Date: Wed, 20 Dec 1995 06:45:28 -0800
Subject: (Fwd) Less Than Secure Communications

------- Forwarded Message Follows -------

The New York Times, December 11, 1995, pp. A1, D6.

Secure Digital Transactions Just Got a Little Less Secure

By John Markoff

San Francisco, Dec. 10 -- The discovery of a vulnerability has shaken the computer security world's faith in the safe use of the data-security technologies on which most current and planned electronic banking, shopping and "digital cash" systems are based.

The vulnerability has been found in a class of technologies known as public-key encryption -- designed to protect electronic transactions by scrambling data so they can be read only by people with the proper mathematical keys to the code.

The flaw was identified by Paul C. Kocher, a 22-year-old researcher, who demonstrated in a paper a way that an electronic eavesdropper who is able to monitor the repeated process of unscrambling incoming messages could figure out the private key. It can be done, he says, by keeping track of the length of time, down to the microsecond, it takes to unscramble each message.

The feat would be analogous to a burglar surreptitiously observing people in an office building as they punched in the security code of a door with a push-button combination lock. Even if the burglar could not see which buttons were being pushed, if he observed thousands of entries and timed each with a stopwatch, he might eventually be able to winnow down the possible number of combinations that could be entered within that precise time span. In theory, the burglar could then work through this list of possible combinations until he found the one that opened the door.

Mr. Kocher's paper describes a type of attack -- not yet seen outside the lab -- in which a criminal using a PC could figure out the mathematical keys in minutes.
Doing so might enable a network snooper to steal a consumer's computer banking deposit, siphon off a credit card number, read personal medical records or otherwise pilfer private data supposedly protected by the security technology.

"If you're using an on-line system that is not explicitly guarding against this attack, you're going to be vulnerable," said Matt Blaze, a scientist at AT&T's Bell Laboratories who has studied Mr. Kocher's paper. Mr. Blaze is a well-known researcher in the field of codes and code breaking.

Public-key encryption had been assumed to be so difficult to crack that only the brute force of a supercomputer could do it, and even then only if months -- or even years -- were devoted to the task. So highly has the Federal Government respected the technology's shielding power that its export is tightly controlled, for fear that the coding technique would enable foreign enemies and terrorists to conspire with impunity via computer.

The newly discovered vulnerability does not affect various forms of private encryption technology between individuals or institutions communicating only with parties known to them, like the encrypted electronic funds transfers that banks perform with one another over secure computer networks.

Rather, it is the electronic systems for use by members of the public that are the focus of the research paper, written by Mr. Kocher (pronounced KOTCH-er), who recently graduated from Stanford University with a degree in biology.

Mr. Kocher's evidence suggests that while the basic coding technology in public-key systems still appears to be secure, those who install or use it without recognizing the newly disclosed, remarkably subtle vulnerability will put themselves or their customers at risk.

Experts who have read the paper disagree over the likelihood of anyone's successfully mounting the type of attack Mr. Kocher describes.
Nevertheless, his discovery of a chink in the best armor yet devised for digital commerce has presented scientists with the most sobering evidence so far that perfect security may be no more possible to achieve in the electronic realm than in the physical world of bank robberies and muggings at A.T.M. machines.

"Kocher's paper is extremely important, and it will have enormous practical impact," Mr. Blaze said. "Everyone who is building systems in this category will have to re-evaluate their vulnerability."

Everyone, in this case, is a broad group that includes anyone using, or planning to use, public-key encryption -- a technology designed to allow secure, private electronic interactions between and among members of the public.

That includes most on-line shopping and consumer banking systems now in use or announced, as well as smart-card systems, like one planned by the United States Postal Service, in which a digitally encoded credit-card-size device would hold electronic cash. It also includes various forms of "digital signature" systems, like one developed for civilian use within the Federal Government intended to let recipients check the authenticity of documents sent over computer networks.

"Many of the security systems that I am examining are good enough to keep out casual snoopers," said Mr. Kocher, who has worked as a security consultant for a broad range of influential software companies, including Microsoft, Netscape Communications and RSA Data Security, a provider of commercial public-key encryption software. "But they're failing catastrophically when it comes to protecting data against determined attacks."

James Bidzos, chief executive of RSA Data, said he considered the danger cited by Mr. Kocher as more theoretical than real, but added: "We've never claimed that all this stuff is totally secure, the question is how much does it cost to attack it. It's important to remember that people can't become complacent."
In public-key systems, the sender of an electronic communication uses software that automatically scrambles the information by encoding it through use of a publicly known numerical key. Decoding the scrambled transmission requires a private key, a number supposedly known only by the merchant's computer. Without this key, no outsider can unscramble the incoming messages.

Breaking a public-key encryption code is not easy to do, Mr. Kocher acknowledges, and would require sophisticated knowledge by the criminal of how fast the software algorithms, or mathematical formulas, are calculated by a particular computer. Yet it can be done, he has concluded, and many experts say he is right.

"Once you read his paper, you say, 'Oh yes, this is obvious,' " said Bruce Schneier, author of "Applied Cryptography," a textbook in the field.

Security experts say the vulnerability can be corrected. One solution might be padding the elapsed time of the unscrambling process with random steps to make it difficult to determine how much time the real computation actually requires. But for systems already in operation, taking the precaution would require revisions whose cost and effort may be difficult to predict.

"Among the people I'm working with about this," Mr. Kocher said, "there are a lot of people who are panicking -- particularly for systems that cannot be changed easily."

For future installations, designing safeguards against the vulnerability would be relatively easy, Ronald Rivest said. Mr. Rivest is one of the creators of RSA, a widely used standard for public-key cryptography, which he developed along with two other computer scientists, Adi Shamir and Leonard Adleman (the name RSA is based on the initial letters of their three surnames).

He played down the impact of Mr. Kocher's findings. "This is an interesting kind of attack," Mr. Rivest said. "But it's not easy to mount."
But any vulnerability undermines the security of an encryption system once it becomes known, cautioned Martin Hellman, a researcher at Stanford University and one of the developers of the first public-key encryption system in 1976.

"In probably 99 percent of the cases this won't be a threat," Mr. Hellman said. "But if we don't protect against these rare cases, then the whole field of computer security will get a bad name."

Netscape Communications, whose future depends on the public's faith in the security of on-line transactions, is so intent on ferreting out flaws that it recently offered to pay a $1,000 bounty to anyone finding a new security problem. On Friday evening, Netscape announced its first list of bounty winners, which included Mr. Kocher. The company has already modified a security component of its technology, known as the Secure Sockets-Layer, to prevent the type of attack that Mr. Kocher first demonstrated at a university seminar on Nov. 29.

_________________________________________________________

[Box] Inferring the Combination

A researcher has discovered a vulnerability in one of the most trusted types of data-security technology -- public-key encryption. In theory, at least, an electronic eavesdropper who is able to monitor someone else's computer could figure out the secret key to the code simply by keeping track of the precise length of time it takes to unscramble each incoming message.

The feat would be analogous to a burglar's surreptitiously observing people as they enter the security code of a door with a push-button combination lock -- even if he can't see which buttons they push.

1. The burglar would already know how many buttons there are on the lock and their arrangement, the same way a network eavesdropper might be familiar with some of the basic structure of the mathematical formula used in unscrambling messages.

2. The burglar can record the precise length of time it takes for each person to enter the code; the network eavesdropper observes, down to the microsecond, how long it takes the secret key to unscramble the code.

3. By recording and timing several hundred interactions, the burglar or the network eavesdropper can then use statistical techniques to winnow the list of possible combinations until eventually finding the one that opens the door or unscrambles the messages.

----- End Included Message -----
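
An added illustration, not part of the forwarded article or of Mr. Kocher's paper: it shows why the time to "unscramble" can depend on the private key, and how doing the same amount of work for every key bit removes that dependence. It assumes the private-key step is a textbook square-and-multiply modular exponentiation (the article does not name the algorithm), counts modular multiplications as a stand-in for elapsed time, and uses a constructed modulus and constructed 16-bit exponents.

```python
# Added example: multiplication counts stand in for the elapsed time an
# observer would measure. All numeric values below are constructed samples.
MOD = 1_000_003
BITS = 16
KEYS = {"sparse": 0x8001, "dense": 0xFFFF}  # same length, different bit patterns


def modexp_leaky(base, exp, mod):
    """Square-and-multiply: an extra multiply happens only for 1-bits."""
    result, work = 1, 0
    for bit in bin(exp)[2:]:
        result = (result * result) % mod
        work += 1
        if bit == "1":  # key-dependent extra step: this is the leak
            result = (result * base) % mod
            work += 1
    return result, work


def modexp_fixed(base, exp, mod, bits=BITS):
    """Montgomery ladder: one multiply and one square per bit, whatever its value.

    Only the operation count is equalised here; production code also needs
    branch-free selection and constant-time big-number arithmetic.
    """
    r0, r1, work = 1, base % mod, 0
    for i in range(bits - 1, -1, -1):
        if (exp >> i) & 1:
            r0, r1 = (r0 * r1) % mod, (r1 * r1) % mod
        else:
            r0, r1 = (r0 * r0) % mod, (r0 * r1) % mod
        work += 2
    return r0, work


def work_profile(base=5):
    """Return {key name: (leaky work, fixed work)} after checking correctness."""
    profile = {}
    for name, key in KEYS.items():
        leaky_value, leaky_work = modexp_leaky(base, key, MOD)
        fixed_value, fixed_work = modexp_fixed(base, key, MOD)
        assert leaky_value == fixed_value == pow(base, key, MOD)
        profile[name] = (leaky_work, fixed_work)
    return profile


if __name__ == "__main__":
    for name, (leaky, fixed) in work_profile().items():
        print(f"{name:6s} leaky={leaky:2d} multiplications  fixed={fixed:2d}")
```
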