Tag Archive for 'encryption'

RSA 1024-bit encryption cracked in 100 hours by manipulating voltage supply

This was published over a month ago and generated some headlines, like here, here, and here (The last link leads to the only Hebrew reference I found).

Good reading – a creative attack that shows how you can break a strong crypto-system without trying to attack it’s main strength (the math!) and going for a back door (physical attack on the CPU’s power supply!).

Bruce Schneier writes in ‘Secrets and Lies‘ that ‘Security is a system, not a product’, and continues to cover the failure of PKI on the internet.¬†Here is an excellent excerpt from this book.

From “Secrets and Lies”, by Bruce Schneier, Chapter 15, “Certificates and Credentials”, section “PKIs On The Internet” (page 238):

Most people’s only interaction with a PKI is using SSL. SSL secures web transactions, and sometimes PKI vendors point to it as enabling technology for electronic commerce. This argument is disingenuous; no one is turned away at an online merchant for not using SSL.

SSL does encrypt credit card transactions on the Internet, but it is not the source of security for the participants. That security comes from credit card company procedures, allowing a consumer to repudiate any line item charge before paying the bill. SSL protects the consumer from eavesdroppers, it does not protect against someone breaking into the Web site and stealing a file full of credit card numbers, nor does it protect against a rogue employee at the merchant harvesting credit card numbers. Credit card company procedures protect against those threats.

Has anyone ever sounded the alarm in these cases? Has anyone not bought online products because the name of the certificate didn’t match the name on the Web site? Has anyone but me even noticed?

PKIs are supposed to provide authentication, but they don’t even do that.

Example one: the company F-Secure (formerly Data Fellows) sells software from its Web site at www.datafellows.com. If you click to buy software, you are redirected to the Web site www.netsales.net, which makes an SSL connection with you. The SSL certificate was issued to “NetSales, Inc., Software Review LLC” in Kansas. F-Secure is headquartered in Helsinki and San Jose. By any PKI rules, no one should do business with this site. The certificate received is not from the same company that sells the software. This is exactly what a man-in-the-middle attack looks like, and exactly what PKI is supposed to prevent.

Example two: I visited www.palm.com to purchase something for my PalmPilot. When I went to the online checkout, I was redirected to https://palmorder.modusmedia.com/asp/store.asp. The SSL certificate was registered to Modus Media International; clearly a flagrant attempt to defraud Web customers, which I deftly uncovered because I carefully checked the SSL certificate. Not.

I doubt it. It’s true that VeriSign has certified this man-in-the-middle attack, but no one cares. I made my purchases anyway, because the security comes from credit card rules, not from the SSL. My maximum liability from a stolen card is $50, and I can repudiate a transaction if a fraudulent merchant tries to cheat me. As it is used, with the average user not bothering to verify the certificates exchanged and no revocation mechanism, SSL is just simply a (very slow) Diffie-Hellman key-exchange method. Digital certificates provide no actual security for electronic commerce; it’s a complete sham.

I doubt it. It’s true that VeriSign has certified this man-in-the-middle attack, but no one cares. I made my purchases anyway, because the security comes from credit card rules, not from the SSL. My maximum liability from a stolen card is $50, and I can repudiate a transaction if a fraudulent merchant tries to cheat me. As it is used, with the average user not bothering to verify the certificates exchanged and no revocation mechanism, SSL is just simply a (very slow) Diffie-Hellman key-exchange method. Digital certificates provide no actual security for electronic commerce; it’s a complete sham.

Copyright notes – I’m a proud owner of this book, but I didn’t copy this chapter myself, but rather found it on YURL’s website here.