Encryption experts warn of e-commerce security risk

Encryption software specialists warn of a potentially serious vulnerability in Web servers, which could raise fears about e-commerce security

Encryption software specialists have warned of a potentially serious vulnerability in Web servers, which could make them a target for intruders.

The concern, isolated by security specialists Nicko van Someren, co-founder of nCipher, and Adi Shamir, co-inventor of the RSA encryption system, will raise fears that e-commerce security cannot be taken for granted.

Latest research by the pair shows a vulnerability in the security infrastructure of Web servers, which are critical to effective consumer-based and business-to-business e-commerce.

Previously it was believed that encryption "keys" could not be compromised because the key itself never resides anywhere within a computer's memory.

This is because the key comes in two halves - a private part which should never be revealed and a public part.

Now, it is claimed, finding the encryption "key" - a series of large numbers with mathematical properties - is easier than first thought.

Typically, in a commercially secure Web server private keys are encrypted and stored within the server, where they must be decrypted before being used. Once decrypted into plain text, the key becomes vulnerable to a "key-finding attack".

As a key is only a few hundred bytes long, and the storage space of the server may be tens of gigabytes, the key should be difficult to find. Now, it is claimed, its mathematical properties make it possible for an intruder to isolate it.

Once the intruder has found the key, gained permission to read the memory where it is stored, and copied it, the Web server and its customers are defenceless.
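The article says only that the key's "mathematical properties" let it be isolated once decrypted. One such property is that key material looks like uniformly random bytes, whereas the code, text and zero pages around it do not. The following Python, added here as an illustration and not code from the article or from the researchers, scans a constructed memory image with a fixed-size entropy window, shows the decrypted key standing out, and shows that overwriting the key region after use removes that signal; the image layout, offsets and the key bytes are all constructed assumptions.

```python
import hashlib
import math
from collections import Counter

WINDOW = 64          # bytes per scan window
THRESHOLD = 5.0      # bits/byte; 64 random bytes score ~5.7, HTML or zero pages far lower


def shannon_entropy(window: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (ceiling is log2(len))."""
    n = len(window)
    return -sum(c / n * math.log2(c / n) for c in Counter(window).values())


def find_high_entropy_regions(image: bytes, window: int = WINDOW,
                              threshold: float = THRESHOLD):
    """Return (offset, entropy) for each window whose entropy reaches threshold.

    Decrypted key material scores near the ceiling, while surrounding
    markup, code and unused pages score well below it.
    """
    hits = []
    for off in range(0, len(image) - window + 1, window):
        e = shannon_entropy(image[off:off + window])
        if e >= threshold:
            hits.append((off, round(e, 2)))
    return hits


def build_image(key: bytes, key_offset: int = 4096, size: int = 16384) -> bytearray:
    """Constructed stand-in for server memory: HTML, a zeroed page, one decrypted key."""
    page = b"<html><body>Welcome to the shop</body></html>\n"
    image = bytearray((page * (size // len(page) + 1))[:size])
    image[2048:4096] = b"\x00" * 2048            # an unused, zero-filled page
    image[key_offset:key_offset + len(key)] = key
    return image


def wipe(image: bytearray, offset: int, length: int) -> bytearray:
    """Mitigation: overwrite the key region as soon as it is no longer needed."""
    cleaned = bytearray(image)
    cleaned[offset:offset + length] = b"\x00" * length
    return cleaned


# Constructed 256-byte key stand-in: deterministic pseudo-random bytes, not a real key.
DEMO_KEY = hashlib.shake_256(b"constructed demo key").digest(256)

if __name__ == "__main__":
    mem = build_image(DEMO_KEY)
    print("before wipe:", find_high_entropy_regions(mem))
    print("after wipe: ", find_high_entropy_regions(wipe(mem, 4096, 256)))
```

The same scan, run over a real process dump after the key has been used, is a simple check that a server's key-handling code actually clears key material rather than leaving it resident.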

Microsoft, Sun and Netscape, together with nCipher, have issued a security workaround for the problem.

