News

Breach in Key Security Discovered

Cryptographic researchers have discovered a potential vulnerability in the security of Web server infrastructure. Until now, it was believed that security information called "private keys" could not be found in the memory systems of a server and compromised. Recently, however, researchers have discovered that it may be possible for any user with the ability to execute software on a company's e-commerce server to access cryptographic keys and retrieve sensitive information.

A security solution has been released by nCipher (www.ncipher.com), an e-commerce security firm, to prevent key-finding security violations. It includes a user interface to automatically export a key from an existing Web server and store it in nCipher's hardware, where it is protected from attack. The key management tool is available free to existing nCipher customers.

In many commercial secure Web servers, private keys are encrypted and stored within the server, where they must be decrypted before use. Once decrypted into plain text, the key is vulnerable to the "key-finding" attack. Because the keys used in secure Web servers are unusual numbers that are easily identifiable, a hacker needs only to look for the special characteristics of a key in order to find it among the gigabytes of data stored in a commercial server.

Once a hacker has found the key, gained permission to read the surrounding memory, and copied the key, he has access to the entire Web server. The loss of a Web server's private key allows all past transactions with that server to be decoded, as well as any information processed through the server. -- Isaac Slepner

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

Featured

  • Feds Takes Action Against Russian Firms for Spying

    The U.S. Department of the Treasury has issued sanctions against Russia and a handful of Russian organizations for spying and other cyberactivities.

  • Microsoft Previews 64-Bit OneDrive Client for Windows 10

    A preview of a 64-bit OneDrive client for x64 Windows 10 systems is now available for work, school or home users.

  • The 2021 Microsoft Product Roadmap

    From Windows 10X to the next generation of Microsoft's application server products, here are the product milestones coming down the pipeline in 2021.

  • Microsoft Adds Data Loss Prevention Alerts to Compliance Toolbox

    The latest part of Microsoft's overall compliance tooling is its Data Loss Prevention Alerts Dashboard, now generally available.