Storing encryption keys on servers is not as safe as previously thought, according to a report issued this week by U.K. security solutions company nCipher.
In public key cryptography, two keys (public and private) are used to encrypt and decrypt information. The security of the encrypted message depends on the length of the keys used and, just as much, on the private key staying secret.
"Because of the growth of the PKI (public key infrastructure) market, with banks and major corporations getting on, more keys are out there," said Colin Bastable, nCipher director of sales and marketing for Europe. "The more keys there are, the easier they will be to find."
Previously, it had been thought that searching for a private key on a Web server would be extremely difficult because keys can occupy a few hundred bytes of space on a server that could contain tens of gigabytes of information.
However, nCipher has discovered that finding the keys is much easier than had been thought. Because most encryption schemes are built on specific mathematical properties, the key material itself carries those properties and can be identified by searching for them, according to the company. An RSA private key, for example, consists of large numbers, one of which divides the public modulus published in the server's certificate, and such numbers look nothing like the program code and text that surround them in memory or on disk.
NCipher issued a white paper on its findings Wednesday entitled "Protecting Commercial Secure Web Servers from Key-finding Threats."
What this finding means is that "key attacks" are possible, although no attack of this type has yet been documented. Any user with the capability to execute software on a company's electronic commerce server can locate the keys, gaining access to previously "secure" information on the server, ranging from personal consumer data to credit card numbers, the security company said.
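The search the article describes, as an added example that is not taken from the nCipher white paper or from any nCipher code. It scans a constructed image standing in for a web server's memory or disk in two passes: first for the encodings private keys are normally stored in (a PEM banner, a PKCS#1 DER header), then mathematically, using the fact that the attacker already knows the public modulus N from the server's certificate, so any high-entropy window of bytes that divides N must be one of the private primes. The image contents, offsets, key size (two 256-bit primes, chosen only to keep the example fast) and function names are all assumptions made here.

```python
"""Added example: locating an RSA private key inside a memory/disk image.
Everything below (image layout, key size, helper names) is constructed
for illustration; it is not nCipher's code or method verbatim."""
import math
import random
from collections import Counter

PEM_BANNER = b"-----BEGIN RSA PRIVATE KEY-----"
# PKCS#1 RSAPrivateKey: SEQUENCE (30 82 ll ll) INTEGER 0 (02 01 00) INTEGER n (02 82 ...)
DER_AFTER_SEQ = b"\x02\x01\x00\x02\x82"


def is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin, used only to build the constructed key pair."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def shannon_entropy(chunk):
    """Bits of entropy per byte in a window; key material scores high."""
    total = len(chunk)
    return -sum(c / total * math.log2(c / total) for c in Counter(chunk).values())


def scan_for_key_encodings(image):
    """Pass 1: offsets of PEM banners and PKCS#1 DER private-key headers."""
    hits, start = [], 0
    while (i := image.find(PEM_BANNER, start)) != -1:
        hits.append(("pem", i))
        start = i + 1
    start = 0
    while (i := image.find(b"\x30\x82", start)) != -1:
        if image[i + 4:i + 9] == DER_AFTER_SEQ:
            hits.append(("der", i))
        start = i + 1
    return hits


def scan_for_factor(image, n, factor_bytes, min_entropy=4.0):
    """Pass 2: slide a window the size of one prime over the image, skip
    windows whose entropy is too low to be key material, and test whether
    the window, read in either byte order, divides the public modulus N.
    Big-endian is how key files store numbers; little-endian limbs are how
    bignum libraries hold them in memory, so both are tried."""
    for off in range(len(image) - factor_bytes + 1):
        w = image[off:off + factor_bytes]
        if shannon_entropy(w) < min_entropy:
            continue
        for order in ("big", "little"):
            cand = int.from_bytes(w, order)
            if 1 < cand < n and n % cand == 0:
                return off, order, cand
    return None


def build_constructed_image(p, rng):
    """Constructed sample image: zero pages, HTTP request text, a
    high-entropy session buffer that is NOT a key (entropy alone gives
    false positives), a cached key file's PEM banner, and the private
    prime p sitting in a heap as a little-endian bignum."""
    image = bytearray(32 * 1024)
    text = b"GET /checkout HTTP/1.1\r\nHost: shop.example\r\n\r\n" * 100
    image[1024:1024 + len(text)] = text
    image[8192:8192 + 2048] = rng.randbytes(2048)
    image[16384:16384 + len(PEM_BANNER)] = PEM_BANNER
    p_off = 20480 + rng.randrange(0, 512)
    image[p_off:p_off + 32] = p.to_bytes(32, "little")
    return bytes(image), p_off


def demo(seed=1):
    rng = random.Random(seed)
    p, q = random_prime(256, rng), random_prime(256, rng)
    n = p * q                                  # what the certificate publishes
    image, p_off = build_constructed_image(p, rng)
    hit = scan_for_factor(image, n, factor_bytes=32)
    return {"encodings": scan_for_key_encodings(image), "factor": hit,
            "expected": (p_off, "little", p), "n": n, "q": q}


if __name__ == "__main__":
    result = demo()
    print("encoded keys at:", result["encodings"])
    print("prime factor found:", result["factor"] == result["expected"])
```

Running `demo()` finds the PEM banner in pass 1 and, in pass 2, the offset and value of p; with p in hand, q = N / p and the full private key follows. Note that the divisibility test is what makes the search reliable: the random 2 KB "session buffer" passes the entropy filter just as the prime does, but only the prime divides N.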
NCipher's white paper describes not only the methods by which an attack could be carried out, but also preventative measures people can take to guard against these attacks. The company offers a hardware solution to the problem, which consists of moving the key off the server and keeping it in nCipher's hardware, where it is accessible only to authorized users. "This is the difference between leaving your keys laying around and putting them away," nCipher's Bastable said.
Microsoft Corp. welcomed nCipher's findings, saying that this kind of research enables customers to make an informed choice about where to store their encryption keys -- software, hardware or a mix of both -- according to an nCipher release.
Another potential danger for software-based keys is the ASP (application service provider) market, in which many customers have authorized access to the same shared server.
"The more authorized access people have, the easier key attacks on other areas of the server will become," Bastable said.
More information about the findings, including the white paper, can be found at http://www.ncipher.com/keyfinding.html. nCipher Corp. Ltd., in Cambridge, U.K., can be reached at +44-1223-723-600, or on the Web at http://www.ncipher.com/.