PublicKeyEncryption
Latest
Researchers challenge Apple's 'unbreakable' iMessages
Shortly after revelations about the NSA's data-snooping programs became public, Apple publicly stated that the end-to-end encryption used in iMessage was so good that it was impossible for anyone -- including Apple -- to break the code. Now security researchers are saying that it could be possible for someone inside Apple to intercept uncoded messages either for themselves or the government. The researchers spoke at the Hack in the Box conference in Kuala Lumpur, with iOS jailbreaker Cyril Cattiaux going so far as to call Apple's assertion that iMessage encryption is rock-solid "just basically lies." The team noted that there's no evidence that Apple or the NSA is actually reading iMessages, but say that it's possible. Apple uses public key cryptography to encrypt iMessages, and Cattiaux says that "Apple has full control over this public key directory." That means that a sender doesn't have the ability to see whether a key has changed, or if the key is actually under the control of the recipient. Another researcher noted that "they give the key and nobody can really know if it's a substitute or anything like that ... it's a matter of trust." Cryptography expert Moxie Marlinspike wasn't involved with the research, but noted that trusting another party to manage cryptography keys on your behalf is no more secure than trusting them with unencrypted text. As Paul Kocher of Cryptography Research put it in an email to Computerworld, "It isn't fair to criticize Apple too heavily since other services aren't better (and most are worse)."
1024-bit RSA encryption cracked by carefully starving CPU of electricity
Since 1977, RSA public-key encryption has protected privacy and verified authenticity when using computers, gadgets and web browsers around the globe, with only the most brutish of brute force efforts (and 1,500 years of processing time) felling its 768-bit variety earlier this year. Now, three eggheads (or Wolverines, as it were) at the University of Michigan claim they can break it simply by tweaking a device's power supply. By fluctuating the voltage to the CPU such that it generated a single hardware error per clock cycle, they found that they could cause the server to flip single bits of the private key at a time, allowing them to slowly piece together the password. With a small cluster of 81 Pentium 4 chips and 104 hours of processing time, they were able to successfully hack 1024-bit encryption in OpenSSL on a SPARC-based system, without damaging the computer, leaving a single trace or ending human life as we know it. That's why they're presenting a paper at the Design, Automation and Test conference this week in Europe, and that's why -- until RSA hopefully fixes the flaw -- you should keep a close eye on your server room's power supply.
