W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > May to August 1999

RE: Password change via HTTP

From: Steve Parker <sparker@well.com>
Date: Wed, 16 Jun 1999 07:04:15 -0700
To: "'John Stracke'" <francis@ecal.com>, <http-wg@hplb.hpl.hp.com>
Message-ID: <000d01beb801$1f31fb80$0100a8c0@steve.well.com>
> I take it this requires access to the process's memory space?
Since this usually gets swapped out at some point, the swap file
would seem a much easier point of attack. How easy this is depends
on implementations. Windows would appear to be easy. Systems with
protected memory space such as AS/400 or various specialized trusted
systems would appear to be immune - but Shamir was exploring the
possibility of "lunchtime attacks" on client systems, which is
virtually synonymous with Windows.

Steve

> -----Original Message-----
> From: francis@ariel.local.thibault.org
> [mailto:francis@ariel.local.thibault.org]On Behalf Of John Stracke
> Sent: Tuesday, June 15, 1999 8:35 AM
> To: http-wg@hplb.hpl.hp.com
> Subject: Re: Password change via HTTP
> 
> 
> Steve Parker wrote:
> 
> > Doesn't help (well, just a slight delay) - see Shamir and van
> > Someren's paper "Playing hide and seek with stored keys", delivered
> > to this year's Financial Cryptography conference: "We 
> describe efficient
> > algebraic attacks which can locate secret RSA keys in long 
> bit strings,
> > and more general statistical attacks which can find 
> arbitrary cryptographic
> > keys embedded in large programs.
> 
> I take it this requires access to the process's memory space?
> 
> --
> /=============================================================\
> |John Stracke    | My opinions are my own | S/MIME & HTML OK  |
> |francis@ecal.com|============================================|
> |Chief Scientist | NT's lack of reliability is only surpassed |
> |eCal Corp.      |  by its lack of scalability. -- John Kirch |
> \=============================================================/
> 
> 
> 
> 
Received on Wednesday, 16 June 1999 15:08:10 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:31 EDT