It's largely bunk anyway. The "find the private keys" bit means
that encryption keys are known to have higher entropy than any other
type of data, so it is possible to identify "suspicious" data segments
either in core memory or in a file system on a disk. The act of doing
this is easily detectable in that some weird process will be consuming
huge amounts of CPU time and/or disk I/O as it tries to determine likely
data segments with suitably high entropy.
The real question is whether this technique is practical, not whether
it's possible. Possible, yes, practical, NO.
On Fri, Jan 14, 2000 at 02:36:04PM -0600, Steve Borho wrote:
> On Fri, Jan 14, 2000 at 01:22:27PM -0600, Alan Mead wrote:
> > This article seems to say that all major servers (Apache, Netscape, IIS)
> > are vulnerable to local attacks which read the private key from memory. It
> > goes on to say that you really need their $4,000 to $17,000 solution to
> > "vault" the keys. So it sounds like crap but I was wondering if anyone
> > with more knowledge about Apache, public key cryptography, and Linux memory
> > management would care to explain the degree of risk involved. I suppose
> > this has been an issue, if it is, for years and I've never heard of a
> > problem...
>
> I don't know about other OS's, but in Linux, you need root access to read
> the memory used by processes you don't own.
>
> If someone breaks into your webserver and gets root access.... having
> encrypted keys in your apache memory space which are identifiable is the
> least of your problems.
>
> That press release is just a marketing stunt. They want you to buy their
> secure box... which can only provide marginally better security, if any at
> all.
>
> --
> Steve Borho Voice: 314-615-6349
> Network Engineer
> Celox Communications Corp
>
> Fortune of the day:
> I just thought of something funny...your mother.
> - Cheech Marin
>
>
> --
> To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
> as the Subject.
>
--
J. Scott Kasten
jsk AT tetracon-eng DOT net
"That wasn't an attack. It was preemptive retaliation!"
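Added example, not code from anyone in this thread: a sliding-window Shannon entropy scan over a memory or disk image, the technique Scott describes above, plus a structural search for PKCS#1 RSA private keys in DER form, both run over a constructed sample image. The window size, step, threshold and the sample image are my own assumptions; the DER header pattern is how a real RSAPrivateKey of 1024 bits or more begins.

```python
"""Added example: entropy-based search for key-like data in a memory or disk
image, plus a structural check for PKCS#1 RSA private keys in DER form.
Not code from the thread; window, step and threshold values are assumptions."""
from __future__ import annotations

import hashlib
import math
import re
from collections import Counter

# A PKCS#1 RSAPrivateKey whose DER encoding needs a two-byte length starts with
# SEQUENCE (30 82 LL LL), INTEGER version 0 (02 01 00), then the modulus INTEGER
# with a long-form length (02 81 or 02 82). Real keys of 1024+ bits look like this.
DER_RSA_HEADER = re.compile(rb"\x30\x82..\x02\x01\x00\x02[\x81\x82]", re.DOTALL)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte: 0.0 for empty or constant
    input, 8.0 when all 256 byte values are equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_high_entropy(image: bytes, window: int = 128, step: int = 32,
                      threshold: float = 6.0) -> list[tuple[int, int, float]]:
    """Slide a `window`-byte window over `image` in `step`-byte increments and
    return merged (start, end, peak_entropy) regions whose windows reach
    `threshold` bits/byte. Text, code and zero-filled pages sit far below 6.0;
    random key material, but also compressed or already-encrypted data, sits
    above it, so hits are candidates to inspect, not confirmed keys."""
    regions: list[tuple[int, int, float]] = []
    for off in range(0, max(len(image) - window, 0) + 1, step):
        h = shannon_entropy(image[off:off + window])
        if h < threshold:
            continue
        end = min(off + window, len(image))
        if regions and off <= regions[-1][1]:      # overlaps/abuts previous hit: merge
            s, e, peak = regions[-1]
            regions[-1] = (s, max(e, end), max(peak, h))
        else:
            regions.append((off, end, h))
    return regions


def find_der_rsa_keys(image: bytes) -> list[int]:
    """Offsets where a DER RSAPrivateKey header appears; cheaper and more
    specific than entropy alone when the key is stored in that encoding."""
    return [m.start() for m in DER_RSA_HEADER.finditer(image)]


def build_sample_image() -> tuple[bytes, int, int]:
    """Constructed sample (not captured data): 512 bytes of low-entropy server
    config text, a 512-byte pseudo-random blob standing in for key material
    (SHA-256 chain with a fixed seed, made to start with a 2048-bit RSA DER
    header), then the text again. Returns (image, key_start, key_end)."""
    text = (b"ServerName www.example.com\nListen 443\nSSLEngine on\n" * 12)[:512]
    blob = b""
    state = b"constructed key blob, fixed seed"
    while len(blob) < 512:
        state = hashlib.sha256(state).digest()
        blob += state
    header = b"\x30\x82\x04\xa6\x02\x01\x00\x02\x82\x01\x01"   # SEQUENCE, version, modulus tag
    blob = header + blob[len(header):512]
    image = text + blob + text
    return image, len(text), len(text) + len(blob)


if __name__ == "__main__":
    img, ks, ke = build_sample_image()
    for s, e, peak in scan_high_entropy(img):
        print(f"high-entropy region {s}-{e} (peak {peak:.2f} bits/byte)")
    print("DER RSA headers at", find_der_rsa_keys(img), "key actually at", (ks, ke))
```

The entropy pass flags one region that brackets the blob and nothing in the config text; the DER search lands on the exact offset. On a real box the same scan over /proc/<pid>/mem or a raw disk device needs the privileges Steve mentions, and it will also flag gzip'd and encrypted files, which is why it is a triage step rather than a key finder.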