
Re: Encryption keys aren't safe on servers, report warns

| As pointed out on the cryptography list, this is bullshit.  It's amazing
| how much mileage these guys are getting out of the obvious fact that you
| can recognize keys in memory dumps by their randomness.  Somehow they've
| turned this into a server attack.  Well, fine, but that glosses over the
| small detail of getting your code to run on the server in the first place.
| Once you've done that, finding the keys is a no-brainer.
| It's like the old recipe for a crocodile sandwich.  "First, catch a
| crocodile...".

In their talk at FC99, Nicko and Adi Shamir proposed a couple of
methods, prime among them being to attack a hosting site that uses
'virtual secure hosting' or 'secure virtual hosting' by putting a CGI
of your design on the site.  (Note the first name is more accurate.)

They also elegantly showed that you need know nothing about the design 
of the server, just be able to access its memory.

I am curious if there's a reason this is getting all this press now;
the result is close to 10 months old.


      Tired of co-workers slowing you down?  Leave them behind.
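
The point made in the quoted text, that key material stands out in a memory dump by its randomness, shown as an added example (not code from this post or from the FC99 talk): a sliding-window byte-entropy scan over a constructed buffer, of the kind one could run against a dump of one's own server process to see whether keys are resident. The window size, step, threshold, function names and sample buffer are all assumptions made for the illustration.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte histogram, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def find_high_entropy(buf, window=64, step=16, threshold=5.0):
    """Return merged (start, end) ranges whose windows reach the threshold.

    A 64-byte window can hold at most 64 distinct values, so its entropy
    tops out at 6 bits; window, step and threshold are assumed values.
    """
    regions = []
    for off in range(0, len(buf) - window + 1, step):
        if shannon_entropy(buf[off:off + window]) < threshold:
            continue
        if regions and off <= regions[-1][1]:
            regions[-1] = (regions[-1][0], off + window)  # extend last range
        else:
            regions.append((off, off + window))
    return regions

def constructed_key(n: int) -> bytes:
    """Deterministic stand-in for key bytes (constructed, not a real key)."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(b"constructed-sample-%d" % i).digest()
        i += 1
    return out[:n]

# Constructed "dump": protocol text on both sides of 128 key-like bytes.
FILLER = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n"
KEY_OFF, KEY_LEN = 512, 128
SAMPLE = (FILLER * 20)[:KEY_OFF] + constructed_key(KEY_LEN) + (FILLER * 20)[:512]

if __name__ == "__main__":
    for start, end in find_high_entropy(SAMPLE):
        print(f"high-entropy bytes at {start:#06x}-{end:#06x}")
```

The reported range can extend past the key by up to one window on each side, because windows that straddle the boundary between text and key bytes also score above the threshold.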