[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Re: Encryption keys aren't safe on servers, report warns

Adam Shostack wrote:
> In their talk at FC99, Nicko and Adi Shamir proposed a couple of
> methods, prime among them being to attack a hosting site that uses
> 'virtual secure hosting' or 'secure virtual hosting' by putting a CGI
> of your design on the site.  (Note the first name is more accurate.)
> They also elegantly showed that you need know nothing about the design
> of the server, just be able to access its memory.
> I am curious if theres a reason this is getting all this press now;
> the result is close to 10 months old.

Solution:  Store the keys in the server with redundancy to prevent this sort of
attack and turn them into 'keys' only before you pass them to your cyphers.

Store them as text strings spelling out words: "One, five, three, nine, four"
or whatever scheme.  These will be less random, but of course the attacker can
adapt his algorithm to specifically look for strings of that nature, etc. :)

---------------------------- Kaos Keraunos Kybernetos -------------------- 
 + ^ +  Sunder              "Only someone completely distrustful of   /|\ 
  \|/   [email protected]    all government would be opposed to what /\|/\ 
<--*--> -------------------- we are doing with surveillance cameras" \/|\/ 
  /|\   You're on the air.   -- NYC Police Commish H. Safir.          \|/ 
 + v +  Say 'Hi' to Echelon  "Privacy is an 'antisocial act'" - The FedZ.
---------------------------- http://www.sunder.net -----------------------
I love the smell of Malathion in the morning, it smells like brain cancer.