PEOPLE worried about the security of e-commerce systems now have an extra hazard to keep them awake at night. Cryptographers have confirmed that a technique that until now only existed in theory could indeed allow hackers to read security keys held on Web servers.
Last year, nCipher, a British electronic security company based in Cambridge, suggested that random data representing encryption keys might be easy for a hacker to locate on a PC鈥檚 discs (快猫短视频, 13 March 1999, p 6). Now the firm has demonstrated that the attack will succeed.
nCipher came up with the technique while it was probing computers for security weak points. The firm is now working with Microsoft, Netscape and Sun Microsystems on ways of countering the threat. 鈥淩esearch like this is vital in enabling our customers to understand the full range of possible threats to their systems,鈥 says Scott Culp, security product manager at Microsoft. Culp says the firm will build defences against such attacks into its forthcoming Windows 2000 operating system.
Advertisement
The randomly generated security keys can be located because they stand out against the background of normal data which, according to nCipher cryptographer Nicko van Someren, is full of repetitions and patterns. 鈥淎 great number of Web servers are vulnerable to this sort of attack,鈥 he says.