Researchers Find Flaw In Widely Used Web Encryption System

A flaw has been found in the encryption system used to conceal from cybercriminals data passed between parties in online shopping, banking, e-mail and other Internet services.

A team of American and European mathematicians and cryptographers discovered the weakness and recently published their findings in a research paper, The New York Times reported Wednesday. The flaw is in the way the public-key cryptography system generates random numbers to prevent others from deciphering digital messages.

The flaw was found in a small but measurable number of cases, the newspaper reported. Nevertheless, even if the impact is only on a small number of users, it would still lower the overall confidence in the security mechanism used in Web transactions.

The researchers analyzed public databases of more than 7 million public keys used in encrypting e-mail messages, online banking transactions and other data exchanges in online services. What they found was a small percentage of the underlying numbers used to create the numerical keys for locking and unlocking encrypted data were not random, making it possible to crack the system. Several databases were used in the study, including those of the Massachusetts Institute of Technology and the Electronic Frontier Foundation, a San Francisco-based Internet privacy rights group.

While the report's findings are significant, the extent of the danger to users of online services is not clear, Paul Kocher, president and chief scientist of Cryptography Research, a San Francisco-based developer and licensor of semiconductor security, told CRN. The study does not say whether the flawed keys were found across Internet technologies or a small subset. For example, a key used to communicate with an individual firewall or router would have less of an overall impact than the key used in providing access to Amazon.com's Web server sitting on top of a database of customers' credit card numbers.

"The indications are that the problem here is principally one involving less valuable keys," Kocher said.

In the Freedom to Tinker blog hosted by Princeton University's Center for Information Technology Policy, Nadia Heninger, a postdoctoral fellow in mathematical sciences at the University of California, San Diego, said the flawed keys mainly affected various types of embedded devices, such as routers and virtual private networks, not "full-blown Web servers."

"There's no need to panic," she said.

However, Heninger said she and several colleagues in a separate study were able to remotely compromise about 0.4 percent of all the public keys used in SSL Web site security. SSL, or Secure Sockets Layer, is the cryptographic protocol for securing communications over the Internet.

"We've found vulnerable devices from nearly every major manufacturer," Heninger said. The team plans to release their report after contacting all the manufacturers with products that may be affected.

The overall problem, according to Kocher, is whether the trust organizations place in the underlying cryptography of vendors' products is warranted. "Trying to figure out where people are putting too much trust in systems is a big part of the bigger picture process here, and then figuring out what to do about that," he said.