uncompiled.com

The most common digital security technique used to protect both media copyright and Internet communications has a major weakness, University of Michigan computer scientists have discovered.

RSA authentication is a popular encryption method used in media players, laptop computers, smartphones, servers and other devices. Retailers and banks also depend on it to ensure the safety of their customers’ information online.

The scientists found they could foil the security system by varying the voltage supply to the holder of the “private key,” which would be the consumer’s device in the case of copy protection and the retailer or bank in the case of Internet communication. It is highly unlikely that a hacker could use this approach on a large institution, the researchers say. These findings would be more likely to concern media companies and mobile device manufacturers, as well as those who use them.

Andrea Pellegrini, a doctoral student in the Department of Electrical Engineering and Computer Science, will present a paper on the research at the upcoming Design, Automation and Test in Europe (DATE) conference in Dresden on March 10.

“The RSA algorithm gives security under the assumption that as long as the private key is private, you can’t break in unless you guess it. We’ve shown that that’s not true,” said Valeria Bertacco, an associate professor in the Department of Electrical Engineering and Computer Science.

These private keys contain more than 1,000 digits of binary code. To guess a number that large would take longer than the age of the universe, Pellegrini said. Using their voltage tweaking scheme, the U-M researchers were able to extract the private key in approximately 100 hours.

They carefully manipulated the voltage with an inexpensive device built for this purpose. Varying the electric current essentially stresses out the computer and causes it to make small mistakes in its communications with other clients. These faults reveal small pieces of the private key. Once the researchers caused enough faults, they were able to reconstruct the key offline.

This type of attack doesn’t damage the device, so no tamper evidence is left.

“RSA authentication is so popular because it was thought to be so secure,” said Todd Austin, a professor in the Department of Electrical Engineering and Computer Science. “Our work redefines the level of security it offers. It lowers the safety assurance by a significant amount.”

Although this paper only discusses the problem, the professors say they’ve identified a solution. It’s a common cryptographic technique called “salting” that changes the order of the digits in a random way every time the key is requested.

“We’ve demonstrated that a fault-based attack on the RSA algorithm is possible,” Austin said. “Hopefully, this will cause manufacturers to make a few small changes to their implementation of the algorithm. RSA is a good algorithm and I think, ultimately, it will survive this type of attack.”

Source

Cryptographers are expecting several of the major cryptographic systems in use today to be broken in the near future.

In the Cryptographers Panel session at the RSA Conference Tuesday, Adi Shamir said that he is working with a team of researchers who have put together a paper that describes an attack that will break AES 128 within 10 rounds.

“And if you go to AES 256, we can break the entire cryptosystem,” Shamir said.

Shamir, one of the inventors of the RSA algorithm, was speaking on the panel with Ron Rivest, Brian Snow of the National Security Agency, Martin Hellman of Stanford University, Whit Diffie, and Ari Juels of RSA Security. The panel, which is an annual event at the RSA Conference, usually provides some of the more interesting anecdotes of the conference, and this year’s was no exception.

In addition to the work against AES, which is the encryption standard used in many cryptosystems today, Rivest said that he expects 1024-bit RSA encryption to be broken relatively soon.

“I expect that RSA 1024 will be broken within a decade,” Rivest said. “People should start moving to 2048 soon.”

Rivest, a professor at MIT who worked with Shamir and Len Adleman to design the original RSA algorithm, also said that he still gets email and calls from people wanting to use the MD5 hash function, which he designed in 1991. MD5 was widely used, but has been shown to have several weaknesses in recent years.

“I always say to them, ‘Don’t you understand that MD5 is an extinct hash function? It’s dead,’” Rivest said.

Juels, chief scientist at RSA Labs, moderated the panel and asked all of the speakers whether they had ever done anything foolish.

“I’ve rarely done anything else,” Diffie said, which got a nice laugh from the crowd.

Hellman took the question a bit more seriously, but essentially echoed Diffie’s answer, saying that his original research with Diffie in the 1970s that led to the invention of public-key cryptography was looked at as a black hole when they started it.

“I was told by all of my colleagues that cryptography was a waste of time. The NSA had a massive budget, we didn’t know how big at the time, and they had been working on the problem for decades. We were told there’s no way we’d discover anything that they hadn’t already found, and if we did, they’d classify it,” Hellman said.

Source

The web site cryptome.org is currently online at http://cryptomeorg.siteprotect.net/ until the domain can be transferred away from Network Solutions. The following is from the temporary site:

This is temporary Cryptome address until the Cryptome.org domain is transferred. Network Solutions shut Cryptome.org and has placed a “legal lock” on the domain name, preventing its transfer, until the “dispute” is settled. Some recent files are available now and the full collection is being transferred.

For almost a year now, the idea of “NoSQL” has been spreading due to the demand for relational database alternatives. Maybe the biggest motivation behind NoSQL is scalability. Relational databases don’t lend themselves well to the kind of horizontal scalability that’s required for large-scale social networking or cloud applications, and ORMs can abstract away impedance mismatch only so much. In other cases, companies just don’t need as many of the complex features and rigid schemas provided by relational databases. Most people are not suggesting that we all ditch the RDBMS, in fact, many companies don’t really need to switch. Relational databases will probably be necessary for many applications years and years from now. In essence, NoSQL is a movement that aims to reexamine the way we structure data and draw attention to innovation in hopes of finding the solution to the next generation’s data persistence problems.

Check the source for details on various types of NoSQL.

Source

Researchers have decomposed a 768-bit number with 232 decimal places into its two prime factors and published a paper with their results. The number is the string released as “RSA-768″ under the now defunct RSA Challenge. As a result, RSA encryptions with 768-bit keys must, from now on, be considered cracked.

It took the team of researchers from Switzerland, Japan, Germany, France, the US and the Netherlands about two and a half years to perform the factorisation. The first step of the calculation, polynomial selection, required half a year on a cluster consisting of 80 PCs, while the second and considerably more labour-intensive sieving step took about two years on a cluster of several hundred computers. According to the researchers, a single Opteron processor with 2 Gbytes of RAM would have needed about 1,500 years to complete the sieving step.

As RSA-512 was cracked about a decade ago, the researchers assume that the computing power required to master RSA-1024 is likely to become available in about ten years. They therefore recommend that all 1024-bit RSA keys be decommissioned by 2014 at the latest.

Source

Computer security used to be regarded as a boring and less important field of computer science, but with the proliferation of computer threats (from malware to active attacks) it has become one whose experts are in great demand and has gained quite an aura of “coolness”.

At the moment, there is a serious lack of cybersecurity experts in the U.S., so if your knowledge is up to speed, you are practically guaranteed a job.

Case in point: of the eight students from California State Polytechnic University, Pomona, that beat five other university teams in a challenge that had them defending a business computer network from cyber threats, six seniors got job offers from Boeing.

According to the New York Times, the demand is for experts is great, but luckily, schools and universities have noticed it and have rushed to open programs: the N.Y.U. Polytechnic, Carnegie Mellon, Purdue and George Mason are just some of the universities offering a master’s degree in cybersecurity. Georgia Tech is planning to start an online degree in information security later this year.

Businesses and the military have faith in the fact that the new generations are so familiar with what the online world has to offer, that they will be challenged by the notion of solving security problems and, therefore, interested in a career in cybersecurity. Another thing that they might find attractive is the pay. Professor Naris Memon of N.Y.U. Poly says that a starting pay for someone with a master’s degree in the field ranges from $60,000 to $80,000.

Source

With the coolness of a card shark at the final table of the World Series of Poker, Matt Bergin pulls the hood of his brown sweatshirt over his head and concentrates on the task at hand.

The task: hacking into as many target computers as he can and then defending those computers from attacks by other skilled hackers.

Other skilled hackers like Michael Coppola, 17, a high school senior who, at this very moment, is hunched over a keyboard in his Connecticut home.

Or like Chris Benedict, 21, from the tiny town of Nauvoo, Illinois. Chris is sitting silently nearby, one of 15 “All Star” hackers who have taken over this spacious hotel conference room.

At days end, the moderator of this unusual computer challenge declares the best of the best: Benedict is the winner, king of the hacker hill, followed by Bergin and Coppola.

The trio — a job seeker, a grape distributor for a vineyard and a student — are precisely the type of people whom organizers of this event hoped to attract: young techies with perhaps little formal computer education who, nonetheless, could contribute to the defense of the nation’s cybernetworks.

In many cases, organizers of the U.S. Cyber Challenge say, hackers’ skills go unrecognized or unappreciated by those around them and sometimes even by themselves.

“I thought that I would get demolished,” Benedict said. “I didn’t think I would get anything at all.”

Source

Crypto pioneer and Sun Microsystems’ veteran chief security officer Whitfield Diffie has left the company, with database-giant Oracle’s acquisition still in the air.

According to Technology Review, Diffie is slated to be a visiting professor at Royal Holloway, University of London, after 18 years at Sun, latterly in the high-profile security role as chief security officer.

It’s unclear why Diffie left Sun and whether his exit was related to Oracle’s pending take over or recent layoffs. Oracle, as ever, declined to comment. Diffie, if you’re reading, drop us an email.

Diffie is famous for his ground-breaking invention of public key cryptography – PKI – in 1975. PKI today is taken for granted because it’s used so widely to protect emails, documents, and commerce in every-day online communications and business.

It’s worth remembering that it was Diffie who helped make this a reality. He sparred with spooks and US politicians, as the government attempted to limit who could use crypto in the interests of “national security.”

Diffie joined Sun in 1991 and in 2002 was named chief security officer, with the mission of leading a global initiative to evangelize Sun’s security offerings. He was also tasked with talking about major issues in relation to technology security.

Source

Last week, in Takoma Park, Md., a new cryptographic voting system that could ensure accurate vote counts was used for the first time in a real election. MIT’s Ron Rivest, the Viterbi Professor of Electrical Engineering and Computer Science, helped develop the system and says he’s quite pleased with how the technology worked. Takoma Park’s city clerk, Jessie Carpenter, agrees that the trial “went very well.”

To minimize the disruption of existing voting procedures, the system, called Scantegrity II, was designed to work with ordinary optical-scan voting technology. Optical-scan voting — which has become the dominant technology in the United States since the 2000 presidential election — usually requires the voter to fill in bubbles printed on a ballot next to candidates’ names. With Scantegrity II, the voter instead uses a special pen to expose a code printed inside the bubble in invisible ink. Thereafter, the ballot is fed into an ordinary optical reader, which simply determines which bubbles have been darkened.

Any voter who’d later like to confirm her vote can simply jot down the code that’s in the exposed bubble, along with the ballot’s serial number, and take that information home. (In the Takoma Park election, voters could record their codes on cards stacked in the voting booths, which were printed with the names of the contested offices — mayor and city councilor.) The voter can then look up that serial number on the election commission’s website and confirm that it’s correlated with the code inside the bubble she marked. Although on the website, the code is never associated with the candidate’s name, Scantegrity ensures that if just 2 percent of voters confirm their codes, it’s statistically almost impossible for vote tampering to go undetected.

Source

No one reading this column needs general references to news about the economic difficulties we are living through in the United States and elsewhere. Just the other day, I spoke with a long-time friend and colleagues from the information security field who used to earn a decent living as a much sought-after consultant; last week he canceled his business telephone line to save money. He’s looking for a permanent job.

Another colleague of ours hasn’t had a consulting contract in months – despite having had trouble in the past keeping up with demand for his services.

I think that security consultants may be suffering from a side-effect of the economic downturn: clients who don’t already have or want permanent information assurance (IA) personnel may simply have decided to continue taking risks and hoping that nothing bad will happen to them.

The situation makes me think more positively about having moved from the business world to academic in 2001 – despite dropping my nominal salaried income by 57.5% at that time and now earning about one-third of what I’d be making as a senior IA executive in industry today. At least I have tenure, which means that I’m not going to be fired unless I appear in class out of uniform (Vermont Militia = US Army Class A greens), show up drunk (I never drink alcohol), treat a student rudely (no way) or recite Monty Python skits in class… uh wait a minute, I do recite Monty Python skits in class – but very briefly. Really. Only little bits of them. Honest.

But more seriously, there is good news for IA students and professionals: according to an extensive survey published by Foote Partners, LLC in Florida, job prospects are good for information assurance (IA) specialists.

Source