[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: nCipher breaks what??




--- begin forwarded text


Date: Sat, 8 Jan 2000 09:20:11 +1000 (GMT+1000)
From: Eric Young <[email protected]>
To: Matt Crawford <[email protected]>
Cc: [email protected]
Subject: Re: nCipher breaks what??
Sender: [email protected]


>From my understanding, the nCipher attack does have some merit becuase
under some very popular OS's, it is possible for a user installed CGI
program to access memory of other processes and there is an 'elegant'
algorithm to search for a private key in memory.  I had explained what was
being done to me by the author, and it is legitimate and a bit of a worry.
The main culprite I would say is the OS's that allow the memory
access by non-parent processes.  The algorithm to find parts of the
private key and then rebuild the full private key was also quite cute.
It should be possible to implement the attack in perl, which makes
web severs which host multiple unrelated secure sites an easy target.

The only problem with the attack is that I could see no way for the
popular media to explain it without making a worse than usual mess of it
:-).

BTW, this attack is a very good selling point for nCipher :-), which
colours the message, but I still the message is very relevent.  This
attack works reguardless of using non-volotile memory for storing your
keys in memory, it is taking advantage of the way that web-servers run
application code, and the OSs often don't partition different processes
correctly.

eric ([email protected])

On Fri, 7 Jan 2000, Matt Crawford wrote:
> It looks as if the NYT and the FBI NIPC swallowed some marketing
> babble hype, slime and clinker.
>
> > (U) (New York Times, 5 January) The NY Times reports that competition
> > among members of the computer security industry often consists of trying
> > to break the other guy's code-scrambling technology in order to sell a
> > fix or alternative product, and the industry is girding for an
> > especially nasty fight when the annual RSA conference is held early this
> > month.  In recent months, several widely used encryption technologies,
> > including one used to scramble cell-phone conversations, have been
> > cracked or at least seriously threatened - all by security experts in
> > the name of protecting data.  Those systems are under constant assault
> > by security experts, competitors and hackers alike.  Among the more
> > interesting recent attacks is one created by nCipher, a small British
> > company that makes special hardware it says can encrypt information
> > faster and more securely than a typical computer can.  It extracts the
> > secret keys locked in a Web server used to process credit card
> > transactions.  It is one of the first practical demonstrations of a
> > theoretical approach to code breaking.  The attack is cause for concern
> > because someone with a company's secret keys -- the digital codes that
> > unscramble data -- can use the information to masquerade as that company
> > and to steal credit card numbers and other financial data.
>
> Reading the news flash at
> http://www.ncipher.com/news/files/press/2000/vunerable.html
> shows a decidedly unamazing discovery: if an intruder can run code on
> your server and root around through all of memory, he can find its
> private key.
> 				Matt Crawford
>
>
>

--
Eric Young | [email protected]

--- end forwarded text


-----------------
R. A. Hettinga <mailto: [email protected]>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'