CNN.com
Study: Encryption keys not safe on servers

January 10, 2000
Web posted at: 10:57 a.m. EST (1557 GMT)

by Douglas F. Gray

From...
IDG.net

LONDON (IDG) -- Storing encryption keys on servers is not as safe as previously thought, according to a report issued this week by U.K. security solutions company nCipher.

In public key cryptography, two keys (public and private) are used to encrypt and decrypt information. The security of the encrypted message is related to the length of the keys used to encrypt it.

"Because of the growth of the PKI (public key infrastructure) market, with banks and major corporations getting on, more keys are out there," said Colin Bastable, nCipher director of sales and marketing for Europe. "The more keys there are, the easier they will be to find."

Previously, it had been thought that searching for a private key on a Web server would be extremely difficult because keys can occupy a few hundred bytes of space on a server that could contain tens of gigabytes of information. However, nCipher has discovered that finding the keys is much easier than had been thought. Since most encryption schemes are based on complicated mathematical properties, they can be easily identified by searching for those properties, according to the company.
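One widely known property of key material is that it is statistically random, while the files around it usually are not. The sketch below is an added example, not code from nCipher's white paper: the entropy heuristic, the window size, the threshold and the constructed sample buffer are all assumptions, chosen to show why a few hundred bytes of stored key stand out when an administrator audits a server's own files for key material left on disk.

```python
import math
import random
from collections import Counter

WINDOW = 64       # bytes examined at a time (assumed value)
STEP = 16         # slide distance between windows (assumed value)
THRESHOLD = 5.2   # bits per byte; the maximum for a 64-byte window is 6.0

def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy of the byte distribution in chunk, in bits per byte."""
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())

def high_entropy_regions(data: bytes, window=WINDOW, step=STEP,
                         threshold=THRESHOLD):
    """Return merged (start, end) ranges whose windows look random."""
    regions = []
    for off in range(0, len(data) - window + 1, step):
        if shannon_entropy(data[off:off + window]) >= threshold:
            end = off + window
            if regions and off <= regions[-1][1]:
                regions[-1] = (regions[-1][0], end)   # extend previous range
            else:
                regions.append((off, end))
    return regions

def build_sample(key_offset=4096, key_len=256, seed=2000):
    """Constructed test buffer: repetitive text with random bytes embedded.

    The random bytes are a stand-in for stored key material, not a real key.
    """
    rng = random.Random(seed)
    line = b"GET /index.html HTTP/1.0\r\nHost: shop.example\r\n\r\n"
    filler = (line * 400)[:16384]
    key = bytes(rng.randrange(256) for _ in range(key_len))
    data = filler[:key_offset] + key + filler[key_offset + key_len:]
    return data, key_offset, key_len

if __name__ == "__main__":
    data, key_offset, key_len = build_sample()
    for start, end in high_entropy_regions(data):
        print(f"random-looking region: bytes {start}-{end} of {len(data)}")
    print(f"embedded stand-in key: bytes {key_offset}-{key_offset + key_len}")
```

Any range this reports in a world-readable or backed-up file is a candidate for moving into protected storage, which is the mitigation the article goes on to describe.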

NCipher issued a white paper on its findings Wednesday entitled "Protecting Commercial Secure Web Servers from Key-finding Threats."

What this finding means is that "key attacks" are possible, although there has yet to be a documented attack of this type. However, any user with the capability to execute software on a company's electronic commerce server can locate the keys, allowing access to previously "secure" information on the server, ranging from personal consumer data to credit card numbers, the security company said.

NCipher's white paper describes not only the methods by which an attack could be completed, but also preventative measures people can take to guard against these attacks. The company offers a hardware solution to the problem, which consists of exporting the key off of the server and saving it in nCipher's hardware where it is only accessible to authorized users. "This is the difference between leaving your keys laying around and putting them away," nCipher's Bastable said.

Microsoft welcomed nCipher's findings, saying that this kind of research enables customers to make an informed choice about where to store their encryption keys -- software, hardware or a mix of both -- according to an nCipher release.

Another potential danger for software-based keys is the ASP (application service provider) market, which gives people authorized access to a server. "The more authorized access people have, the easier key attacks on other areas of the server will become," Bastable said.

