Wednesday, February 15, 2012
The researchers reported their findings Feb. 14, 2012. They are scheduled to formally present their paper at a cryptography conference in Santa Barbara, Calif., in August 2012, but they reportedly released it early because they believe the findings are of concern to operators using the public key cryptography system.
The researchers studied public databases of 7.1 million public keys used for email, online banking, POS transactions and other services and found them to be 99.8 percent secure – not 100 percent. The researchers discovered that a few of the numbers generated randomly by the encryption software were not actually random.
Potentially, if these nonrandom numbers were discovered, it would be possible to find the underlying data that was supposed to be encrypted. The researchers found 27,000 keys with no security out of the 7.1 million public keys studied. This amounts to approximately two numbers out of every 1,000.
"Our main goal was to test the validity of the assumption that different random choices are made each time keys are generated," the authors said in their report. "A more disconcerting finding is that two out of every one thousand [numbers] we collected offer no security. Our conclusion is that the validity of the assumption is questionable and that generating keys in the real world for 'multiple secrets' cryptosystems … is significantly riskier than for 'single-secret' ones."
They added that, when exploited, this flaw "could affect the expectation of security that the public key infrastructure is intended to achieve."
The authors said they believe their findings are likely not new to "agencies and parties that are known for their curiosity in such matters." They said the majority of encrypted numbers do not seem "to suffer from obvious weaknesses and can be expected to provide the expected level of security. We found that on the order of 0.003 percent of public keys is incorrect, which does not seem to be unacceptable. We were surprised, however, by the extent to which public keys are shared among unrelated entities."
It is not a good time for disruption of confidence in the encryption system. MasterCard Worldwide and Visa Inc. are both pushing for quick introduction of Europay/MasterCard/Visa (EMV) technology as the most secure way to do business. One main reason for the push is that EMV technology securely encrypts data, according to the card companies.
Dr. Tim Cranny, Chief Technology Officer at Panoptic Security Inc., a company providing Payment Card Industry Data Security Standard compliance solutions, said the research findings are more interesting than important.
"This is an example of a general class of isolated behavior," he said. "It's not a big deal. ... There's nothing the average person can do about it. It's the cost of living in a flawed world."
Cranny said the research is indicative of the kinds of problems businesses face all the time with technology and, typically, the next step is for businesses to look for improvements and solutions to minimize the problem.
Cranny said the flaw would be difficult for criminals to exploit because it is hard to target. "It would be like trying to find and exploit two people with the same name who were born on the same day," he said. "It's just bad luck if the bad guys happen to find and exploit it. There are much worse problems that get ignored by everyone. This is very obscure, very mathematical. They are stretching for relevance. I'd be astonished if this amounted to anything."