Researchers crack online encryption system
Many of the public keys don't fully protect sensitive online transactions, study concludes
Computerworld - An online encryption method widely used to protect banking, email, e-commerce and other sensitive Internet transactions is not as secure as assumed, according to a report issued by a team of U.S and European cryptanalysts.
The researchers reviewed millions of public keys used by websites to encrypt online transactions and found a small but significant number to be vulnerable to compromise.
In most cases, the problem had to do with the manner in which the keys were generated, according to the researchers. The numbers associated with the keys were not always as random as needed, the research showed.
Therefore, the team concluded, attackers could use public keys to guess the corresponding private keys that are used to decrypt data -- a scenario that was previously believed to be impossible.
"This is an extremely serious cryptographic vulnerability caused by the use of insufficiently good random numbers when generating private keys" for HTTPS, SSL and TSL servers, said Peter Eckersley, senior technologist at the Electronic Frontier Foundation. The EFF contributed data for the research.
"We are presently working around the clock to inform the parties whose keys are vulnerable and the [Certificate Authorities] that issued certificates for them, so that new keys can be generated and the vulnerable certificates can be revoked," he said.
The research was originally scheduled to be released later this year, but became public knowledge in a New York Times story Tuesday.
Public key cryptography is the fundamental encryption system used to protect Internet transactions. It involves the use of a public key to encrypt data and an associated private key to decrypt it.
For instance, when a user logs into a banking website or a secure e-commerce site, the transactions are encrypted using the site's public key. The data can only be decrypted by the site owner using the corresponding private key.
The public keys are typically embedded in digital certificate that are issued by so-called Certificate Authorities. In theory, it's impossible to guess the make-up of a private key, and no two public/private key pairs are ever the same.
In reality, though, not all keys are generated securely, according to James Hughes, an independent U.S.-based cryptanalyst, Arjen Lenstra, a professor at the Ecole Polytechnique Federale de Lausanne in Switzerland, Maxime Augier, a doctoral student, and three other researchers.
The researchers studied 6.6 million public keys generated using the RSA algorithm, and found that 12,720 were not secure at all and 27,000 others were vulnerable.
"The secret keys are accessible to anyone who takes the trouble to redo our work. Assuming access to the public key collection, this is straightforward compared to more traditional ways to retrieve RSA secret keys," the researchers wrote.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Cybersecurity Imperatives Reinvent Your Network Security With Palo Alto Networks The Rise of CyberSecurity
- 10 Things Your Next Firewall Must do Next-Generation Firewalls Defined
- Firewall Buyers Guide Operate as the core of your network security infrastructure
- Getting Started With a Zero Trust Approach to Network Security The Traditional Approach to Network Security is Failing. View Now>>
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts