IBM researchers have developed a method for shoring up a security weakness in systems that hide sensitive data from intruders.
The company said Monday it has co-developed a new cryptosystem that closes off a little-used "back door" that intruders can use to unseal scrambled data. This back door can be opened using a technique known as "active attack."
"With active attacks, the intruder interacts with the crypto system, and based on the message that comes back, they can get clues about how the message was encrypted and eventually decrypt it," explained Mike Ross, a spokesman for IBM Research.
IBM Research and the Swiss Federal Institute of Technology co-developed a new cryptosystem they say is the first practical and proven way to secure information from active attacks. These attacks not only exploit the Secure Sockets Layer -- an encryption method used to secure credit-card transactions and other commerce applications on the Net -- but threaten other types of encryption systems as well.
In June, a researcher at Lucent Technologies proved that an active attack could break SSL. The attack elicited error messages from a commerce site and provided enough information to decrypt sensitive data contained by the site. In accessing this data, the researcher highlighted the means by which intruders could retrieve credit-card and bank-account information at online stores such as the Gap or Wells Fargo Online banking, just two examples of the many sites using SSL to tunnel consumer information to and from a Web browser.
The IBM technique developed to deal with active attacks does not represent a method of stronger data scrambling, however. Rather, the IBM researchers looked for a way to stymie these relatively rare attacks.
All commercial encryption products are potentially vulnerable, Ross said, and one day could become "duck soup" for the average cracker. The company plans to offer its public key encryption system for use in its own and others' encryption applications.
"This forces [crackers] to go back and do the really hard stuff," Ross said. The "hard stuff" is the time-consuming and resource-draining technique of guessing at the actual "keys" used to lock up a piece of data. Depending on the strength of the encryption system, this can take sophisticated computer set-ups and a good deal of time.
Ross describes the new cryptosystem using the analogy of a locked safe. While a safe may provide strong-as-steel security, a sensitive device can crack all that strength by scrutinizing the clicks of the dial. Stopping active attacks is like making the lock mechanism of a safe totally silent, preventing this particular method of breaking in.
Scientists knew about the back-door path of active attacks but dismissed it,owing to the sophistication required to conduct the attacks.
SSL uses RSA encryption technology, and the company provided a patch to address the back-door issue. But IBM contends that its system is much better at securing SSL and any other encryption applications from active attacks.
