
Re: Encryption keys aren't safe on servers, report warns



> http://uk.news.yahoo.com/000107/22/d75c.html
>
> Encryption keys aren't safe on servers, report warns
>
> Encryption keys are no longer safe on servers according to research
> published by UK security company, nCipher. Private encryption keys can
> be held on a user's network and used to code and decode confidential
> data sent over the Web. Previously it was thought to be impossible to
> hack into a network and find the keys, because they were small pieces
> of code hidden in mountains of information.

As pointed out on the cryptography list, this is bullshit.  It's amazing
how much mileage these guys are getting out of the obvious fact that you
can recognize keys in memory dumps by their randomness.  Somehow they've
turned this into a server attack.  Well, fine, but that glosses over the
small detail of getting your code to run on the server in the first place.
Once you've done that, finding the keys is a no-brainer.

It's like the old recipe for a crocodile sandwich.  "First, catch a
crocodile...".
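
The randomness property mentioned above, as an added example that is not part of the original post: a sliding-window Shannon entropy scan of the kind an administrator could run over their own process dump to see how plainly in-memory key material stands out. The window size, step, threshold and the sample buffer are assumptions constructed for illustration.

```python
import math
import random
from collections import Counter

WINDOW = 64      # bytes per window (assumption)
STEP = 16        # slide distance (assumption)
THRESHOLD = 5.2  # bits/byte; the maximum for a 64-byte window is 6.0 (assumption)

def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy of the byte-value distribution in chunk, in bits per byte."""
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())

def high_entropy_regions(buf, window=WINDOW, step=STEP, threshold=THRESHOLD):
    """Return merged (start, end) ranges whose windows meet the entropy threshold."""
    regions = []
    for off in range(0, len(buf) - window + 1, step):
        if shannon_entropy(buf[off:off + window]) < threshold:
            continue
        if regions and off <= regions[-1][1]:
            # Overlaps or touches the previous hit: extend it.
            regions[-1] = (regions[-1][0], off + window)
        else:
            regions.append((off, off + window))
    return regions

def build_sample():
    """Constructed buffer: repetitive protocol text with a 128-byte random blob
    standing in for key material at a known offset."""
    filler = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n" * 40
    rng = random.Random(2000)  # fixed seed so the sample is reproducible
    blob = bytes(rng.randrange(256) for _ in range(128))
    offset = 1024
    return filler[:offset] + blob + filler[offset:], offset, len(blob)

if __name__ == "__main__":
    buf, offset, length = build_sample()
    print("blob placed at", (offset, offset + length))
    for start, end in high_entropy_regions(buf):
        print("high-entropy region", (start, end))
```

The reported range can run up to one window past each end of the blob, because windows that straddle the boundary still score high. Compressed or encrypted data scores the same way, so entropy alone flags candidates rather than proving a region is a key.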