Online Encryption System Cracked

Friday, February 17, 2012 @ 01:02 PM gHale

An online encryption method used to protect banking, email, e-commerce and other sensitive Internet transactions is not as secure as assumed, a new report said.

The researchers reviewed millions of public keys used by websites to encrypt online transactions and found a small but significant number to be vulnerable to compromise.


In most cases, the problem lay in the way the keys were generated, the researchers said. The numbers used to create the keys were not always as random as they needed to be, the research showed.

Therefore, the team concluded, attackers could use public keys to guess the corresponding private keys used to decrypt data — a scenario previously believed to be impossible.

“This is an extremely serious cryptographic vulnerability caused by the use of insufficiently good random numbers when generating private keys” for HTTPS, SSL and TLS servers, said Peter Eckersley, senior technologist at the Electronic Frontier Foundation. The EFF contributed data for the research.

“We are presently working around the clock to inform the parties whose keys are vulnerable and the [Certificate Authorities] that issued certificates for them, so that new keys can be generated and the vulnerable certificates can be revoked,” he said.

Public key cryptography is the fundamental encryption system used to protect Internet transactions. It involves the use of a public key to encrypt data and an associated private key to decrypt it.

For instance, when a user logs into a banking website or a secure e-commerce site, the transactions are encrypted using the site’s public key. The data can only be decrypted by the site owner using the corresponding private key.

The public keys are typically embedded in a digital certificate issued by a Certificate Authority. In theory, it’s impossible to guess the make-up of a private key, and no two public/private key pairs are ever the same.

In reality, though, not all keys are generated securely, said James Hughes, an independent U.S.-based cryptanalyst, Arjen Lenstra, a professor at the Ecole Polytechnique Federale de Lausanne in Switzerland, Maxime Augier, a doctoral student, and three other researchers.

The researchers studied 6.6 million public keys generated using the RSA algorithm, and found that 12,720 were not secure at all and 27,000 others were vulnerable.

“The secret keys are accessible to anyone who takes the trouble to redo our work. Assuming access to the public key collection, this is straightforward compared to more traditional ways to retrieve RSA secret keys,” the researchers wrote.
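The article does not spell out how poor randomness lets a public key give away its private key. The published study found the defect in a concrete form: two certificates whose RSA moduli share one prime factor, which a single gcd computation exposes, after which both moduli factor and the private exponents follow directly. The block below is an added illustration, not the researchers’ code or the EFF’s data. It is written as the check a certificate operator would run over their own key inventory, and the key names, primes and message value are constructed toy values chosen so the arithmetic is visible.

```python
"""Audit a set of RSA public moduli for shared prime factors.

Constructed illustration (not the study's code). When a key generator's
randomness is poor, two distinct keys can end up with a common prime.
gcd(n1, n2) then reveals that prime, and both moduli factor at once.
"""
from itertools import combinations
from math import gcd

# Constructed, tiny primes so the example runs instantly. Real RSA primes are
# hundreds of digits long, but the gcd arithmetic below is identical.
PRIMES = [101, 103, 107, 109, 113, 127, 131]
PUBLIC_EXPONENT = 65537


def make_keys():
    """Toy key inventory (constructed). Keys 'b' and 'c' share the prime 107,
    standing in for a generator that repeated a value from a weak RNG."""
    return {
        "a": PRIMES[0] * PRIMES[1],   # 101 * 103
        "b": PRIMES[2] * PRIMES[3],   # 107 * 109
        "c": PRIMES[2] * PRIMES[4],   # 107 * 113  <- shares 107 with "b"
        "d": PRIMES[5] * PRIMES[6],   # 127 * 131
    }


def find_shared_factors(moduli):
    """Pairwise gcd over every modulus pair. A gcd strictly between 1 and the
    smaller modulus is a prime both keys share. Identical moduli (duplicate
    keys) are a separate problem and are deliberately not reported here.
    At the study's scale (millions of keys) a batch-gcd product tree replaces
    this quadratic loop; the finding is the same."""
    hits = []
    for (name1, n1), (name2, n2) in combinations(sorted(moduli.items()), 2):
        g = gcd(n1, n2)
        if 1 < g < min(n1, n2):
            hits.append((name1, name2, g))
    return hits


def factor_from_shared(n, p):
    """Once one prime is known, the other is a single exact division."""
    q, r = divmod(n, p)
    if r != 0:
        raise ValueError(f"{p} does not divide {n}")
    return (p, q) if p < q else (q, p)


def private_exponent(p, q, e=PUBLIC_EXPONENT):
    """Textbook RSA: d = e^-1 mod (p-1)(q-1). This is why a leaked factor
    hands over the private key that the public key alone should never reveal."""
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)   # modular inverse, Python 3.8+


def audit_inventory(moduli):
    """Return {key_name: (p, q)} for each key whose modulus factors through a
    shared prime. An empty result means no shared factors were found."""
    compromised = {}
    for name1, name2, g in find_shared_factors(moduli):
        for name in (name1, name2):
            compromised[name] = factor_from_shared(moduli[name], g)
    return compromised


def decrypts_correctly(n, d, message=42, e=PUBLIC_EXPONENT):
    """Round-trip a constructed plaintext to confirm d is the real private key."""
    return pow(pow(message, e, n), d, n) == message


if __name__ == "__main__":
    keys = make_keys()
    for name, (p, q) in audit_inventory(keys).items():
        d = private_exponent(p, q)
        print(f"key {name}: n={keys[name]} = {p}*{q}, d={d}, "
              f"decrypts: {decrypts_correctly(keys[name], d)}")
```

Run against a real inventory, the moduli would be read out of the certificates (for example with a PEM parser) and the primes would be far too large to print, but any hit from `find_shared_factors` means both keys involved must be replaced and their certificates revoked, which is the remediation Eckersley describes above.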

The keys inspected by the researchers came from several public databases, including one maintained by the EFF.

Eckersley said hackers could relatively easily take advantage of the weakness by assembling a similar database of public keys and replicating what the researchers did to identify the vulnerable keys.
