
Researchers demonstrate RSA key security breach

Right now, there are two major groups of people working on new hacking techniques — the hackers themselves, and the researchers who are tasked with slowing them down. Today, the Worcester Polytechnic Institute has shared findings from a team that’s been studying RSA encryption keys, a security measure used by thousands of businesses worldwide.

The team set about seeing exactly what hackers are capable of by creating a virtual machine on the same server as the target system. From the way that this target accessed its memory, the team could figure out when it was using an RSA key. Based on that timing, they could then determine the numerical value of the key itself.

The problem outlined by this work has already been solved by a patch from Libgcrypt, according to reporting from Phys.org. However, it remains to be seen how useful this solution will be, as the user has to install it rather than the service provider.

The paper published by Worcester Polytechnic Institute largely focuses on the challenges faced by cloud computing operations, with Amazon Web Services being one example of a potential target. The virtual machines used by these companies were once thought to be impossible to attack, but more recent research has proven otherwise.

However, the report does praise Amazon for its efforts to make things more difficult for hackers. Thomas Eisenbarth, who led the research alongside Berk Sunar, notes that “crypto keys are safe if users follow security best practices and stick to well-maintained and fully patched crypto libraries.”

Organizations far more malicious than the Worcester Polytechnic Institute are almost certainly looking into these methods as well, so it’s encouraging to see work being done to cut them off at the pass. Cloud computing offers up some serious security challenges, so this sort of research is imperative to keeping them safe.

Brad Jones
Brad is an English-born writer currently splitting his time between Edinburgh and Pennsylvania. You can find him on Twitter…