in which a math error in a widely used computing chip places the 
security of the global electronic commerce system at risk.

Adi Shamir, a professor at the Weizmann Institute of Science in Israel, 
circulated a research note about the problem to a small group of 
colleagues. He wrote that the increasing complexity of modern 
microprocessor chips is almost certain to lead to undetected errors.

Historically, the risk has been demonstrated in incidents like the 
discovery of an obscure division bug in Intel’s Pentium microprocessor 
in 1994 and, more recently, in a multiplication bug in Microsoft’s Excel 
spreadsheet program, he wrote.

A subtle math error would make it possible for an attacker to break the 
protection afforded to some electronic messages by a popular technique 
known as public key cryptography.

Using this approach, a message can be scrambled using a publicly known 
number and then unscrambled with a secret, privately held number.

The technology makes it possible for two people who have never met to 
exchange information securely, and it is the basis for all kinds of 
electronic transactions.

Mr. Shamir wrote that if an intelligence organization discovered a math 
error in a widely used chip, then security software on a PC with that 
chip could be “trivially broken with a single chosen message.”

Executing the attack would require only knowledge of the math flaw and 
the ability to send a “poisoned” encrypted message to a protected 
computer, he wrote. It would then be possible to compute the value of 
the secret key used by the targeted system.

With this approach, “millions of PC’s can be attacked simultaneously, 
without having to manipulate the operating environment of each one of 
them individually,” Mr. Shamir wrote.

[...]



__________________________________________________________________      
Visit InfoSec News
http://www.infosecnews.org/

Previous message: InfoSec News: "[ISN] Laptop with workers' personal information stolen from auditors"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.3 : Sun Nov 18 2007 - 23:40:42 PST