Entrust Solution Remedies Newly Found Digital Signature Algorithm Vulnerability


Entrust Technologies Inc., the global leader in solutions that bring trust to e-business, today announced that its existing trust relationship management solutions contain advanced public-key infrastructure (PKI) management features that enable customers to avoid the recently discovered Digital Signature Algorithm (DSA) vulnerability.

The existing remedy, which is inherent in Entrust/PKI(TM) software, provides organizations with the ability to quickly implement a deployment-wide decision to renew cryptographic keys and digital certificates used with DSA and, if desired, change from the use of DSA to an algorithm not subject to the same attack. This capability is available for the keys and certificates of end users as well as the Certification Authority (CA) itself. Demonstrating the ease-of-use of Entrust solutions, this security enhancement can be achieved transparently, with no impact on the ongoing operations of individual users through unique centralized management capabilities.

The anticipated risk from the DSA algorithm vulnerability is very low. Based on a theoretical attack, an attacker would need to gather millions of separate signatures performed from one single key pair to expose a weakness in the algorithm. This weakness can be avoided by replacing key pairs using DSA and/or by moving to an alternative algorithm.

The advanced management capabilities contained in the Entrust/PKI solution are designed to help customers avoid this type of attack by providing the ability to automatically “roll over” and update key pairs within user certificates as well as those used by the CA. By performing this operation, the key pair used to generate DSA digital signatures can be renewed minimizing the possibility that an attacker would gain access to the significantly large number of digital signatures required to attack the algorithm. Optionally, the certificate roll over can also be conducted to replace DSA with an algorithm not subject to the same vulnerability. Entrust/PKI solutions enable these remedies to be implemented for all users by simply initiating a seamless roll over of user certificates to steer clear of the potential of the DSA vulnerability. More importantly, this roll over can also apply to the certification authority (CA) certificate which is likewise seamless to end users.

“The discovery of this vulnerability demonstrates and reinforces the value we bring to our customers through our easy-to-manage trust relationship management solutions,” said Paul Doscher, executive vice president, Entrust Technologies. “Not only do our solutions offer scalability and low cost of ownership, but they also provide robust security to our customers’ in conducting their e-business activities and reduce the risk associated with such threats. The management capabilities that make it possible to avoid this type of vulnerability are essential to e-business and have been available in our PKI solution from its inception.”

Entrust Technologies will support the U.S. National Institute of Standards and Technology (NIST) efforts to deliver any required update to DSA to address this issue and will move quickly to deliver products incorporating any solution.

About Entrust Technologies

Entrust Technologies Inc. (Nasdaq: ENTU) is the global leader in solutions that bring trust to e-business relationships by securing and managing the transactions that constitute e-business. Through the industry’s most comprehensive portfolio of trusted e-business infrastructure solutions, Entrust Technologies enables customers to secure their B2B, B2C and internal enterprise transactions and communications, as well as to manage the e-business portals through which these transactions take place. Pioneers of public-key infrastructure (PKI) and digital certificate solutions that provide security for business transactions and communications over the Internet, Entrust Technologies is a global company with offices around the world. For additional company information please visit www.entrust.com.

Entrust is a registered trademark of Entrust Technologies Inc. in the United States and other countries. In Canada, Entrust is a registered trademark of Entrust Technologies Limited. All Entrust product names are trademarks of Entrust Technologies. All other company and product names are trademarks or registered trademarks of their respective owners.

Don't miss