An online encryption technique widely used to safeguard email, e-commerce, and other sensitive Internet transactions is crackable, according to a study by U.S. and European cryptanalysts.
Their review of 6.6 million public keys employed by Web sites to encrypt online transactions found that 12,720 were completely insecure and 27,000 were susceptible to compromise. The problem was often linked to the manner in which the keys were produced, with the researchers demonstrating that the numbers associated with the keys were not always as random as necessary, thus enabling attackers to use public keys to guess the corresponding private keys used to decode data.
"We are presently working around the clock to inform the parties whose keys are vulnerable and the [certificate authorities] that issued certificates for them, so that new keys can be generated and the vulnerable certificates can be revoked," says the Electronic Frontier Foundation's Peter Eckersley.
He warns that hackers could exploit the vulnerability by assembling a similar database of public keys and reproducing the cryptanalysts' method to identify the weak keys. Cryptographer Bruce Schneier says the random number problems described by the researchers could have been unintentional or deliberately embedded by someone attempting to eavesdrop on encrypted communications.
From Computerworld
Abstracts Copyright © 2012 Information Inc., Bethesda, Maryland, USA