The Green Sheet Online Edition
March 12, 2012 • Issue 12:03:01
Researchers say encryption doesn't always work
A Swiss National Science Foundation research team composed of mathematicians and cryptographers working in San Francisco discovered what they believe is a flaw in the encryption algorithm commonly used for online data security that may call online data security into question.
The researchers are scheduled to present their paper at an August 2012 cryptography conference, but they released their findings early, in February 2012, reportedly because they believe the findings are of concern to operators using the public key cryptography system.
Key report findings
The researchers studied public databases of 7.1 million public keys used for email, online banking, POS transactions and other services and found it to be 99.8 percent secure - not 100 percent. The researchers discovered a few of the numbers generated randomly by the encryption software were not actually random.
Potentially, if these nonrandom numbers were discovered, it would be possible to find the underlying data that was supposed to be encrypted. The researchers found 27,000 keys with no security out of the 7.1 million public keys studied. This amounts to approximately two numbers out of every 1,000.
"Our main goal was to test the validity of the assumption that different random choices are made each time keys are generated," the authors said in their report. "A more disconcerting finding is that two out of every one thousand [numbers] we collected offer no security.
"Our conclusion is that the validity of the assumption is questionable and that generating keys in the real world for 'multiple secrets' cryptosystems... is significantly riskier than for 'single-secret' ones." They added, that when exploited, this flaw "could affect the expectation of security that the public key infrastructure is intended to achieve."
The authors said they believe their findings are likely not new to "agencies and parties that are known for their curiosity in such matters." They said the majority of encrypted numbers do not seem "to suffer from obvious weaknesses and can be expected to provide the expected level of security.
"We found that on the order of 0.003 percent of public keys is incorrect, which does not seem to be unacceptable. We were surprised, however, by the extent to which public keys are shared among unrelated entities."
Security expert evaluation
It is not a good time for diminished confidence in the encryption system. MasterCard Worldwide and Visa Inc. are pushing for quick introduction of Europay/MasterCard/Visa (EMV) technology as the most secure way to do business. One reason for the push is because EMV technology securely encrypts data, according to the card companies.
Dr. Tim Cranny, Chief Technology Officer at Panoptic Security Inc., said the research findings are more interesting than important. "This is an example of a general class of isolated behavior," he said. "It's not a big deal. ... There's nothing the average person can do about it. It's the cost of living in a flawed world."
Cranny said the research is indicative of the kinds of problems businesses face all the time with technology and, typically, the next step is for businesses to look for improvements and solutions to minimize the problem.
Cranny believes the flaw would be difficult to exploit because it is hard to target. "It would be like trying to find and exploit two people with the same name who were born on the same day," he said. "It's just bad luck if the bad guys happen to find and exploit it.
There are much worse problems that get ignored by everyone. This is very obscure, very mathematical. They are stretching for relevance. I'd be astonished if this amounted to anything."
For additional news stories, please visit
www.greensheet.com and click on "Read the Entire Story" in the center column below the latest news story
excerpt. This will take you to the full text of that story, followed by all other news stories posted online.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.