Thursday, July 24, 2014
PSEUDO-SECURITY: NSA infiltrated RSA security more deeply than thought
The academic researchers said it took about an hour to crack a free version of BSafe for Java using about $40,000 worth
of computer equipment. It would have been 65,000 times faster in
versions using Extended Random, dropping the time needed to seconds,
according to Stephen Checkoway of Johns Hopkins.
99% BAD HARDWARE WEEK: recommends the use of truly random hardware techniques and shows that the existing hardware on many systems can be used for this purpose. It provides suggestions to ameliorate the problem when a hardware solution is not available, and it gives examples of how large such quantities need to be for some applications.
The use of pseudo-random processes
to generate secret quantities can result in pseudo-
security. A sophisticated attacker may find it easier to reproduce
the environment that produced the secret quantities and to search the
resulting small set of possibilities than to locate the quantities in
the whole of the potential number space.
Choosing random quantities to foil a resourceful and motivated adversary is surprisingly difficult.
99% BAD HARDWARE WEEK: recommends the use of truly random hardware techniques and shows that the existing hardware on many systems can be used for this purpose. It provides suggestions to ameliorate the problem when a hardware solution is not available, and it gives examples of how large such quantities need to be for some applications.