Encryption key virus threat

Virus writers are becoming more devious and more intelligent. Unfortunately, that means many of their new approaches to spreading their work will get past even our best efforts of protecting and locking down our systems. A new type of threat has been identified, but no specific virus that exploits this threat has been discovered yet.

In a paper published by Adi Shamir of the Weizmann Science Institute, in Rehovot, Israel, and Nicko van Someron of NCipher, Cambridge, U.K., a method to quickly and easily locate encryption keys and encrypted data is clearly defined. The method describes how relatively easy it is to discover private keys stored on a computer. Most private keys are 2 to 2048 bits long and are sufficiently random to stand out as anomalies from the otherwise ordered data stored on a hard drive.

In addition to locating the private keys themselves, this method can be modified to discover encrypted data. Malicious virus, worm, or Trojan developers can use this methodology to locate encrypted data and transmit it back to an online repository where code breaking techniques can be employed against it. In most cases, the sections of a hard drive that are encrypted contain the data that is the most valuable.

There are a few ways to impose preventative measures against these types of theoretical attacks. Waiting until real-world exploitations of these findings are discovered is poor security management.

First, never store private keys on your

    Requires Free Membership to View

hard drive. Always store private keys on removable media, such as floppies, USB memory cards, smart cards, etc. This includes both third-party encryption solutions as well as OS native solutions (such as Windows 2000's EFS).

Second, when you must use encryption to protect files, encrypt the entire hard drive. If your system is ever violated by an encryption stealing worm, the more data it has to handle, the more likely it will fail in its task to transmit the treasure and that your auditing system will discover the activity. In effect you will be overloading the malicious code which would have had no problem with a 100KB file but which cannot process a 10GB block of data.

Third, use a secure deletion utility. Just because you store your private keys in removable media does not guarantee that they are not temporarily stored on your system when used. The most common problem is when a private key is stored to the paging file and not properly removed. To remedy this, you should always clear the paging file when shutting down and delete any backup or temporary files that may have been created when you opened the encrypted file (such as from Microsoft Word).

For more information, see the paper "Playing hide and seek with stored keys" at http://www.ncipher.com/products/rscs/downloads/whitepapers/keyhide2.pdf.

James Michael Stewart is a researcher and writer for Lanwrights, Inc.

This was first published in July 2002

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.