Encryption keys aren't safe on servers, report warns

Encryption keys are no longer safe on servers according to research published by UK security company, nCipher.

Private encryption keys can be held on a user's network and used to code and decode confidential data sent over the Web. Previously it was thought to be impossible to hack into a network and find the keys, because they were small pieces of code hidden in mountains of information.

But according to nCipher, hackers can find these keys and decode information sent over networks, putting ecommerce and online transactions under-threat.

The study concludes that the safest place for encryption is the hardware.

Colin Bastable, a spokesman for nCipher, said: "This is the first research ever to prove this and it's backed up by many organisations including the government."

Neil McEvoy, managing director of security consultancy, Hyperion, said the research proves what people have suspected for a long time. Banks have kept encryption on hardware religiously for use in networks such as ATMs; it's only recently that companies have started storing their private keys on the network.

"In the rush to embrace ecommerce people forgot the basics of security and neglected to keep their keys safe. I think this research is important and timely," said McEvoy.

He conceded that nCipher may have a vested interest in the announcement since the company manufactures the hardware-based encryption tools itself. However, McEvoy agreed with the findings in principle.

McEvoy and other encryption experts also think that keys should be kept on hardware because it takes up too much bandwidth on the network.

Microsoft and the Sun/Netscape Alliance have endorsed the research findings and are working with nCipher to find way to solve the problem.