Perimeter
2/8/2012
11:16 PM
Taher Elgamal
Taher Elgamal
Commentary
Connect Directly
RSS
E-Mail
50%
50%
Repost This

RSA Weakness and e-Commerce Authentication

RSA key weakness

The recently disclosed weakness in the RSA keys found on the web created a lot of activity in the scientific and the commercial world. What does that mean to everyday e-commerce transactions and how much trust should we have in them. This particular weakness in some of the RSA keys used in a server certificate for example can enable someone to impersonate a server identity, since an attacker can compute the server’s private key used in signing and authenticating the server to the browsers. This is not a trivial weakness obviously. However, it should not be perceived as an attack on all e-commerce as advertised since the other keys that are generated properly will not have any issue and the trust in them is not affected.

An attack on all e-commerce should have the effect of enabling an attacker to impersonate any server – which is far from reality here. However, this finding does bring a very important issue in generating random numbers and in also generating RSA keys that are not “weak keys”. The software or hardware used to generate keys should be tested against known weaknesses at all times, and customers should ask vendors questions about the process they used to test their cryptographic software. Of course, using other strong cryptographic methods is also a good idea – but also if the keys and random numbers are generated correctly.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-1421
Published: 2014-04-22
Cross-site scripting (XSS) vulnerability in Craig Knudsen WebCalendar before 1.2.5, 1.2.6, and other versions before 1.2.7 allows remote attackers to inject arbitrary web script or HTML via the Category Name field to category.php.

CVE-2013-2105
Published: 2014-04-22
The Show In Browser (show_in_browser) gem 0.0.3 for Ruby allows local users to inject arbitrary web script or HTML via a symlink attack on /tmp/browser.html.

CVE-2013-2187
Published: 2014-04-22
Cross-site scripting (XSS) vulnerability in Apache Archiva 1.2 through 1.2.2 and 1.3 before 1.3.8 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters, related to the home page.

CVE-2013-4116
Published: 2014-04-22
lib/npm.js in Node Packaged Modules (npm) before 1.3.3 allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names that are created when unpacking archives.

CVE-2013-4472
Published: 2014-04-22
The openTempFile function in goo/gfile.cc in Xpdf and Poppler 0.24.3 and earlier, when running on a system other than Unix, allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names.

Best of the Web