Study: Encryption keys not safe on servers

January 10, 2000
Web posted at: 10:57 a.m. EST (1557 GMT)

by Douglas F. Gray


LONDON (IDG) -- Storing encryption keys on servers is not as safe as previously thought, according to a report issued this week by U.K. security solutions company nCipher.

In public key cryptography, two keys (public and private) are used to encrypt and decrypt information. The security of the encrypted message is related to the length of the keys used to encrypt it.

"Because of the growth of the PKI (public key infrastructure) market, with banks and major corporations getting on, more keys are out there," said Colin Bastable, nCipher director of sales and marketing for Europe. "The more keys there are, the easier they will be to find."

Previously, it had been thought that searching for a private key on a Web server would be extremely difficult because keys can occupy a few hundred bytes of space on a server that could contain tens of gigabytes of information. However, nCipher has discovered that finding the keys is much easier than had been thought. Since most encryption schemes are based on complicated mathematical properties, they can be easily identified by searching for those properties, according to the company.
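An added example, not taken from the article or from nCipher's white paper: a defender's audit that checks how well a few hundred random-looking bytes stand out inside a much larger body of ordinary server data. The article says only that keys are found through their "mathematical properties"; using byte entropy as that property is an assumption here, as are the window size, the threshold and the constructed sample data.

```python
import hashlib
import math
from collections import Counter

WINDOW = 256     # bytes per window; assumed, on the order of the key sizes the article cites
STEP = 64        # slide distance between windows (assumed)
THRESHOLD = 6.5  # bits per byte; assumed cut-off between structured and random-looking data

def shannon_entropy(chunk: bytes) -> float:
    """Empirical Shannon entropy of a byte string, in bits per byte."""
    counts = Counter(chunk)
    total = len(chunk)
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def find_high_entropy_regions(data: bytes, window=WINDOW, step=STEP, threshold=THRESHOLD):
    """Return merged (start, end) ranges whose sliding-window entropy meets the threshold."""
    regions = []
    for off in range(0, max(len(data) - window, 0) + 1, step):
        if shannon_entropy(data[off:off + window]) < threshold:
            continue
        if regions and off <= regions[-1][1]:
            regions[-1] = (regions[-1][0], off + window)  # extend the previous hit
        else:
            regions.append((off, off + window))
    return regions

def build_sample(key_len=256, filler_blocks=400):
    """Constructed test data: repetitive HTTP text with random-looking bytes in the middle."""
    filler = b"GET /index.html HTTP/1.0\r\nHost: shop.example\r\n\r\n" * filler_blocks
    # Deterministic pseudo-random bytes standing in for key material (not a real key).
    blob = b"".join(hashlib.sha256(b"constructed-%d" % i).digest() for i in range(key_len // 32))
    offset = len(filler) // 2
    return filler[:offset] + blob + filler[offset:], offset, len(blob)

if __name__ == "__main__":
    data, offset, length = build_sample()
    print(f"{len(data)} bytes scanned; random-looking blob placed at {offset}..{offset + length}")
    for start, end in find_high_entropy_regions(data):
        print(f"review bytes {start}..{end}: high entropy, possible key material")
```

Compressed or encrypted files also score high, so on real data each flagged range is a place to review for stored keys, not proof that one is there.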

NCipher issued a white paper on its findings Wednesday entitled "Protecting Commercial Secure Web Servers from Key-finding Threats."

What this finding means is that "key attacks" are possible, although there has yet to be a documented attack of this type. However, any user with the capability to execute software on a company's electronic commerce server can locate the keys, allowing access to previously "secure" information on the server, ranging from personal consumer data to credit card numbers, the security company said.

NCipher's white paper describes not only the methods by which an attack could be completed, but also preventative measures people can take to guard against these attacks. The company offers a hardware solution to the problem, which consists of exporting the key off of the server and saving it in nCipher's hardware where it is only accessible to authorized users. "This is the difference between leaving your keys laying around and putting them away," nCipher's Bastable said.

Microsoft welcomed nCipher's findings, saying that this kind of research enables customers to make an informed choice about where to store their encryption keys -- software, hardware or a mix of both -- according to an nCipher release.

Another potential danger for software-based keys is the ASP (application service provider) market, which gives people authorized access to a server. "The more authorized access people have, the easier key attacks on other areas of the server will become," Bastable said.

© 2001 Cable News Network. All Rights Reserved.