NET NEWS: Hunting for Passwords

Science, 02 Apr 1999:
Vol. 284, Issue 5411, p. 7
DOI: 10.1126/science.284.5411.7c

The boss is lunching at Burger King, and he's left his office open and his computer running. Can you find the secret digital key on his computer that authorizes electronic fund transfers and move $1000 surreptitiously from the company's bank account into your own? According to two computer scientists, if the key is stored on a typical 2-gigabyte hard drive, it's possible to find it before the boss finishes his cheeseburger.

Software makers often hide the secret keys needed to run encryption programs inside the reams of code that make up the program, assuming this will provide sufficient protection against unwanted detection. “You could call that the needle-in-the-haystack approach,” says Nicko van Someren of nCipher Corp. in Cambridge, United Kingdom. “We've just invented the metal detector for finding the needle.”

Designed by van Someren and Adi Shamir of the Weizmann Institute of Science in Rehovot, Israel, the detector is simply a program that looks for unusually random bits of code. The data in a typical computer program may look like gibberish, but it's highly patterned. By contrast, a typical encryption or decryption key is usually made of random data, with no pattern at all. At the Financial Cryptography '99 conference in Anguilla last February, van Someren announced that he'd used this strategy to find the key required to add a plug-in to a commercial encryption program. The key is publicly available in the United States, but the company that makes the program was not allowed to provide it to nCipher because of U.S. export restrictions. “The developer had assumed we'd never be able to find it,” van Someren says.
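The "metal detector" described above works by scoring how random each stretch of a program's bytes looks; the Python below is an added example, not van Someren and Shamir's program, and its defensive use is auditing your own binaries for a raw key left in the data before shipping. It slides a 32-byte window over a constructed sample binary, computes each window's Shannon entropy in bits per byte, and reports the windows that look random; the sample layout, the 4.5 bits/byte threshold and the seeded key are assumptions.

```python
import math
import random
from collections import Counter

# Constructed sample "binary": repetitive code-like bytes, zero padding and a
# repeated text string (all low entropy) with a 32-byte seeded pseudo-random key
# stored raw at a known offset (assumption: the key is not compressed or masked).
CODE_FILLER = b"\x55\x89\xe5\x83\xec\x10\xc3\x90" * 16   # 8 distinct bytes, repeated
STRING_FILLER = b"ERROR: bad input\n" * 8                # repetitive ASCII text
PADDING = b"\x00" * 64
_rng = random.Random(1999)                               # fixed seed: constructed key
KEY = bytes(_rng.getrandbits(8) for _ in range(32))
SAMPLE_BINARY = CODE_FILLER + PADDING + KEY + PADDING + STRING_FILLER
KEY_OFFSET = len(CODE_FILLER) + len(PADDING)

WINDOW = 32        # bytes per window; sized to the key length being hunted
THRESHOLD = 4.5    # bits per byte; random bytes approach 8, code and text sit lower


def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for a constant run)."""
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def scan(data: bytes, window: int = WINDOW, threshold: float = THRESHOLD):
    """Slide a window over data; return (offset, entropy) for windows at or above threshold."""
    hits = []
    for off in range(len(data) - window + 1):
        h = shannon_entropy(data[off:off + window])
        if h >= threshold:
            hits.append((off, h))
    return hits


def best_candidate(data: bytes, window: int = WINDOW):
    """Offset and entropy of the most random window: the likeliest place for a stored key."""
    scores = ((off, shannon_entropy(data[off:off + window]))
              for off in range(len(data) - window + 1))
    return max(scores, key=lambda t: t[1])


if __name__ == "__main__":
    for off, h in scan(SAMPLE_BINARY):
        print(f"offset {off:5d}: {h:.2f} bits/byte")
    off, h = best_candidate(SAMPLE_BINARY)
    print(f"best candidate at offset {off} ({h:.2f} bits/byte); key is at {KEY_OFFSET}")
```

Windows that only partly overlap the key score between the two regimes, so the hits cluster a few bytes either side of the true offset rather than landing on it exactly.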

The problem of hiding keys “can become a serious issue,” especially in the coming era of e-commerce, says Yakov Yacobi, the head of the cryptography group at Microsoft Research. The long-term solution, he believes, is to store keys on hardware, such as smart cards, that can be detached from the computer. When smart cards become available—probably in a year or so—he predicts that they will be an essential ingredient in the security of e-commerce.

