Encryption is the only real tool we have right now to protect our private communications from prying eyes or our valuable business plans from being stolen. Or, to put it simply, encryption is our lock and key to keep people out of our stuff.
BUT a New York Times article this week reported that the strongest encryption we have actually has a significant flaw. http://www.nytimes.com/2012/02/15/technology/researchers-find-flaw-in-an-online-encryption-method.html. The encryption algorithm starts by RANDOMLY selecting two very large prime numbers and uses these as the basis to create the public and private keys. Unfortunately, scientists have proven that in some cases the selection is not truly random - i.e. it could be predictable. And they say that means "2 out of every 1000 keys would not be secure". Wow! That's scary . . . and makes me think what other encryption methods are not as solid as we thought?
Your job is to find an article that deals with encryption AND something going wrong. You could try these words in your search with ENCRYPTION or CRYPTOGRAPHY: weakness or vulnerability or hack or broken or RSA. In your posting, give a minimum 3 sentence summary of the article and be specific about what went wrong with this encryption method.
Subscribe to:
Post Comments (Atom)
5 comments:
http://arstechnica.com/business/news/2012/02/crypto-crack-makes-satellite-phones-vulnerable-to-eavesdropping.ars
My article dealt with the way communication data is encrypted when using satellite phones. Cryptographers have discovered a vulnerability that would allow an attacker to eavesdrop on a conversation of a person using a satellite phone. The encryption algorithm used is very similar to a cipher that cell phone companies abandonded more than five years ago due to weaknesses cryptographers found which enabled real time cracking. This algorithm reveals key components of how it works in its output that allows attackers to discover the key with a small amount of data and some educated guessing. Although this has been cracked, the key is different for each side of the conversation, so having this key would only enable an attacker to eavesdrop on one side of the phone conversation rather than both. This is better than both sides having the same key, but this is still a huge vulnerability.
http://www.infosecwreck.com/vulnerability-discovered-guardianedge-aka-symantec-endpoint-encryption
This vulnerability deals with Symantec's full disk encryption program called GuardianEdge. It has been found that their program has something of a backdoor; one registry key can be changed and this will start the decryption of all the files it was previously protecting. An administrator can easily access these files, and the registry keys, on a regular basis; however, a regular user can use the command prompt to launch regedt32.exe, which will allow the user to access the said registry key. An intersting fact is that Symantec did not see this as a problem, and has not made a move to correct this issue.
http://www.engadget.com/2010/03/09/1024-bit-rsa-encryption-cracked-by-carefully-starving-cpu-of-ele/
My article explains a major vulnerability with RSA public-key encryption.It was discovered by students at Michigan State University. The way they exploit this vulnerability is very easy. By simply fluctuating the voltage to the CPU so it can generate a single hardware error per clock cycle the students found that they could cause the server to flip single bits of the private key at a time a in order for them to slowly piece together the password.
http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/
My article deals with a vulnerability in SSL3/TLS1. A couple of security researchers have discovered a flaw in TLS 1.0 , later versions are not affected. However, as most of the internet still uses TLS 1.0 or lower, this is a major problem. The attack itself is described by the researchers as being "block-wise chosen-plaintext attack". In English, this means that the vulnerability forces a specific plain-text value into the data. This allows the attacker to decrypt each block of encryption sequentially. It was long known that this vulnerability existed, but it was thought to be un-exploitable. The attack takes about 2 seconds to decrypt one byte of data, which means to decrypt a PayPal authentication cookie could take around half an hour. However, once that task is accomplished, the attacker would have gained access to the victims PayPal account. What makes this vulnerability unique is that instead of targeting the digital certificate model of SSL, it attacks the browser implementation. Luckily, most major browsers have issued an update or patch to fix this hole.
http://www.dummies.com/how-to/content/understanding-wep-weaknesses.html
This article I picked deals with the weaknesses of WEP and cryptography. One of the biggest problems is when the person does not enable protection in the first place. When a person sets a key it usually stays the same and no one changes it. If someone's laptop and or computer becomes stolen the key can be compromised. Microsoft knows about these vulnerabilities but there is little they can do.
Post a Comment