SecurPC

John Wang (wang@rsa.com)
Thu, 14 May 1998 15:46:47 -0700

• Next message: MJG - crypto lists: "RE: RSA's SecurPC not-so-"Secur""
• Previous message: Bruce Schneier: "Re: RSA's SecurPC not-so-"Secur""

        A contributor to this list, Mike Stay <staym@accessdata.com>, has
recently brought to our attention a previously undiscovered deficiency in
SecurPC: under certain circumstances the Windows 95 virtual memory mechanism
may place a copy of the password on the hard drive. (SecurPC itself does not
write the password to the hard drive. The fact that memory is swapped to the
hard drive presents a security challenge for any software operating within
Windows 95.)

        Our own investigation shows that the offset of the swapped password
is not the same from machine to machine and that the swapped password does
not always appear on the disk. The password is also more difficult to find
when you don't know the password in advance. Nonetheless, we acknowledge
that this is an unacceptable breach of system security.

        We are currently developing a fix. A description of the solution and
a free security upgrade implementing it will be made available as soon as
possible.

        RSA is committed to supplying quality encryption products. The
high-quality technical content of the postings on this list has made those
postings welcome input. Thanks to all who have contributed.

        Regards,
        -John

        John Wang
        Manager, Security Applications
        RSA Data Security, Inc.

        P.S. I will be away from e-mail for the next couple of weeks. Others
from RSA and Security Dynamics will continue to monitor postings in my
absence.

• Next message: MJG - crypto lists: "RE: RSA's SecurPC not-so-"Secur""
• Previous message: Bruce Schneier: "Re: RSA's SecurPC not-so-"Secur""