Tag Archive for: Crypto

iPhones and Macs get fix for extremely critical “triple handshake” crypto bug

ShellyS

Apple has patched versions of its iOS and OS X operating systems to fix yet another extremely critical cryptography vulnerability that leaves some users open to surreptitious eavesdropping. Readers are urged to install the updates immediately.

The flaw resides in the secure transport mechanism of iOS version 7.1 and earlier for iPhones and iPads and the Mountain Lion 10.8.5 and Mavericks 10.9.2 versions of Mac OS X, according to advisories here and here. The bug makes it possible to bypass HTTPS encryption protections that are designed to prevent eavesdropping and data tampering by attackers with the capability to monitor traffic sent by and received from vulnerable devices. Such “man-in-the-middle” attackers could exploit the bug by abusing the “triple handshake” carried out when secure connections are established by applications that use client certificates to authenticate end users.

“In a ‘triple handshake’ attack, it was possible for an attacker to establish two connections which had the same encryption keys and handshake, insert the attacker’s data in one connection, and renegotiate so that the connections may be forwarded to each other,” Apple’s warning explained. “To prevent attacks based on this scenario, Secure Transport was changed so that, by default, a renegotiation must present the same server certificate as was presented in the original connection.”



Ars Technica » Technology Lab

Scientist-devised crypto attack could one day steal secret Bitcoin keys

Wikipedia

Exposing a previously unknown weakness in the cryptographic system securing bitcoins, scientists have devised an attack that can steal large amounts of the digital currency when hackers run even unprivileged software on the same computer processing the coins.

The technique, laid out in an academic paper published Wednesday, doesn’t pose an immediate threat to Bitcoin users. A successful hack relies on the thief having some access to the same Intel-made processor that processes the targeted bitcoins. That requirement means there would almost certainly be easier ways for the same attacker to pilfer the digital coins. Still, the research is significant because it exposes subtle cryptographic weaknesses not only in a key Bitcoin algorithm, but also in OpenSSL, a widely used code library that implements the core cryptographic protections on the Internet.

The attack relies on “side channel analysis,” in which attackers extract a secret decryption key based on clues leaked by electromagnetic emanations, data caches, or other manifestations of a targeted cryptographic system. In this case, cryptographers can retrieve the private key needed to take control of bitcoins by taking minute measurements of the CPU as it makes transactions using the digital currency. Specifically, by observing the last-level (L3) CPU cache of an Intel processor as it executes as few as 200 signatures, an attacker in many cases has enough data to completely reconstruct the secret key needed to take ownership. The attack exploits the way OpenSSL implements the elliptic curve digital signature algorithm (ECDSA) based on a specific curve known as secp256k1 found in Bitcoin.



Ars Technica » Technology Lab

Microsoft plans upgrade to SHA-2 crypto hash for issuing certs – SC Magazine


Windows IT Pro

On Wednesday, Benjamin Jun, vice president and CTO of San Francisco-based Cryptography Research, a Division of Rambus, told SCMagazine.com that 2012 revelations about Flame, sophisticated cyber espionage malware that targeted Iran's oil ministry,
Microsoft announces retiring of SHA-1 – Help Net Security


CryptoSeal VPN shuts down rather than risk NSA demands for crypto keys

Mayhem Chaos

A consumer VPN service called CryptoSeal Privacy has shut down rather than risk government intrusions that could cost the company money in legal fees and threaten user privacy.

CryptoSeal will continue offering its business-focused VPN, but the consumer service is done, the company announced:

With immediate effect as of this notice, CryptoSeal Privacy, our consumer VPN service, is terminated. All cryptographic keys used in the operation of the service have been zerofilled, and while no logs were produced (by design) during operation of the service, all records created incidental to the operation of the service have been deleted to the best of our ability.

Essentially, the service was created and operated under a certain understanding of current US law, and that understanding may not currently be valid. As we are a US company and comply fully with US law, but wish to protect the privacy of our users, it is impossible for us to continue offering the CryptoSeal Privacy consumer VPN product.

VPN services let consumers gain extra privacy and security while using the Internet. A user establishes an encrypted connection with a VPN service, routing all Internet traffic to the VPN before sending it on to the rest of the Internet.

Ars Technica » Technology Lab