Hackers focus on stealing keys, not breaking encryption, says nCipher
San Jose (CA) - Strong encryption of data is commonly considered a secure solution that withstands brute-force attacks. In fact, encryption has become strong enough to convince many hackers to look for a weaker target, says British security company nCipher. That target is increasingly the location where cryptographic keys are stored - usually in memory or on hard drives.
"Why break the encryption when you can steal the keys?" asks Richard Moulds, vice president of marketing for nCipher. He claims that instead of spending trillions of computer cycles to break encryption, hackers now try to steal a company's private keys, which are the basis for the encryption.
Encryption keys typically reside on a hard drive and are temporarily transferred to system memory during a transaction. Moulds told us that this process exposes the key to a "core dump" or "hard drive imager". While some may think that finding the key may be as unlikely as finding a needle in a haystack, Moulds says it’s not as tough as it appears. "The very randomness of the key gives it away," he said. "The more random the number, the easier it is to find." In fact, there are tools that search for obvious random patterns in hard drives and memory.

"What would have been a billion year attack not too long ago," Moulds said, "has now turned into a twenty minute key finding attack. Some call it the lunchtime attack because you can finish it in about the same time it takes to eat lunch."
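Why randomness "gives the key away" can be seen by measuring byte entropy over a sliding window: structured data scores low, key-like data scores near the maximum. The sketch below is an added example, not nCipher's tooling or code from the article; using Shannon entropy as the measure, the window size, the threshold, and the sample buffer are all assumptions made for illustration.

```python
import hashlib
import math
from collections import Counter

WINDOW = 64       # bytes per window (assumed value)
STEP = 16         # slide distance in bytes (assumed value)
THRESHOLD = 5.2   # bits per byte; the maximum for a 64-byte window is 6.0

def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy of the byte distribution in chunk, in bits per byte."""
    total = len(chunk)
    return -sum(n / total * math.log2(n / total) for n in Counter(chunk).values())

def high_entropy_regions(data: bytes, window=WINDOW, step=STEP, threshold=THRESHOLD):
    """Return merged (start, end) offsets of windows at or above threshold."""
    regions = []
    for off in range(0, len(data) - window + 1, step):
        if shannon_entropy(data[off:off + window]) < threshold:
            continue
        if regions and off <= regions[-1][1]:
            regions[-1] = (regions[-1][0], off + window)   # extend previous hit
        else:
            regions.append((off, off + window))
    return regions

# Constructed sample: 1024 bytes of structured text, a 256-byte stand-in for
# key material (SHA-256 output, used only because it looks random), zero
# padding, then more text. None of this is real key data.
FILLER = (b"user=alice;session=active;path=/var/www/html;" * 40)[:1024]
FAKE_KEY = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))
KEY_OFFSET = len(FILLER)
SAMPLE = FILLER + FAKE_KEY + bytes(256) + FILLER[:512]

if __name__ == "__main__":
    for start, end in high_entropy_regions(SAMPLE):
        print(f"high-entropy region at bytes {start}-{end}")
```

Run against a test dump of your own service, the same measurement shows whether key material is sitting unprotected among structured data, which is the exposure the article argues for moving into hardware.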
nCipher believes that the threat of such an attack can be avoided by storing keys somewhere other than in memory or on a hard drive. The company offers a PCI board that is designed to work as a hardware lockbox, which the company claims is tamper resistant. The system can be set up so the keys are only divulged when a smart card is placed near an nCipher smart card reader connected to a terminal.
For extremely security-conscious companies, like a certificate authority or a bank, nCipher offers another level of security. Moulds calls it the "nuclear bomb option", which requires multiple people to place their smart cards in readers before keys can be accessed. "You can push these readers to the four corners of the globe and require 9 out of 17 directors to insert their smart cards and put in passphrases," said Moulds.




