On Wed, 19 Jan 2000, Noel L Yap wrote: > IMHO, there should be some effort to try to prevent this sort of attack. The > gist of the attack is that private keys can be recovered by reading a process's > memory. I haven't really researched the preventive measures. Nonsense. Please read Bruce's article about this kind of announcements in his latest cryptogram: ========== [...] A couple of weeks ago the New York Times reported a new "key finding" attack. This was a follow-up to some research discussed here some months ago, showing how to search for, and find, public and private cryptographic keys in software because of their random bit patterns. The company nCipher demonstrated that someone who has access to a Web server that uses SSL can find the SSL private key using these techniques, and potentially steal it. nCipher's press release talked of "a significant vulnerability to today's Internet economy." Huh? Why is this news? It's not the fact that the SSL private keys are on the Web server. That's obvious; they have to be there. It's not the fact that someone who has access to the Web server can potentially steal the private keys. That's obvious, too. It's not the news that a CGI attack can compromise data on a Web server. We've seen dozens of those attacks in 1999. Even the press release admits that "no information is known to have been compromised using a 'key-finding' attack. Neither nCipher nor the New York Times found anyone who was vulnerable. But wait . . . nCipher sells a solution to this "problem." Okay, now I understand. [...] ============= You find the full text at http://www.counterpane.com I don't think that lsh needs this kind of "marketing" -- Werner Koch at guug.de www.gnupg.org keyid 621CC013 Boycott Amazon! - http://www.gnu.org/philosophy/amazon.html
