AS OF 8/20/2008 9:08AM EST
From the Editor: Don't Take Encryption for Granted
By Systems Management News Team
June 15, 2008
When the Debian team revealed in May that it had cryptography problems, many systems administrators found themselves regenerating and managing thousands of encryption keys. From a management standpoint, the biggest hassle was, likely, figuring out which keys were bad and where they all resided.
But for the end user, the whole debacle was likely ignored. When it comes to public key encryption, most end users have to have a VPN or keyed Web access set up for them. They don’t even know there’s encryption involved, let alone understand what an elliptic curve is.
These users are probably taking your security measures for granted. And, now that Internet encryption is an old and proven discipline, perhaps you’re taking your encryption for granted as well. Encryption can be a double-edged sword, however. If your system is locked down, and all your keys are 1024 bits or higher, it’s very likely that, if there’s a security breach, you’re not going to consider a successful brute force attack against those keys as your first culprit. Instead, it’s more likely that someone’s password has been stolen, a database has been compromised or a trojan has made its way onto a server.
Should security practitioners think this way? Probably not, but after years of solid and reliable encryption being available to anyone everywhere, it’s no wonder that crypto tends to be the last possible place people expect a failure. Blame vendors and open-source developers; it’s easy to spin the wheel and scramble things beyond recognition before sending them out into the wild.
And this is why the Debian failure has been such a massive nightmare: With the changing of just a few lines of code, millions of keys generated by thousands of users over the past two years have been completely vulnerable, and there has been nary a clue. Even the best of cryptographers can't tell whether a bad random number generator was used just by looking at the key. And that's the worst part about crypto vulnerabilities: They're the sort of problem that can stay hidden for years and then pop up suddenly to reveal an entire infrastructure as vulnerable.
It’s unfortunate that the Debian team made this mistake, but perhaps, as a warning, it’s a good thing overall. We’d bet that no one who’s following this issue is going to take cryptography for granted anymore. As rightly they shouldn’t.