The Green Sheet Online Edition

March 12, 2012  •  Issue 12:03:01

Researchers say encryption doesn't always work

A Swiss National Science Foundation research team composed of mathematicians and cryptographers working in San Francisco discovered what they believe is a flaw in the encryption algorithm commonly used for online data security, a flaw that may call that security into question.

The researchers are scheduled to present their paper at an August 2012 cryptography conference, but they released their findings early, in February 2012, reportedly because they believe the findings are of concern to operators using the public key cryptography system.

Key report findings

The researchers studied public databases of 7.1 million public keys used for email, online banking, POS transactions and other services and found them to be 99.8 percent secure - not 100 percent. The researchers discovered that a few of the numbers generated randomly by the encryption software were not actually random.

Potentially, if these nonrandom numbers were discovered, it would be possible to find the underlying data that was supposed to be encrypted. The researchers found 27,000 keys with no security out of the 7.1 million public keys studied. This amounts to approximately two numbers out of every 1,000.

"Our main goal was to test the validity of the assumption that different random choices are made each time keys are generated," the authors said in their report. "A more disconcerting finding is that two out of every one thousand [numbers] we collected offer no security.

"Our conclusion is that the validity of the assumption is questionable and that generating keys in the real world for 'multiple secrets' cryptosystems... is significantly riskier than for 'single-secret' ones." They added that, when exploited, this flaw "could affect the expectation of security that the public key infrastructure is intended to achieve."

The authors said they believe their findings are likely not new to "agencies and parties that are known for their curiosity in such matters." They said the majority of encrypted numbers do not seem "to suffer from obvious weaknesses and can be expected to provide the expected level of security.

"We found that on the order of 0.003 percent of public keys is incorrect, which does not seem to be unacceptable. We were surprised, however, by the extent to which public keys are shared among unrelated entities."
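An organization can check its own key inventory for the two conditions the researchers describe: identical public keys held by unrelated systems, and keys that are distinct but were built from a repeated "random" secret. The Python below is an added example, not code from the researchers or from The Green Sheet. It assumes the keys are RSA moduli (the article does not name the cryptosystem), and the key names and toy-sized moduli are constructed for illustration.

```python
from collections import defaultdict
from math import gcd, prod

def audit_moduli(inventory):
    """Audit {key_name: RSA modulus}. Returns (duplicates, shared).

    duplicates: sorted list of name groups presenting the identical modulus.
    shared:     {key_name: common_factor} for moduli that differ from, but
                share a prime with, another modulus in the inventory.
    """
    owners = defaultdict(list)
    for name, n in inventory.items():
        owners[n].append(name)
    duplicates = sorted(sorted(v) for v in owners.values() if len(v) > 1)

    distinct = list(owners)
    product = prod(distinct)
    shared = {}
    for n in distinct:
        # gcd of n with the product of all *other* distinct moduli
        g = gcd(n, (product // n) % n)
        if g == n:
            # Both primes of n occur elsewhere; recover one factor pairwise.
            g = next(f for m in distinct if m != n
                     for f in [gcd(n, m)] if 1 < f < n)
        if g > 1:
            for name in owners[n]:
                shared[name] = g
    return duplicates, shared

# Constructed sample inventory. The primes are small Mersenne primes chosen
# so the example is easy to verify; real moduli are 2048 bits or more.
M13, M17, M19 = 2**13 - 1, 2**17 - 1, 2**19 - 1
M31, M61, M89, M107 = 2**31 - 1, 2**61 - 1, 2**89 - 1, 2**107 - 1
SAMPLE = {
    "mail-gw":  M31 * M61,   # shares the prime M31 with pos-01
    "pos-01":   M31 * M19,
    "bank-web": M17 * M13,   # healthy: no factor in common with any other key
    "vpn-a":    M89 * M107,  # identical key deployed on two systems
    "vpn-b":    M89 * M107,
}

if __name__ == "__main__":
    dups, shared = audit_moduli(SAMPLE)
    print("identical keys:", dups)
    print("shared factor :", shared)
```

Any key the audit reports under a shared factor should be regenerated on a system with a properly seeded random number generator; a key reported only as a duplicate should be replaced wherever the systems holding it are not meant to share one identity.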

Security expert evaluation

It is not a good time for diminished confidence in the encryption system. MasterCard Worldwide and Visa Inc. are pushing for quick introduction of Europay/MasterCard/Visa (EMV) technology as the most secure way to do business. One reason for the push is that EMV technology securely encrypts data, according to the card companies.

Dr. Tim Cranny, Chief Technology Officer at Panoptic Security Inc., said the research findings are more interesting than important. "This is an example of a general class of isolated behavior," he said. "It's not a big deal. ... There's nothing the average person can do about it. It's the cost of living in a flawed world."

Cranny said the research is indicative of the kinds of problems businesses face all the time with technology and, typically, the next step is for businesses to look for improvements and solutions to minimize the problem.

Cranny believes the flaw would be difficult to exploit because it is hard to target. "It would be like trying to find and exploit two people with the same name who were born on the same day," he said. "It's just bad luck if the bad guys happen to find and exploit it.

"There are much worse problems that get ignored by everyone. This is very obscure, very mathematical. They are stretching for relevance. I'd be astonished if this amounted to anything."

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
