Perimeter
2/8/2012
11:16 PM
Taher Elgamal
Taher Elgamal
Commentary
50%
50%

RSA Weakness and e-Commerce Authentication

RSA key weakness

The recently disclosed weakness in the RSA keys found on the web created a lot of activity in the scientific and the commercial world. What does that mean to everyday e-commerce transactions and how much trust should we have in them. This particular weakness in some of the RSA keys used in a server certificate for example can enable someone to impersonate a server identity, since an attacker can compute the server’s private key used in signing and authenticating the server to the browsers. This is not a trivial weakness obviously. However, it should not be perceived as an attack on all e-commerce as advertised since the other keys that are generated properly will not have any issue and the trust in them is not affected.

An attack on all e-commerce should have the effect of enabling an attacker to impersonate any server – which is far from reality here. However, this finding does bring a very important issue in generating random numbers and in also generating RSA keys that are not “weak keys”. The software or hardware used to generate keys should be tested against known weaknesses at all times, and customers should ask vendors questions about the process they used to test their cryptographic software. Of course, using other strong cryptographic methods is also a good idea – but also if the keys and random numbers are generated correctly.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3580
Published: 2014-12-18
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-4801
Published: 2014-12-18
Cross-site scripting (XSS) vulnerability in IBM Rational Quality Manager 2.x through 2.0.1.1, 3.x before 3.0.1.6 iFix 4, 4.x before 4.0.7 iFix 2, and 5.x before 5.0.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

CVE-2014-6076
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allow remote attackers to conduct clickjacking attacks via a crafted web site.

CVE-2014-6077
Published: 2014-12-18
Cross-site request forgery (CSRF) vulnerability in IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.

CVE-2014-6078
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 do not have a lockout period after invalid login attempts, which makes it easier for remote attackers to obtain admin access via a brute-force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.