Major Flaw In Secure Web Server Technology Uncovered
A group of key IT security specialists have uncovered, what they say is,
a major security failing with modern so-called secure Web server software from Microsoft, Netscape, and Apache.
Until now, they say, it was believed that security information called
"private keys" could not be found in the memory systems of a server
and compromised.
Back In February, 1999, Dr. Nicko van Someren, chief technology officer
of nCipher, and Dr. Adi Shamir of the Weizmann Institute in Israel -
the co-inventor of the RSA encryption system - described their initial
findings at the Financial Cryptography '99 conference.
The researchers' discovery introduces the possibility that any user
with the capability to execute software on a company's e-commerce
server could quickly locate cryptographic keys that would allow access
to secure information ranging from PC data to credit card numbers.
Dr. Nikko van Someren told Newsbytes that, to date, this security flaw
means that current secure Web server software from the three industry
majors - Microsoft, Netscape and Apache - is vulnerable to attack by
someone with a degree of knowledge of how the secure keys operate.
"The solution to this isn't to hide the keys elsewhere in some other
form on the server. It's to move the keys off the server altogether
and hold them in a separate system," he said.
To this end, nCipher has developed a package that it is offering free
to organizations which are affected by the security loophole.
"We are also offering a secure system to hold the keys," van Someren
said, adding that pricing on the firm's security system to beat the
security flaw sells for between $4,000 and $17,000.
NCipher's latest findings, along with a discussion of best practices
in Web server security, are outlined in a new white paper entitled
"Protecting Commercial Secure Web Servers from Key-Finding Threats,"
which has been published on the firm's Web site at
http://www.ncipher.com/keyfinding.html.
In the paper, nCipher describes the security threat in which an
unauthorized intruder can find and use a private key in a
cryptographic security scheme to access confidential company and
customer information on a commercial e-commerce Web site.
NCipher says that, typically, in a commercial secure Web server,
private keys are encrypted and stored within the server, where they
must be decrypted before being used.
Once decrypted into plain-text, the key is vulnerable to the "key-
finding" attack. But since a key is only a few hundred bytes long and
the storage space of the server may be tens of gigabytes, conventional
reasoning argues that an intruder is unlikely to ever find the key.
However, finding a key is easier than originally thought, the firm
says, since the keys to the type of cryptographic systems used in
secure Web servers are unusual numbers with specific mathematical
properties, making it possible for an intruder to identify them.
NCipher says that, when carrying out a "key-finding" attack, the
intruder needs to look only for these special characteristics and be
able to read the memory of an existing Web server process.
Furthermore, the firm says, the loss of the private key to a secure
Web server allows all past transactions to be decoded. Any information
processed through that Web server, and previously thought secure,
cannot be considered so any longer.
nCipher's Web site is at http://www.ncipher.com.
Reported by Newsbytes.com, http://www.newsbytes.com.