Stealing encryption keys through the power of touch

Researchers from Tel Aviv University have demonstrated an attack against the GnuPG encryption software that enables them to retrieve decryption keys by touching exposed metal parts of laptop computers.

There are several ways of attacking encryption systems. At one end of the spectrum, there are flaws and weaknesses in the algorithms themselves that make it easier than it should be to figure out the key to decrypt something. At the other end, there are flaws and weaknesses in human flesh and bones that make it easier than it should be to force someone to offer up the key to decrypt something.

In the middle are a range of attacks that don't depend on flaws on the encryption algorithms but rather in the way they've been implemented. Encryption systems, both software and hardware, can leak information about the keys being used in all sorts of indirect ways, such as the performance of the system's cache, or the time taken to perform encryption and decryption operations. Attacks using these indirect information leaks are known collectively as side channel attacks.

Read 9 remaining paragraphs | Comments

Researchers create privacy wrapper for Android Web apps

On a mobile application, users typically have a single choice to protect their privacy: install the application or not.

The binary choice has left most users ignoring permission warnings and sacrificing personal data. Most applications aggressively eavesdrop on their users, from monitoring their online habits through the device identifier to tracking their movements in the real world via location information.

Now, a research group at North Carolina State University hopes to give the average user a third option. Dubbed NativeWrap, the technology allows Web pages to be wrapped in code and make them appear as a mobile application, but with user-controlled privacy. Because many applications just add a user interface around a Web application, the user should have equivalent functionality for many wrapped apps, said William Enck, assistant professor in the department of computer science at North Carolina State University.

Read 7 remaining paragraphs | Comments