Researchers Crack Online Encryption System

By Jaikumar Vijayan
Wed, February 15, 2012

Computerworld — An online encryption method widely used to protect banking, email, e-commerce and other sensitive Internet transactions is not as secure as assumed, according to a report issued by a team of U.S and European cryptanalysts.

The researchers reviewed millions of public keys used by websites to encrypt online transactions, and found a small but significant number to be vulnerable to compromise.

In most cases, the problem had to do with the manner in which the keys were generated, according to the researchers. The numbers associated with the keys were not always as random as needed, the research showed.

Therefore, the team concluded, attackers could use public keys to derive the corresponding private keys that are used to decrypt data, a scenario that was previously believed to be impossible.

"This is an extremely serious cryptographic vulnerability caused by the use of insufficiently good random numbers when generating private keys" for HTTPS, SSL and TLS servers, said Peter Eckersley, senior technologist at the Electronic Frontier Foundation. The EFF contributed data for the research.

"We are presently working around the clock to inform the parties whose keys are vulnerable and the [Certificate Authorities] that issued certificates for them, so that new keys can be generated and the vulnerable certificates can be revoked," he said.

The research was originally scheduled to be released later this year, but became public knowledge in a New York Times story on Tuesday.

Public key cryptography is the fundamental encryption system used to protect Internet transactions. It involves the use of a public key to encrypt data and an associated private key to decrypt it.

For instance, when a user logs into a banking website or a secure e-commerce site, the transactions are encrypted using the site's public key. The data can only be decrypted by the site owner using the corresponding private key.

The public keys are typically embedded in digital certificates that are issued by so-called Certificate Authorities. In theory, it's impossible to guess the make-up of a private key, and no two public/private key pairs are ever the same.

In reality, though, not all keys are generated securely, according to James Hughes, an independent U.S.-based cryptanalyst, Arjen Lenstra, a professor at the Ecole Polytechnique Federale de Lausanne in Switzerland, Maxime Augier, a doctoral student, and three other researchers.

The researchers studied 6.6 million public keys generated using the RSA algorithm, and found that 12,720 were not secure at all and 27,000 others were vulnerable.

"The secret keys are accessible to anyone who takes the trouble to redo our work. Assuming access to the public key collection, this is straightforward compared to more traditional ways to retrieve RSA secret keys," the researchers wrote.
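The article summarizes the finding without naming the mechanism. In the published research the keys that offered no security were RSA moduli that shared a prime factor with another modulus in the collection, because the generator that chose the first prime had too little entropy; a greatest common divisor of two such moduli yields that prime, and with one prime known the private exponent follows directly. The following example is added here and is not code from the article or from the researchers; it simulates a small fleet of devices whose first prime is drawn from an almost-empty entropy pool, then runs the audit an operator or certificate authority can run over its own key inventory. The key sizes, the fleet, the seeds and the `entropy_states` parameter are constructed for illustration and are far too small for real use, and a pairwise GCD is used instead of the batch-GCD product tree the researchers needed for millions of keys.

```python
import math
import random

# Toy RSA; 32-bit primes and 64-bit moduli are constructed for illustration only.
E = 65537
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n below about 3.3e24."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    """Draw odd candidates from rng until one is prime and E does not divide cand - 1."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(cand) and cand % E != 1:
            return cand


def make_key(p, q):
    """Public (n, e) and private exponent d for the prime pair. Needs Python 3.8+ for pow(e, -1, m)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return {"n": n, "e": E, "d": d}


def build_fleet(count=8, entropy_states=3, bits=32):
    """Constructed scenario: each device's first prime comes from one of only a few
    boot-time entropy states, so devices sharing a state share p. The second prime
    is drawn after entropy has accumulated, so q is unique per device."""
    keys = []
    for dev in range(count):
        weak_rng = random.Random(dev % entropy_states)  # few distinct states -> few distinct p
        p = gen_prime(bits, weak_rng)
        good_rng = random.Random(1000 + dev)            # assumed unique per device
        q = gen_prime(bits, good_rng)
        keys.append(make_key(p, q))
    return keys


def find_shared_factors(moduli):
    """Audit: pairwise GCD over a list of moduli. Returns {(i, j): g} for every pair
    with a common factor; g == n[i] means the two keys are identical."""
    hits = {}
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            g = math.gcd(moduli[i], moduli[j])
            if g != 1:
                hits[(i, j)] = g
    return hits


def recover_private_key(n, p):
    """Once one prime is known the other is n // p and d follows as in key generation."""
    q = n // p
    if p * q != n:
        raise ValueError("p does not divide n")
    return pow(E, -1, (p - 1) * (q - 1))


def audit_and_recover(keys):
    """Run the audit over the fleet's public keys and reconstruct d for every affected key."""
    hits = find_shared_factors([k["n"] for k in keys])
    recovered = {}
    for (i, j), g in hits.items():
        for idx in (i, j):
            recovered[idx] = recover_private_key(keys[idx]["n"], g)
    return hits, recovered


def roundtrip(key, d, message=0xC0FFEE):
    """Encrypt with the public key, decrypt with the supplied d; true if d is the private exponent."""
    c = pow(message, key["e"], key["n"])
    return pow(c, d, key["n"]) == message


if __name__ == "__main__":
    fleet = build_fleet()
    hits, recovered = audit_and_recover(fleet)
    print("key pairs sharing a factor:", sorted(hits))
    print("keys whose private exponent follows from public data:", sorted(recovered))
```

Only the public moduli go into `find_shared_factors`, which is why a CA or operator holding nothing but certificates can run this check; a key that the audit flags needs to be regenerated on a device with a properly seeded generator and its certificate revoked, exactly the remediation the EFF describes above.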

Originally published on www.computerworld.com.