News

Breach in Key Security Discovered

Cryptographic researchers have discovered a potential vulnerability in the security of Web server infrastructure. Until now, it was believed that security information called "private keys" could not be found in the memory systems of a server and compromised. Recently, however, researchers have discovered that it may be possible for any user with the ability to execute software on a company's e-commerce server to access cryptographic keys and retrieve sensitive information.

A security solution has been released by nCipher (www.ncipher.com), an e-commerce security firm, to prevent key-finding security violations. It includes a user interface to automatically export a key from an existing Web server and store it in nCipher's hardware, where it is protected from attack. The key management tool is available free to existing nCipher customers.

In many commercial secure Web servers, private keys are encrypted and stored within the server, where they must be decrypted before use. Once decrypted into plain text, the key is vulnerable to the "key-finding" attack. Because the keys used in secure Web servers are unusual numbers that are easily identifiable, a hacker needs only to look for the special characteristics of a key in order to find it among the gigabytes of data stored in a commercial server.

Once a hacker has found the key, gained permission to read the surrounding memory, and copied the key, he has access to the entire Web server. The loss of a Web server's private key allows all past transactions with that server to be decoded, as well as any information processed through the server. -- Isaac Slepner

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

Featured

  • Windows Admin Center vs. Hyper-V Manager: What's Better for Managing VMs?

    Microsoft's preferred interface for Windows Server is Windows Admin Center, but can it really replace Hyper-V Manager for managing virtual machines? Brien compares the two management tools.

  • Microsoft Offers More Help on Windows Server 2008 Upgrades

    Microsoft this week published additional help resources for organizations stuck on Windows Server 2008, which fell out of support on Jan. 14.

  • Microsoft Ups Its Carbon Reduction Goals

    Microsoft on Thursday announced a corporatewide carbon reduction effort that aims to make the company "carbon negative" by 2030.

  • How To Dynamically Lock Down an Unattended Windows 10 PC

    One of the biggest security risks in any organization happens when a user walks away from their PC without logging out. Microsoft has the solution (and it's not a password-protected screensaver).

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.