News

Breach in Key Security Discovered

Cryptographic researchers have discovered a potential vulnerability in the security of Web server infrastructure. Until now, it was believed that security information called "private keys" could not be found in the memory systems of a server and compromised. Recently, however, researchers have discovered that it may be possible for any user with the ability to execute software on a company's e-commerce server to access cryptographic keys and retrieve sensitive information.

A security solution has been released by nCipher (www.ncipher.com), an e-commerce security firm, to prevent key-finding security violations. It includes a user interface to automatically export a key from an existing Web server and store it in nCipher's hardware, where it is protected from attack. The key management tool is available free to existing nCipher customers.

In many commercial secure Web servers, private keys are encrypted and stored within the server, where they must be decrypted before use. Once decrypted into plain text, the key is vulnerable to the "key-finding" attack. Because the keys used in secure Web servers are unusual numbers that are easily identifiable, a hacker needs only to look for the special characteristics of a key in order to find it among the gigabytes of data stored in a commercial server.

Once a hacker has found the key, gained permission to read the surrounding memory, and copied the key, he has access to the entire Web server. The loss of a Web server's private key allows all past transactions with that server to be decoded, as well as any information processed through the server. -- Isaac Slepner

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

Featured

  • Image of a futuristic maze

    The 2024 Microsoft Product Roadmap

    Everything Microsoft partners and IT pros need to know about major Microsoft product milestones this year.

  • Microsoft, Oracle Announce Updates to Joint Database IaaS Service

    The Oracle Database@Azure infrastructure-as-a-service offering from Oracle and Microsoft is getting new capabilities, including integrations with key Microsoft data and security services.

  • 2025 Support Cliffs Approaching for Exchange 2016, Dynamics 365 PSA

    Microsoft recently sounded the warning bell for two of its products, Exchange Server 2016 and Dynamics 365 Project Service Automation (PSA), both of which are set to reach end-of-support milestones next year.

  • Windows Recall To Finally See Daylight in October Preview

    After postponing the public debut of its controversial Windows Recall AI feature, Microsoft is has finally settled on releasing it as a broad preview in October.