[109147] in Cypherpunks
Are your secrets safe?
daemon@ATHENA.MIT.EDU (Jukka E Isosaari)
Thu Mar 11 20:49:44 1999
Date: Fri, 12 Mar 1999 03:21:48 +0200 (EET)
From: Jukka E Isosaari <jei@zor.hut.fi>
To: cypherpunks@toad.com
Reply-To: Jukka E Isosaari <jei@zor.hut.fi>
http://www.newscientist.com/cgi-bin/pageserver.cgi?/ns/19990313/newsstory3.html
Are your secrets safe?
Duncan Graham-Rowe
THEY MAY LOOK HARMLESS but screensavers
could betray you while you're out at lunch. Two
cryptographers have discovered that the randomness
of the "keys" that are used to encode encrypted
documents could be their downfall.
The discovery was made by Adi Shamir at the
Weizmann Institute of Science in Rehovot, Israel,
joint inventor of the widely used RSA public key
cryptography system, and Nicko van Someren of
nCipher, a British electronic security company based
in Cambridge. The more random a private signature
key is, the harder it is to crack encrypted files. But by
scanning hard drives for chunks of data that are
particularly random, the pair found that it is possible
to weed out keys stored on a disc.
Most programs organise data into some sort of level
of structure, so blocks of randomness stand out and
can be spotted with the same ease that a human eye
can tell the difference between a good TV picture
from one with lots of interference. According to van
Someren, this means that even though the keys take
up a mere kilobyte of memory, it could take as little
as 40 minutes to find a signature key on a modern
10-gigabyte hard drive.
"It would be possible to write a program that
searches the hard disc automatically and sends the
key to the villain," says van Someren. This, he says,
could be carried out by a virus that runs only when
the screensaver is on, making it extremely difficult
for the user to detect. A running screensaver could
contain viral code that would tell a hacker when the
user is away from their desk--and thus wouldn't
notice the computer slowing down as the virus hunts
for keys.
The possibility highlights the need to keep signature
keys safe, says Phil Zimmermann, who wrote Pretty
Good Privacy (PGP), a popular encryption program
that is reckoned to be hard to crack. "Users must
never leave their private key exposed in a
non-secure environment," he says. "This is as
obvious as not leaving your wallet unattended on a
bus bench."
Any worthwhile encryption program encrypts the
key before storing it, making it useless if found.
However, a "swap" file--a temporary file stored on
the hard disc--may still hold the key in its
unencrypted form, allowing it to be detected by
hackers. There are ways to combat this sort of
attack, such as overwriting swap files as the PGP
program does. But some encryption systems are
vulnerable, particularly those on Web servers where
the keys are constantly in use.
From New Scientist, 13 March 1999
