Breach in Key Security Discovered
- By Scott Bekker
Cryptographic researchers have discovered a potential vulnerability in the security of Web server infrastructure. Until now, it was believed that security information called "private keys" could not be found in the memory systems of a server and compromised. Recently, however, researchers have discovered that it may be possible for any user with the ability to execute software on a company's e-commerce server to access cryptographic keys and retrieve sensitive information.
A security solution has been released by nCipher (www.ncipher.com), an e-commerce security firm, to prevent key-finding security violations. It includes a user interface to automatically export a key from an existing Web server and store it in nCipher's hardware, where it is protected from attack. The key management tool is available free to existing nCipher customers.
In many commercial secure Web servers, private keys are encrypted and stored within the server, where they must be decrypted before use. Once decrypted into plain text, the key is vulnerable to the "key-finding" attack. Because the keys used in secure Web servers are unusual numbers that are easily identifiable, a hacker needs only to look for the special characteristics of a key in order to find it among the gigabytes of data stored in a commercial server.
Once a hacker has found the key, gained permission to read the surrounding memory, and copied the key, he has access to the entire Web server. The loss of a Web server's private key allows all past transactions with that server to be decoded, as well as any information processed through the server. -- Isaac Slepner
Scott Bekker is editor in chief of Redmond Channel Partner magazine.